Skip to main content
National Cyber Security Center
Report incidents
Report incidents
Report incidents

Apply to become a notified body under the CRA

You can apply for approval as a notified body under the Cyber Resilience Act (CRA) if your organisation meets the requirements set for notified bodies.

On this page

Notified bodies may have significant business opportunities because there may be a large number of products requiring assessment across Europe.  

The CRA provisions concerning notified bodies will apply from 11 June 2026. 

When can you apply to become a notified body under the CRA?

You can apply for approval if your organisation is a conformity assessment body and meets the applicable requirements laid down in European Union legislation and standards.

Compliance is demonstrated in two stages:

  • accreditation, meaning the attestation of competence  
  • assessment by the notifying authority. 

How to apply to become a notified body under the CRA

  1. Step 1

    Apply for accreditation

    Apply for accreditation from Finland’s national accreditation body, FINAS Finnish Accreditation Service.

  2. Step 2

    Wait for the accreditation decision by FINAS

    FINAS will process the application, assess the competence of the conformity assessment body and make an accreditation decision. 

  3. Step 3

    Submit an application to the notifying authority

    Submit an application for notification to the notifying authority, the Finnish Transport and Communications Agency Traficom. Based on the information provided in the application and the documents submitted with it, the notifying authority will assess whether the conditions for designation as a notified body are met.

    Attach to the application the accreditation certificate issued by FINAS, the reports on the accreditation assessment and information on any use of subcontracting. 

  4. Step 4

    Wait for the notifying authority’s decision

    Traficom will use the accreditation carried out by FINAS when processing the matter, assess whether the requirements laid down in legislation are met and make a decision on the matter. 

  5. Step 5

    Wait for the information to be published

    The notifying authority will notify the European Commission and the other EU Member States of the approved body’s information. 

    At this stage, the Commission and the other Member States may still raise objections within the set period before the body can operate as a notified body. 

    Up-to-date information on notified bodies is published in the NANDO system maintained by the European Commission. 

We will soon add a link to the e-service on this page.

You need a Suomi.fi mandate to use the e-service

Identify yourself in the service using Suomi.fi e-Identification. You need the Suomi.fi mandate “Submitting applications related to conformity assessment bodies under cybersecurity regulation” to act on behalf of an organisation.

What happens after approval and notification? 

As a notified body under the CRA, the assessment body can carry out conformity assessments under the CRA.

The notifying authority supervises the notified body to ensure that it operates in accordance with the requirements and continues to meet the conditions set for it after notification. If the requirements are no longer met, the notification may need to be amended or it may be withdrawn.

Requirements for notified bodies

In addition to competence requirements, meaning requirements related to accreditation, notified bodies are also subject to other requirements and obligations. These are laid down in, for example, Articles 39, 49 and 51 of the CRA and Annex VIII.

In Finland, the tasks of a notified body are considered public administrative tasks. Notified bodies must therefore comply with the general acts on administration.

The personnel of a notified body must have appropriate knowledge and understanding of

  • the essential cybersecurity requirements set out in Annex I to the CRA  
  • the applicable harmonised standards  
  • common specifications  
  • the provisions of Union harmonisation legislation and implementing acts.

European Accreditation recommends the accreditation standard EN ISO/IEC 17065 for module B+C and the accreditation standard EN ISO/IEC 17021-1 for module H.

Standardisation work can support preparations for the tasks of a notified body

The preparation of harmonised standards for the CRA is under way. Participating in standardisation work can help an assessment body monitor how the requirements are developing and prepare for the activities of a notified body.

In Finland, standardisation is coordinated by SFS Finnish Standards, SESKO and Traficom. Please note that participating in standardisation work may be subject to a fee.

More information on the CRA requirements

The CRA has required supplementary national regulation. The related national act, Act 439/2026, entered into force on 1 June 2026.

More detailed provisions on applications for notification and the notification procedure are laid down in chapter 3 of the Act.

Page was last updated