EU Cyber Resilience Act FAQ Notified Bodies

A notified body is a conformity assessment body that has been designated and notified under the CRA to carry out notified-body conformity assessment activities.

The Commission assigns it an identification number and makes the list of notified bodies and their notified activities publicly available.

No.

A body becomes a notified body for CRA purposes only after it has been notified in accordance with Article 43 and the objection period has passed without objection.

A notified body is needed where the applicable CRA route is module B+C or module H.

That typically means important products of class I where Article 32(2) requires third-party assessment, important products of class II unless a qualifying certification route applies, and critical products where the Article 8(1) certification route does not apply. Module A does not involve a notified body.

Under module B, the notified body examines the product's technical design and development and the manufacturer's vulnerability-handling processes, reviews the technical documentation and supporting evidence, verifies specimens, and carries out or arranges the necessary examinations and tests.

If the outcome is positive, it issues the EU-type examination certificate. Under module C, the manufacturer remains responsible for production conformity.

Under module H, the notified body assesses and approves the manufacturer's quality system, reviews technical documentation for representative models, and then surveils the approved quality system through periodic audits.

Each Member State designates a notifying authority for that purpose.

The notifying authority is responsible for the assessment, designation, notification, and monitoring of conformity assessment bodies, including compliance with the CRA rules on subsidiaries and subcontracting.

Yes, under conditions.

Member States may decide that assessment and monitoring are carried out by a national accreditation body under Regulation (EC) No 765/2008. If the notifying authority delegates assessment, notification, or monitoring to a non-governmental body, that body must meet the CRA requirements applicable to notifying authorities and the notifying authority keeps full responsibility for the delegated tasks.

They must be organised to avoid conflicts of interest and preserve objectivity and impartiality.

The CRA also requires that decisions on notification are taken by competent persons different from those who carried out the assessment, and it prohibits the notifying authority from offering conformity-assessment activities or consultancy services on a commercial or competitive basis.

They must be third-party bodies independent from the organisation and the product with digital elements they assess.

They and their relevant personnel must not be the designer, developer, manufacturer, supplier, importer, distributor, installer, purchaser, owner, user, or maintainer of the assessed products, and they must not engage in activities that conflict with their independence of judgment or integrity. The CRA states expressly that this applies in particular to consultancy services.

Possibly, yes.

Article 39(3) allows a body belonging to a business association or professional federation to be treated as a third-party body if its independence and the absence of conflicts of interest are demonstrated.

It must be capable of carrying out all the conformity-assessment tasks for which it is notified and must have the necessary personnel, procedures, means, equipment, and facilities.

Its personnel must also have the required training, knowledge of the CRA requirements, harmonised standards and common specifications, and the ability to draw up certificates, records, and reports showing that assessments were carried out.

Yes.

The CRA requires impartiality, bans remuneration structures tied to assessment numbers or results, requires liability insurance unless public liability arrangements apply, and imposes professional secrecy obligations with documented procedures to protect confidential information.

Yes.

They must participate in, or ensure their assessment personnel are informed of, the relevant standardisation activities and the work of the notified body coordination group established under Article 51, and they must use that group's administrative decisions and documents as general guidance.

Yes.

Notified bodies must operate on consistent, fair, proportionate, and reasonable terms and conditions while avoiding unnecessary burden for economic operators, taking particular account of the interests of microenterprises and SMEs in relation to fees.

One route is through relevant harmonised standards.

Article 40 gives a presumption of conformity with Article 39 where the body demonstrates conformity with the relevant harmonised standards, insofar as those standards cover the applicable requirements.

Yes, but only under conditions.

The notified body must ensure that the subcontractor or subsidiary meets the Article 39 requirements, inform the notifying authority, take full responsibility for the outsourced tasks, and obtain the manufacturer's agreement.

It must submit an application to the notifying authority of the Member State where it is established.

That application must include a description of the conformity-assessment activities, the procedures, and the products for which it claims competence and, where applicable, an accreditation certificate. If there is no accreditation certificate, the body must provide documentary evidence showing compliance with Article 39.

Only after the Article 43 notification procedure is complete.

If the notification is based on an accreditation certificate, the body may operate if no objection is raised within two weeks. If the notification is not based on accreditation, the no-objection period is two months.

The Commission assigns each notified body a single identification number and publishes an up-to-date public list of notified bodies, their identification numbers, and the activities for which they have been notified.

The notifying authority must restrict, suspend, or withdraw the notification, depending on the seriousness of the problem.

If the notification is restricted, suspended, or withdrawn, or the notified body stops activity, the notifying Member State must ensure that the body's files are either handled by another notified body or kept available for the responsible notifying and market-surveillance authorities.

Yes.

The Commission must investigate cases where it doubts, or is told to doubt, the competence of a notified body or its continued fulfilment of the applicable requirements. If the Commission concludes that the body no longer meets the requirements for notification, it requests corrective measures from the notifying Member State, including de-notification if necessary.

It must carry out conformity assessments in accordance with Article 32 and Annex VIII, in a proportionate way that avoids unnecessary burden but still preserves the required degree of rigour and protection.

It must require appropriate corrective measures and must not issue the certificate.

It must require corrective measures and, if necessary, suspend or withdraw the certificate.

If corrective measures are not taken or do not have the required effect, it must restrict, suspend, or withdraw the certificate as appropriate.

Yes.

Member States must ensure that an appeal procedure against decisions of notified bodies is available.

They must inform the notifying authority about refusals, restrictions, suspensions, or withdrawals of certificates, circumstances affecting the scope or conditions of notification, certain information requests from market-surveillance authorities, and, on request, information about their conformity-assessment activities, including cross-border activities and subcontracting.

They must provide other notified bodies carrying out similar conformity-assessment activities for the same products with relevant information on negative results and, on request, positive results.

Annex VIII adds more specific certificate-sharing duties for module B and module H approvals.

The Commission must organise exchange of experience between national authorities responsible for notification policy and ensure appropriate coordination and cooperation between notified bodies through a cross-sectoral group of notified bodies.

Member States must ensure that their notified bodies participate in that group, directly or through designated representatives.

Yes.

Chapter IV, which includes Articles 35 to 51 on notified bodies and notification, applies from 11 June 2026, even though most CRA obligations apply later.

Yes, where the CRA's conditions are met.

Article 12(2) says that notified bodies competent under the AI Act may also control conformity of high-risk AI systems falling within the CRA, provided their compliance with the CRA's Article 39 requirements has been assessed in the AI Act notification procedure.

No.

Where the CRA requires a notified body, the relevant procedures let the manufacturer apply to a single notified body of its choice. The CRA also states that notified bodies may offer their services throughout the Union. In practice, the key legal limit is not the manufacturer's location but whether the chosen body's notification covers the relevant CRA procedure and product scope.

No.

The CRA notification must specify the conformity-assessment activities, the module or modules, and the product or products with digital elements for which the body is competent. The public list likewise shows the activities for which the body has been notified. So a manufacturer should check that the body's CRA notification actually covers the relevant module and product scope.

No.

Accreditation is the preferred means of demonstrating competence, and an accreditation certificate can accompany the notification application. But the CRA also allows notification without accreditation if the body provides the documentary evidence needed to verify compliance with Article 39. In that case, the notifying authority must supply that evidence to the Commission and the other Member States, and the no-objection period is two months rather than two weeks.

No.

The CRA says bodies accredited and notified under other Union frameworks with similar requirements should still be newly assessed and notified under the CRA. Synergies may be used to avoid unnecessary burden where requirements overlap, but the body becomes a CRA notified body only once the CRA notification procedure is completed.

No.

Article 44 says the Commission assigns a single identification number even where the body is notified under several Union legal acts. The Blue Guide adds that this NANDO number is an administrative identifier for managing the lists of notified bodies; it does not itself confer substantive rights or scope beyond the published notification.