CRA Art.27: Notified Body Subsidiaries & Subcontracting — What Manufacturers Must Know (Developer Guide 2026)

Post #473 in the sota.io EU Cyber Compliance Series

Article 26 of the EU Cyber Resilience Act sets out who can become a notified body (NB). But conformity assessment of a complex cybersecurity product — especially a Class II critical product like a hardware security module, industrial gateway, or smart card OS — often requires specialist capabilities that no single organization possesses entirely in-house. A notified body accredited for product certification may need a specialist penetration testing laboratory to evaluate firmware hardening. A body with strong documentation review capabilities may need a hardware evaluation partner for side-channel analysis.

Article 27 governs exactly this scenario: when a notified body may delegate conformity assessment tasks to subsidiaries or subcontractors, and under what conditions. For manufacturers, understanding Art.27 is not abstract legal theory — it directly affects who actually tests your product, what visibility you have into that process, and who bears legal responsibility when something goes wrong.

The Core Rule: Delegation Is Permitted, But Constrained

Article 27 permits notified bodies to use subsidiaries and subcontractors for specific conformity assessment tasks. This is a deliberate policy choice by the CRA drafters: requiring every notified body to maintain all cybersecurity evaluation capabilities in-house would have severely constrained the supply of available notified bodies and driven up costs for manufacturers.

The key constraints are:

1. Pre-notification to the notifying authority — the NB must inform its national notifying authority before engaging a subsidiary or subcontractor for CRA assessment work
2. Equivalence of requirements — subcontractors must satisfy the same independence, competence, and impartiality requirements that the notified body itself must satisfy under Art.26
3. Retained responsibility — the notified body remains fully responsible for the work performed by any subcontractor or subsidiary
4. Manufacturer transparency — manufacturers must be informed about the use of subcontractors

These four constraints work together. The equivalence requirement prevents the notified body from laundering incompetent or conflicted work through an apparently-qualified subcontractor. The retained responsibility ensures the notified body cannot disclaim liability for subcontractor errors. The transparency requirement gives manufacturers visibility and the ability to raise objections.

What Activities Can Be Subcontracted?

The CRA does not enumerate which specific activities may or may not be subcontracted — instead, it uses the concept of "specific conformity assessment tasks." In practice, the following tasks are commonly subcontracted or performed by subsidiaries:

Commonly subcontracted:

• Specialized laboratory testing (e.g., hardware cryptographic evaluation, side-channel attack testing, EMC/RF testing)
• Penetration testing of firmware or software components
• Translation of technical documentation
• On-site audits in jurisdictions where the primary NB has no local presence
• EUCC-aligned evaluation of specific protection profiles

Typically not subcontracted (core certification decisions):

• The certification decision itself (issuing or refusing the certificate)
• Review of the overall conformity assessment file
• The formal NB report and opinion
• Liaison with the manufacturer on scope definition

The certification decision must remain with the notified body. Article 27 does not permit a notified body to wholesale subcontract the conformity assessment — it permits delegation of specific, defined tasks within an assessment the NB retains overall control of.

The Equivalence Requirement in Detail

When a notified body subcontracts, the subcontractor must satisfy requirements equivalent to those in Art.26. This means the subcontractor must be:

Technically competent: The subcontractor must have staff with the skills, knowledge, and experience to perform the specific tasks assigned. For a penetration testing subcontractor, this means demonstrable expertise in the product category and attack surface being evaluated — a generic IT security firm without embedded systems experience cannot perform hardware security evaluation for an IoT device.

Independent and impartial: The subcontractor must not have commercial relationships with the manufacturer that would compromise objectivity. If a manufacturer routinely retains a particular security consultancy for pre-assessment gap analysis, that same consultancy is likely disqualified from acting as an NB subcontractor for the subsequent formal assessment — even if contracted through a notified body rather than directly.

Documented: The subcontractor must operate under a documented quality management system, maintain records of its work, and make those records available to the notified body and (through the notified body) to the notifying authority.

Covered by accreditation or equivalent verification: Where the primary NB is accredited by a national accreditation body under ISO 17065, the subcontractor's competence for the delegated tasks should be verified. This may be through the subcontractor's own accreditation, or through the NB's own supplier qualification process.

In practice, major notified bodies maintain approved subcontractor lists, and manufacturers can request this list when selecting their NB. A body that cannot or will not disclose its subcontracting arrangements is a yellow flag.

Notification to the Notifying Authority

Before engaging a subcontractor, the notified body must inform its national notifying authority. This is not merely a courtesy — the notifying authority may object if it has concerns about the subcontractor's competence or independence.

The notification typically includes:

• Identity of the proposed subcontractor
• Scope of activities to be subcontracted
• Evidence that the subcontractor meets equivalence requirements
• Any existing accreditation certificates held by the subcontractor

This creates a paper trail that national supervisory bodies can audit. If a notified body's certification is later challenged, the notification records become important evidence.

For manufacturers: You do not participate in this notification process. But you can ask your notified body for confirmation that all subcontractors have been properly notified to the national authority, and for a copy of the notification if available.

Retained Responsibility: The Critical Liability Point

Perhaps the most important aspect of Art.27 for manufacturers: the notified body remains fully liable for the work of its subcontractors and subsidiaries.

This means:

• If a subcontractor performs a flawed penetration test that misses a critical vulnerability, the notified body — not the subcontractor — is liable for issuing a certificate based on that test
• If a subsidiary reviewing technical documentation reaches an incorrect conclusion, the notified body is responsible for that conclusion
• Manufacturers cannot contract around this — a notified body cannot include a clause in its certification agreement that shifts liability to a subcontractor for subcontracted work

The practical consequence is that notified bodies should, and generally do, exercise close oversight of subcontracted work. They will review subcontractor findings, cross-check key conclusions, and integrate subcontractor reports into their own assessment. A notified body that simply rubber-stamps subcontractor output without independent review is in breach of its own obligation to the notifying authority.

For manufacturers, this retained responsibility is valuable: it means you have a single point of accountability (the notified body) for the entire assessment, regardless of how the work was divided internally.

Manufacturer Transparency: What You Must Be Told

Under Art.27, manufacturers must be informed about subcontracting. The minimum information a manufacturer should expect:

1. Which tasks will be subcontracted — scope and nature of the delegated activities
2. Identity of the subcontractor — you should know who is actually evaluating your product
3. The subcontractor's relevant qualifications — accreditation certificates or equivalent competence evidence
4. That the NB remains responsible — confirmation of retained liability

Some notified bodies provide this information proactively in their contract terms. Others require manufacturers to request it explicitly. If your NB refuses to disclose subcontractor information, this may be a contractual and regulatory compliance issue — notifying authority expectations generally support manufacturer disclosure.

Practical recommendation: Include a disclosure clause in your conformity assessment contract that requires the NB to notify you in advance of any subcontracting and to provide subcontractor identity and qualification information. This is standard practice in medical device conformity assessment and becoming increasingly common in cybersecurity certification.

Subsidiaries vs. Subcontractors: Different Governance, Same Rules

Article 27 covers both subsidiaries (entities owned by or affiliated with the notified body) and external subcontractors (independent third parties). The legal requirements are the same for both — independence, competence, transparency, and retained responsibility.

However, the practical governance differs:

Subsidiaries: The parent NB typically has direct control over subsidiary operations, can mandate quality management procedures, and can require access to all records. Subsidiaries are usually pre-approved by the notifying authority at the time of notification and may be co-listed in the NANDO entry. Assessment using a subsidiary is generally lower-risk for manufacturers.

External subcontractors: The NB has only contractual leverage — it cannot mandate the subcontractor's internal processes beyond the contracted deliverables. More oversight is required. The NB must verify the subcontractor's independence separately for each assessment (the subcontractor may have acquired a conflicting commercial relationship since last used).

When evaluating notified bodies, ask whether the bodies in their network are subsidiaries or independent subcontractors. A body with a well-integrated subsidiary network offering complementary specialist capabilities is generally preferable to one that relies heavily on ad-hoc subcontracting arrangements.

EUCC and Multi-Body Assessment Scenarios

The European Cybersecurity Certification Scheme (EUCC) — the major EU cybersecurity certification scheme under the Cybersecurity Act — has specific provisions for iterated evaluation involving multiple laboratories and certification bodies. Under the EUCC, the evaluating laboratory (ITSEF — IT Security Evaluation Facility) performs technical evaluation, while the certification body (CB) makes the certification decision.

Under the CRA, if a manufacturer uses the EUCC path (permitted under Art.25), the ITSEF-CB relationship is governed by EUCC rules rather than CRA Art.27 directly. However, for non-EUCC CRA assessments (Annex IX or Annex X procedures), Art.27 applies.

For manufacturers targeting EUCC: Be aware that the accreditation and approval processes for ITSEFs under EUCC have historically taken 12-18 months. The supply of EUCC-approved evaluation facilities for embedded systems and IoT products is currently limited. This is a key reason why Class II manufacturers targeting the December 2027 deadline should engage their NB by mid-2026.

Article 27 in the Broader Chapter IV Context

Article 27 connects to other Chapter IV provisions:

• Art.26 — the underlying competence and independence requirements that Art.27 subcontractors must satisfy
• Art.30 — operational requirements for notified bodies, including maintenance of records and liability for their assessments
• Art.33 — operational obligations including informing the notifying authority of significant changes (major changes to subcontracting arrangements would likely trigger this)
• Art.35 — information sharing between notified bodies, including cases of refused or suspended certification (prevents manufacturers from "forum shopping" by approaching a different NB after one has identified issues)

Understanding Art.27 in isolation is insufficient — the subcontracting governance only makes sense as part of the broader accountability architecture of Chapter IV.

Practical Checklist for Class II Manufacturers

Before selecting a notified body for your CRA Class II conformity assessment:

Due diligence on the NB itself:

• Verify the NB appears in NANDO with an appropriate CRA or cybersecurity product scope
• Confirm the NB's national accreditation certificate is current (download directly from the national accreditation body's website)
• Review the NB's published procedures for conformity assessment under CRA or EUCC

Due diligence on subcontracting:

• Request the NB's current approved subcontractor/subsidiary list for your product category
• Confirm all key subcontractors have been notified to the national notifying authority
• Verify there are no commercial conflicts between your company and proposed subcontractors (previous consultancy relationships, joint ventures, shared investors)
• Check whether the NB's NANDO entry lists any specific co-designated subsidiaries

Contractual protections:

• Require advance disclosure of subcontracting for your specific assessment
• Include a clause confirming the NB's retained liability for subcontractor work
• Specify that subcontractor changes require your written approval (or at minimum, advance notice)
• Ensure the contract references Art.27 compliance explicitly

Timeline planning:

• Begin NB selection by Q3 2026 (mid-2026) at the latest for December 2027 deadline
• Allow 4-6 weeks for initial engagement and scoping discussions
• Budget 6-12 months for the assessment itself, depending on product complexity and NB workload

Key Takeaways

1. Subcontracting is permitted under CRA Art.27 — notified bodies do not need to perform every assessment task in-house
2. Subcontractors must meet the same requirements as the notified body itself (independence, competence, impartiality)
3. The NB remains fully liable for all subcontracted work — you have a single accountability point
4. You must be informed about which tasks are subcontracted and who the subcontractors are
5. EUCC assessments follow different rules (EUCC scheme rules govern the ITSEF-CB relationship rather than Art.27)
6. Limited NB supply is the key near-term risk — begin selection early, ask detailed questions about subcontracting capacity and current workload

Related in this series:

• CRA Art.25: Conformity Assessment Procedures — Annex VIII, IX, and X Explained
• CRA Art.26: Notified Bodies — Requirements, Selection & Practical Guide
• CRA Art.13: Manufacturer Obligations — Security by Design, SBOM, Update Support