ENISA outlines competence requirements for Cyber Resilience Act notified bodies

ENISA has published guidance on the technical competence requirements for conformity assessment bodies seeking designation as notified bodies under the EU Cyber Resilience Act. The document aims to support consistent assessment practices across Member States and ensure that organisations evaluating connected products possess the necessary cybersecurity, auditing and conformity assessment expertise.

The European Union Agency for Cybersecurity (ENISA) has released a new report detailing the technical competence requirements for conformity assessment bodies (CABs) that wish to become notified bodies under the Cyber Resilience Act (CRA). Published in June 2026, the document provides guidance for national authorities, accreditation bodies and certification organisations responsible for assessing the cybersecurity of products with digital elements.

The report focuses on the knowledge, skills, experience and training that personnel must possess to carry out conformity assessments under the CRA. It is intended to help harmonise practices across the EU as Member States designate notified bodies responsible for evaluating manufacturers’ compliance with the regulation.

ENISA identifies three key groups of personnel whose competencies must be assessed: evaluators and evaluation teams conducting assessments, staff responsible for preparing evaluations, and personnel reviewing reports and making certification decisions. The agency emphasises that these roles require different combinations of cybersecurity expertise, conformity assessment knowledge and sector-specific understanding.

According to the guidance, evaluators should possess knowledge of cybersecurity principles, secure product development, vulnerability management, risk assessment, cryptographic mechanisms where relevant, and the legal and regulatory requirements applicable to cybersecurity. Evaluation teams must also collectively demonstrate technical expertise related to the products being assessed and the sectors in which they are used.

The document also highlights the importance of practical skills. Depending on the assessment type, personnel may need competencies in testing, inspection, auditing, interviewing, report writing and evaluation management. For assessments based on CRA Module H, which focuses on quality assurance systems, teams must include expertise in auditing and product-specific knowledge.

ENISA notes that competence should not be measured solely through academic qualifications. Given the relatively young nature of the cybersecurity profession, the report recommends flexible approaches that combine education, professional experience, practical training and, where appropriate, personal certifications. The agency argues that different career paths should be recognised when determining qualification levels.

The guidance also stresses that notified bodies must establish processes for managing and maintaining competencies over time. Authorities assessing notified bodies should evaluate not only whether qualified personnel are available at the time of designation, but also whether mechanisms exist to ensure skills remain current as technologies, threats and regulatory requirements evolve.

The report forms part of ENISA’s broader support for implementation of the Cyber Resilience Act, which introduces mandatory cybersecurity requirements for products with digital elements placed on the EU market.
