Why a working CISO builds these kits

I run security and compliance in EU-regulated fintech — the kind of lean team where one person owns the framework, the evidence, and the audit all at once. When the CRA landed, I went looking for help and found two doors: a six-figure consulting engagement, or a faceless template shop selling a stale Word file “as is.” One was priced for enterprises with a budget line for exactly this; the other was a liability dressed up as a shortcut. Neither serves a small team staring down a real deadline with no head-count to spare.

So I built the document set I wished existed: grounded in the actual articles, split by the role you actually play, and written so a competent non-specialist can deploy it without a lawyer translating every clause first. Then I did the part the template shops quietly skip — I keep it current. Regulations don't sit still: harmonised standards land, annexes change, the Omnibus shifts the dates. Every kit carries a dated Currency Stamp and a public changelog, so you can see exactly what it reflects and when it last moved — not a file frozen on the day you happened to buy it.

It stays anonymous by design. This is an independent project, and keeping my name off it is how I keep it cleanly separate from my employer and my clients — no borrowed authority, no conflict of interest, nothing confidential carried across. What you get instead is more useful than a byline: practical, opinionated tools from someone who sits in the same chair you do, has scoped the same products, assembled the same evidence, and felt the same deadline breathing down their neck.

Built & maintained by a practicing CISO
EU-regulated fintech · 10+ years in security & compliance
CRA · DORA · NIS2 · PCI DSS · ISO 27001 · GDPR

How each kit is built

01 Grounded in the source text

Every document maps to specific articles and annexes of the regulation, cited inline, so any clause traces back to the text it answers to. There is no generic ISMS boilerplate reused across frameworks and relabelled — what applies to the CRA is written for the CRA, in the regulation's own terms. When a reviewer, an acquirer or an auditor asks where a requirement comes from, the answer is right there on the page, not buried in a consultant's head.

02 Split by the role you actually play

Manufacturer, importer, distributor — the obligations genuinely differ, so the packs do too. Most toolkits assume you build the product and stop there; this one ships the importer and distributor packs the incumbents skip, because a distributor's due-diligence duties are nothing like a manufacturer's conformity assessment. You buy the pack for the role you are actually in, not a one-size-fits-all bundle you have to gut and rebuild before it fits.

03 Pre-filled with editing guidance

Each file ships with inline “what to change” notes, worked examples, and a one-page cover sheet that explains where the document fits and who needs to sign it off. The point is deployability: a capable non-specialist should be able to adapt it in an afternoon, without hiring a consultant first just to translate the law into plain instructions. The blanks tell you what is wanted; the guidance tells you why it matters and where the risk sits.

04 Versioned and dated, then maintained

The Currency Stamp records exactly what each kit is current as of, and a public changelog tracks every revision in the open. When the rules move — harmonised standards published, the Omnibus simplification, annex updates, fresh regulator guidance — the kit and its changelog move with them, so you are never quietly relying on last year's text. A template you bought once and forgot is a liability; a kit that is maintained, and tells you when it was, is something you can actually stand behind.
