FAQ item index


Indexed coverage: 826 of 826 items across 40 modules (updated Mar 10, 2026)

Author: Sorena AI
Published: Mar 10, 2026
Updated: Mar 10, 2026
CRA Notified Bodies

What certificate does a notified body issue under Module B?

If the product type and vulnerability-handling processes meet the applicable essential cybersecurity requirements, the notified body issues an EU-type examination certificate. The certificate identifies the manufacturer, states the conclusions of the examination, records any validity conditions, and includes the data needed to identify the approved type and vulnerability-handling processes.

If the type or vulnerability-handling processes do not meet the requirements, the notified body must refuse the certificate and give detailed reasons. Modifications that may affect conformity or certificate validity require additional approval as an addition to the original EU-type examination certificate.

Citations
Cyber Resilience Act

Annex VIII Part II points 6 and 7 set the EU-type examination certificate contents, refusal duty, and approval route for relevant modifications.

CRA Notified Bodies

Does Module B+C include ongoing notified-body surveillance?

Yes, but the surveillance is specific. Under Module B, the notified body must carry out periodic audits to ensure that the manufacturer's vulnerability-handling processes are implemented adequately.

That does not turn Module C into notified-body production surveillance. The production-control obligation remains with the manufacturer under Module C.

Citations
Cyber Resilience Act

Annex VIII Part II point 8 requires periodic audits of vulnerability-handling processes; Part III keeps production conformity under manufacturer control.

CRA Notified Bodies

What does the notified body assess under Module H?

Module H is full quality assurance. The manufacturer operates an approved quality system for design, development, production, final product inspection and testing, and vulnerability handling. The notified body assesses whether that quality system satisfies the CRA requirements.

The quality-system documentation must cover responsibilities, design and development specifications, vulnerability-handling process specifications, production and quality assurance techniques, examinations and tests, quality records, and monitoring of product quality and system effectiveness.

Citations
Cyber Resilience Act

Annex VIII Part IV points 1 to 3 define Module H and the required quality-system content.

European Commission CRA FAQs

Section 6.3 explains Module H as a full quality control system covering design and production with notified-body assessment.

CRA Notified Bodies

How does surveillance work under Module H?

Module H has surveillance under the responsibility of the notified body. The purpose is to make sure the manufacturer fulfils the obligations arising from the approved quality system.

For assessment, the manufacturer must allow access to design, development, production, inspection, testing, and storage sites and provide quality-system documentation and quality records. The notified body carries out periodic audits and provides an audit report.

Citations
Cyber Resilience Act

Annex VIII Part IV point 4 sets the purpose of Module H surveillance, site-access duties, required records, and periodic audits.

CRA Notified Bodies

How do Module B+C and Module H differ for manufacturers?

Module B+C is product-type oriented: a notified body examines the type and vulnerability-handling processes, then the manufacturer controls production conformity to the approved type.

Module H is system oriented: the notified body assesses and surveils the manufacturer's quality system covering design, development, production, final inspection, testing, and vulnerability handling for the covered product categories. The Commission FAQ notes that Module H can be useful for manufacturers with numerous product types or frequent updates because it can streamline assessment of new or substantially modified products within the approved system.

Citations
Cyber Resilience Act

Annex VIII Parts II, III, and IV show the product-type structure of Module B+C and the quality-system structure of Module H.

CRA Notified Bodies

Does the notified body's number appear next to the CE marking?

Only for the CRA Module H route. Article 30 says the CE marking is followed by the notified body's identification number where that body is involved in conformity assessment based on full quality assurance.

For Module B+C, the CRA requires the manufacturer to keep the EU-type examination certificate and use Module C production control, but Article 30's notified-body-number rule is tied to Module H.

Citations
Cyber Resilience Act

Article 30(4) ties the notified-body identification number after the CE marking to full quality assurance based on Module H.

CRA Notified Bodies

What independence rules apply to CRA notified bodies?

A CRA notified body must be independent of the organisation and product it assesses. It and its relevant management and assessment personnel must not be the designer, developer, manufacturer, supplier, importer, distributor, installer, purchaser, owner, user, maintainer, or authorised representative of the products being assessed.

The CRA also bars activities that conflict with independence of judgement or integrity, especially consultancy services. A body connected to an industry association can still qualify only if independence and absence of conflicts of interest are demonstrated.

Citations
Cyber Resilience Act

Article 39(3) to (5) set third-party independence, conflict-of-interest, consultancy, and association-membership conditions.

CRA Notified Bodies

What competence and process capabilities must a CRA notified body have?

For every CRA procedure and product kind or category in its notified scope, the body must have personnel, procedures, means, equipment, and facilities needed to perform the assessment tasks. Its procedures must be transparent and reproducible and must distinguish notified-body tasks from other activities.

Assessment personnel must have appropriate training, knowledge of the applicable CRA requirements, harmonised standards and common specifications, and the ability to draw up certificates, records, and reports showing that assessments were carried out.

Citations
Cyber Resilience Act

Article 39(6) and (7) define the personnel, procedures, equipment, facilities, training, and reporting capabilities required for notified scope.

CRA Notified Bodies

Can a notified body use subcontractors or subsidiaries?

Yes, but the notified body remains responsible. It must ensure the subcontractor or subsidiary meets Article 39 requirements, inform the notifying authority, keep qualification and work records available to the notifying authority, and obtain the manufacturer's agreement before subcontracting activities or using a subsidiary.

Subcontracting does not expand the notified body's scope. The manufacturer's check should still start with the notified body's own CRA notification and the activities it is authorised to perform.

Citations
Cyber Resilience Act

Article 41 allows subcontracting and subsidiaries only with Article 39 compliance, notifying-authority information, manufacturer agreement, and retained responsibility.

CRA Notified Bodies

What happens if a notified body finds non-compliance?

Before issuing a certificate, the notified body must require corrective measures and must not issue the certificate if non-compliance remains. After a certificate has been issued, it must require corrective measures and, if necessary, suspend or withdraw the certificate.

If corrective measures are not taken or do not have the required effect, the notified body must restrict, suspend, or withdraw the certificate as appropriate. Member States must also ensure that an appeal procedure against notified-body decisions is available.

Citations
Cyber Resilience Act

Article 47(4) to (6) cover corrective measures and certificate refusal, restriction, suspension, or withdrawal; Article 48 requires appeal procedures.

CRA Notified Bodies

What information must CRA notified bodies share?

Notified bodies must inform their notifying authority about certificate refusals, restrictions, suspensions, or withdrawals; circumstances affecting the scope or conditions of notification; and certain information requests from market surveillance authorities. On request, they must also provide information about conformity assessment activities, including cross-border activities and subcontracting.

They must also share relevant information with other notified bodies carrying out similar CRA conformity assessment activities for the same products: negative results must be shared, and positive results must be shared on request. Annex VIII adds specific information-sharing duties for EU-type examination certificates and Module H quality-system approvals.

Citations
Cyber Resilience Act

Article 49 and Annex VIII Part II point 9 and Part IV point 7 set information-sharing duties toward authorities and other notified bodies.

CRA Notified Bodies

What happens if a CRA notified body no longer meets the requirements?

The notifying authority must restrict, suspend, or withdraw the notification depending on the seriousness of the failure, and it must inform the Commission and the other Member States.

If the notification is restricted, suspended, or withdrawn, or the body ceases activity, the notifying Member State must ensure that the body's files are either taken over by another notified body or kept available for the responsible notifying and market-surveillance authorities.

Citations
Cyber Resilience Act

Article 45 sets restriction, suspension, withdrawal, notification, and file-handling rules when a body no longer meets requirements.

CRA Notified Bodies

Can the Commission challenge a notified body's competence?

Yes. The Commission must investigate where it has doubts, or where doubts are brought to its attention, about a notified body's competence or its continued fulfilment of CRA requirements and responsibilities.

If the Commission concludes that the body does not meet or no longer meets the notification requirements, it asks the notifying Member State to take corrective measures, including de-notification if necessary.

Citations
Cyber Resilience Act

Article 46 gives the Commission a competence-challenge process and allows requests for corrective measures including de-notification.

CRA Notified Bodies

Can AI Act notified bodies also assess CRA cybersecurity requirements?

Sometimes. For high-risk AI systems that also fall within the CRA, notified bodies competent under the AI Act may control conformity with CRA Annex I requirements if their compliance with CRA Article 39 has been assessed in the AI Act notification procedure.

This is not a general shortcut for all CRA products. The Article 12 rule is tied to high-risk AI systems and the CRA conditions specified there.

Citations
Cyber Resilience Act

Article 12(2) addresses high-risk AI systems and when AI Act notified bodies may assess CRA Annex I cybersecurity requirements.

CRA Notified Bodies

If a body is notified under another EU law, does it automatically count under the CRA?

No. The CRA expects bodies accredited and notified under other Union frameworks with similar requirements to be newly assessed and notified under the CRA, although synergies can be used where requirements overlap.

For manufacturers, this means a certificate, audit relationship, or notified-body number under another EU act is not enough. The CRA listing and scope must support the CRA procedure being relied on.

Citations
Cyber Resilience Act

Recital 100 and Article 43 support new CRA assessment and notification, with possible synergies for overlapping requirements.

CRA Open-Source Software

What counts as free and open-source software under the CRA?

Under the CRA, free and open-source software means software whose source code is openly shared and which is made available under a licence that provides the rights to make it freely accessible, usable, modifiable, and redistributable.

CRA Open-Source Software

Does the CRA apply to all open-source software?

No.

For the economic operators covered by the CRA, only free and open-source software made available on the market, meaning supplied for distribution or use on the Union market in the course of a commercial activity, falls under the full CRA product regime.

CRA Open-Source Software

Does the open-source label itself keep software outside the CRA?

No.

Open-source status does not by itself decide the issue. The key CRA question is whether the software is supplied on the Union market in the course of a commercial activity.

CRA Open-Source Software

What does "commercial activity" mean for open-source software under the CRA?

The CRA does not reduce it to a single formal test.

Recital 15 gives practical indicators. Commercial activity may be characterised not only by charging a price for the software itself, but also by charging for technical support where that does not merely recover actual costs, by an intention to monetise, by using the software to monetise other services, by requiring personal-data processing as a condition of use for reasons other than security, compatibility, or interoperability, or by accepting donations exceeding the costs associated with the software's design, development, and provision.

CRA Open-Source Software

If the software is open source but sold for a price, is it in scope?

Yes, in principle.

If the software is supplied on the Union market in the course of a commercial activity, open-source status does not prevent it from being treated as a product with digital elements under the CRA.
