Front Page: NCSC-FI

There are significant business opportunities for notified bodies, as there may be a large number of products across Europe requiring assessment. Insufficient assessment capacity poses a risk to products entering the market. 

The provisions relating to notified bodies become applicable 18 months after the regulation enters into force, i.e. on 11 June 2026. 

This page describes how a conformity assessment body can apply for designation as a notified body under the European Union’s Cyber Resilience Act (EU) 2024/2847 (CRA). We will supplement these pages with more detailed guidance as the requirements are clarified.

How to apply to become a notified body under the CRA

Approval as a notified body requires the organisation to meet all applicable requirements of EU legislation and standards. Compliance is demonstrated through a two-stage procedure consisting of: 

  1. accreditation, i.e. recognition of competence, and 
  2. a review by the notifying authority.

Accreditation means a third-party recognition of competence by a national accreditation body confirming that a conformity assessment body meets the applicable requirements laid down in harmonised standards. Accreditation is regulated by Regulation (EC) No 765/2008 of the European Parliament and of the Council (NLF Regulation). According to the NLF Regulation, accreditation is the primary means of demonstrating the competence of a notified body. In Finland, the national accreditation body is FINAS.

The review by the notifying authority is based on the information and documents that the conformity assessment body submits in its application; the authority makes its decision on that basis. An application to become a notified body is therefore submitted to the notifying authority. When making its decision, the notifying authority relies on the accreditation carried out by the FINAS accreditation service.

The notifying authority is responsible for entering the details of notified bodies into the NANDO database maintained by the European Commission. The notification procedure is further specified in Article 43 of the CRA. The notifying authority monitors the activities of notified bodies.

The national implementation of the CRA is under way. The implementation will set out, among other things, the official duties under the CRA, such as those of the notifying authority. The progress of the implementation can be followed via the gateway to information on government projects (“hankeikkuna” in Finnish). 

Applying to become a notified body under the CRA

  1. The conformity assessment body applies for accreditation. Accreditation is sought from the national accreditation body (in Finland, FINAS).
  2. FINAS accreditation process. FINAS processes the application, assesses the competence of the conformity assessment body and makes an accreditation decision.
  3. The conformity assessment body submits a notification application. The application is submitted to the notifying authority.
  4. The notifying authority processes the application. In its decision, the authority considers compliance with the requirements and notifies the Commission of the body’s details.
  5. The Commission publishes the details of the notified body.

Requirements for a notified body

A notified body must meet: 

  1. the competence requirements laid down for accreditation, and 
  2. the obligations set out in the CRA. These obligations are laid down in Articles 39, 49 and 51 and in Annex VIII of the CRA. 

In Finland, the tasks of notified bodies are considered a public administrative duty, meaning that the notified body must also comply with the general laws governing public administration. 

The personnel of a notified body are required to have appropriate knowledge and understanding of the essential cybersecurity requirements laid down in Annex I to the CRA, the applicable harmonised standards and common specifications, as well as the relevant provisions of Union harmonisation legislation and implementing acts.

CEN-CENELEC and ETSI have launched the preparation of harmonised standards under the CRA. Companies have the opportunity to participate in the standardisation work, which is a good way to influence the requirements and prepare for the activities of a notified body. 

In Finland, standardisation is coordinated by Finnish Standards (SFS), Sesko and Traficom. It is important to note that participation in standardisation work may be subject to fees.
