CRA Art.30: Changes to Notifications — When Notified Bodies Lose Status and What It Means for Your Class II Product (Developer Guide 2026)
You've spent months working with a notified body on your Class II product's conformity assessment. The body has issued a certificate. You're ready to apply the CE marking. Then the notification authority withdraws the body's notification.
This scenario isn't hypothetical — it happens across regulated industries. NB notifications get suspended or withdrawn because of audit failures, loss of accreditation, financial instability, or conflicts of interest. Under the EU Cyber Resilience Act, Article 30 governs exactly this: the conditions under which notification authorities can modify, restrict, suspend, or withdraw a notified body's status, and what happens to the certificates and assessments already in progress.
For Class II product manufacturers — those building firewalls, IDS/IPS systems, VPNs, HSMs, or smartcard products — understanding Art.30 is risk management. The CRA creates a new notified body market that won't fully mature until 2027. The bodies that enter that market may not all survive in it.
What CRA Article 30 Actually Covers
Article 30 establishes the lifecycle management of notification status. The notification process under Arts.28-29 creates the initial designation of a conformity assessment body as a notified body. Art.30 governs everything that happens after that point.
The article addresses three types of changes:
Restriction — limiting the scope of notification to specific product categories, assessment modules, or technical domains. A body originally notified for the full range of Class II products might be restricted to HSMs only if it can no longer demonstrate competency across the wider scope.
Suspension — temporary halt of notification, during which the body cannot accept new conformity assessment mandates. Existing in-progress assessments may continue under specific conditions, but no new work can begin under the suspended notification.
Withdrawal — complete removal of notified body status. The body can no longer act as a CRA notified body at all. All certificates previously issued under the withdrawn notification must be addressed according to transitional rules.
When Can a Notification Be Changed?
The notification authority — the member state body that granted the notification under Arts.28-29 — is responsible for continuous monitoring. Art.30 specifies the conditions that trigger a required review and potential status change.
Mandatory Change Triggers
Loss of accreditation: The EA MLA (European cooperation for Accreditation Multilateral Agreement) accreditation that underlies most NB notifications is itself subject to peer review cycles. If a national accreditation body withdraws accreditation from a CAB, the notification authority must act — typically by suspending notification while the situation is resolved.
Failure to meet Art.29 requirements: The requirements for notified bodies set out in the CRA are ongoing obligations, not one-time gating criteria. If a body stops meeting the requirements (independence, technical competence, financial stability, staff qualifications), the notification authority must investigate and, if the deficiency is confirmed, change the notification status.
Notification authority audit findings: The monitoring isn't passive. Notification authorities conduct regular audits of their designated bodies. Audit findings that reveal systematic deficiencies in how the body conducts CRA assessments can trigger restriction or suspension while corrective action is taken.
Voluntary surrender: A notified body may itself notify the notification authority that it wishes to cease acting as a CRA notified body. Art.30 establishes the procedural obligations for this scenario, including transition obligations to manufacturers with in-progress assessments.
Discretionary Change Triggers
Notification authorities also have discretion to investigate and potentially change notification status when:
- Complaints from manufacturers about assessment quality are substantiated
- Peer review findings from ENISA or Commission oversight indicate systematic issues
- A notified body is acquired, merged, or undergoes significant organizational change affecting its independence
- The body's insurance coverage drops below the required level
The Process: How Changes to Notifications Work
Step 1: Investigation and Provisional Measure
Before formally changing notification status, the notification authority will typically issue a provisional measure — requiring the notified body to provide evidence that it still meets requirements, or restricting it from taking new mandates while the investigation proceeds.
This gives the body an opportunity to demonstrate corrective action. The typical timeline is 30-90 days for a provisional measure period, depending on the severity of the issue.
Step 2: Decision and NANDO Notification
If the investigation confirms a deficiency, the notification authority takes a formal decision to restrict, suspend, or withdraw notification. This decision must be communicated to:
The Commission: via the NANDO notification system, which immediately updates the public database. From the moment a change is registered in NANDO, third parties — including manufacturers — can see that the body's status has changed.
Other member states: notification authorities across the EU are informed, allowing them to take account of the status change in any cross-border recognition or oversight activities.
The affected body: formally notified of the decision, the grounds, and (where applicable) the conditions for reinstatement.
Step 3: NANDO Update Visibility
The NANDO database — New Approach Notified and Designated Organisations, maintained by the Commission — is the authoritative public record of notified body status under EU harmonised legislation.
When a CRA notification is changed, NANDO will reflect:
- The date and type of change (restriction, suspension, withdrawal)
- The scope of the change (which product categories or modules are affected)
- In the case of suspension: the expected duration or review date
- Contact details for the notification authority handling the case
Manufacturers monitoring NANDO can see changes in near-real-time. This is why building a NANDO monitoring step into your compliance program is good practice if you're working with a Class II product.
Step 4: Reinstatement (for Restriction/Suspension)
Restriction and suspension are reversible. A notified body that addresses the identified deficiency — restoring accreditation, updating procedures, replacing disqualified staff — can have its notification reinstated or the restriction lifted.
The notification authority verifies the corrective action (often via a targeted audit) and notifies the Commission and other member states of the reinstatement. NANDO is updated accordingly.
Withdrawal is not automatically reversible — the body would need to go through the full Art.28 application and Art.29 notification process again.
What Happens to Already-Issued Certificates?
This is the question that matters most to manufacturers. Art.30 addresses the transitional rules for three scenarios:
Scenario 1: Certificate Issued, Product on Market
If a notified body's notification is withdrawn after it has issued a conformity assessment certificate and the product is already placed on the market, the certificate itself does not automatically become invalid.
The CRA's transitional provisions distinguish between the ongoing validity of the certificate and the body's ability to issue new ones. A validly issued certificate under a now-withdrawn notification remains valid unless:
- The notification authority or Commission determines that the assessment was conducted deficiently (in which case recall/remediation procedures under Chapter VIII may apply)
- The product itself undergoes a substantial modification (Art.20) that would require a new assessment
- The certificate expires and requires renewal (since the original body can no longer issue renewals)
The practical implication: if your body's notification is withdrawn, you will need to engage a different notified body for any future renewals, reassessments, or substantial modifications. The existing certificate is not automatically invalidated, but you are on notice that you'll need a new body relationship.
Scenario 2: Assessment In Progress, Certificate Not Yet Issued
If notification is withdrawn mid-assessment — after the body has accepted your mandate and begun technical review but before issuing a certificate — you face a more acute problem.
The withdrawn body can no longer complete the assessment and issue a valid certificate. You have two options:
- Transfer the assessment: negotiate with the body to transfer your documentation, test results, and assessment records to a new notified body, which can build on completed work to the extent it considers it valid
- Restart with a new body: begin the process fresh with a different notified body, which typically means new mandates, new timelines, and potentially different fees
Neither option is fast. This is the primary operational risk of the notified body bottleneck.
Scenario 3: Suspension (Not Withdrawal)
Suspension is less severe. If a body is suspended before completing your assessment, the notification authority typically determines whether ongoing assessments can continue under supervision or must be transferred.
In practice, suspension often allows in-progress work to continue to completion under specific conditions — the body remains technically capable, it just cannot take new mandates. Your assessment may proceed, with the notification authority keeping closer oversight.
Developer Risk: The Notified Body Bottleneck Amplified
The CRA creates a new market for notified bodies. By December 2027, manufacturers of Class II products need to have completed their conformity assessments. The challenge is that the pool of designated CRA notified bodies is just being established — and it's small.
Art.30 amplifies the risk already created by Art.28-29: not only may there be few bodies available, but some of those bodies may lose notification during the critical 2026-2027 ramp-up period. Reasons include:
- New entrants: CABs entering the CRA market may lack depth of experience, making audit findings more likely
- Staff turnover: Key assessors may leave, affecting the body's competency demonstration
- Accreditation timing: EA accreditation cycles don't always align with notification timelines
The concentration risk is real. If you work exclusively with one notified body and that body experiences a suspension, your compliance timeline is at risk.
Risk Mitigation Strategies for Class II Manufacturers
Strategy 1: NANDO Monitoring as Part of Compliance Program
Build NANDO monitoring into your compliance operations. Track the notification status of every body you work with or are considering working with. Status changes appear in NANDO before they affect your certificate — giving you advance notice to act.
import requests
from datetime import datetime, timedelta
import json
from typing import Optional
class NANDOMonitor:
"""
Monitor notified body status changes for CRA Art.30 compliance.
NANDO API provides current status — cross-reference against your
tracked bodies to detect changes.
"""
def __init__(self, tracked_bodies: list[dict]):
self.tracked_bodies = tracked_bodies # [{"id": "1234", "name": "Body X", "last_status": "active"}]
self.change_log: list[dict] = []
def check_status(self, nando_body_id: str) -> dict:
"""
Fetch current status for a specific notified body from NANDO.
Returns status dict with active/suspended/withdrawn and scope.
"""
# NANDO provides an API endpoint for individual body data
url = f"https://ec.europa.eu/tools/nando/index.cfm?fuseaction=directive.notifiedbody&id={nando_body_id}"
# In production: parse the NANDO response for current status flags
# This simplified version assumes a structured API response
try:
resp = requests.get(url, timeout=10)
return {"body_id": nando_body_id, "status": "active", "checked_at": datetime.utcnow().isoformat()}
except requests.RequestException as e:
return {"body_id": nando_body_id, "status": "unknown", "error": str(e)}
def detect_changes(self) -> list[dict]:
"""
Compare current NANDO status against last-known status.
Returns list of detected changes.
"""
detected = []
for body in self.tracked_bodies:
current = self.check_status(body["id"])
if current["status"] != body["last_status"]:
change = {
"body_id": body["id"],
"body_name": body["name"],
"previous_status": body["last_status"],
"current_status": current["status"],
"detected_at": datetime.utcnow().isoformat(),
}
detected.append(change)
self.change_log.append(change)
body["last_status"] = current["status"]
return detected
def assess_impact(self, change: dict, active_mandates: list[dict]) -> dict:
"""
Assess business impact of a notification status change.
active_mandates: [{"body_id": "1234", "phase": "in_progress|certificate_issued", "product": "..."}]
"""
affected = [m for m in active_mandates if m["body_id"] == change["body_id"]]
if not affected:
return {"impact": "none", "action_required": False}
impact_level = "critical" if change["current_status"] == "withdrawn" else "high"
return {
"impact": impact_level,
"action_required": True,
"affected_mandates": affected,
"recommended_action": (
"Immediately contact notification authority and identify backup notified body."
if impact_level == "critical"
else "Monitor for reinstatement; prepare contingency transfer plan."
),
}
Strategy 2: Multi-Body Qualification
Don't rely exclusively on a single notified body. Build relationships with two or three bodies qualified for your product category. This doesn't mean running parallel assessments — it means having a qualified backup that is familiar with your product and documentation.
The setup investment is modest: provide the backup body with a copy of your technical documentation for review, establish a framework agreement, and maintain periodic contact. If your primary body's notification is changed, you have an established path to continuation.
Strategy 3: Contractual Provisions in Notified Body Agreements
When entering into a conformity assessment mandate with a notified body, include contractual provisions that address Art.30 scenarios:
- Documentation return: Obligation for the body to return all assessment records and technical documentation in a portable format if notification is changed
- Transfer assistance: Obligation to cooperate in transferring the assessment to a successor body, including providing a technical handover summary
- Timeline commitments: Milestones that protect you from open-ended delays if the body enters a suspension period
- Status notification: Obligation for the body to notify you immediately if the notification authority initiates any monitoring or provisional measure proceedings
These provisions won't prevent an Art.30 event, but they reduce the recovery time and cost significantly.
Strategy 4: Certificate Validity Monitoring
Track the expiry dates of all certificates issued under CRA notified body assessments. If the issuing body's notification is withdrawn, you'll need to plan certificate renewals with a different body — and that planning takes time.
Maintain a compliance calendar that includes:
- Certificate issue date and validity period
- Issuing body NANDO ID and current status
- Next renewal trigger date (typically 12-18 months before certificate expiry to allow assessment time)
- Backup body contact for renewal
The Art.30 Feedback Loop: How Withdrawal Affects the Market
Art.30 isn't just about risk management — it's a quality mechanism. The ability to withdraw notification creates accountability for notified bodies. Bodies that know they face ongoing monitoring and potential withdrawal have strong incentives to maintain assessment quality.
This matters for the CRA market because the bar for CRA conformity assessment is high. The technical competency requirements under Art.29 are specific to cybersecurity — evaluating secure development processes, vulnerability management, automated testing, penetration testing evidence. Many generalist test labs entering the CRA market will face a learning curve.
The Art.30 monitoring mechanism ensures that bodies that fail to maintain the required competency level can be removed from the market. For manufacturers, this is ultimately positive: it means the notified body designation carries sustained credibility rather than just point-in-time qualification.
NANDO as Your Primary Intelligence Source
The NANDO database is the only authoritative source for notified body status under EU harmonised legislation. For CRA Art.30 purposes, it provides:
| Information | Where to Find It |
|---|---|
| Current notification status | Body detail page: active/suspended/withdrawn indicator |
| Notification scope | Product categories and assessment modules listed |
| Status change dates | History of changes visible for each body |
| Notification authority | Member state authority responsible for the body |
| Contact information | Body address and contact for manufacturers |
NANDO is publicly accessible without authentication. For production compliance monitoring, scrape or poll the relevant body pages at a cadence appropriate to your risk tolerance — weekly checks are reasonable for bodies currently active, daily checks if you've identified any risk indicators.
Art.30 and the Broader Notification Chapter
Article 30 is part of a larger system designed to ensure notified bodies remain qualified throughout the CRA's lifecycle. The full Chapter V framework:
| Article | Topic |
|---|---|
| Art.26 | General provisions on notified bodies |
| Art.27 | Requirements for notified bodies |
| Art.28 | Application for notification |
| Art.29 | Notification procedure and NANDO registration |
| Art.30 | Changes to notifications: restriction, suspension, withdrawal |
| Art.31 | Operational obligations of notified bodies |
| Art.32 | Conformity assessment activities |
Together, these articles create a complete system: qualification → designation → operation → monitoring → status change. Art.30 closes the loop, ensuring that designation is not permanent and that ongoing compliance with requirements is enforced.
Compliance Checklist: Art.30 Preparedness for Class II Manufacturers
Monitoring
- NANDO IDs recorded for all notified bodies you work with or are considering
- NANDO status monitoring process established (at minimum: monthly manual check)
- Alerts configured for notification status changes affecting your product categories
- Team member designated as responsible for notified body status monitoring
Contractual
- Notified body mandate agreement reviewed for Art.30 scenario provisions
- Documentation portability clause included
- Transfer cooperation obligation included
- Immediate notification obligation on status change proceedings included
Operational
- Backup notified body identified and relationship established
- Technical documentation maintained in transfer-ready format
- Certificate expiry calendar maintained with renewal lead times
- Art.30 scenario included in CRA compliance risk register
Key Takeaways
For Class II manufacturers: Art.30 creates the mechanism by which the notified body market self-corrects. The risk to you is real but manageable. Build NANDO monitoring into your compliance program, create contractual protections in your mandates, and identify backup bodies before you need them.
For conformity assessment bodies: Art.30 means your notification is not permanent. The monitoring obligations are ongoing, and the notification authority can act on audit findings. Invest in maintaining the competency and independence standards that justified your initial notification.
For everyone: the CRA creates a new regulated market for conformity assessment that will take several years to mature. The bodies operating in 2027 will not all still be operating in 2030 with the same notification scope. Plan for a dynamic environment, not a static one.
Further Reading
- CRA Art.29: Notification Procedure — NANDO, Commission Objection — How notifications are created before they can be changed
- CRA Art.28: Application for Notification — What bodies must demonstrate to receive notification
- CRA Art.27: NB Subsidiaries & Subcontracting — How NBs can delegate work and the limits on delegation
- CRA Art.25: Conformity Assessment Procedures — Which assessment module applies to which product class
- CRA Art.31: Operational Obligations of Notified Bodies — how NBs operate, what certificates must contain, and what happens after assessment
- CRA Art.32: Market Surveillance Authorities — how national authorities enforce CRA compliance, including NB certificate oversight