EU Cyber Resilience Act FAQ Notified Bodies

A CRA notified body is a conformity assessment body that has been assessed, designated, and notified for CRA conformity assessment tasks. It may be public or private, but it must meet the CRA requirements for legal personality, independence, competence, impartiality, confidentiality, and operational capability.

A body does not become a CRA notified body just because it performs cybersecurity audits, penetration testing, certification, or assessments under another EU law. For CRA purposes, the notification procedure must be completed and the body's public notification must cover the relevant CRA activities.

Each Member State designates a notifying authority. That authority is responsible for the procedures used to assess, designate, notify, and monitor conformity assessment bodies, including their use of subsidiaries or subcontractors.

A Member State may use a national accreditation body for assessment and monitoring. If assessment, notification, or monitoring is delegated to a non-governmental body, the notifying authority remains fully responsible for the delegated tasks.

The body applies to the notifying authority in the Member State where it is established. The application must describe the conformity assessment activities, the conformity assessment procedure or procedures, and the products with digital elements for which the body claims competence.

Where available, the application includes an accreditation certificate from a national accreditation body. Without accreditation, the body must provide documentary evidence allowing the notifying authority to verify, recognise, and regularly monitor compliance with Article 39.

A body may perform CRA notified-body activities only after the Article 43 notification procedure is complete. If the notification relies on accreditation, the no-objection period is two weeks. If it does not rely on accreditation, the no-objection period is two months.

The notification must include full details of the conformity assessment activities, the module or modules, the products with digital elements concerned, and the relevant attestation of competence. That scope is central: a body can be notified for some CRA activities without being competent for every CRA module or product category.

The Commission assigns each CRA notified body an identification number and publishes an up-to-date list showing the bodies notified under the CRA, their numbers, and the activities for which they have been notified.

A listing should be read as a scope record, not as a blanket approval. Manufacturers should check whether the listed CRA notification covers the product with digital elements, the applicable conformity route, and the specific module needed for the assessment.

No. Where the CRA procedure requires a notified body, Annex VIII lets the manufacturer apply to a single notified body of its choice for the relevant Module B or Module H assessment.

The practical constraint is scope, not the manufacturer's location. The selected body must be notified for the CRA module and product scope that match the product and assessment route.

A notified body is part of the route when the product must use Module B+C or Module H. Module A, internal control, does not involve a notified body.

Article 32 allows several conformity routes. For important class I products, third-party assessment is triggered where qualifying harmonised standards, common specifications, or cybersecurity certification routes are not applied or do not exist for the relevant requirements. Important class II products use Module B+C, Module H, or an applicable certification route. Critical products use the Article 8 certification route where it applies, otherwise the CRA third-party routes in Article 32 apply.

Module B is the notified-body step. The notified body examines the technical design and development of the product and the manufacturer's vulnerability-handling processes, reviews technical documentation and supporting evidence, examines specimens of critical parts, and carries out or arranges appropriate examinations and tests.

Module C follows Module B and is not a second notified-body production approval. Under Module C, the manufacturer ensures and declares that production units conform to the type described in the EU-type examination certificate and satisfy the CRA requirements.

If the product type and vulnerability-handling processes meet the applicable essential cybersecurity requirements, the notified body issues an EU-type examination certificate. The certificate identifies the manufacturer, states the conclusions of the examination, records any validity conditions, and includes the data needed to identify the approved type and vulnerability-handling processes.

If the type or vulnerability-handling processes do not meet the requirements, the notified body must refuse the certificate and give detailed reasons. Modifications that may affect conformity or certificate validity require additional approval as an addition to the original EU-type examination certificate.

Yes, but the surveillance is specific. Under Module B, the notified body must carry out periodic audits to ensure that the manufacturer's vulnerability-handling processes are implemented adequately.

That does not turn Module C into notified-body production surveillance. The production-control obligation remains with the manufacturer under Module C.

Module H is full quality assurance. The manufacturer operates an approved quality system for design, development, production, final product inspection and testing, and vulnerability handling. The notified body assesses whether that quality system satisfies the CRA requirements.

The quality-system documentation must cover responsibilities, design and development specifications, vulnerability-handling process specifications, production and quality assurance techniques, examinations and tests, quality records, and monitoring of product quality and system effectiveness.

Module H has surveillance under the responsibility of the notified body. The purpose is to make sure the manufacturer fulfils the obligations arising from the approved quality system.

For assessment, the manufacturer must allow access to design, development, production, inspection, testing, and storage sites and provide quality-system documentation and quality records. The notified body carries out periodic audits and provides an audit report.

Module B+C is product-type oriented: a notified body examines the type and vulnerability-handling processes, then the manufacturer controls production conformity to the approved type.

Module H is system oriented: the notified body assesses and surveils the manufacturer's quality system covering design, development, production, final inspection, testing, and vulnerability handling for the covered product categories. The Commission FAQ notes that Module H can be useful for manufacturers with numerous product types or frequent updates because it can streamline assessment of new or substantially modified products within the approved system.

Only for the CRA Module H route. Article 30 says the CE marking is followed by the notified body's identification number where that body is involved in conformity assessment based on full quality assurance.

For Module B+C, the CRA requires the manufacturer to keep the EU-type examination certificate and use Module C production control, but Article 30's notified-body-number rule is tied to Module H.

A CRA notified body must be independent of the organisation and product it assesses. It and its relevant management and assessment personnel must not be the designer, developer, manufacturer, supplier, importer, distributor, installer, purchaser, owner, user, maintainer, or authorised representative of the products being assessed.

The CRA also bars activities that conflict with independence of judgement or integrity, especially consultancy services. A body connected to an industry association can still qualify only if independence and absence of conflicts of interest are demonstrated.

For every CRA procedure and product kind or category in its notified scope, the body must have personnel, procedures, means, equipment, and facilities needed to perform the assessment tasks. Its procedures must be transparent and reproducible and must distinguish notified-body tasks from other activities.

Assessment personnel must have appropriate training, knowledge of the applicable CRA requirements, harmonised standards and common specifications, and the ability to draw up certificates, records, and reports showing that assessments were carried out.

Yes, but the notified body remains responsible. It must ensure the subcontractor or subsidiary meets Article 39 requirements, inform the notifying authority, keep qualification and work records available to the notifying authority, and obtain the manufacturer's agreement before subcontracting activities or using a subsidiary.

Subcontracting does not expand the notified body's scope. The manufacturer's check should still start with the notified body's own CRA notification and the activities it is authorised to perform.

Before issuing a certificate, the notified body must require corrective measures and must not issue the certificate if non-compliance remains. After a certificate has been issued, it must require corrective measures and, if necessary, suspend or withdraw the certificate.

If corrective measures are not taken or do not have the required effect, the notified body must restrict, suspend, or withdraw the certificate as appropriate. Member States must also ensure that an appeal procedure against notified-body decisions is available.

Notified bodies must inform their notifying authority about certificate refusals, restrictions, suspensions, or withdrawals; circumstances affecting the scope or conditions of notification; and certain information requests from market surveillance authorities. On request, they must also provide information about conformity assessment activities, including cross-border activities and subcontracting.

They must also share relevant information with other notified bodies carrying out similar CRA conformity assessment activities for the same products: negative results must be shared, and positive results must be shared on request. Annex VIII adds specific information-sharing duties for EU-type examination certificates and Module H quality-system approvals.

The notifying authority must restrict, suspend, or withdraw the notification depending on the seriousness of the failure, and it must inform the Commission and the other Member States.

If notification is restricted, suspended, withdrawn, or the body ceases activity, the notifying Member State must ensure the body's files are handled by another notified body or kept available for the responsible notifying and market-surveillance authorities.

Yes. The Commission must investigate where it doubts, or where doubt is brought to its attention about, a notified body's competence or continued fulfilment of CRA requirements and responsibilities.

If the Commission concludes that the body does not meet or no longer meets the notification requirements, it asks the notifying Member State to take corrective measures, including de-notification if necessary.

Sometimes. For high-risk AI systems that also fall within the CRA, notified bodies competent under the AI Act may control conformity with CRA Annex I requirements if their compliance with CRA Article 39 has been assessed in the AI Act notification procedure.

This is not a general shortcut for all CRA products. The Article 12 rule is tied to high-risk AI systems and the CRA conditions specified there.

No. The CRA expects bodies accredited and notified under other Union frameworks with similar requirements to be newly assessed and notified under the CRA, although synergies can be used where requirements overlap.

For manufacturers, this means a certificate, audit relationship, or notified-body number under another EU act is not enough. The CRA listing and scope must support the CRA procedure being relied on.