EU Notified Bodies: when & why they are required for compliance
Placing a product on the EU market comes with important responsibilities for manufacturers and suppliers. If you are a manufacturer or supplier looking to sell in that market, meeting compliance requirements and understanding when and why you need a Notified Body is critical to your product's legal marketability. With the cybersecurity requirements of the Radio Equipment Directive (RED) becoming mandatory in August 2025, there uncertainty about whether the radio-enabled products should go through third-party certification.
This blog explores what EU Notified Bodies are, their role in compliance, and how manufacturers can engage with them during the product conformity process.
What is a Notified Body?
A Notified Body (NB) is an independent entity appointed by an EU Member State to evaluate if products comply with specific EU regulatory requirements before being placed on the market.
Notified Bodies may be regarded as referees in the compliance process who are qualified to review technical documentation, perform testing, and grant certifications, depending on the legislation involved. While they are not government bodies, they are private or semi-public organizations that meet the EU standards for technical competence and neutrality.
Importance of Notified Bodies in EU compliance
Notified Bodies play a key role in the CE marking process, which declares that a product meets EU regulatory standards for selling within the European Economic Area (EEA).
In the case of Radio Equipment Directive (RED), the CE marking indicates that the product adheres to all applicable EU laws, including safety, electromagnetic compatibility, radio frequency usage, and cybersecurity. While manufacturers can typically opt for self-assessment and apply the CE mark themselves, the RED introduces certain cases where a Notified Body's involvement is required. Notified Bodies are contacted when your radio equipment falls into more complex categories which require advanced cybersecurity controls under the ETSI EN 18031-3 standards, or when self-declaration is not possible due to the absence of harmonized standards. In that case, the Notified Body can establish suitable test specifications and plans and offer support to manufacturers in meeting the necessary market access requirements.
Key responsibilities and functions of Notified Bodies
Notified Bodies play a crucial role in the conformity assessment process. The responsibilities include:
- Review of technical documentation such as product designs, risk assessments, and functional-safety testing.
- Conformity Assessments such as testing against RED's essential requirements (for radio equipment).
- Issuance of certificates which is required for CE Marking.
- Surveillance audits for ongoing compliance and post-market checks.
- Guidance on aligning with harmonised standards or alternatives
A Notified Body is required when:
- A product is classified as high-risk or new technology without prior benchmarks.
- The product falls under a module that requires third-party conformity assessment.
- The manufacturer does not completely follow harmonised standards such as EN 18031 for RED cybersecurity.
Compliance scenario: when third-party involvement becomes mandatory
The Radio Equipment Directive (RED) 2014/53/EU enforces new cybersecurity requirements outlined in Articles 3.3(d), (e), and (f) starting from August 2025. If a manufacturer of a connected smart speaker cannot fully implement the harmonized standard EN 18031 or is a high-risk product such as processing virtual money, then they are required to consult a Notified Body to ensure compliance with RED’s cybersecurity provisions.
Who needs a Notified Body?
Not all products require Notified Body services. However, certain devices like wireless medical implants, industrial IoT systems, or payment-enabled tools like e-wallets typically require oversight because of the high risk and specialized purpose. The RED 2014/53/EU itself mandates Notified Body involvement for equipment under Articles 3.3(a) to (f), especially the new cybersecurity provisions coming into effect in 2025.
- EU Directives/Regulations that require Notified Body involvement:
- Radio Equipment Directive (RED) - for devices with radio modules.
- Medical Device Regulation (MDR) - for medical devices and diagnostics.
- Low Voltage Directive (LVD) - ensures electrical safety of the product and users.
- Electromagnetic Compatibility (EMC) Directive - to ensure devices don’t interfere with or are affected by others.
- Construction Products Regulation (CPR) - structural safety and performance.
- Personal Protective Equipment Regulation (PPE) - safety gear, wearables.
Note: if your product falls under these directives and compliance cannot be met through harmonised standards, you'll need a Notified Body.
Steps to engage a Notified Body for EU compliance
- Determine the compliance to meet: Check your product specifications against applicable directives to determine if Notified Body (NB) involvement is required.
- Select the Notified Body: Consider an accredited NB based on their specialization through the NANDO (New Approach Notified and Designated Organisations) database.
- Prepare the documentation: Technical design files, risk assessments, test reports (e.g., RF, EMC, Cybersecurity).
- Conformity Assessment: The NB reviews the documentation and may conduct independent evaluations and tests. If compliant, the NB will issue an EU-Type Examination Certificate.
- CE Marking: Once certified, you can create the DoC and legally affix the CE mark.
Challenges in working with Notified Bodies
- Manufacturers and stakeholders often encounter a range of challenges in involving Notified Bodies. These include:
- Availability and Hold-ups: Certification can take anywhere from 3-6 months or longer due to the limited number of NBs for certain directives.
- High Costs: The services can range from €5,000 to €50,000+, depending on the product complexity.
- Interpretation of Standards: Some NBs interpret compliance differently, especially for emerging standards like EN 18031, leading to reworks.
- Language/National Barriers: Some NBs operate in non-English jurisdictions, and some require additional requirements based on National regulations adding to complexity of procedures.
To overcome these challenges, it is best advised to start early with pre-compliance checks and partner with a consultant who is familiar with the NB processes. Involving a third-party consultant becomes valuable in helping with pre-validate compliance, prepare technical documentation, and engage the right Notified Body.
With tightening EU regulations incorporating cybersecurity into product safety, manufacturers must take a proactive approach to determine if Notified Body involvement is required.. Although many products can still opt for self-declaration, those that are high-risk or non-compliant with the standards may be legally obligated to undergo assessment by the Notified Body.
As the RED’s cybersecurity requirements become mandatory from August 1, 2025, the pressure is increasing for connected device manufacturers to get their compliance strategy in place. Delaying the engagement of a Notified Body or approaching them unprepared could mean lost time, added expenses, and market access delays.
At Positka, we help you navigate through RED cybersecurity compliance, coordinate directly with Notified Bodies, and ensure your product meets all technical and legal standards for the market.
Our experts can support manufacturers throughout this process by navigating RED compliance, coordinating with Notified Bodies, and ensuring alignment with EU market requirements.
For more information, explore our Radio Equipment Directive (RED) product testing services.
References
- EU NANDO Database – List of Notified Bodies
- Radio Equipment Directive (2014/53/EU)
- Delegated Regulation (EU) 2022/30 for RED Cybersecurity
- CE Marking Overview
- Accreditation Bodies and Conformity Assessment
- ISO/IEC 17025 (accreditation standards)
- ISO/IEC 17065 (accreditation standards)
