Notified Body
A Notified Body is an independent third-party organisation accredited by an EU member state to conduct conformity assessments on behalf of manufacturers. Under the Cyber Resilience Act, Notified Bodies are required for Class II and certain Class I products that cannot self-certify compliance.
What Is a Notified Body?
A Notified Body is an independent conformity assessment organisation that has been formally accredited by a national accreditation body and notified to the European Commission by its member state. These organisations are authorised to perform third-party conformity assessments under specific EU legislation, issuing certificates that manufacturers need to affix the CE mark to their products. Under the Cyber Resilience Act, Notified Bodies carry out cybersecurity-focused assessments, examining whether a product's design, development processes, and vulnerability handling mechanisms meet the essential requirements set out in Annex I. A list of all notified bodies is published in the NANDO (New Approach Notified and Designated Organisations) database maintained by the European Commission.
When Is a Notified Body Required Under the CRA?
The CRA establishes three conformity assessment routes. Default-class products (the vast majority) may self-certify via internal production control. Important Class I products have the option of using a Notified Body but may alternatively apply a harmonised standard and self-declare. Important Class II products — a smaller set of higher-risk categories such as hypervisors, industrial control systems, and smart meters — must involve a Notified Body unless they fully comply with a harmonised standard, in which case the manufacturer may self-certify using that standard's conformity route. Manufacturers of Class II products should begin engaging a Notified Body early in the product development lifecycle, as assessment timelines can extend to several months.
What Does a Notified Body Assessment Cover?
A Notified Body assessment for CRA purposes typically covers three areas. First, a review of technical documentation — verifying that security requirements have been identified, risk assessments conducted, threat models produced, and secure development processes followed. Second, an examination of vulnerability handling procedures — confirming that the manufacturer has a published CVD policy, a PSIRT function, a process for CVSS scoring and triage, and a mechanism for issuing security advisories. Third, testing of the product itself, either through review of existing test evidence or through independent testing, to verify that the essential cybersecurity requirements of Annex I are met. Notified Bodies issue EU-type examination certificates that are valid for a defined period and must be renewed when significant product changes occur.
Choosing and Working With a Notified Body
Manufacturers should select a Notified Body with specific expertise in their product category — cybersecurity competence varies significantly between organisations. Key considerations include: whether the body is listed in NANDO for the relevant EU directive and CRA modules; the body's experience with software-intensive products; its capacity to assess vulnerability handling processes and not just hardware; and its geographic availability. Manufacturers should engage a Notified Body well before the CRA's compliance deadline for their product class. Providing complete technical documentation upfront, including threat models, SBOM, and vulnerability handling logs, significantly reduces assessment time and cost. CVD Portal's compliance export features are designed to generate the documentation artefacts Notified Bodies commonly request.
CVD Portal makes Notified Body compliance straightforward.
Public CVD submission portal, acknowledgment tracking, Article 14 deadline alerts, and CSAF advisory generation. Free forever for EU manufacturers.
Frequently asked
How do I find an accredited Notified Body for CRA assessments?
The European Commission's NANDO database (ec.europa.eu/growth/tools-databases/nando) lists all notified bodies by directive and module. Once the CRA is fully operative, bodies notified specifically for CRA conformity assessment will appear there. Until then, manufacturers of higher-risk products should engage bodies already experienced in cybersecurity product assessment under RED or NIS2-adjacent frameworks, as these are most likely to gain CRA notification.
Can a manufacturer switch Notified Body mid-assessment?
Yes, a manufacturer can change their Notified Body, but doing so will typically require restarting the assessment process, as each body conducts its own independent review. There is no automatic transfer of assessment work between bodies. Manufacturers should avoid switching unless there is a compelling reason, as it creates delays and additional cost.
How long is a Notified Body certificate valid?
CRA EU-type examination certificates do not have a fixed universal validity period — this is set by the Notified Body and is typically three to five years. Certificates must be renewed when significant product changes occur that could affect compliance. The Notified Body may require re-assessment of specific areas when a product receives major security-relevant updates.