The EU Cyber Resilience Act (CRA) introduces mandatory cybersecurity requirements for products with digital elements. For many manufacturers, compliance will involve a Cyber Resilience Act Notified Body (NB) or certification under an EU cybersecurity scheme such as EUCC.

Applus+ Laboratories is progressing through the CRA Notified Body accreditation and notification process and already performs CRA-aligned testing and documentation reviews that can be reused later in formal NB assessments. This helps you reduce delays, minimize rework, and keep your development roadmap on track while CRA standards and guidance continue to evolve.
 


The role of a Cyber Resilience Act Notified Body

A CRA Notified Body is an independent, accredited organization designated to perform third-party conformity assessment against CRA essential cybersecurity requirements. In practice, a Notified Body will:

  • Assess your product’s cybersecurity design and architecture against CRA essential requirements
  • Review your technical documentation, including risk assessments, SBOM, etc.
  • Evaluate your vulnerability handling and incident reporting processes.
  • Analyze your path to CE marking by issuing EU-type examination certificates where applicable.

For Important and Critical products, third-party assessment will be required. Specifically for Important Class I, third-party assessment is needed unless harmonized standards become available and allow self-assessment under Module A.

Current status of CRA Notified Bodies

EU member states are currently working on the designation of CRA Notified Bodies. At this stage, formal listings are still pending, but the CRA implementation timeline is already running, and manufacturers cannot wait until the last moment to start preparing.

At Applus+ Laboratories, we have structured our CRA services so that testing and assessments performed today can be partially reused as input for future NB evaluations, once the formal designation is completed. This allows you to start building evidence and closing gaps well before CRA becomes fully applicable.

Harmonized standards: delays, limitations and implications

CRA-specific standards are still under development, and their approval and publication process includes multiple steps. In the short and medium term, this means that:

  • Many Important products that could eventually be self-assessed will still need a Notified Body in practice.
  • Critical products will continue to rely on third-party conformity assessment or cybersecurity certification schemes.
  • Waiting for harmonized standards before acting is likely to result in compressed timelines, higher risk and extra rework.

CRA conformity assessment routes

The CRA offers different conformity assessment routes. The most relevant ones for manufacturers are summarized below.

Module A — Internal Control (Self-Assessment)

Under Module A, the manufacturer performs an internal conformity assessment and issues the EU declaration of conformity without involving a Notified Body.

When is it possible?

  • For the Default category.
  • For the Important Class I category, but only when harmonized standards are available for the product category.

Key limitations:

  • Dependence on external timelines, potentially resulting in limited time buffers for compliance activities.
  • No independent third-party assurance for customers or regulators.
  • High risk of rework if standards, guidance or expectations evolve.

Module B + C — EU-Type Examination + Production Control 

Module B + C is the primary third-party route under the CRA for many products:

  • Module B (EU-type examination): A Notified Body assesses the product’s design, cybersecurity controls and vulnerability-handling processes. If compliant, the NB issues an EU-type examination certificate.
  • Module C (conformity to type based on internal production control): The manufacturer ensures that mass-produced units conform to the approved type and applies CE marking accordingly.

Advantages of Module B + C:

  • Suitable — and often required — for Important and Critical products while harmonized standards are not available.
  • Provides independent, recognized assurance of your product’s cybersecurity.
  • Reduces regulatory and commercial risk compared to purely internal self-assessment.
     

Module H — Full Quality Assurance

Under Module H, conformity is based on the assessment of the manufacturer’s cybersecurity quality management system, covering design, development, production and vulnerability handling, rather than on individual product testing. The system is assessed and subject to ongoing surveillance by a Notified Body, and compliant products bear the CE marking.

Advantages of Module H:

  • Well-suited for large manufacturers with mature cybersecurity and quality management processes.
  • Attractive for software developers with frequent releases and continuous development lifecycles.
  • Reduces the need for repeated product-by-product conformity assessments.
  • Provides a scalable compliance model aligned with the New Legislative Framework.

EU Cybersecurity Act Schemes (CSA/EUCC)

In addition to the CRA-specific modules, certain products — particularly Important and Critical categories — may rely on EU cybersecurity certification schemes under the Cybersecurity Act, such as EUCC.

In practice, this route is particularly suitable for manufacturers that already use EUCC or Common Criteria certification in the market. These products are often classified as Important or Critical under the CRA and typically play a security enabling role for other systems. EUCC builds on existing Protection Profiles and Common Criteria assessments, and can provide strong, reusable evidence of conformity relevant for CRA compliance, especially where presumption of conformity applies and where regulators or security-sensitive customers expect certified assurance.

Further analysis on how EUCC can be used in the context of CRA compliance is discussed in Applus+ Laboratories’ publication based on the EUCC scheme webinar.

Why work with a Notified Body even when it is not mandatory

Even when self-assessment could be legally possible in the future, working with a Notified Body provides significant strategic advantages. As highlighted in the Cyber Global Marketing Plan, the key principle is: “Evaluate now. Reuse later. Reduce rework.”

Benefits of involving a Notified Body:

  • Higher trust for customers, partners and public tenders.
  • Independent validation of your controls, documentation and security posture.
  • Reduced risk of costly redesigns when standards and guidance are finalized.
  • Ability to reuse early testing and assessments once CRA Notified Bodies are formally designated.
  • Better alignment between your development roadmap and regulatory timelines.

Start your CRA evaluation now and reuse it later

You do not need to wait for harmonized standards or official NB listings to begin your CRA journey. Applus+ Laboratories already offers CRA-oriented services that can be reused within future Notified Body and EUCC evaluations, including:

  • CRA-focused cybersecurity risk assessments for products with digital elements.
  • Review of technical documentation and SBOM against CRA expectations.
  • Assessment of vulnerability handling, disclosure and reporting processes.
  • Security and vulnerability testing aligned with upcoming CRA and EUCC requirements.
  • Pre-assessment of Module B + C with a future CRA Notified Body.

This early work creates a solid evidence base that you can build on, rather than starting from zero when CRA enforcement becomes critical.

CRA Notified Body pre-certification services 

Applus+ Laboratories provides a modular portfolio of pre-certification services specifically designed around CRA and future Notified Body assessments:

  • CRA Readiness Assessment: Gap analysis and roadmap to CRA compliance. 
  • Security and Vulnerability Testing: Tailored test plans for Important, Critical and Default products. 
  • CRA NB Pre-Assessment (Module B + C simulation): A structured “mock” evaluation to prepare for the formal NB process. 
  • EUCC Conformity Assessment: High-assurance certification route providing evidence of conformity relevant to CRA requirements for eligible products. 
  • CRA Training Sessions: Targeted training sessions on CRA requirements and their impact on your products. 

Why choose Applus+ Laboratories as your future CRA Notified Body partner 

Applus+ Laboratories combines deep cybersecurity expertise with strong certification credentials: 

  • 250+ cybersecurity experts with extensive experience in security evaluation, certification and penetration testing. 
  • Accredited across 30+ cybersecurity schemes, including EUCC and Common Criteria. 
  • Active contribution to European cybersecurity frameworks through organizations such as ENISA and SCCG. 
  • Global presence across Europe, North America and Asia providing services to international manufacturers. 