CRA Art.28: How Conformity Assessment Bodies Apply for Notification — The Official Procedure, Required Documentation & Timeline (Developer Guide 2026)
The EU Cyber Resilience Act creates a two-tier conformity assessment system. Most products — all Class I and default-class products — can self-certify. But Class II products (higher-risk categories including firewalls, IDS/IPS, VPNs, HSMs, and smartcards) require third-party assessment by a notified body designated under Chapter V of the CRA.
Article 28 governs the gateway: how a conformity assessment body (CAB) formally applies to become a notified body. Without this process functioning smoothly, there will be no notified bodies available when the CRA fully applies in December 2027 — and Class II manufacturers would face a compliance bottleneck.
This guide explains the Art.28 process in detail, what it means for manufacturers waiting on notified body availability, and how to factor the notification timeline into your CRA compliance roadmap.
What CRA Article 28 Actually Covers
Article 28 addresses one specific question: how does a conformity assessment body formally apply to receive notified body status?
The article defines:
- Who may apply — any conformity assessment body established in the EU
- What they must submit — a defined documentation package
- Where they apply — to the national notifying authority of the member state where they are established
- What the authority evaluates — competence, independence, impartiality, financial stability
- The accreditation requirement — EA MLA accreditation as the baseline (or equivalent national framework)
- The 70-day timeline — from complete application to notification decision
Understanding Art.28 is relevant not just to the CABs themselves but to any manufacturer of Class II products. If your product requires third-party conformity assessment, your ability to certify before December 2027 depends entirely on how many notified bodies get designated in time — and Art.28 governs that pipeline.
The Notification Application Package
A conformity assessment body applying under Art.28 must submit a comprehensive package to the national notifying authority. The required elements fall into five categories:
1. Organisational Documentation
The CAB must provide:
- Legal establishment evidence: Certificate of incorporation, articles of association, or equivalent proof that the body is legally established in the EU member state
- Organisational structure: An organogram showing the relationship between governance, technical functions, and any subsidiary or parent entities
- Independence declaration: Formal documentation demonstrating the body is not subject to commercial, financial, or other pressure that could compromise impartiality
- Conflict of interest policy: Written procedures for identifying and managing conflicts, including for individual assessors
Independence is a non-negotiable requirement under CRA. A body cannot assess products from companies in which it has a financial interest, with which it shares personnel in technical decision-making roles, or which provide it a disproportionate share of income.
2. Technical Competence Evidence
This is the core of the application. The CAB must demonstrate it has the technical capability to assess products against the essential cybersecurity requirements of Annex I of the CRA and the conformity assessment procedures of Annex VIII.
Required evidence includes:
- Staff qualification records: CVs, certifications, and training records for all assessors who will work on CRA assessments. Relevant certifications include CISA, CISSP, CEH, and vendor-specific security certifications, plus engineering qualifications for the product categories claimed
- Assessment methodology documentation: Written procedures explaining how the body will evaluate vulnerability handling (Art.10), lifecycle security (Art.11), and essential requirements across each product class
- Experience records: Past conformity assessments, audit reports (redacted where necessary), or equivalent evidence of technical capability in cybersecurity product assessment
- Equipment and facilities: For hardware-related assessments, evidence of appropriate test equipment, lab facilities, and calibration records
3. Scope of Notification
The CAB must specify the exact scope for which it is requesting notification. Scope is defined by:
- Product category: Which Class II product types (Annex III) the body claims competence for
- Assessment module: Which Annex VIII modules the body can perform (EU-type examination, quality assurance, full quality assurance)
- Standards coverage: Which harmonised standards and ETSI/ISO norms the body can assess against
A CAB may apply for a narrow scope (e.g., only smartcard ICs under Annex III, point 1) or a broad scope (all Class II products). The notifying authority will only grant scope that is supported by evidence.
4. Quality Management System Documentation
The CAB must operate a quality management system (QMS) that governs its assessment activities. Required documentation includes:
- QMS manual: The overarching quality management framework
- Document control procedures: How the body maintains and updates its assessment procedures
- Internal audit procedures: How the body monitors its own compliance
- Corrective action processes: How the body responds to identified deficiencies
The QMS must cover all activities within the notification scope. An ISO/IEC 17065 accreditation (product certification) or ISO/IEC 17021 (management system certification) already implies QMS compliance for many assessment activities.
5. Accreditation Certificate
The preferred route to demonstrating competence and QMS compliance is accreditation by a national accreditation body that is a signatory to the European Accreditation (EA) Multilateral Agreement (MLA).
In Germany: DAkkS. In France: COFRAC. In the Netherlands: RvA. In Ireland: INAB. The full list of EA MLA signatories covers all EU member states.
The accreditation certificate must cover the specific scope of the notification application. A general ISO/IEC 17065 accreditation is not sufficient if it does not specifically cover cybersecurity product assessment against CRA requirements.
Where no accreditation exists: Under Art.28(2), if no accreditation is available for the specific scope (e.g., because CRA is new and no accreditation scheme has yet been developed), the CAB may apply without accreditation, but must provide "other documented evidence" demonstrating equivalent competence. The notifying authority has discretion on whether to accept such evidence. In practice, ENISA and the Commission expect accreditation to become the norm as EA-level schemes develop.
The 70-Day Decision Timeline
Article 28 establishes a procedural timeline from application submission to notification decision:
Day 0: Complete application received by notifying authority
Day 1-14: Administrative completeness check
    → If incomplete: authority requests additional information
    → Clock stops until information received
Day 15-70: Technical evaluation
    → Authority examines documentation
    → May conduct on-site assessment visit
    → May consult ENISA or peer notifying authorities
Day 70: Decision must be made (notification or refusal)
    → If notification: body added to NANDO database
    → If refusal: reasoned decision provided
The 70-day clock runs from receipt of a complete application. If the authority requests supplementary information, the clock stops and restarts only when the information is provided. In practice, this means complex applications with incomplete documentation can take significantly longer than 70 days.
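The stop-the-clock rule above can be worked through in code. This is an added example, not part of the original guide or any official tool; it assumes calendar days, assumes the clock resumes (rather than resets) on the day the requested information arrives, and uses constructed dates and hypothetical function names.

```python
import datetime as dt

# Decision window stated in this guide, counted in calendar days (assumption).
DECISION_WINDOW = dt.timedelta(days=70)


def merge_pauses(pauses):
    """Merge overlapping or adjacent (requested_on, answered_on) clock stops."""
    merged = []
    for start, end in sorted(pauses):
        if end < start:
            raise ValueError(f"pause ends before it starts: {start} > {end}")
        if merged and start <= merged[-1][1]:
            # Two overlapping information requests stop the clock only once.
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def decision_deadline(complete_on, pauses=()):
    """Latest decision date once stop-the-clock periods are added back."""
    deadline = complete_on + DECISION_WINDOW
    for start, end in merge_pauses(pauses):
        start = max(start, complete_on)  # the clock cannot stop before Day 0
        if end <= start or start >= deadline:
            continue  # pause lies outside the running window
        deadline += end - start
    return deadline


def clock_days_used(complete_on, pauses, as_of):
    """Days of the 70-day window consumed as of a given date."""
    stopped = dt.timedelta(0)
    for start, end in merge_pauses(pauses):
        start, end = max(start, complete_on), min(end, as_of)
        if end > start:
            stopped += end - start
    return max((as_of - complete_on - stopped).days, 0)


# Constructed sample dates, not taken from any real application.
COMPLETE_ON = dt.date(2026, 9, 1)
PAUSES = [
    (dt.date(2026, 9, 10), dt.date(2026, 9, 24)),  # first information request
    (dt.date(2026, 9, 20), dt.date(2026, 10, 1)),  # overlapping second request
]

if __name__ == "__main__":
    print("No requests:   ", decision_deadline(COMPLETE_ON))
    print("With requests: ", decision_deadline(COMPLETE_ON, PAUSES))
    print("Days used by 15 Oct:",
          clock_days_used(COMPLETE_ON, PAUSES, dt.date(2026, 10, 15)))
```

With these sample dates, two overlapping information requests move the decision date by three weeks, which is the kind of slip a manufacturer's roadmap should absorb.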
Important for manufacturers: The 70-day timeline is for the notification decision, not for the body to become operational. After notification, a body typically needs additional months to:
- Complete NANDO database registration
- Establish client intake procedures
- Build assessment queues
- Train assessors on the specific product categories
For manufacturers with December 2027 compliance deadlines, the practical timeline for accessing a notified body is:
2026 Q2-Q3: CABs complete and submit Art.28 applications
2026 Q4: First notification decisions expected
2027 Q1-Q2: Bodies become operational for client intake
2027 Q3-Q4: First completed assessments (for simple scopes)
This leaves very limited buffer for complex products.
What the Notifying Authority Evaluates
The national notifying authority (NTA) evaluates the application against the criteria in Art.26 (Notified Body Requirements) and Art.27 (Subsidiaries and Subcontracting). The key assessment dimensions are:
Independence and Impartiality
The authority must be satisfied that the CAB:
- Has no commercial relationship with manufacturers it will assess
- Has no financial interest in assessment outcomes
- Has adequate procedures to prevent assessor conflicts
- Is not under undue influence from any industry association
For bodies that are subsidiaries of larger organisations, the authority will examine whether parent company relationships could create commercial pressure on assessment decisions.
Technical Competence
This is often the most challenging dimension for new applicants. The authority assesses:
- Assessor qualifications: Are the staff qualified for the specific technical areas?
- Methodology soundness: Does the body understand how to assess against CRA Annex I requirements?
- Track record: Has the body performed similar assessments before (e.g., under EUCC, Common Criteria, or IEC 62443)?
Bodies with existing Common Criteria evaluation facility (ITSEF) experience are better positioned, as EUCC assessments under Art.51 overlap significantly with CRA Class II requirements.
Financial Stability
The authority must be satisfied the body has sufficient financial resources to:
- Sustain operations over multiple years
- Maintain professional indemnity insurance
- Fund internal quality processes
Procedural Completeness
The authority performs an administrative check before substantive evaluation. Common grounds for requesting additional information:
- Missing accreditation certificate or equivalent
- Scope description that doesn't align with Annex III categories
- Incomplete staff qualification records
- No documented conflict of interest procedures
Practical Python: CRA Notification Readiness Checker
The following Python class helps a conformity assessment body assess whether its documentation package is ready for Art.28 submission:
```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional
import datetime


class DocumentStatus(Enum):
    PRESENT = "present"
    MISSING = "missing"
    INCOMPLETE = "incomplete"
    NOT_APPLICABLE = "not_applicable"


@dataclass
class NotificationDocument:
    name: str
    status: DocumentStatus
    notes: str = ""
    last_updated: Optional[datetime.date] = None


@dataclass
class Art28ApplicationPackage:
    """Tracks readiness of a CRA Art.28 notification application package."""

    body_name: str
    member_state: str
    proposed_scope: list[str] = field(default_factory=list)

    # Category 1: Organisational
    legal_establishment: NotificationDocument = field(
        default_factory=lambda: NotificationDocument(
            "Certificate of establishment", DocumentStatus.MISSING
        )
    )
    org_structure: NotificationDocument = field(
        default_factory=lambda: NotificationDocument(
            "Organisational structure / organogram", DocumentStatus.MISSING
        )
    )
    independence_declaration: NotificationDocument = field(
        default_factory=lambda: NotificationDocument(
            "Independence and impartiality declaration", DocumentStatus.MISSING
        )
    )
    coi_policy: NotificationDocument = field(
        default_factory=lambda: NotificationDocument(
            "Conflict of interest policy and procedures", DocumentStatus.MISSING
        )
    )

    # Category 2: Technical competence
    staff_qualifications: NotificationDocument = field(
        default_factory=lambda: NotificationDocument(
            "Staff CVs, certifications, training records", DocumentStatus.MISSING
        )
    )
    assessment_methodology: NotificationDocument = field(
        default_factory=lambda: NotificationDocument(
            "CRA assessment methodology documentation", DocumentStatus.MISSING
        )
    )
    experience_records: NotificationDocument = field(
        default_factory=lambda: NotificationDocument(
            "Past assessment experience records", DocumentStatus.MISSING
        )
    )

    # Category 3: Scope definition
    scope_document: NotificationDocument = field(
        default_factory=lambda: NotificationDocument(
            "Notification scope definition (Annex III categories + Annex VIII modules)",
            DocumentStatus.MISSING,
        )
    )

    # Category 4: QMS
    qms_manual: NotificationDocument = field(
        default_factory=lambda: NotificationDocument(
            "Quality management system manual", DocumentStatus.MISSING
        )
    )
    internal_audit_procedures: NotificationDocument = field(
        default_factory=lambda: NotificationDocument(
            "Internal audit and corrective action procedures", DocumentStatus.MISSING
        )
    )

    # Category 5: Accreditation
    accreditation_certificate: NotificationDocument = field(
        default_factory=lambda: NotificationDocument(
            "EA MLA accreditation certificate (or equivalent evidence)",
            DocumentStatus.MISSING,
        )
    )

    def completeness_score(self) -> dict:
        """Returns readiness score and missing items."""
        all_docs = [
            self.legal_establishment,
            self.org_structure,
            self.independence_declaration,
            self.coi_policy,
            self.staff_qualifications,
            self.assessment_methodology,
            self.experience_records,
            self.scope_document,
            self.qms_manual,
            self.internal_audit_procedures,
            self.accreditation_certificate,
        ]
        # Documents marked NOT_APPLICABLE are excluded from the score so they
        # cannot permanently block submission readiness.
        applicable = [
            d for d in all_docs if d.status != DocumentStatus.NOT_APPLICABLE
        ]
        present = sum(1 for d in applicable if d.status == DocumentStatus.PRESENT)
        incomplete = [
            d.name for d in applicable if d.status == DocumentStatus.INCOMPLETE
        ]
        missing = [d.name for d in applicable if d.status == DocumentStatus.MISSING]
        total = len(applicable)
        score = present / total if total else 0.0
        return {
            "total_documents": total,
            "present": present,
            "incomplete_count": len(incomplete),
            "missing_count": len(missing),
            "completeness_percent": round(score * 100, 1),
            "incomplete_items": incomplete,
            "missing_items": missing,
            "submission_ready": score == 1.0 and len(incomplete) == 0,
        }

    def estimated_submission_date(
        self, target_decision_date: datetime.date
    ) -> datetime.date:
        """
        Given a desired decision date, returns the latest safe submission date.
        Accounts for 70-day timeline plus 14 days buffer for info requests.
        """
        buffer_days = 84  # 70 days + 14 days buffer
        return target_decision_date - datetime.timedelta(days=buffer_days)


# Example: A German CAB preparing for CRA notification
if __name__ == "__main__":
    cab = Art28ApplicationPackage(
        body_name="ExamplePrüf GmbH",
        member_state="DE",
        proposed_scope=[
            "CRA Annex III Class II — Firewalls (point 3)",
            "CRA Annex III Class II — Intrusion Detection Systems (point 4)",
        ],
    )

    # Update as documents are prepared
    cab.legal_establishment.status = DocumentStatus.PRESENT
    cab.legal_establishment.last_updated = datetime.date(2026, 3, 15)
    cab.org_structure.status = DocumentStatus.PRESENT
    cab.org_structure.last_updated = datetime.date(2026, 3, 20)
    cab.independence_declaration.status = DocumentStatus.INCOMPLETE
    cab.independence_declaration.notes = "Draft prepared, pending board sign-off"
    cab.coi_policy.status = DocumentStatus.PRESENT
    cab.staff_qualifications.status = DocumentStatus.INCOMPLETE
    cab.staff_qualifications.notes = "3 assessors complete, 2 still pending CVs"
    cab.assessment_methodology.status = DocumentStatus.MISSING
    cab.assessment_methodology.notes = "Planned for Q2 2026"
    cab.experience_records.status = DocumentStatus.PRESENT
    cab.experience_records.notes = "6 EUCC ITSEF assessments (2024-2025)"
    cab.scope_document.status = DocumentStatus.PRESENT
    cab.qms_manual.status = DocumentStatus.PRESENT
    cab.internal_audit_procedures.status = DocumentStatus.PRESENT
    cab.accreditation_certificate.status = DocumentStatus.INCOMPLETE
    cab.accreditation_certificate.notes = "DAkkS application submitted, decision Q3 2026"

    result = cab.completeness_score()
    print(f"\nCRA Art.28 Application Readiness: {cab.body_name}")
    print(f"Scope: {', '.join(cab.proposed_scope)}")
    print(f"\nCompleteness: {result['completeness_percent']}%")
    print(f"Present: {result['present']}/{result['total_documents']}")
    print(f"\nIncomplete ({result['incomplete_count']}):")
    for item in result["incomplete_items"]:
        print(f"  ⚠ {item}")
    print(f"\nMissing ({result['missing_count']}):")
    for item in result["missing_items"]:
        print(f"  ✗ {item}")

    target = datetime.date(2026, 12, 31)
    safe_submit = cab.estimated_submission_date(target)
    print(f"\nTarget decision by: {target}")
    print(f"Submit by: {safe_submit} (latest safe date)")
    print(f"\nSubmission ready: {result['submission_ready']}")
```
Art.28 and the NANDO Database
When a notification is granted, the body is entered into the NANDO database (New Approach Notified and Designated Organisations) maintained by the European Commission. NANDO serves as the public registry of all notified bodies across EU legislation.
Manufacturers use NANDO to:
- Find notified bodies with scope covering their product category
- Verify a body's current notification status and valid scope
- Check whether a body's notification has been suspended or withdrawn
For CRA, NANDO entries will specify:
- The member state that notified the body
- The specific CRA product categories (Annex III reference)
- The conformity assessment modules (Annex VIII reference)
- Any restrictions or conditions on the notification
- The date of notification and any expiry or review dates
The Commission is expected to add a CRA-specific section to NANDO as notification decisions begin to be made.
What This Means for Class II Manufacturers
If your product is in CRA Annex III (Class II), Art.28 determines whether you will have access to notified bodies by December 2027. The practical implications:
Monitor Notification Progress
Track which bodies are applying for notification in your member state or across the EU. If no body has notification scope covering your product type by mid-2026, you face a serious timeline risk.
ENISA maintains an informal registry of CABs expressing interest in CRA notification. The Commission and EA are developing harmonised accreditation criteria under ENISA coordination.
Build Notified Body Relationships Early
Even before bodies are officially notified, you can:
- Engage prospective CABs in pre-assessment discussions
- Share your Technical Documentation package for informal review
- Understand their preliminary scope claims and methodology
Bodies are permitted (and incentivised) to conduct preparatory work with potential clients before formal notification.
Consider EUCC Route for Cybersecurity Products
For products that qualify for EUCC (EU Common Criteria-based Certification Scheme) certification, EUCC certification at assurance level AVA_VAN.3 or higher may satisfy certain CRA Class II assessment requirements under Art.51. ITSEF-accredited labs exist across multiple member states today and are working to align their scopes with CRA requirements.
No Fallback to Self-Assessment
If you cannot secure a notified body, you cannot place a Class II product on the EU market with CE marking. There is no fallback to self-assessment for Class II products. This creates a strong incentive to:
- Determine definitively whether your product is Class I (self-certifiable) or Class II
- If Class II, start notified body engagement in 2026, not 2027
- If genuinely uncertain, treat as Class II until Art.7(5) guidance confirms otherwise
25-Item Art.28 Compliance Checklist
For conformity assessment bodies preparing applications:
Organisational
- Legal establishment certificate obtained and current
- Organisational structure documented and reflects current state
- Independence and impartiality declaration prepared and board-approved
- Conflict of interest policy documented with specific CRA scenarios addressed
- Financial stability evidence (audited accounts, insurance certificates) compiled
Technical Competence
- All proposed assessors have CVs compiled
- Assessor certifications relevant to cybersecurity product assessment documented
- CRA-specific assessment methodology documented
- Methodology explicitly maps to Annex I essential requirements
- Methodology explicitly maps to Annex VIII assessment modules
- Experience records from past assessments compiled
- Equipment and facilities inventory prepared (for hardware assessments)
Scope
- Notification scope document prepared
- Scope maps to specific Annex III Class II categories
- Scope maps to specific Annex VIII modules requested
- Scope is supported by technical competence evidence
Quality Management
- QMS manual updated to cover CRA assessment activities
- Document control procedures include CRA-specific procedures
- Internal audit schedule established for CRA activities
- Corrective action procedures tested
Accreditation
- EA MLA accreditation status confirmed with national accreditation body
- Accreditation scope matches notification scope
- Accreditation certificate is current and not due for renewal within 12 months
- If no accreditation available: equivalent evidence package prepared
Submission
- Target submission date set based on desired notification decision date
- Contact at national notifying authority established
- Application package assembled and reviewed by internal QA
- Pre-submission meeting with notifying authority requested (recommended)
Key Takeaways
For conformity assessment bodies: Art.28 sets out a clear documentation package. The accreditation requirement is the most time-consuming element — EA-level accreditation takes 12-18 months if starting from scratch. Begin in 2025 if targeting early 2027 notification.
For Class II manufacturers: The notified body availability bottleneck is real. The 70-day application timeline means that even if all CABs submitted complete applications tomorrow, the first notifications wouldn't arrive until summer 2026 at the earliest. Start engaging prospective bodies now.
For everyone: The Art.28 notification pipeline is a leading indicator for CRA market readiness. Watch ENISA announcements and EA updates on CRA accreditation scheme development — these will determine whether the notified body market is functional by December 2027.
Further Reading
- CRA Art.26: Notified Body Requirements — Prerequisites a body must meet before applying
- CRA Art.27: NB Subsidiaries & Subcontracting — Rules for delegating assessment activities
- CRA Art.25: Conformity Assessment Procedures — Which module applies to which product class
- CRA Art.22: Technical Documentation — What manufacturers must have ready for notified body review