diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 68702ce65c..99fc0d2ae4 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -309,6 +309,9 @@ stages:
 .rule_tag_open_source: &rule_tag_open_source
 - if: '$CI_PROJECT_NAMESPACE == "isc-private" && $CI_COMMIT_TAG != null && $CI_COMMIT_TAG !~ /-S/'
+.rule_tag_security: &rule_tag_security
+ - if: '$CI_PROJECT_NAMESPACE == "isc-private" && $CI_COMMIT_TAG != null && $RELEASE_TYPE == "security"'
+
 .rule_tag_security_or_subscription: &rule_tag_security_or_subscription
 - if: '$CI_PROJECT_NAMESPACE == "isc-private" && $CI_COMMIT_TAG != null && ($RELEASE_TYPE == "security" || $CI_COMMIT_TAG =~ /-S/)'
@@ -1645,9 +1648,12 @@ release:
 - bind-${CI_COMMIT_TAG}-release
 expire_in: "1 month"
-.signer-ssh-job: &signer_ssh_job
+.manual_release_job: &manual_release_job
 stage: release
 when: manual
+
+.signer-ssh-job: &signer_ssh_job
+ <<: *manual_release_job
 allow_failure: false
 tags:
 - signer
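Review bot: `.rule_tag_security` in the first hunk does not exclude `-S` tags the way `.rule_tag_open_source` just above it does, so with `$RELEASE_TYPE == "security"` every job using this rule would be offered on both the plain and the `-S` tag pipelines. If the documents are meant to be prepared once per release, add `&& $CI_COMMIT_TAG !~ /-S/` to the condition; if running them from either tag is intended, say so in a comment above the anchor. The rule also depends on `$RELEASE_TYPE`, whose source is not visible in this hunk, so a short comment would help, e.g. `# RELEASE_TYPE is set by <where it is defined>; without it no security-only job is created`.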
@@ -1757,39 +1763,85 @@ publish:
 rules:
 - *rule_tag_open_source
-# Job creating the release announcement MR in Printing Press
-
-prepare-release-announcement:
+.manual_release_job_qa: &manual_release_job_qa
+ <<: *manual_release_job
 <<: *base_image
- stage: release
- when: manual
- variables:
- GIT_DEPTH: 1
 before_script:
 - git clone --depth 1 https://gitlab.isc.org/isc-projects/bind9-qa.git
+ needs:
+ - job: staging
+ artifacts: false
+
+# Setting the FORCE_CVE_IDS environment variable to a comma-separated
+# list of CVE IDs enables overriding the autodetected ones.
+#
+# Setting the FORCE_SECURITY_RELEASES environment variable to a
+# comma-separated list of BIND 9 versions enables overriding the
+# autodetected ones.
+.printing_press_job: &printing_press_job
+ <<: *manual_release_job_qa
+ variables:
+ GIT_DEPTH: 1
 script:
- - bind9-qa/releng/prepare_release_announcement.py --metadata bind9-qa/releng/metadata.json
- needs: []
- rules:
- - *rule_tag_open_source
+ - bind9-qa/releng/printing_press_mr.py --document "${DOCUMENT}" --metadata bind9-qa/releng/metadata.json ${FORCE_CVE_IDS:+--force-cve-ids ${FORCE_CVE_IDS}} ${FORCE_SECURITY_RELEASES:+--force-security-releases ${FORCE_SECURITY_RELEASES}}
 artifacts:
 paths:
 - printing-press/
 when: on_failure
+# Job creating the release announcement MR in Printing Press
+
+prepare-release-announcement:
+ <<: *printing_press_job
+ variables:
+ DOCUMENT: release-announcement
+ rules:
+ - *rule_tag_open_source
+
+# Job preparing an EVN MR in Printing Press
+
+prepare-evn:
+ <<: *printing_press_job
+ variables:
+ DOCUMENT: evn
+ rules:
+ - *rule_tag_security
+
+# Job preparing a security pre-announcement MR in Printing Press
+
+prepare-preannouncement:
+ <<: *printing_press_job
+ variables:
+ DOCUMENT: security-preannouncement
+ rules:
+ - *rule_tag_security
+
+# Job preparing a packager notification MR in Printing Press
+
+prepare-package-notification:
+ <<: *printing_press_job
+ variables:
+ DOCUMENT: packager-notification
+ rules:
+ - *rule_tag_security
+
+# Job preparing a post-disclosure notification MR in Printing Press
+
+prepare-post-disclosure-notification:
+ <<: *printing_press_job
+ variables:
+ DOCUMENT: post-disclosure-notification
+ rules:
+ - *rule_tag_security
+
 # Job merging the tag back into its base branch
 merge-tag:
- <<: *base_image
- stage: release
- when: manual
+ <<: *manual_release_job_qa
 variables:
 GIT_DEPTH: 100
- before_script:
- - git clone --depth 1 https://gitlab.isc.org/isc-projects/bind9-qa.git
 script:
 - bind9-qa/releng/merge_tag.py --tag "$CI_COMMIT_TAG"
- needs: []
 rules:
 - *rule_tag_open_source
 artifacts:
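Review bot: The `GIT_DEPTH: 1` set under `.printing_press_job` never reaches the five `prepare-*` jobs, because each of them declares its own `variables:` holding only `DOCUMENT`, and a YAML merge key is shallow, so the job-level mapping replaces the anchor's mapping wholesale. Either repeat `GIT_DEPTH: 1` next to `DOCUMENT` in each job or use `extends: .printing_press_job`, which merges `variables` key by key. Separately, the inner expansions in the `script:` line are unquoted (`${FORCE_CVE_IDS:+--force-cve-ids ${FORCE_CVE_IDS}}`), so a value containing whitespace or glob characters is split into extra arguments to `printing_press_mr.py`. Writing `${FORCE_CVE_IDS:+--force-cve-ids "${FORCE_CVE_IDS}"}`, and the same for `FORCE_SECURITY_RELEASES`, keeps each override a single argument.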