Annex VIII · Regulation (EU) 2024/2847 · Annexes
Conformity assessment modules — A, B, C, H
Four modules. Four operational regimes. Module A is the manufacturer alone; Modules B+C bring a notified body to the design but leave production to the manufacturer; Module H places the entire quality system under notified-body oversight. Annex VIII is where Article 32's routing decisions become concrete obligations.
Block 1 · Official text
What the Regulation actually says
Source. Consolidated text from Regulation (EU) 2024/2847, Annex VIII, as published in OJ L 2024/2847, 20 November 2024. Annex VIII has four Parts corresponding to Modules A, B, C, H. Translation is unofficial; refer to EUR-Lex for binding text.
Part I — Module A (Internal control) · Part I, ¶ 1 – 5
1. Internal control is the conformity assessment procedure whereby the manufacturer fulfils the obligations set out in points 2, 3 and 4 of this Part, and ensures and declares on its sole responsibility that the products with digital elements satisfy all the essential cybersecurity requirements set out in Part I of Annex I and the manufacturer meets the essential cybersecurity requirements set out in Part II of Annex I.
2. The manufacturer shall draw up the technical documentation described in Annex VII.
3. The manufacturer shall take all measures necessary so that the design, development, production and vulnerability handling processes and their monitoring ensure compliance of the manufactured or developed products with digital elements and of the processes put in place by the manufacturer with the essential cybersecurity requirements set out in Parts I and II of Annex I.
4.1. The manufacturer shall affix the CE marking to each individual product with digital elements that satisfies the applicable requirements set out in this Regulation.
4.2. The manufacturer shall draw up a written EU declaration of conformity for each product with digital elements in accordance with Article 28 and keep it together with the technical documentation at the disposal of the national authorities for 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer.
5. Authorised representative — the manufacturer's obligations may be fulfilled by its authorised representative, on its behalf and under its responsibility, provided that the relevant obligations are specified in the mandate.
Part II — Module B (EU-type examination) · Part II, ¶ 1 – 11
1. EU-type examination is the part of a conformity assessment procedure in which a notified body examines the technical design of the product with digital elements and verifies and attests that the technical design of the product with digital elements meets the essential cybersecurity requirements set out in Part I of Annex I.
Module B core mechanics: the manufacturer applies to a single notified body (NB) of its choice and submits the technical documentation per Annex VII plus a representative specimen or sample. The NB conducts both a documentation-based assessment and tests (itself or via an external lab); on success, it issues an EU-type examination certificate identifying the design and any conditions of validity. Substantial modifications require fresh assessment. The certificate's validity period is set by the NB. Per point 8, the NB carries out periodic audits to ensure that vulnerability handling processes (Annex I Part II) remain adequately implemented. Per point 10, the manufacturer keeps a copy of the certificate and the technical documentation for 10 years after placement on the market or for the support period, whichever is longer.
Part III — Module C (Conformity to type, internal production control) · Part III, ¶ 1 – 4
1. Conformity to type based on internal production control is the part of a conformity assessment procedure whereby the manufacturer fulfils the obligations set out in points 2 and 3 of this Part, and ensures and declares that the products with digital elements concerned are in conformity with the type described in the EU-type examination certificate and satisfy the essential cybersecurity requirements set out in Part I of Annex I and that the manufacturer meets the essential cybersecurity requirements set out in Part II of Annex I.
2. Production — the manufacturer shall take all measures necessary so that the production and its monitoring ensure conformity of the manufactured products with digital elements with the approved type described in the EU-type examination certificate and with the essential cybersecurity requirements as set out in Part I of Annex I and ensures that the manufacturer meets the essential cybersecurity requirements set out in Part II of Annex I.
3.1. The manufacturer shall affix the CE marking to each individual product with digital elements that is in conformity with the type described in the EU-type examination certificate and satisfies the applicable requirements set out in this Regulation.
3.2. The manufacturer shall draw up a written declaration of conformity for a product model and keep it at the disposal of the national authorities for 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer.
4. Authorised representative — the manufacturer's obligations set out in point 3 may be fulfilled by its authorised representative, on its behalf and under its responsibility, provided that the relevant obligations are specified in the mandate.
Part IV — Module H (Full quality assurance) · Part IV, ¶ 1 – 5
1. Conformity based on full quality assurance is the conformity assessment procedure whereby the manufacturer fulfils the obligations set out in points 2 and 5 of this Part, and ensures and declares on its sole responsibility that the products with digital elements or product categories concerned satisfy the essential cybersecurity requirements set out in Part I of Annex I and that the vulnerability handling processes put in place by the manufacturer meet the requirements set out in Part II of Annex I.
Module H core mechanics: the manufacturer operates an approved quality management system (QMS) covering design, development, production and vulnerability handling for the product categories within scope. The QMS may be based on ISO 9001 plus CRA-specific extensions, but ISO 9001 accreditation alone does not satisfy Module H — a CRA notified body must approve the QMS scope and operations specifically. The NB performs initial QMS approval, periodic surveillance audits, and unannounced visits. Module H eliminates per-product type-examination but trades it for ongoing system-level oversight. The manufacturer keeps the QMS documentation and the declaration of conformity (DoC) for 10 years after placement on the market or for the support period, whichever is longer. Module H suits manufacturers with frequent updates or large product families, since each new variant does not trigger a fresh certificate.
Block 2 · Plain language
Four modules, three patterns of notified-body involvement
Annex VIII is the rulebook that explains how each conformity assessment route actually operates. The four modules — A, B, C, H — are not parallel options of equal weight. Module A is the "manufacturer alone" path. Modules B and C work as a pair: B audits the design once, C ensures production matches that approved design. Module H replaces both B and C with continuous system-level oversight of the manufacturer's quality management system. Article 32 decides which combinations are permitted for which product tiers; Annex VIII defines what each combination actually requires.
"Module B+C is one route, not two. Single Module B does not satisfy any Article 32 path — the regulation always pairs B with C in the same engagement."
Reading the modules together reveals three distinct patterns of notified-body involvement — Module A (no NB), Module B+C (one-off design audit), Module H (continuous QMS oversight). The state-machine table below summarises the engagement patterns; the three structural points that follow are worth absorbing before module-selection planning.
The 10-year retention floor is module-agnostic. Each module's documentation-retention clause says the same thing in slightly different language: keep it for 10 years after placing on the market, or for the support period, whichever is longer. The floor accumulates across modules — even if a manufacturer migrates from Module A to Module H mid-product-life, the Module-A-era technical file and DoC stay on the shelf until their retention period expires. The clock for support-period determination under Article 13(8) is independent and may be longer than 10 years.
Module B+C is one route, not two. Module B alone does not satisfy any Article 32 path; Module B always pairs with Module C in the regulation's text. Treating them as separate is a conceptual error. The B+C combination divides labour: the design phase is NB-supervised once, the production phase is internally controlled but with an explicit obligation to maintain conformity to the type described in the EU-type examination certificate. When a manufacturer "uses Module B+C", they must execute both the Part II and the Part III obligations — including the production-phase Module C controls per Part III point 2.
Module H requires CRA-specific QMS approval, not generic ISO 9001. Many APAC manufacturers already operate ISO 9001 quality management systems. Module H's QMS may be built on top of ISO 9001 — and reusing existing QMS infrastructure is sensible — but ISO 9001 accreditation alone does not equal Module H eligibility. A CRA notified body must specifically assess whether the QMS scope, design controls, vulnerability-handling processes, and documentation discipline cover the CRA Annex I Part I and Part II requirements. The NB issues a Module-H approval distinct from the ISO 9001 certificate. The Commission's CRA FAQ explicitly notes this distinction.
| Pattern | NB engagement | Manufacturer's burden shape |
|---|---|---|
| Module A — internal control | None. Manufacturer self-declares on sole responsibility. | Front-loaded design + technical-file work, then ongoing internal control. No NB fees. |
| Module B + C — design audit + production conformity | NB audits the design once and issues an EU-type examination certificate. Periodic vulnerability-handling audits during validity. Production phase is manufacturer's responsibility under Module C. | Discrete design-stage NB engagement; production stays internal but must trace back to certificate-described type. Substantial modifications trigger fresh assessment. |
| Module H — full quality assurance | NB approves the manufacturer's QMS scope and operations, then conducts ongoing surveillance audits and unannounced visits across design + production + vulnerability handling. | Continuous system-level discipline. High up-front QMS investment but eliminates per-product certification work — efficient at scale. |
Block 3 · APAC perspective
Module-selection economics for APAC ODM/OEM operations
Module selection is not a regulatory checkbox — it is a multi-year operational decision. For APAC manufacturers exporting volume to the EU, three economic dimensions dominate the choice between Modules A, B+C, and H.
1. Product churn rate determines whether B+C survives
Module B+C's design-stage NB engagement is fine for a stable product family with quarterly revisions but breaks down in fast-iterating product lines. Each "substantial modification" — defined in Article 3 point 41 as a change that affects compliance with essential cybersecurity requirements — triggers a fresh Module B examination. APAC ODMs with consumer-IoT lines that ship 6–12 SKUs annually with major firmware revisions every quarter face cumulative NB fees that quickly exceed the up-front Module H investment. A useful heuristic: if your product churn averages > 3 substantial-modification events per year per SKU, model the NPV of B+C vs H over three years before committing. Module H typically wins above this threshold.
2. Module H QMS extension cost concentrates in vulnerability-handling discipline
APAC manufacturers with mature ISO 9001 + ISO 27001 systems often underestimate the work of extending into Module H. The bottleneck is rarely the design-control or production-control sections — those map cleanly onto existing ISO 9001 clause 8 controls. The work concentrates in three Annex I Part II areas: (i) coordinated vulnerability disclosure (CVD) policy with documented intake-to-remediation workflow, (ii) software bill of materials (SBOM) generation and maintenance with versioned artifacts retained for the support period plus 10 years, and (iii) reproducible secure-update distribution mechanics with cryptographic-integrity evidence. These are not check-the-box artifacts; they are operational disciplines that need to be exercised continuously and visible in audit trails.
3. NB capacity in APAC remains structurally constrained
CRA notified bodies are designated under Chapter IV. As of early 2026, the geographic distribution heavily favours Europe — most designated NBs operate primary labs in Germany, the Netherlands, France, Italy, and Belgium. APAC NB capacity is being built but lags. For Module B+C and Module H, manufacturers must engage a designated NB. Three options exist for APAC manufacturers: (i) engage an EU-based NB and ship samples to Europe (long lead times, logistics overhead), (ii) wait for an APAC subsidiary of an EU NB to receive designation (unpredictable timing), (iii) engage a Taiwan-based or Japan-based testing house affiliated with an EU NB through a subcontracting arrangement (intermediate option, depends on NB-specific policy). Module A avoids this entirely — but only if the product tier permits.
A practical decision framework. For an APAC manufacturer planning their CRA module strategy, the right sequence is: (1) confirm the product tier under Article 32 — this constrains options before economics enter; (2) for Class I products with hEN published in OJEU, model Module A vs Module B+C cost over a 3-year horizon, including expected substantial-modification events; (3) for Class II or Critical products, model Module B+C vs Module H using the same horizon, weighting NB lead-time risk; (4) for FOSS Annex III products, evaluate the Article 32(5) public-disclosure-of-technical-file path that re-enables Module A. Skipping step 1 is the most common APAC error — many manufacturers begin economic modelling before confirming whether their product is even Module-A-eligible.
Block 4 · Cross-regulation map
Decision 768/2008/EC modules across EU product regulations
CRA Annex VIII does not invent its modules from scratch. The A / B / C / H labels come from Decision 768/2008/EC — the New Legislative Framework's common reference template for product-conformity modules. The same module letters appear in the RED, the Machinery Regulation, the EMC Directive, the MDR and the AI Act, with regulation-specific adaptations. The table below shows what each module letter conventionally means and how CRA's flavour differs.
| Module / regulation | Conventional meaning (Decision 768/2008/EC) | CRA-specific adaptation |
|---|---|---|
| Module A — internal control | Manufacturer self-declaration of design + production conformity. No NB. Foundational module for low-risk products. | CRA additionally requires Annex I Part II vulnerability-handling processes (CVD, SBOM, secure update distribution) — these are obligations even under Module A's no-NB model. |
| Module B — EU-type examination | NB examines technical design and issues type-examination certificate. Always paired with a production-control module (C, C1, C2, D, E, F, F1, G). | CRA pairs only with Module C (not C1/C2 or D/E/F variants). CRA Module B explicitly requires NB to perform periodic vulnerability-handling audits during certificate validity (Part II point 8) — atypical of generic Module B. |
| Module C — internal production control after type | Manufacturer ensures production conforms to type described in B's certificate. No NB in production phase. | CRA uses only the plain Module C mode; there are no Module C1 (NB tests at random) or C2 (NB tests planned) variants. Production phase remains entirely manufacturer's responsibility per Article 32 architecture. |
| Module H — full quality assurance | NB approves and oversees a comprehensive QMS covering design + production + monitoring. Manufacturer self-declares conformity within the QMS framework. | CRA Module H QMS scope must explicitly include vulnerability handling per Annex I Part II — including CVD policy operations, SBOM generation, and secure update distribution. ISO 9001 alone is insufficient. Module H1 (with design examination) is not adopted by CRA. |
| RED Directive 2014/53/EU | Uses Modules A, B+C, H. Same template, applied to radio equipment safety + spectrum + cybersecurity (post-RED-DA). | RED's cybersecurity scope (RED Delegated Act 2022/30) is repealed 11 Dec 2027 by CRA. Manufacturers transitioning from RED-cyber to CRA need to re-evaluate module choice — RED's hEN ecosystem is mature, CRA's is still emerging. |
| Machinery Regulation (EU) 2023/1230 | Uses Modules A, B+C, H. Annex IX (cybersecurity-relevant safety-related machinery) requires NB regardless of Module choice. | A connected industrial machine may simultaneously be a Machinery Reg Annex IX product (NB-mandatory) and a CRA Class I product. Single DoC under CRA Article 28(3) must consolidate; one NB engagement may cover both regimes if the same NB is designated under both. |
| AI Act (EU) 2024/1689 | Uses Annex VI (internal control, conceptually similar to Module A) and Annex VII (full quality assurance + technical doc, similar to Module H). Not the same letters as CRA. | CRA Article 12 cybersecurity bridge: when a product is both high-risk AI and Annex III Class II, the AI Act's Annex VI/VII conformity assessment satisfies CRA cybersecurity if appropriately configured. The cross-mapping requires careful module-by-module alignment. |