2026-04-20·13 min read·

CRA Art.31: What Notified Bodies Must Actually Do — Operational Obligations, Certificates, and What Class II Manufacturers Can Expect (Developer Guide 2026)

Most CRA guidance for manufacturers focuses on what you need to prepare: technical documentation, SBOM, vulnerability handling processes, security-by-design evidence. Less attention goes to what the notified body on the other side of the table is legally required to do.

That's a gap. Understanding a notified body's operational obligations under CRA Article 31 directly affects how you manage the conformity assessment process — what you can demand from the NB, what records they must keep, how they must handle your certificate, and what recourse you have if the process breaks down.

Article 31 sets the operational floor for all CRA-designated notified bodies. It covers how they conduct assessments, what documentation they must maintain, how they issue and manage certificates, their transparency and reporting obligations, and how they must cooperate with national authorities and the Commission.

The Purpose of Article 31 in the CRA Structure

Articles 26 through 30 create the notified body system: requirements for designation (Art.26), subsidiaries and subcontracting rules (Art.27), the application and notification process (Arts.28-29), and the grounds for changing notification status (Art.30).

Article 31 shifts from who can be a notified body to what a notified body must do. It governs the ongoing conduct of designated bodies in performing their CRA-mandated functions.

For manufacturers, this matters because:

It defines the minimum standard of service you're entitled to expect from any CRA-designated NB
It establishes documentation requirements that affect what the NB must provide to you and to authorities
It governs how your certificate can be issued, suspended, or withdrawn — independent of your own compliance
It sets the rules for how NBs cooperate with each other and with ENISA, which affects multi-jurisdictional certification strategies

Core Operational Obligations Under Art.31

Conduct Assessments in Conformity with CRA Requirements

The foundational obligation: notified bodies must perform conformity assessments in accordance with the procedures established under the CRA. This means following the Annex VIII modules appropriate to the product class (Module B+C, Module D, Module H, or the full QMS approach).

In practice this means:

The NB cannot shortcut the technical examination. For Class II products, a notified body performing a Module B examination must actually evaluate the technical documentation, test the product against the essential requirements in Annex I, and form an independent technical judgment. Rubber-stamping documentation without substantive review is not compliant with Art.31.

The scope must match the assessment type. If a manufacturer applies for a certificate covering a specific product range, the NB's assessment scope must correspond to that range. It cannot issue certificates for products not covered by the examination.

The assessment must be current. Where a manufacturer makes significant changes to a product covered by an existing certificate, Art.31 requires the NB to re-evaluate whether the changes affect the certificate's validity — this links directly to Art.20 (substantial modification) obligations on the manufacturer's side.

Maintain Adequate Technical Competence

NBs are required to maintain — on an ongoing basis — the technical competence to assess the products within their notified scope. This is not a one-time gate at designation.

For manufacturers, this creates a practical check: if an NB has been designated for assessment of products in a technical domain (say, HSMs with hardware security features requiring specific cryptographic expertise), the body must maintain staff who can actually evaluate those products. An NB that loses key technical staff may no longer be competent to issue certificates in that area, even if their overall notification status is unchanged.

When selecting an NB, you can — and should — assess their demonstrated competence in your specific product domain. Art.31 gives you a legal basis to expect competence, not just designation.

Documentation and Record-Keeping

Article 31 establishes documentation obligations that run in parallel with your own technical documentation requirements as a manufacturer.

Assessment records: The NB must maintain records of all conformity assessments performed — the evidence reviewed, tests conducted, findings made, and reasoning behind the certification decision. These records must be retained for a period sufficient to support post-market surveillance activities and regulatory investigations.

Certificate registers: All certificates issued, modified, suspended, or withdrawn must be recorded. This includes the reasoning for any certificate action, particularly adverse actions that restrict or remove certification.

Access for authorities: Notification authorities and national market surveillance authorities have access rights to the NB's records. If a regulator is investigating a product that holds a CRA certificate, the NB must be able to produce the underlying assessment records on request.

The practical implication: when a certificate is issued, the NB's records are the evidentiary foundation for your CE marking. Those records must be preserved and must accurately reflect the assessment that was actually conducted.

Certificate Issuance and Management

This is the operational core of Art.31 for most manufacturers — the rules governing how NBs issue, maintain, and revoke CRA conformity certificates.

Certificate Content Requirements

A CRA certificate issued under Art.31 must include:

Identification of the manufacturer and the product covered
The scope of the certificate (technical specifications, product range boundaries)
The assessment modules applied and the standards referenced
Validity period and conditions for renewal
The NB's identification number (assigned by the Commission)
Any conditions or limitations on the certificate

The completeness of this information matters because CE marking validity depends on the certificate. If the certificate scope is ambiguous, it creates compliance risk when the product reaches market.

Certificate Modifications

When a manufacturer notifies the NB of product changes under Art.20 procedures, or when the NB identifies issues through post-issuance monitoring, the certificate may need to be modified. Art.31 requires the NB to evaluate modification requests and either:

Issue a supplementary certificate or modified scope document
Require a new assessment if the changes are substantial enough
Indicate that the changes fall within the existing certificate scope

The NB cannot simply ignore modification notifications. Receiving a change notification triggers an obligation to evaluate and respond.

Certificate Suspension and Withdrawal by the NB

This is the part of Art.31 most manufacturers overlook — the NB's own power to suspend or withdraw your certificate, independently of the manufacturer's actions.

Art.31 permits (and in some cases requires) the NB to suspend or withdraw a certificate when:

Evidence of non-compliance emerges: If post-market surveillance information, ENISA incident reports, or the NB's own monitoring reveals that a certified product has cybersecurity vulnerabilities or non-conformities that were not identified during the original assessment, the NB must re-evaluate. If re-evaluation confirms the certificate was granted in error or that the product no longer meets the essential requirements, suspension or withdrawal follows.

The manufacturer fails to cooperate: Certificate holders have ongoing obligations to notify the NB of significant changes and to cooperate with NB monitoring activities. If a manufacturer obstructs or fails to respond to NB inquiries, Art.31 supports certificate action.

The assessment basis changes: Where the harmonised standards referenced in the certificate are updated, or where technical guidance from ENISA materially changes the interpretation of essential requirements, the NB may need to revisit certificates issued under the prior standards. This creates a time-bound validity consideration even for certificates that are technically still in their original validity period.

Transparency and Reporting Obligations

Communication with Notification Authorities

NBs have ongoing reporting obligations to the national authority that designated them. This includes:

Periodic performance reports on assessment activities
Immediate notification of any situation where the NB believes it may no longer meet the requirements for designation
Reporting of manufacturer non-compliance situations that may require market surveillance intervention

ENISA and Commission Cooperation

The CRA creates a centralized oversight layer for notified bodies through ENISA and Commission coordination mechanisms. Art.31 NBs must:

Participate in coordination activities among notified bodies (the NB coordination group established under the CRA)
Share assessment methodologies and technical guidance to ensure consistency across the internal market
Contribute to ENISA's knowledge base on cybersecurity assessment approaches
Report to ENISA where significant cybersecurity vulnerabilities are discovered during assessment that may have systemic implications

This coordination function matters for manufacturers because it means NB assessment practices are not fully siloed. An assessment decision by one NB on a particular product category creates precedent that other NBs are expected to follow, supporting consistency across the single market.

Public Information Requirements

NBs must make certain information publicly available, including:

Their notification scope and the CRA modules they are accredited to apply
The categories of products they assess
The general structure of their assessment processes

This transparency allows manufacturers to evaluate NB capabilities before engaging them, and supports competition in the conformity assessment market.

The NB Coordination Group: Why It Matters

One underappreciated aspect of Art.31 is its role in establishing the notified body coordination mechanism. The CRA requires designated NBs to participate in a sector-specific coordination group facilitated by ENISA.

The NB coordination group serves several functions:

Harmonisation of interpretation: Different NBs may initially interpret the essential requirements in Annex I differently. The coordination group is the mechanism for resolving divergences and building consistent assessment practice across the single market.

Sharing of technical findings: Where an NB encounters a novel technical challenge — say, assessing a new class of hardware security module with an unusual architecture — the coordination group allows findings to be shared so that other NBs benefit from the analysis.

Prevention of assessment shopping: Without coordination, manufacturers could seek certification from whichever NB applies the most permissive interpretation of the requirements. The coordination group reduces the scope for this by aligning NB approaches.

For Class II manufacturers, the existence of NB coordination means the certification landscape will become more consistent over time. In the early years of CRA implementation (2025-2027), expect more variation in NB approaches. As the coordination group matures, assessment expectations will converge.

What This Means for Class II Manufacturers: Practical Guidance

Due Diligence When Selecting an NB

Art.31 obligations give you a framework for evaluating potential NBs before engaging them:

Verify demonstrated competence in your product domain. Ask for examples of prior assessments in your technical area. An NB designated for HSM assessment should have assessors with cryptographic engineering backgrounds — ask to verify.

Ask about their record-keeping practices. How long do they retain assessment records? In what format? What access will you have to your own assessment documentation? Their answers reveal how seriously they take the Art.31 documentation obligations.

Understand their certificate management processes. What triggers a certificate review after issuance? How do they handle change notifications under Art.20? How do they communicate with manufacturers if certificate suspension becomes necessary?

Check their coordination group participation. Active NB coordination group participants are more likely to have current, harmonised assessment methodologies.

Managing Certificate Continuity Risk

One risk that Art.31 creates for manufacturers is NB-side certificate action. Your product may be fully compliant, but if the NB's own status changes (under Art.30) or if the NB identifies a post-issuance issue (under Art.31), your certificate can be affected.

Mitigation strategies:

Choose established, well-capitalised NBs. New market entrants in the CRA space carry higher suspension/withdrawal risk. Established bodies with existing EUCC, Common Criteria, or other security certification experience have demonstrated sustainability.

Build review triggers into your NB contracts. Contractually require the NB to notify you before any certificate suspension action, with a defined period for response or remediation.

Consider multi-body strategies for critical products. For high-value Class II products where market access disruption is costly, some manufacturers obtain certificates from two NBs under different modules, providing redundancy.

Track harmonised standard updates. Monitor CEN/CENELEC and ETSI work programmes for updates to the EN 18031 series and other CRA-relevant standards. Standard updates may trigger NB certificate reviews — knowing in advance allows proactive re-assessment before forced action.

Handling Certificate Disputes

If an NB suspends or withdraws your certificate and you believe the action is unwarranted, Art.31 establishes the dispute pathway:

Internal NB complaints process: All Art.31 NBs must have a documented internal complaints and appeals process. This is the first step — file a formal complaint with the NB.
Notification authority escalation: If the internal process doesn't resolve the dispute, escalate to the national notification authority. They have oversight responsibility for the NB's conduct under Art.31.
ENISA coordination channel: For systemic issues affecting multiple manufacturers or involving divergent NB practice, the ENISA-facilitated coordination mechanism is an appropriate escalation path.
Market surveillance authority: Where a certificate dispute affects your ability to place conforming products on the market, national market surveillance authorities can investigate whether the NB's action was procedurally correct.

Python: CRA Notified Body Assessment Tracker

For Class II manufacturers managing NB relationships across multiple products or jurisdictions, tracking assessment status, certificate validity, and change notifications becomes operationally complex. This Python class provides a structure for managing it:

from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class CertificateStatus(Enum):
    ACTIVE = "active"
    SUSPENDED = "pending_review"
    WITHDRAWN = "withdrawn"
    EXPIRED = "expired"
    RENEWAL_DUE = "renewal_due"


class AssessmentModule(Enum):
    MODULE_B_PLUS_C = "B+C"
    MODULE_D = "D"
    MODULE_H = "H"
    FULL_QMS = "QMS"


@dataclass
class NBCertificate:
    certificate_id: str
    nb_name: str
    nb_identification_number: str
    product_name: str
    product_scope: str
    assessment_module: AssessmentModule
    issue_date: date
    expiry_date: date
    status: CertificateStatus = CertificateStatus.ACTIVE
    referenced_standards: list[str] = field(default_factory=list)
    conditions: list[str] = field(default_factory=list)
    last_nb_contact: Optional[date] = None
    pending_change_notifications: list[str] = field(default_factory=list)

    def days_to_expiry(self) -> int:
        return (self.expiry_date - date.today()).days

    def renewal_due(self, lead_days: int = 90) -> bool:
        return self.days_to_expiry() <= lead_days

    def status_summary(self) -> dict:
        return {
            "certificate_id": self.certificate_id,
            "nb": self.nb_name,
            "product": self.product_name,
            "status": self.status.value,
            "expiry": self.expiry_date.isoformat(),
            "days_remaining": self.days_to_expiry(),
            "renewal_action_needed": self.renewal_due(),
            "pending_change_notifications": len(self.pending_change_notifications),
            "overdue_change_notifications": self._overdue_notifications(),
        }

    def _overdue_notifications(self) -> list[str]:
        # Flag change notifications older than 30 days without NB response
        return [
            n for n in self.pending_change_notifications
            if "submitted" in n.lower()
        ]


class CRANotifiedBodyTracker:
    """Tracks Art.31 compliance status across NB relationships."""

    def __init__(self):
        self.certificates: dict[str, NBCertificate] = {}
        self.nb_monitoring: dict[str, dict] = {}

    def register_certificate(self, cert: NBCertificate) -> None:
        self.certificates[cert.certificate_id] = cert

    def flag_change_notification(
        self, certificate_id: str, change_description: str
    ) -> None:
        """Record that a manufacturer change notification has been sent to NB."""
        if certificate_id in self.certificates:
            notification = (
                f"submitted:{date.today().isoformat()} — {change_description}"
            )
            self.certificates[certificate_id].pending_change_notifications.append(
                notification
            )

    def resolve_change_notification(
        self, certificate_id: str, resolution: str
    ) -> None:
        """Mark change notification as resolved after NB response."""
        if certificate_id in self.certificates:
            cert = self.certificates[certificate_id]
            cert.pending_change_notifications = [
                n for n in cert.pending_change_notifications
                if "submitted" not in n.lower()
            ]
            cert.last_nb_contact = date.today()
            print(f"Change notification resolved: {resolution}")

    def audit_dashboard(self) -> list[dict]:
        """Generate Art.31 compliance overview for all certificates."""
        results = []
        for cert in self.certificates.values():
            summary = cert.status_summary()
            summary["risk_flags"] = self._assess_risk(cert)
            results.append(summary)
        return sorted(results, key=lambda x: x["days_remaining"])

    def _assess_risk(self, cert: NBCertificate) -> list[str]:
        flags = []
        if cert.days_to_expiry() < 90:
            flags.append("RENEWAL_REQUIRED")
        if cert.days_to_expiry() < 0:
            flags.append("EXPIRED — CE marking invalid")
        if cert.status != CertificateStatus.ACTIVE:
            flags.append(f"STATUS_ISSUE: {cert.status.value}")
        if cert.pending_change_notifications:
            flags.append(
                f"PENDING_CHANGE_NOTIFICATION: {len(cert.pending_change_notifications)} outstanding"
            )
        if cert.last_nb_contact and (
            date.today() - cert.last_nb_contact
        ).days > 180:
            flags.append("NB_CONTACT_OVERDUE — check Art.31 monitoring compliance")
        return flags


# Usage example
tracker = CRANotifiedBodyTracker()

tracker.register_certificate(NBCertificate(
    certificate_id="CRA-2027-HSM-001",
    nb_name="TÜV SÜD",
    nb_identification_number="0123",
    product_name="SecureHSM v3",
    product_scope="Hardware Security Module — Class II CRA",
    assessment_module=AssessmentModule.MODULE_B_PLUS_C,
    issue_date=date(2027, 3, 15),
    expiry_date=date(2032, 3, 14),
    referenced_standards=["EN 18031-1:2024", "EN 18031-3:2024"],
))

dashboard = tracker.audit_dashboard()
for item in dashboard:
    print(f"{item['certificate_id']}: {item['status']} — {item['days_remaining']}d remaining")
    if item['risk_flags']:
        print(f"  RISK: {', '.join(item['risk_flags'])}")

Art.31 in the CRA Article Chain

Article 31 sits at the end of the notified body chain that runs from Art.26 through Art.31:

Art.26 — Who can be a notified body (independence, competence, financial stability)
Art.27 — Subsidiaries and subcontracting within NB structures
Art.28 — How CABs apply for notification
Art.29 — How notification authorities notify the Commission (NANDO)
Art.30 — How notifications can be changed, restricted, or withdrawn
Art.31 — What designated bodies must actually do in practice

After Art.31, the CRA moves into the oversight and market surveillance framework (Arts.32+) which governs how national authorities monitor the market for compliant products, how ENISA contributes to technical oversight, and how the Commission coordinates across member states.

For manufacturers, Art.31 is the last article in the "your conformity assessment provider" chain. Once you understand what your NB is required to do, and what rights you have in the NB relationship, you can engage the conformity assessment process from a position of knowledge rather than dependency.

Art.31 Compliance Checklist for Class II Manufacturers

Use this before and during your NB engagement:

Before Selecting an NB

Verify NB holds notification for your specific product scope (NANDO database)
Confirm NB has demonstrable technical competence in your product domain
Request NB participation record in CRA NB coordination group
Review NB's published assessment process documentation
Confirm NB's record-retention policies for assessment documentation
Understand NB's certificate management and change-notification process
Clarify NB's internal complaints and appeals procedure

During Assessment

Confirm scope of assessment matches your CE marking intent
Request documentation of standards applied and test methods used
Ensure certificate content includes all Art.31 required elements
Obtain copies of NB assessment records supporting the certificate
Establish communication protocol for future change notifications

After Certificate Issuance

Set renewal reminder 90 days before certificate expiry
Monitor CEN/CENELEC/ETSI updates to referenced standards
Report significant product changes to NB under Art.20 procedures
Track NB's own Art.30 notification status via NANDO
Maintain internal log of all NB communications

If Certificate Issues Arise

Use NB internal complaints process first
Escalate to national notification authority if unresolved
Engage market surveillance authority if market access is affected
Document all steps and timelines for regulatory purposes