Annex IV · Regulation (EU) 2024/2847
The Critical products tier
Annex IV defines the highest CRA risk tier: three categories of Critical products, namely hardware devices with security boxes (HSM-class hardware), smart meter gateways, and smartcards and secure elements. Where an Article 8(1) delegated act applies, manufacturers must obtain an EUCC certificate at assurance level at least "substantial". Where no delegated act has been adopted, Article 32(3) third-party conformity assessment applies. This is the strictest pathway tier in the CRA framework.
Block 1 · Official text
What the Regulation actually says
Source. Consolidated text from Regulation (EU) 2024/2847, Annex IV, as published in OJ L 2024/2847, 20 November 2024. Translations are unofficial; the binding text is at EUR-Lex.
Critical products: three categories · Items 1–3
1 Hardware Devices with Security Boxes.
2 Smart meter gateways within smart metering systems as defined in Article 2, point (23) of Directive (EU) 2019/944, and other devices for advanced security purposes, including for secure cryptoprocessing.
3 Smartcards or similar devices, including secure elements.
Block 1b · Technical descriptions (Implementing Regulation 2025/2392, Annex II)
What each Annex IV category technically means
Source. Commission Implementing Regulation (EU) 2025/2392, Annex II, published in OJ L 2025/2392, 1 December 2025. The technical descriptions below are the binding scope criteria for the three Critical product categories. Translations and summaries below are unofficial; refer to EUR-Lex for the binding text.
Annex IV Critical · Technical descriptions · Items 1–3
1 Hardware Devices with Security Boxes (HWSB). Hardware products with digital elements that securely store, process, or manage sensitive data or perform cryptographic operations, and that consist of multiple discrete components, incorporating a hardware physical envelope providing tamper evidence, resistance or response as countermeasures against physical attacks. Examples cited in 2025/2392: physical payment terminals, hardware security modules (HSMs) that generate and manage cryptographic elements, and tachographs meeting the above description. The multi-component + physical envelope test is the defining criterion.
2 Smart meter gateways. Products with digital elements that control communication between components in or attached to smart metering systems (as defined in Article 2(23) of Directive (EU) 2019/944), and other devices for advanced security purposes including secure cryptoprocessing. Includes communication gateways for electricity, gas, heat, and water metering systems with cryptographic protection and secure communication layers. The cryptographic and gateway-control core functionality is the defining criterion.
3 Smartcards or similar devices, including secure elements. Tamper-resistant chips designed to provide protection of AVA_VAN level 4 or higher per Common Criteria and Common Evaluation Methodology — distinguished from Class II tamper-resistant MPU/MCU (AVA_VAN 2 or 3). Includes payment card secure elements, mobile SIM secure elements, eID secure elements, and similar high-assurance silicon. The AVA_VAN 4+ design intent is the binding boundary between Class II tamper-resistant MPU/MCU and Annex IV secure elements.
The AVA_VAN gradient (Recital 8). 2025/2392 deliberately uses the AVA_VAN level as the legal differentiator across the silicon stack: Class I items 13–15 (security functions, no specific AVA_VAN required) → Class II items 3 and 4 (tamper-resistant, AVA_VAN 2 or 3) → Annex IV item 3 (secure elements, AVA_VAN 4+). The AVA_VAN level the silicon vendor chooses at design time mechanically determines whether the product faces Module A self-assessment, Module B+C / H notified-body assessment, or potentially Article 8(1) EUCC certification.
Block 2 · Plain language
Why three categories carry the heaviest CRA burden
Annex IV is short — just three categories — but it has the longest reach in compliance cost terms. The Commission picked these three because they sit at the root of cybersecurity trust chains. If the HSM is compromised, every certificate it issues is suspect. If the smart meter gateway is compromised, the entire metering grid is at risk. If the secure element is compromised, payment cards and identity credentials lose their guarantees.
"Annex IV products cannot self-assess. The path is either NB-led conformity assessment (Modules B+C or H) or EUCC certification — both Common Criteria-rooted, both 18–36 months, both six-to-seven figures per product."
The conformity assessment path is the strictest. Article 8(1) lets the Commission, via delegated act, require Critical products to obtain an EUCC certificate at assurance level at least "substantial" (the assurance level depends on the cybersecurity risk per Article 8(1)). Where no Article 8(1) delegated act has been adopted, Annex IV products fall back to Article 32(3) third-party conformity assessment (Modules B+C or H). APAC manufacturers in these categories cannot self-assess; they need either NB-led conformity assessment or EUCC certification — both involving Common Criteria-rooted evaluation typically taking 18–36 months and costing six to seven figures per product.
HSMs (Item 1) are an existing CC market. Hardware Security Modules already undergo formal evaluation in most regulated markets: FIPS 140-3 in the US, Common Criteria in the EU. The CRA Annex IV designation formalises what was already industry practice. APAC HSM vendors (a limited footprint; EU and US vendors dominate) can leverage existing CC infrastructure to satisfy the CRA. The new burden is not certification itself but alignment of the vulnerability-handling lifecycle with CRA Annex I Part II.
Smart meter gateways (Item 2) introduce sectoral overlap. Smart meter gateways are subject to several regulatory regimes simultaneously: CRA Annex IV, NIS2 (energy sector), and national smart-grid regulations (the German BSI TR-03109 series, French Linky platform requirements). The regulatory stack is unusually heavy. APAC vendors targeting EU smart-grid procurement (a small number of Korean and Japanese vendors) face complex multi-regime conformity work.
Smartcards / secure elements (Item 3) are an established CC market dominated by EU vendors. The category covers payment-card secure elements, mobile SIM secure elements and eID secure elements. Infineon, NXP, STMicroelectronics and Idemia hold the dominant share. Asian competitors (Samsung, Nationz, MediaTek partnerships) exist but face a market where CC EAL5+ certification at "high" assurance is the de facto entry condition. CRA Annex IV makes this entry condition law.
Block 3 · APAC perspective
Annex IV exposure across APAC industries
Annex IV exposure is concentrated in a narrow band of APAC industries — secure-element silicon, smart card manufacturing, smart meter gateway hardware. For most APAC ICT exporters, Annex IV is irrelevant. For the affected vendors, it is decisive.
| APAC vendor type | Annex IV applicability | Strategic implication |
|---|---|---|
| Server / industrial OEM (Taiwan) | Limited: only if the OEM bundles HSM modules; otherwise Class I or II at most. | HSM is sourced from the EU; integration risk passes through, but the original CC certification stays with the HSM vendor. |
| Secure element silicon (Samsung, Nationz, partnered Asian vendors) | Direct: Annex IV item 3 applies. | EUCC certification likely required when an Article 8(1) delegated act applies; substantial / high assurance level depends on risk. CC EAL5+ infrastructure exists for established vendors. |
| Smart card manufacturers (Korea, Japan) | Direct: Annex IV item 3 applies. | EU vendors dominate; APAC plays primarily in non-EU markets. CRA Annex IV codifies an EU-favoured market structure. |
| Smart meter gateway makers (Korea, China-tier APAC) | Direct: Annex IV item 2 applies. | The national security overlay (Article 5) typically restricts non-EU vendors anyway. Annex IV adds a technical certification burden on top. |
| Cryptographic IP licensors (silicon IP houses) | Indirect: the IP block is licensed to the silicon vendor; certification typically follows the silicon. | Documentation handover practices need to support downstream EUCC high certification work. |
A practical observation about HSM and secure element markets: these are dominated by deep CC-evaluation expertise and long-cycle vendor relationships with EU government and financial customers. APAC vendors entering these segments face a decade-scale ramp — not because they lack technical capability, but because evaluator relationships, certification scheme insider knowledge, and customer trust are accumulated over many cycles. CRA Annex IV does not change this; it formalises it.
For APAC industrial OEMs that bundle EU-sourced HSMs into their products: the certification responsibility traces back to the HSM vendor for the HSM module itself. The OEM's own integration is governed by CRA Annex I Part I + Part II, but the Annex IV burden does not transfer onto the OEM. APAC industrial OEMs should ensure procurement contracts with HSM vendors include CC certification documentation handover — that paper trail flows through into their own technical file (Annex VII).
Block 4 · Cross-regulation map
Annex IV in the EU high-assurance security ecosystem
Annex IV products operate at the intersection of multiple high-assurance security regimes. APAC vendors in these segments need to map across all of them.
Cybersecurity Act 2019/881 + EUCC Implementing Regulation 2024/482
EUCC is the first EU-level cybersecurity certification scheme adopted under the Cybersecurity Act. It supports three assurance levels — basic, substantial, high. Annex IV products may be required by Commission Article 8(1) delegated act to obtain an EUCC certificate at assurance level at least "substantial" — meaning rigorous Common Criteria evaluation by an EU-accredited ITSEF (IT Security Evaluation Facility), with results reviewed by national CC scheme authorities. The exact assurance level (substantial or high) is set by the delegated act based on cybersecurity risk. ENISA coordinates the scheme.
Common Criteria ISO/IEC 15408: the technical foundation
Common Criteria (ISO/IEC 15408) is the international evaluation framework for security products. EUCC builds directly on CC. Annex IV products typically need EAL4+ (smart meter gateways) or EAL5+ (HSMs, secure elements) under CC. The CCRA (Common Criteria Recognition Arrangement) mutual recognition gives APAC-evaluated products some carry-over but not for high assurance — high assurance is EU-internal evaluation.
Smart meter directive 2019/944 (Article 2(23))
CRA Annex IV item 2 explicitly cross-references Directive 2019/944 for the definition of smart meter gateway. The directive sets the EU electricity market's general framework. Member State implementations vary — Germany has BSI TR-03109 with national-specific requirements; France has Linky platform specs. APAC smart meter vendors need to track all three layers: 2019/944 framework + Member State spec + CRA Annex IV cybersecurity.
FIPS 140-3: US parallel for cryptographic modules
FIPS 140-3 is the US federal standard for cryptographic modules, equivalent in scope to CC for HSMs. NVLAP labs do FIPS evaluations; CMVP issues certificates. APAC HSM vendors selling globally typically maintain both FIPS 140-3 and CC EAL5+ tracks — the CRA Annex IV designation reinforces the existing dual-certification reality without adding a new burden for established vendors.
Article 8: Commission delegated act on Critical product designation
Article 8 lets the Commission expand Annex IV via delegated act. Categories may be added based on the cybersecurity risk to fundamental functions. Articles 7 and 8 together govern Annex III and Annex IV expansion. APAC manufacturers should monitor delegated-act consultation cycles: early visibility into draft expansions gives 18–24 months of lead time for compliance preparation.