Notification of Conformity Assessment Bodies to the European Commission

A notified body is a conformity assessment organisation that has been assessed, authorised, and notified to the European Commission by a member state national authority. Notified bodies are the third-party organisations that can conduct conformity assessments under Module B (type examination), Module H (quality management system assessment), and other modules that require third-party involvement.

Under the CRA, notified bodies are required for manufacturers of products in the higher-risk classes defined in Annex III — Class I (important products) and Class II (critical products). Default-class products can use Module A self-declaration without any notified body involvement.

Notified bodies are listed in NANDO (New Approach Notified and Designated Organisations), the European Commission's database of notified bodies. Manufacturers seeking third-party assessment should verify that their chosen assessment body is listed in NANDO for the relevant CRA assessment modules before engaging them.

Member states notify conformity assessment bodies to the Commission through the NANDO notification system. Before notifying a body, the member state must ensure the body meets the requirements set out in the CRA regarding competence, impartiality, independence from manufacturers, and financial stability.

The notification must specify the types of products and assessment tasks the body is authorised to handle. A notified body's scope is defined at notification — a body notified for consumer IoT assessments may not be authorised to assess industrial control systems without a separate or expanded notification.

Once a body is notified and appears in NANDO, manufacturers across all EU member states can engage it for assessments — not only manufacturers in the member state that notified the body. This cross-border validity is important for manufacturers seeking to choose assessment bodies based on expertise and commercial terms rather than geography.

Before a conformity assessment body can be notified under the CRA, it must typically be accredited by a national accreditation body recognised under Regulation (EC) 765/2008 (the accreditation regulation). Accreditation demonstrates that the body meets the competence and impartiality requirements — typically assessed against ISO/IEC 17065 (product certification bodies) or relevant standards depending on the assessment activity.

The CRA specifies specific competence requirements for cybersecurity assessment bodies, including technical knowledge of the relevant product categories, familiarity with cybersecurity testing methodologies, and understanding of the CRA's essential requirements. Bodies without accreditation in cybersecurity-relevant domains should not be used for CRA assessments, even if they are notified for other regulatory purposes.

Manufacturers should request evidence of the notified body's NANDO listing and accreditation scope before commissioning an assessment.

Member states are responsible for ongoing monitoring of the notified bodies they have authorised. If a notified body ceases to meet the requirements — for example, due to loss of accreditation, financial instability, or demonstrated incompetence — the member state must restrict, suspend, or withdraw its notification.

When a body's notification is withdrawn or suspended, this information is updated in NANDO and the Commission is informed. Certificates and assessment reports issued by a body before withdrawal remain valid unless the withdrawal was based on fraud or fundamental competence failure.

Manufacturers should periodically verify that the notified body that issued their assessment remains active and authorised. If a body's notification is withdrawn, they should assess whether a re-assessment by an alternative body is required.

For manufacturers of Annex III products, the availability of appropriately notified bodies is a practical constraint on market readiness. At the time of the CRA's application, the notified body market for cybersecurity assessments is still developing. Not all EU member states have notified bodies with cybersecurity expertise across all product categories.

Manufacturers should engage potential assessment bodies early — ideally 12 to 18 months before their target product launch date — to understand assessment timelines, costs, and documentation requirements. Capacity constraints at notified bodies could delay product launches if manufacturers leave engagement too late.

Product design choices that simplify the assessment process — such as using harmonised standards, maintaining rigorous technical documentation from the start of the development cycle, and building in security testing as a standard development step — can significantly reduce assessment time and cost.