
Notified bodies for CRA Class II and Critical products: who they are, when third-party assessment is mandatory, and what Article 39 requires of them

Article 32(3) makes third-party conformity assessment mandatory for every product listed in Annex III, Class II of Regulation (EU) 2024/2847 — hypervisors and container runtimes, firewalls and intrusion detection/prevention systems, tamper-resistant microprocessors, tamper-resistant microcontrollers. Article 32(4) goes further for Critical products in Annex IV: a European cybersecurity certificate may be required by delegated act under Article 8. Article 39 sets the requirements that notified bodies themselves must meet — independence, competence, professional secrecy. Chapter IV applies from 11 June 2026. This page explains what to expect from your notified body and what dossier they will examine. CRACheck produces that dossier.


€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Regulation (EU) 2024/2847 · Art. 32(3) Class II · Art. 32(4) Critical · Art. 39 notified bodies · 100% browser-side

Three thresholds you cannot avoid

  • Class II. Annex III: hypervisors, firewalls/IDS, tamper-resistant MCU/MPU — third-party mandatory (Art. 32(3))
  • Critical. Annex IV: hardware with security boxes, smart-meter gateways, smartcards/secure elements (Art. 32(4))
  • 11 Jun 2026. Chapter IV (notified bodies) applies (Art. 71(2))

How third-party conformity assessment works

These are the steps a Class II or Critical manufacturer follows from notified-body selection to the EU declaration of conformity.

1. Confirm classification
Verify your product is genuinely in Annex III Class II or Annex IV. The four Class II categories are: (1) hypervisors and container runtimes, (2) firewalls and IDS/IPS, (3) tamper-resistant microprocessors, (4) tamper-resistant microcontrollers. The three Critical categories are: (1) hardware devices with security boxes, (2) smart-meter gateways, (3) smartcards and similar devices including secure elements.

2. Choose a notified body
Notified bodies are listed in the New Approach Notified and Designated Organisations (NANDO) information system maintained by the Commission (Art. 44). From 11 June 2026, Member States can notify bodies under the CRA. Member States shall strive to ensure a sufficient supply by 11 December 2026 (Art. 35(2)).

3. Lodge the application
Annex VIII, Part II, point 3: submit the application to one notified body of your choice. It must include the technical documentation per Annex VII, supporting evidence for design and vulnerability-handling solutions, and a written declaration that the same application has not been lodged with any other notified body.

4. Choose your module: B+C or H
Annex VIII, Part II + III (Module B + Module C) splits design examination (notified body) from production conformity (manufacturer). Annex VIII, Part IV (Module H) is full quality assurance: the notified body assesses your whole quality management system. H is more upfront work but proportionate for serial production.

5. Notified body examination
The notified body examines the technical documentation and supporting evidence, verifies specimens, carries out or commissions tests, and assesses the vulnerability handling processes against Annex I, Part II. If solutions deviate from harmonised standards, the body verifies that the alternative solutions meet the essential requirements (Annex VIII, Part II, point 4).

6. EU-type examination certificate (Module B)
Where the type and the vulnerability handling processes meet the requirements, the notified body issues an EU-type examination certificate (Annex VIII, Part II, point 6). The certificate may have annexes, validity conditions, and identification data.

7. CE marking with notified body number
Article 30(4): when Module H is used, the CE marking is followed by the identification number of the notified body. The notified body itself — or the manufacturer under its instructions — affixes the number.

8. Ongoing surveillance
Annex VIII, Part II, point 8 — the notified body carries out periodic audits to ensure that vulnerability handling processes (Annex I, Part II) are implemented adequately. Module H adds surveillance of the full quality system (Part IV, point 4).

Common mistakes

MODULE A MISUSE

“We will self-assess our firewall product”

Not permitted. Article 32(3) makes third-party assessment mandatory for every Class II product — firewalls and intrusion detection/prevention systems are explicitly in Annex III, Class II, point 2. Module A is not available for Class II regardless of which standards you apply. The only options are Module B+C, Module H, or an EU cybersecurity certificate at assurance level ‘substantial’ or higher.

NB CAPACITY DENIAL

“We will book a notified body in October 2027”

There may not be one available. Notified bodies need accreditation under Regulation (EC) No 765/2008 and notification via NANDO; Member States shall strive to ensure sufficient capacity by 11 December 2026 (Art. 35(2)), but capacity will be tight throughout 2027. Engage early.

CRITICAL UNDERSTATEMENT

“Our secure element is just a Class II microcontroller”

Annex IV, point 3 specifically lists ‘smartcards or similar devices, including secure elements’ as Critical. Article 32(4) allows for European cybersecurity certification under a delegated act of Article 8, which is a more demanding regime than Class II under Article 32(3). Classify carefully — misclassification voids the dossier.


Choose your licence

One-time payment. No subscription. The downloaded dossier is yours forever.

1 PRODUCT: €149 / product
  • 8-document CRA dossier (ZIP)
  • Product Classifier + Technical Documentation
  • Risk Assessment + User Information
  • 10 regenerations · 30 days
  • 1 licence = 1 product

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

1. Product Classifier
Determines whether your product is Default, Important Class I, Important Class II (Annex III) or Critical (Annex IV). Documents the rationale and the applicable conformity assessment procedure under Article 32.

2. Technical Documentation
Article 31 + Annex VII dossier. Product description, design and development, vulnerability handling processes, risk assessment, list of harmonised standards applied, conformity solutions.

3. Cybersecurity Risk Assessment
Annex I, Part I analysis. Intended purpose, reasonably foreseeable use, operational environment, applicability of each essential requirement, mitigation measures.

4. User Information & Instructions
Annex II. Manufacturer details, single point of contact, intended purpose, support period end date, secure decommissioning, automatic-update opt-out instructions.

5. EU Declaration of Conformity
Article 28 + Annex V. Pre-structured with your classification, applicable conformity module, harmonised standards or certificates relied on, notified body number when applicable.

6. Coordinated Vulnerability Disclosure Policy
Annex I, Part II, point (5). Single point of contact, intake workflow, triage and remediation timeline, public disclosure rules.

7. ENISA Notification Template
Article 14 reporting. Pre-filled 24h early warning, 72h vulnerability/incident notification, 14-day final report templates.

8. Obligations Calendar
Personalised milestones: Article 14 reporting starts 11 September 2026, full application 11 December 2027, document retention 10 years, support period (Art. 13(8)) end date.

See before you buy — Download sample dossier (PDF, fictional company). Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

NOTIFIED BODY CONFORMITY ASSESSMENT FEES: €15,000–€80,000
Notified-body fees vary widely by module, product complexity and surveillance frequency. Module H surveillance recurs annually. Excludes pre-engagement consultant fees (€8–25k).

CRACHECK — SAME OUTPUT: €149
CRACheck does not replace the notified body. It produces the dossier that the notified body will examine — reducing back-and-forth and consultant pre-engagement hours.

Legal sources

Every article and recital cited on this page comes from the official text of Regulation (EU) 2024/2847 (Cyber Resilience Act), published in the Official Journal of the European Union on 20 November 2024 (ELI: data.europa.eu/eli/reg/2024/2847/oj).

Related: Regulation (EU) 2019/881 (Cybersecurity Act, EUCC) · Directive (EU) 2022/2555 (NIS2) · Regulation (EU) 2019/1020 (market surveillance) · Regulation (EU) 2024/1689 (AI Act).

Important notice

This is not legal advice. CRACheck is structured self-assessment software based on Regulation (EU) 2024/2847. The dossier you download is structured documentation, not a third-party audit or certification.

Class II and Critical products still need a notified body. CRACheck prepares the dossier that the notified body will examine — it does not replace the third-party conformity assessment required by Article 32(3) and Article 32(4).

Maximum liability: the amount you paid for the licence. Always verify your specific situation with your legal counsel.

Frequently asked questions

Which Class II products are listed in Annex III?
Four categories: (1) hypervisors and container runtime systems that support virtualised execution; (2) firewalls and intrusion detection and prevention systems; (3) tamper-resistant microprocessors; (4) tamper-resistant microcontrollers. The integration of one of these in a larger product does not make the larger product Class II — only the core functionality counts (Art. 7(1)).
Can I use Module A for a Class II product?
No. Article 32(3) limits Class II to three procedures: (a) EU-type examination (Module B) followed by conformity to type based on internal production control (Module C); (b) full quality assurance (Module H); or (c) where available and applicable, a European cybersecurity certification scheme under Reg (EU) 2019/881 at assurance level at least ‘substantial’. Module A (internal control) is not available for Class II.
Do I need a notified body for Annex IV Critical products?
Article 32(4) makes the regime even stricter for Critical products. The first option is a European cybersecurity certification scheme under Article 8(1) when such a scheme is adopted and the Commission has issued the corresponding delegated act. If no such scheme is in place, the Critical product falls back to the Class II procedures of Article 32(3). Either route involves third-party assessment.
What does Article 39 require of the notified body itself?
Twelve paragraphs: legal personality and establishment under national law; independence from the products assessed (Art. 39(3)–(4)); top management and assessment staff not involved in design, manufacture or maintenance of the products they assess (Art. 39(4)); professional integrity, freedom from financial pressure (Art. 39(5)); technical knowledge, descriptions of procedures, means and equipment (Art. 39(6)–(7)); impartial remuneration not tied to assessment count (Art. 39(8)); liability insurance (Art. 39(9)); professional secrecy (Art. 39(10)).
Is this a subscription?
No. One-time payment. 30-day editing window. 10 regenerations. The PDF dossier is yours permanently.
Can I request a refund?
Under Article 16(m) of Directive (EU) 2011/83, the act of licence activation constitutes express consent for immediate digital content generation, which removes the right of withdrawal. Refunds are issued only for reproducible technical failures.
What if the regulation changes before I file my dossier?
Regenerate at no additional cost during your licence validity. Substantive amendments to Regulation (EU) 2024/2847 are tracked weekly from EUR-Lex; if a clause you cited is amended, you can regenerate the affected sections.

Walk into the notified body with the dossier already structured.

CRACheck builds the Annex VII technical-documentation package that the notified body will examine under Module B or Module H — mapped one-to-one to Annex I, Parts I and II.
