Annex III · Regulation (EU) 2024/2847
Important product categories
Annex III lists 23 product categories that the Commission considers carry above-default cybersecurity risk. Class I (19 categories) and Class II (4 categories) follow stricter conformity assessment than the default: the available routes are harmonised standards, common specifications, EUCC certification, or notified body involvement, rather than plain self-assessment. The binding technical description of each category is now set by Implementing Regulation (EU) 2025/2392.
Block 1 · Official text
What the Regulation actually says
Source. Consolidated text of Regulation (EU) 2024/2847, Annex III, as published in OJ L 2024/2847, 20 November 2024. The binding technical descriptions of each category are set by Implementing Regulation (EU) 2025/2392, published in OJ L on 1 December 2025. The text below follows the Official Journal wording; any translation of it is unofficial.
Class I · 19 product categories · Items 1–19
1 Identity management systems and privileged access management software and hardware, including authentication and access control readers, including biometric readers.
2 Standalone and embedded browsers.
3 Password managers.
4 Software that searches for, removes, or quarantines malicious software.
5 Products with digital elements with the function of virtual private network (VPN).
6 Network management systems.
7 Security information and event management (SIEM) systems.
8 Boot managers.
9 Public key infrastructure and digital certificate issuance software.
10 Physical and virtual network interfaces.
11 Operating systems.
12 Routers, modems intended for the connection to the internet, and switches.
13 Microprocessors with security-related functionalities.
14 Microcontrollers with security-related functionalities.
15 Application specific integrated circuits (ASIC) and field-programmable gate arrays (FPGA) with security-related functionalities.
16 Smart home general purpose virtual assistants.
17 Smart home products with security functionalities, including smart door locks, security cameras, baby monitoring systems and alarm systems.
18 Internet connected toys covered by Directive 2009/48/EC that have social interactive features (e.g. speaking or filming) or that have location tracking features.
19 Personal wearable products to be worn or placed on a human body that have a health monitoring (such as tracking) purpose and to which Regulation (EU) 2017/745 or (EU) 2017/746 do not apply, or personal wearable products that are intended for the use by and for children.
Class II · 4 product categories · Items 1–4
1 Hypervisors and container runtime systems that support virtualised execution of operating systems and similar environments.
2 Firewalls, intrusion detection and prevention systems.
3 Tamper-resistant microprocessors.
4 Tamper-resistant microcontrollers.
Block 1b · Technical descriptions (Implementing Regulation 2025/2392)
What each Annex III category technically means
Source. Commission Implementing Regulation (EU) 2025/2392, published in OJ L 2025/2392, 1 December 2025. The technical descriptions below are the binding scope criteria. A product's core functionality determines whether it falls into a category; incidental sub-features (e.g., a router with a basic firewall) do not by themselves trigger reclassification. The examples cited in 2025/2392 are illustrative, not exhaustive. The descriptions below are unofficial summaries; refer to EUR-Lex for the binding text.
Core functionality test (Recitals 4–5). A product whose core functionality matches a category falls in scope even if it also performs additional functions. A product that can perform a category's functions but whose core functionality is something else is generally not in scope. Examples: a smartphone that integrates an operating system and a password manager is generally classified as neither, because its core functionality is neither. SOAR software that performs SIEM-like data gathering is generally not a SIEM, because SOAR's core functionality is orchestration and response.
Class I · Items 1–6 · Identity, browsers, password managers, antimalware, VPN, NMS
1 Identity management systems. Products that provide authentication or authorisation mechanisms and may also provide lifecycle management of the identity credentials of natural persons, legal persons, devices or systems (registration, provisioning, maintenance, deregistration). Includes access management systems for natural persons, legal persons, devices or systems. Examples cited: biometric readers, single sign-on software, multi-factor authentication software.
2 Standalone and embedded browsers. Software whose core functionality is accessing web content via HTTP/HTTPS; includes browser extensions and AI agent integrations that operate on web content. Embedding a browser as a component does not in itself reclassify the host product (e.g., a news app that integrates an embedded browser is not itself a browser product, but its overall security assessment must take the embedded browser into account).
3 Password managers. Software that stores, generates, and auto-fills credentials. Core functionality test: a smartphone that integrates a password manager component is generally not classified as a password manager, because its core functionality is something else.
4 Antimalware software. Software that searches for, removes, or quarantines malicious code or harmful software (viruses, worms, trojans, ransomware, spyware, rootkits). Includes detection, real-time protection, and forensic / incident response features. Does not include products whose security functions are limited to network connectivity (those map to other categories).
5 VPN products. Products with digital elements whose function is a virtual private network: they establish encrypted, end-to-end tunnels to logical or virtual networks, including software-defined networks. Covers both client-side and gateway-side VPN products, including purpose-built VPN appliances and VPN-as-a-feature in firewalls when the VPN is the core functionality.
6 Network management systems (NMS). Software for managing network devices and infrastructure (routers, switches, servers, network endpoints). Includes configuration management, performance monitoring, fault detection, and topology management. Managing multiple devices is the core; single-device administration tools generally do not qualify.
Class I · Items 7–12 · SIEM, boot managers, PKI, network interfaces, operating systems, routers
7 SIEM systems. Software that gathers data from multiple sources, analyses it, and presents it as actionable information for security purposes. Includes log aggregation, correlation, and alerting. SOAR software, despite the functional overlap, is generally not in this category, because SOAR's core functionality is orchestration and response, not security event analysis.
8 Boot managers. Software that controls the system startup process: initial firmware, UEFI and multi-stage boot loaders, rescue / recovery boot environments. The core functionality is selecting and loading operating systems and similar environments after power-on or restart.
9 Public key infrastructure and digital certificate issuance software. PKI systems that manage cryptographic key lifecycles: generation, distribution, storage, revocation, renewal, destruction. Includes certificate issuance, key escrow, key rotation, and status validation. Covers both purpose-built CA software and integrated PKI components.
10 Physical and virtual network interfaces. Devices or software components that provide network connectivity at the OSI link / network layers: physical NICs, virtual interfaces, and switches that operate at the link layer with security-relevant functions. Boundary case: a basic NIC without security features may not qualify; a security-focused interface (e.g., a NIC with built-in encryption) more likely does.
11 Operating systems. Software whose core functionality is managing hardware resources and providing services to applications. Often includes ancillary functions (calculators, simple graphics editors) that do not change the OS classification. May integrate browser or password manager components without losing its OS core functionality. Includes desktop, server, mobile, embedded, and real-time operating systems.
12 Routers, modems for internet connection, and switches. Network devices that provide routing, internet access, or layer-2 / layer-3 forwarding. A router that integrates firewall functionality is still classified as a router (its core functionality is routing). Both industrial-grade and consumer-grade devices are included. The description distinguishes internet-connected modems from purely point-to-point modems.
Class I · Items 13–15 · MCU / MPU / ASIC / FPGA with security functions (not tamper-resistant)
13 Microprocessors with security-related functionalities. MPUs designed with security features: secure boot, hardware-enforced isolation, cryptographic acceleration, side-channel resistance below the tamper-resistance threshold. Critical distinction: if the MPU additionally provides AVA_VAN level 2 or 3 protection per Common Criteria, it falls into Class II item 3 (tamper-resistant microprocessors), not Class I item 13.
14 Microcontrollers with security-related functionalities. MCUs with security features below the tamper-resistance level. The same AVA_VAN distinction as for MPUs applies: AVA_VAN 2/3 → Class II item 4; below that → Class I item 14.
15 ASIC and FPGA with security-related functionalities. Application-specific integrated circuits and field-programmable gate arrays designed with security functions: cryptographic engines, secure key storage, hardware root of trust. These sit below the tamper-resistance levels reserved for Class II and Annex IV.
Class I · Items 16–19 · Smart home, toys, wearables (consumer-facing)
16 Smart home general purpose virtual assistants. Voice- or interaction-driven assistants (Alexa, Google Assistant, Siri-class) deployed in smart home environments with a general-purpose interaction scope. Specialised single-function voice control (e.g., a voice-only thermostat) generally does not qualify.
17 Smart home products with security functionalities. Smart door locks, security cameras, baby monitoring systems, alarm systems, and sensors with security-related functionality. The 2025/2392 description is explicit and inclusive; these consumer-facing categories are intentionally broad. A connected camera without security functionality (e.g., a pure pet camera) is borderline; a security or surveillance camera squarely qualifies.
18 Connected toys with social interactive features or location tracking. Toys covered by the Toy Safety Directive 2009/48/EC that have speaking, filming, or location-tracking features. The category is anchored to the existing toy safety regime; the CRA adds cybersecurity requirements on top of physical safety.
19 Personal wearables: health monitoring or for children. Wearable products with a health monitoring purpose (and not falling under MDR 2017/745 or IVDR 2017/746), or wearables intended for children. Smartwatches with health features that are not MDR-classified medical devices are the typical case. Children-specific wearables are included more broadly, regardless of health features.
Class II · Items 1–4 · Hypervisors, firewalls / IDS / IPS, tamper-resistant MPU / MCU
1 Hypervisors and container runtime systems. Software that supports virtualised execution of operating systems and similar environments. Includes Type 1 (bare-metal: VMware ESXi, Hyper-V, KVM, Xen) and Type 2 hypervisors. Container runtimes (Docker, containerd, CRI-O) are explicitly included. Lightweight VM tooling that does not provide isolation guarantees may be borderline.
2 Firewalls, intrusion detection and prevention systems (IDS / IPS). Network security products whose core functionality is traffic filtering, intrusion detection, or active prevention. Includes hardware appliances, virtual / cloud firewalls, and host-based firewalls when firewalling is the core function. A router with firewall features remains a router; a dedicated firewall is Class II.
3 Tamper-resistant microprocessors. MPUs designed with tamper evidence, resistance, or response that additionally provide protection at AVA_VAN level 2 or 3 per Common Criteria and the Common Evaluation Methodology. The AVA_VAN level distinguishes Class II tamper-resistant MPUs (level 2 or 3) from Annex IV secure elements (level 4+). The AVA_VAN level test is the binding boundary criterion.
4 Tamper-resistant microcontrollers. MCUs meeting the same tamper-resistance criteria as item 3: AVA_VAN level 2 or 3 protection. The Class II MCU vs Annex IV secure element distinction is again the AVA_VAN level (4+ for secure elements).
AVA_VAN as the legal boundary marker. Recital 8 of 2025/2392 explicitly uses the AVA_VAN level (set out in Common Criteria and the Common Evaluation Methodology, which also underlie the EUCC scheme, Implementing Regulation (EU) 2024/482) as the boundary mechanism between three categories: (a) Class I items 13–15 (no specific AVA_VAN level required); (b) Class II items 3 and 4 (AVA_VAN 2 or 3); (c) Annex IV item 3, secure elements (AVA_VAN 4+). For APAC silicon vendors, the AVA_VAN level chosen at design time determines the entire CRA conformity assessment path.
Block 2 · Plain language
What the Important list actually means for compliance
Annex III is not an academic taxonomy: it is the regulatory mechanism that decides whether a manufacturer can self-assess (Module A) or must engage a notified body. APAC manufacturers reading Annex III for the first time should understand four operational consequences.
"Class II products have no Module A path. The four categories — hypervisors, firewalls/IDS/IPS, tamper-resistant MPU/MCU — are subject to mandatory third-party assessment from day one."
Class I products have a conditional self-assessment path. Article 32(2)(a) lets Class I manufacturers self-assess (Module A) only if harmonised standards, common specifications, or EUCC certification cover the relevant essential requirements. If those do not fully cover Annex I, or the manufacturer chooses not to apply them, the manufacturer must use Module B+C, Module H, or seek EUCC certification at the "substantial" assurance level. The default is therefore notified body involvement; self-assessment is the exception, and it requires standards coverage.
Class II products have no Module A path. Article 32(2)(b) requires Class II manufacturers to use Module B+C, Module H, or EUCC certification. Self-assessment is not available. The four Class II categories (hypervisors, firewalls/IDS/IPS, tamper-resistant microprocessors, tamper-resistant microcontrollers) are by design subject to mandatory third-party assessment. APAC vendors with products in these four categories must budget for notified body engagement from day one of CRA planning.
Implementing Regulation 2025/2392 turns category names into binding technical specifications. The 19+4 entries in Annex III are short labels such as "network management systems" or "hypervisors". The Implementing Regulation published 1 December 2025 supplies the binding technical description of what each category means. APAC manufacturers must read the Implementing Regulation alongside Annex III; without it, scope determination is guesswork.
Borderline product classifications are the manufacturer's call, until they are not. A smart home device with limited security features may or may not fall under Annex III item 17. A simple browser plugin may or may not be Annex III item 2. Manufacturers make the initial call; market surveillance authorities may disagree. APAC manufacturers should document the classification reasoning explicitly in their technical file (Annex VII): "why we determined this product is not Annex III" is itself a regulatorily relevant document.
Block 3 · APAC perspective
APAC product portfolios and the Annex III dividing line
For APAC ICT exporters, Annex III is the part of the Regulation that determines whether they have a notified body cost line in their CRA budget. The exposure varies sharply by industry.
| APAC industry segment | Annex III hit categories | Conformity assessment (CA) path implication |
|---|---|---|
| Taiwan / Korea consumer router / WiFi gear | Class I item 12 (routers, modems, switches), often item 10 (network interfaces). | Module A possible if EN 18031 plus applicable harmonised standards cover Annex I; otherwise notified body (NB). |
| Industrial firewall / IDS / IPS vendors | Class II item 2 (firewalls, IDS, IPS). | No Module A. Module B+C / H or EUCC mandatory. NB engagement budget required. |
| Taiwan IC design (MediaTek, Realtek) | Class I items 13, 14, 15 if security-related; Class II items 3, 4 if tamper-resistant. | Bifurcated SKU strategy needed: security-MCU lines carry NB cost, general-MCU lines do not. |
| Smart home device makers (Taiwan / Korea) | Class I items 16, 17 (assistants, security devices); often 18 if for children; sometimes 19 (wearables). | Module A path real but conditional; SBOM and CVD maturity often the bottleneck. |
| Japan / Korea IIoT operating systems | Class I item 11 (operating systems). | Embedded RTOS vendors with multi-customer reach should plan a once-and-for-all Module H approach. |
| Connected toy makers (Taiwan) | Class I item 18 if interactive features or location tracking; otherwise a general product with digital elements (PwDE). | Toy Safety Directive 2009/48/EC + CRA stack; consumer collective action exposure (Article 65). |
A practical observation about Class II: the four Class II categories were chosen for their security criticality, not their market size. Hypervisors are dominated by US (VMware, Microsoft) and open-source (KVM, Xen) offerings, so the APAC vendor footprint is limited. Firewall / IDS / IPS has APAC vendors at all tiers. Tamper-resistant microprocessors and microcontrollers are dominated by EU (Infineon, NXP, ST) and Asian (Samsung, MediaTek) silicon vendors with deep secure-element expertise. APAC vendors in these segments should expect NB cost lines from 2026 onwards.
Borderline classification is where APAC manufacturers most often miscalculate. A networking switch with built-in firewalling features could be classified as Class I item 12 (router/switch: Module A possible) or Class II item 2 (firewall: no Module A). The classification depends on the dominant function. APAC manufacturers should document the dominant-function reasoning at the design phase; once the product is on the market, reclassification disputes are slow and expensive.
Block 4 · Cross-regulation map
Annex III in the EU regulatory product-classification landscape
Risk-tiered product classification is a recurring EU pattern. Several regimes use it, and APAC manufacturers familiar with one of them can transfer the reading skills to the others.
Implementing Regulation 2025/2392: the binding technical descriptions
Implementing Regulation (EU) 2025/2392, published 1 December 2025, supplies binding technical descriptions for each Annex III category. Categories like "identity management systems" or "hypervisors" are short labels in Annex III; 2025/2392 fills in the technical scope. Without 2025/2392, the boundary between Class I item 12 (routers/switches) and Class II item 2 (firewalls/IDS/IPS) cannot be reliably drawn. APAC manufacturers must read the two documents as a pair.
Annex IV: Critical products (the higher tier)
Annex IV defines a third tier above Annex III: critical products. It currently has three categories: hardware devices with security boxes (HSM-class hardware), smart meter gateways, and smartcards / secure elements. Annex IV products require the most stringent conformity assessment under Article 32(2)(c) and may be required to obtain EUCC certification at the "high" assurance level. APAC manufacturers in the HSM, secure element, and smart card spaces face this top-tier path.
Medical Devices Regulation 2017/745: Class I / IIa / IIb / III tiering
The MDR uses a four-class risk-tiered system. Class I devices typically self-declare; Class IIa / IIb / III require notified body involvement at increasing intensity. The CRA Annex III pattern follows the same logic: "important" means moderate scrutiny, "critical" means high scrutiny. APAC medical device manufacturers familiar with the MDR's classification rules transfer the reading easily.
EU AI Act 2024/1689: high-risk AI list (Annex III)
The AI Act has its own Annex III listing high-risk AI systems that require stricter conformity assessment. The pattern is identical to CRA Annex III. A product with digital elements (PwDE) that bundles a high-risk AI system may simultaneously be (a) an AI Act high-risk system and (b) a CRA Annex III important product. The two classifications operate independently; both regulatory tracks run in parallel.
Article 7: power for the Commission to amend Annex III via delegated act
Article 7 lets the Commission update Annex III by delegated act, based on ENISA's biennial trend reports (Article 17(2)) and risk assessments. The Annex III list is therefore a living document, not a one-shot snapshot. Categories may be added or moved between Class I and Class II. APAC manufacturers should expect the list to expand over 2028–2032 as ENISA accumulates incident data.