I don't know that the legal entities are necessarily different - the roles and accreditations are different but one group could hold both.
Both our ISO 13485 and CE certificates are issued by BSI Group based in the Netherlands, which is both an NB and a CB. Our MDSAP certificate, however, is issued by BSI Americas, which is the group that does the on-site surveillance auditing. So, I think this is highly dependent on how the NB is organized.
MDD/MDR both have quality system requirements for certain conformity routes, so yes, CE marking often involved quality management system certification. Some products don't require NB review to obtain a "product certificate" but you still need a QMS certified to the regulation (even if you have ISO 13485 certification, you also get an MDR QMS certificate).
To be clear, the statement about BSI not "recognizing" certs from non-NB issuing orgs is only in the context of MDR technical documentation review. It doesn't mean that BSI doesn't think the certificate is valid, it just doesn't meet BSI's interpretation of the MDR requirements for that specific portion of the tech doc.
I think that it's inappropriate, or at least an uncommonly harsh, assumption made by BSI.
The qualification and control of non-critical suppliers is up to the supplier, and it is common some form of QMS certification results in less customer-specific qualification and control work.
The aspects of outsourced processes (especially design and virtual/contract manufacturing) and supplier production processes whose results cannot be validated are what make a supplier critical.
From the harmonized ISO 13485 A11 annex, no additional requirements are imposed on clauses relating to this (4.1.5; 4.1.6, 7.4, 7.5.6, 7.5.7)
The A11 even has clarifications such as "9, 1st paragraph, 1st sentence; 4,5,6,7,8;
Covered. EN ISO 13485 requires the quality management system to comply with applicable regulatory requirements and that production is
planned, carried, monitored, and controlled to ensure that product conforms to specification and regulatory requirements.", and "9, 3rd paragraph (d); 4.1.5, 6, 7.4.1;
Covered. EN ISO 13485 includes specific requirements for provision of human resources including competence, infrastructure, work environment and contamination control", and "2.2 2nd pararagraph (b) indent 3; 4.1.5, 7.4.1;
Covered. EN ISO 13485 has requirements for cases when an organization outsources an activity, and these requirements link with the requirements for evaluation and selection of suppliers, their monitoring and their re-evaluation".
The MDR itself concerns itself with suppliers and notified bodies
4.5.2. Quality management system auditing
(a) As part of the assessment of the quality management system, a notified body shall prior to an audit and in accordance with its documented procedures:
...
— identify links between, and allocation of responsibilities among, the various manufacturing sites, and identify relevant suppliers and/or subcontractors of the manufacturer, and
consider the need to specifically audit any of those suppliers or subcontractors or both,
...
(b) Based on the audit programme it has drawn up, the notified body shall, in accordance with its documented procedures:
Besides the BSI one I have had some technical documentation review formats from SGS, DEKRA and Tuv Sud lying around.
Some (rightfully) look at special processes and the appropriate supplier controls, something for which generally validation documentation and control arrangements are useful.
...
— if not already covered by the audit programme,
audit the control of processes on the premises of the manufacturer's suppliers,
when the conformity of finished devices is significantly influenced by the activity of suppliers a
nd, in particular when the manufacturer cannot demonstrate sufficient control over its suppliers,
The right to audit such critical suppliers is common, but as part of the arrangements to meet the regulatory obligations, and not as a 'to-do' by default with exemptions for Notified Body certificates.
I also have access to the MDR technical documentation guidances of Tuv Sud, DEKRA, SGS. In those, none of them have the kind of setup regarding critical suppliers that BSI has. Furthermore, I think the level stated only makes sense and can be argued to hold for design service suppliers and virtual manufacturing suppliers, as these can have more intense integration and ambiguity with respect to (continued) EU MDR compliance.
For suppliers who are critical merely due to a special process for a part, this would indicate a disbelief by BSI in the accreditation setup surrounding ISO 13485 certification.
