Source: OJ L 2024/2847, 20.11.2024Current language: EN
- Cyber resilience for products with digital elements
Basic legislative acts
- CRA regulation
Article 35 Notification
Summary What does Article 35 of the CRA regulation say?
This brief but practically important article opens the chapter on notified bodies by establishing two foundational obligations for Member States.
It sets up the notification mechanism — whereby Member States must inform the Commission and each other about bodies authorised to carry out conformity assessments — and it introduces a capacity goal, requiring Member States to work toward having enough of these bodies in place by a specific date.
The article connects directly to the conformity assessment framework established elsewhere in the regulation, as notified bodies are the entities that assess whether products with digital elements meet the essential cybersecurity requirements set out in Annex I.
Important points:
- Member States are required to notify the Commission and all other Member States of any bodies authorised to conduct conformity assessments under this Regulation.
- Member States must strive to ensure a sufficient number of notified bodies exist in the Union by 11 December 2026.
- The sufficiency requirement is explicitly aimed at preventing bottlenecks and hindrances to market entry.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
Member States shall notify the Commission and the other Member States of bodies authorised to carry out conformity assessments in accordance with this Regulation.
Member States shall strive to ensure, by 11 December 2026 that there is a sufficient number of notified bodies in the Union to carry out conformity assessments, in order to avoid bottlenecks and hindrances to market entry.
Relevant recitals
Recital 95 Ensuring enough notified bodies
In order to ensure a smooth application of this Regulation, Member States should strive to ensure, before the date of application of this Regulation, that a sufficient number of notified bodies is available to carry out third-party conformity assessments. The Commission should seek to assist Member States and other relevant parties in this endeavour, in order to avoid bottlenecks and hindrances to market entry for manufacturers. Targeted training activities led by Member States, including where appropriate with the support of the Commission, can contribute to the availability of skilled professionals including to support the activities of notified bodies under this Regulation. Furthermore, in light of the costs that third-party conformity assessment may entail, funding initiatives at Union and national level that seek to alleviate such costs for microenterprises and small enterprises should be considered.
Recital 98 Notification of conformity assessment bodies
In order to carry out third-party conformity assessment for products with digital elements, conformity assessment bodies should be notified by the national notifying authorities to the Commission and the other Member States, provided they comply with a set of requirements, in particular on independence, competence and absence of conflicts of interest.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definition
component
Definition
cybersecurity
Definition
manufacturer
Definition
notified body
Definition
Union harmonisation legislation
Definition
product with digital elements
Definition
conformity assessment
Definition
microenterprises
Definition
remote data processing
Definition
conformity assessment body
Definition
notifying authority
Definition
electronic information system
Definition
hardware
Definition
software