CRA Art.26: Notified Bodies — Requirements, Selection & Practical Guide for Class II Manufacturers (Developer Guide 2026)
Post #472 in the sota.io EU Cyber Compliance Series
Article 25 of the EU Cyber Resilience Act defines three conformity assessment paths. Most manufacturers self-certify via Annex VIII. But for Class II critical products — hardware security modules, root CAs, smart meter infrastructure — Annex X mandatory third-party certification applies. This means involving a notified body (NB). Article 26 (and the surrounding Chapter IV, Articles 26–36) defines how notified bodies are constituted, designated, and supervised.
Why manufacturers need to understand this chapter: Class II manufacturers cannot simply pick any testing laboratory. They must use a body formally notified to the European Commission by a Member State — a process involving national accreditation, competence verification, and legal designation. Getting this selection wrong can invalidate your entire conformity assessment.
Deadline: 11 December 2027. Article 26 obligations apply from that date. Given accreditation backlogs and the limited number of NBs currently designated for cybersecurity, Class II manufacturers should identify and engage their NB by mid-2026 at the latest.
What Is a Notified Body?
A notified body is a third-party conformity assessment organization that a Member State has formally notified to the European Commission as competent to carry out conformity assessment procedures under the CRA. "Notification" is the legal act by which the Member State informs the Commission that a specific body (an accredited laboratory, certification institute, or inspection body) is authorized to issue certificates under the CRA.
Notified bodies are identified by a unique four-digit number (e.g., NB 2456) assigned by the Commission. They appear in the NANDO (New Approach Notified and Designated Organisations) database at ec.europa.eu/growth/tools-databases/nando/, which is the authoritative public registry.
Under the CRA, notified bodies perform:
- Annex IX EU type-examination: Reviews the technical documentation and tests a representative product sample for Class I products that opt for third-party assessment
- Annex X third-party certification: Full product evaluation for Class II critical products (mandatory)
- EUCC-aligned assessments: Where a manufacturer uses the European Cybersecurity Certification Scheme (EUCC) instead of CRA conformity procedures
The Notification Architecture: Three Layers
Understanding how NBs are designated requires understanding the three-layer system:
Layer 1 — National Accreditation Body (NAB): Each Member State has one national accreditation body (typically the national metrology or standards institute, such as DAkkS in Germany, UKAS in the UK (pre-Brexit), COFRAC in France, or RvA in the Netherlands). The NAB assesses whether a conformity assessment body meets the ISO 17065 (for product certification) or ISO 17021 (for management system certification) competence requirements. Accreditation from the NAB is the technical foundation for notification.
Layer 2 — National Notifying Authority: The Member State designates a government authority to review accredited bodies and formally notify them to the Commission. The notifying authority verifies that the body is legally established, independent, impartial, and capable of performing the specific conformity assessment tasks it is being notified for. Under Art.26, Member States must inform the Commission which authority they have designated as the notifying authority for CRA purposes.
Layer 3 — European Commission: The Commission receives Member State notifications via the NANDO IT system. If no objection is raised within two weeks (or four weeks if the NB is not accredited), the notification takes effect and the body receives its four-digit NB number.
For manufacturers: you deal only with Layer 3 — you select a notified body from the NANDO database, contract directly with them, and pay their assessment fees. The Layer 1 and Layer 2 processes happen before the NB appears in NANDO.
Article 26 Requirements: What Notified Bodies Must Demonstrate
Article 26 sets out the conditions a conformity assessment body must satisfy before a Member State may notify it. These requirements protect manufacturers from engaging with incompetent or conflicted assessors.
Independence and Impartiality (Art.26(1))
The notified body must be independent of the manufacturer, importer, and distributor of the products it assesses. Critically, it must be independent of:
- Any business association or trade organization that represents manufacturers of products covered by the CRA
- Competitors of the organizations it assesses
- Any organization that consults on CRA compliance matters commercially
This means a law firm or consultancy that provides CRA compliance services cannot be notified as a conformity assessment body for the same product categories. The NB cannot have its own CRA-compliant products on the market.
Technical Competence (Art.26(2))
The notified body must demonstrate technical competence across all product categories it seeks to be notified for. For CRA cybersecurity assessments, this means:
- Staff with expertise in embedded security, cryptographic implementation, network protocol security, software vulnerability analysis, and supply chain security
- Access to laboratory equipment capable of performing penetration testing, side-channel analysis, and firmware analysis
- Documented assessment methodologies aligned with CRA Annex I essential requirements and applicable harmonised standards (EN 18031 series)
Accreditation by the national accreditation body under ISO/IEC 17065 is the standard means of demonstrating competence. Art.26 allows (but does not require) accreditation — notifying authorities may notify bodies without accreditation but must notify the Commission with additional justification documentation.
Organizational Requirements (Art.26(3)–(5))
- Legal personality: The NB must be a distinct legal entity, not a department of a manufacturer
- Liability insurance: Must maintain professional indemnity insurance sufficient to cover assessment activities
- Personnel: Staff must not be under financial or other pressure from assessed manufacturers; assessment personnel cannot be remunerated based on the number or result of assessments performed
- Confidentiality: Staff are bound by professional secrecy for all information obtained during assessments (except vis-à-vis market surveillance authorities)
- Conflict of interest management: Must maintain procedures to identify and manage conflicts of interest, including for personnel who previously worked at assessed manufacturers
Subcontracting Constraints (Art.32)
Notified bodies may subcontract specific assessment tasks but:
- Must maintain overall responsibility for the assessment
- Cannot subcontract to entities that do not meet the same independence requirements
- Must inform the manufacturer when subcontracting is proposed
- Must make subcontracting information available to market surveillance authorities on request
For manufacturers: this means your NB may use specialist subcontractors for specific technical tests (e.g., side-channel analysis). Your contract should address how subcontractor reports feed into the final certification decision.
The Notification Procedure (Art.28–29)
When a conformity assessment body seeks to become a notified body for CRA purposes:
- Application to national notifying authority: The body submits evidence of accreditation (or technical competence without accreditation) plus documentation on independence, organizational structure, and assessment scope
- Notifying authority review: The national authority verifies requirements under Art.26 are met; if accreditation exists, this review is simplified
- Commission notification via NANDO: The Member State submits the notification electronically through the NANDO IT system; the body receives a preliminary NB number
- Objection period: The Commission and other Member States have two weeks (four weeks without accreditation) to raise objections; if no objection, notification takes effect
- Effective notification: The body's NB number and scope are published in NANDO; manufacturers may now contract with the body for CRA assessments
Timeline implication for manufacturers: New NBs will emerge as the December 2027 deadline approaches. If your preferred NB is not yet in NANDO, check their accreditation status with the national NAB — accreditation typically precedes notification by 6–12 months.
Finding and Selecting a Notified Body
NANDO Database Search
The authoritative source for notified bodies is NANDO at ec.europa.eu/growth/tools-databases/nando/. When searching for CRA notified bodies:
- Select "Regulation (EU) 2024/2847 (Cyber Resilience Act)" from the legislation list
- Filter by product category (Annex III Class II, or Annex IV Class I)
- Review the notification scope carefully — some NBs may be notified only for specific product types (e.g., HSMs but not root CAs)
- Verify the notification status is "Active" (not "Suspended" or "Withdrawn")
As of early 2026, the CRA has only recently entered its applicability phase. The number of CRA-notified bodies is expected to increase significantly through 2026–2027. Early movers will face less competition for NB capacity.
Selection Criteria Beyond NANDO Listing
Being listed in NANDO is a necessary but not sufficient criterion. Also evaluate:
Technical scope match: Does the NB have demonstrated experience with your specific product category? An NB notified for smart meters may not have relevant expertise for HSMs. Request references from comparable product assessments.
Capacity and lead times: In the 2026–2027 period, popular NBs will face queue backlogs. Get a lead time estimate early — some NBs are reporting 6–12 month queues for Annex X assessments.
Geographic presence: NBs may have assessment personnel only in specific countries; international travel costs add to assessment fees. An NB headquartered near your development team reduces coordination friction.
Fee structure: NB fees vary widely. Expect EUR 15,000–80,000 for a full Class II Annex X assessment depending on product complexity, documentation maturity, and NB. Request itemized quotes.
Communication and documentation language: Confirm the NB can operate in your team's working language for document review and on-site visits.
Assessment Process: What to Expect During Annex X Certification
For Class II manufacturers engaging a notified body under Annex X:
Phase 1 — Pre-assessment (optional but recommended): The NB reviews a draft of your technical documentation and provides preliminary feedback on gaps. Cost: typically 10–20% of full assessment fee. Benefit: identifies documentation gaps before the formal assessment, reducing risk of rejection.
Phase 2 — Technical documentation review: The NB systematically reviews your Annex V technical documentation against CRA Annex I requirements. Key focus areas:
- Security risk assessment methodology and outcomes
- Implementation of all applicable Annex I Part I essential requirements
- Vulnerability handling processes (Art.13(6), Art.16)
- SBOM completeness and format (Annex I Part II)
- Secure development lifecycle evidence (design reviews, code reviews, penetration tests)
Phase 3 — Product testing: The NB tests a representative sample against applicable harmonised standards (EN 18031-1, EN 18031-2, EN 18031-3 as applicable to your product category). Testing may include:
- Penetration testing of the product's security mechanisms
- Cryptographic algorithm and key management validation
- Secure boot and firmware verification
- Network communication security analysis
- Side-channel analysis for hardware security products
Phase 4 — Assessment report and certificate decision: The NB issues an assessment report. If compliant, a CRA certificate is issued for the specific product version. The certificate includes the product description, assessed standards, and validity period (typically 5 years).
Phase 5 — Surveillance (ongoing): After initial certification, NBs typically conduct annual surveillance reviews to verify continued conformity. Significant product changes trigger re-assessment under Art.20 (substantial modification).
Python Tool: CRANotifiedBodySelector
```python
from dataclasses import dataclass
from typing import Optional
import json
from datetime import date, timedelta


@dataclass
class ProductProfile:
    name: str
    category: str  # "Class II", "Class I", "Default"
    annex_iii_item: Optional[str]  # e.g., "HSM", "root_ca", "smart_meter"
    development_country: str
    target_market_date: date


@dataclass
class NotifiedBodyCandidate:
    name: str
    nb_number: str
    member_state: str
    scope_description: str
    estimated_lead_weeks: int
    fee_range_eur: tuple[int, int]
    languages: list[str]


class CRANotifiedBodySelector:
    """Guide manufacturers through NB selection for CRA Class II certification."""

    CLASS_II_PRODUCTS = {
        "HSM": "Hardware security module",
        "smartcard": "Smartcard and smartcard reader (security functionality)",
        "microprocessor_security": "Microprocessor with security functionality",
        "root_ca": "Root certificate authority",
        "smart_meter": "Smart meter for gas/electricity networks",
        "industrial_iot_critical": "Industrial IoT in critical infrastructure",
    }

    def assess_nb_requirement(self, product: ProductProfile) -> dict:
        """Determine whether NB involvement is mandatory."""
        if product.category == "Class II":
            mandatory = True
            procedure = "Annex X (third-party certification by notified body)"
            rationale = f"CRA Annex III Class II product: {product.annex_iii_item}"
        elif product.category == "Class I":
            mandatory = False
            procedure = "Annex VIII (self-assessment) OR Annex IX (NB type-examination, optional)"
            rationale = "CRA Annex IV Class I — manufacturer may choose NB involvement"
        else:
            mandatory = False
            procedure = "Annex VIII (self-assessment only)"
            rationale = "Default product category — NB not required"
        return {
            "nb_mandatory": mandatory,
            "procedure": procedure,
            "rationale": rationale,
            "recommendation": self._get_recommendation(product, mandatory)
        }

    def _get_recommendation(self, product: ProductProfile, mandatory: bool) -> str:
        months_to_deadline = (date(2027, 12, 11) - product.target_market_date).days / 30
        if mandatory:
            if months_to_deadline < 18:
                return "URGENT: Start NB selection immediately. Typical lead time 6-12 months."
            elif months_to_deadline < 24:
                return "Begin NB selection within 3 months. Request quotes from ≥3 NBs."
            else:
                return "Identify NBs now. Pre-assessment recommended 18 months before target date."
        else:
            return "Consider voluntary NB assessment for market differentiation (Annex IX)."

    def calculate_nb_engagement_timeline(self, product_target_date: date) -> dict:
        """Work backward from target date to NB engagement milestones."""
        return {
            "start_nando_search": product_target_date - timedelta(weeks=78),
            "request_quotes": product_target_date - timedelta(weeks=72),
            "select_nb_and_contract": product_target_date - timedelta(weeks=64),
            "pre_assessment": product_target_date - timedelta(weeks=56),
            "submit_technical_docs": product_target_date - timedelta(weeks=48),
            "nb_document_review_complete": product_target_date - timedelta(weeks=36),
            "nb_product_testing": product_target_date - timedelta(weeks=28),
            "certificate_issued": product_target_date - timedelta(weeks=16),
            "buffer_for_issues": product_target_date - timedelta(weeks=8),
            "target_market_date": product_target_date,
        }

    def generate_nb_rfq_checklist(self) -> list[str]:
        """Items to include in a Request for Quotation to a notified body."""
        return [
            "Confirmation NB is notified for your specific Annex III/IV product category",
            "Current lead time for Annex X assessments (quote queue position)",
            "Fee breakdown: document review / product testing / certificate / surveillance",
            "Assessment methodology alignment with EN 18031 series",
            "Experience with comparable products (references)",
            "Subcontracting arrangements (if any) and subcontractor identities",
            "Language capabilities for documentation review and on-site assessment",
            "Certificate validity period and surveillance frequency",
            "Policy on substantial modifications (Art.20) requiring re-assessment",
            "Process for handling confidential technical documentation",
        ]

    def export_selection_report(self, product: ProductProfile) -> str:
        assessment = self.assess_nb_requirement(product)
        timeline = self.calculate_nb_engagement_timeline(product.target_market_date)
        rfq = self.generate_nb_rfq_checklist()
        report = {
            "product": product.name,
            "generated": date.today().isoformat(),
            "nb_requirement": assessment,
            "engagement_timeline": {k: v.isoformat() for k, v in timeline.items()},
            "rfq_checklist": rfq
        }
        return json.dumps(report, indent=2)


# Example: HSM manufacturer targeting Q1 2027 market placement
selector = CRANotifiedBodySelector()
product = ProductProfile(
    name="SecureVault HSM v3.0",
    category="Class II",
    annex_iii_item="HSM",
    development_country="DE",
    target_market_date=date(2027, 3, 1)
)
print(selector.export_selection_report(product))
```
Article 33: Operational Obligations of Notified Bodies
Once notified, NBs are subject to ongoing obligations under Art.33 that directly affect the manufacturer relationship:
Consistency obligations: NBs must apply conformity assessment procedures consistently and proportionately to the size of the undertaking. This is particularly relevant for SMEs — NBs cannot apply disproportionately burdensome procedures for small manufacturers producing Class II products.
Information to market surveillance authorities: NBs must provide national market surveillance authorities with information about their conformity assessment activities on request, including negative decisions (refusals to certify).
ENISA reporting: NBs must report to ENISA on their cybersecurity certification activities under the EUCC scheme, feeding into the European cybersecurity certification framework transparency.
Information to Commission: If an NB discovers that a manufacturer's product no longer meets CRA requirements after certification, it must inform the relevant national market surveillance authority — triggering potential recall or restriction proceedings.
For manufacturers: maintain open communication with your NB about product changes. A substantial modification (Art.20) that triggers re-assessment but is not disclosed to the NB risks invalidating your certificate without warning.
Article 35: Exchange of Information Between Notified Bodies
Article 35 establishes a coordination mechanism among notified bodies: they must share information about negative assessment results and inconsistent assessment practices with the Commission and each other. This has practical implications:
- If your product was assessed and rejected by NB-A, NB-B will have access to that information when you approach them
- Inconsistent certification decisions across EU Member States are flagged — the system is designed to prevent "forum shopping" for the most lenient NB
- Harmonised assessment methodologies will be enforced through this peer review mechanism
For manufacturers: An NB rejection is not a purely private matter. Design your conformity assessment strategy assuming that any technical shortcomings identified during assessment will be visible to other NBs.
Notified Body Suspension and Withdrawal (Art.30)
When a notified body no longer meets the requirements of Art.26, the Member State's notifying authority must:
- Restrict, suspend, or withdraw the notification
- Immediately notify the Commission and other Member States
- Update NANDO accordingly
Manufacturer risk: If your NB's notification is suspended during your active assessment, you must transfer your assessment file to another NB. Art.30(5) requires the withdrawing Member State to ensure that manufacturer files are transferred to another notified body or kept available.
Mitigation: When selecting an NB, verify their accreditation history and any recent audit findings from their national accreditation body. Established bodies with multi-decade track records in cybersecurity certification carry lower suspension risk than newly notified bodies.
25-Point Art.26 Compliance Checklist for Class II Manufacturers
## Notified Body Engagement Checklist (CRA Art.26)
### Pre-Selection
- [ ] Confirmed product classification: Class II (Annex III) → Annex X mandatory
- [ ] Identified specific Annex III product category (e.g., HSM, root CA)
- [ ] Calculated target market date and backward-planned NB engagement start
- [ ] Searched NANDO for CRA-notified bodies in relevant scope
- [ ] Filtered NANDO results: status=Active, scope matches product category
- [ ] Identified ≥3 candidate NBs for competitive evaluation
### Due Diligence on Candidate NBs
- [ ] Verified NB notification scope covers your specific Annex III item
- [ ] Requested current lead time and queue status
- [ ] Obtained itemized fee quotes from ≥3 NBs
- [ ] Verified NB accreditation status with national NAB (ISO 17065)
- [ ] Reviewed NB experience with comparable products
- [ ] Confirmed NB language capabilities for your documentation
- [ ] Reviewed NB subcontracting policy and subcontractor list
- [ ] Checked Art.26 independence: NB has no consulting arm in your product space
### Contract Phase
- [ ] Contract includes: scope, fee structure, confidentiality, file retention
- [ ] Agreed timeline milestones documented in contract
- [ ] Defined process for handling substantial modifications (Art.20)
- [ ] Defined surveillance frequency and conditions post-certification
- [ ] Agreed on NB withdrawal/suspension contingency (file transfer procedure)
### Assessment Preparation
- [ ] Pre-assessment (optional) scheduled ≥12 months before target date
- [ ] Technical documentation package complete per CRA Annex V
- [ ] Representative product sample prepared for NB testing
- [ ] Internal security testing evidence collated (pen test reports, code reviews)
- [ ] SBOM validated for completeness and format compliance
- [ ] Vulnerability handling procedure documented and evidence ready
Key Takeaways
For Class II manufacturers: Article 26 creates a multi-layer trust infrastructure (NAB → notifying authority → Commission) to ensure NBs are genuinely competent and independent. Your practical job is to engage a NANDO-listed NB with the right scope and lead time. Start no later than 18 months before your target market date.
For Class I manufacturers: NB involvement is optional under Annex IX. Voluntary certification can provide market differentiation and reduce market surveillance scrutiny, but is not required for CE marking.
For default product manufacturers: No NB involvement required. Annex VIII internal self-assessment is the only path, and market surveillance authorities assess compliance post-market rather than pre-market.
See also:
- CRA Art.25: Conformity Assessment Procedures — which procedure maps to which product class
- CRA Art.22: Technical Documentation — Annex V documentation the NB will review
- CRA Art.23: EU Declaration of Conformity — issued after NB certification
- CRA Art.13: Manufacturer Obligations — underlying obligations NB will verify against