Source: OJ L 2024/2847, 20.11.2024

Current language: EN

Article 47 Operational obligations of notified bodies


Summary: What does Article 47 of the CRA regulation say?

This article governs how notified bodies must conduct conformity assessments under the Cyber Resilience Act.

It sets out both the procedural framework — referencing Article 32 and Annex VIII — and the behavioural standards expected of these bodies.

The article strikes a balance between flexibility and rigour: assessments must be tailored to the realities of the businesses being assessed, but this cannot come at the expense of the protection standards the regulation demands.

The article also addresses what notified bodies must do when non-compliance is detected, both before and after a certificate has been issued.

Important points:

  • Notified bodies are required to conduct conformity assessments in a proportionate manner, taking into account factors such as the size of the undertaking, its sector, and the cybersecurity risk level of the product — with particular consideration for microenterprises and SMEs.
  • Notified bodies must not issue a certificate of conformity where a manufacturer has failed to meet the essential cybersecurity requirements, and must instead require corrective measures.
  • Notified bodies retain ongoing monitoring obligations after issuing a certificate, and must suspend or withdraw it — and ultimately restrict or revoke it — if corrective measures are not taken or prove ineffective.

Springlex's summary of the article is a reading aid, not a substitute for the legal text, which follows.

    1. Notified bodies shall carry out conformity assessments in accordance with the conformity assessment procedures provided for in Article 32 and Annex VIII.

    2. Conformity assessments shall be carried out in a proportionate manner, avoiding unnecessary burdens for economic operators. Conformity assessment bodies shall perform their activities taking due account of the size of undertakings, in particular as regards microenterprises and small and medium-sized enterprises, the sector in which they operate, their structure, their degree of complexity and the cybersecurity risk level of the products with digital elements and technology in question and the mass or serial nature of the production process.

    3. Notified bodies shall however respect the degree of rigour and the level of protection required for the compliance of products with digital elements with this Regulation.

    4. Where a notified body finds that the requirements set out in Annex I or in corresponding harmonised standards or common specifications as referred to in Article 27 have not been met by a manufacturer, it shall require that manufacturer to take appropriate corrective measures and shall not issue a certificate of conformity.

    5. Where, in the course of the monitoring of conformity following the issuance of a certificate, a notified body finds that a product with digital elements no longer complies with the requirements laid down in this Regulation, it shall require the manufacturer to take appropriate corrective measures and shall suspend or withdraw the certificate if necessary.

    6. Where corrective measures are not taken or do not have the required effect, the notified body shall restrict, suspend or withdraw any certificates, as appropriate.
