CRA Notebook (CRA reading notes)
Working note — actively evolving, may be revised. See /errata for change log.

Article 27 · Regulation (EU) 2024/2847 · Chapter III

Presumption of conformity — the upstream door

Harmonised standards, Commission common specifications, and European cybersecurity certificates — the three paths that let a manufacturer demonstrate Annex I compliance by pointing at someone else's document. As of early 2026, none of the candidate harmonised standards has been formally cited in the Official Journal. The door exists but is not yet open.

Paragraphs · 9
Applies from · 11 Dec 2027
Primary audience · Manufacturer · Standards body · Certification scheme owner
Last reviewed · 2026-04-25
Status · Working

Block 1 · Official text

What the Regulation actually says

Source. Consolidated text from Regulation (EU) 2024/2847 as published in OJ L 2024/2847, 20 November 2024. Translation is unofficial.

Harmonised standards presumption · ¶ 1

1. Products with digital elements and processes put in place by the manufacturer which are in conformity with harmonised standards or parts thereof, the references of which have been published in the Official Journal of the European Union, shall be presumed to be in conformity with the essential cybersecurity requirements set out in Annex I covered by those standards or parts thereof. The Commission shall, in accordance with Article 10(1) of Regulation (EU) No 1025/2012, request one or more European standardisation organisations to draft harmonised standards for the essential cybersecurity requirements set out in Annex I to this Regulation. When preparing standardisation requests for this Regulation, the Commission shall strive to take into account existing European and international standards for cybersecurity that are in place or under development in order to simplify the development of harmonised standards, in accordance with Regulation (EU) No 1025/2012.

Common specifications — conditions and fallback · ¶ 2 – 3

2. The Commission may adopt implementing acts establishing common specifications covering technical requirements that provide a means to comply with the essential cybersecurity requirements set out in Annex I for products with digital elements that fall within the scope of this Regulation. Those implementing acts shall be adopted only where the following conditions are fulfilled:

(a) the Commission has requested, pursuant to Article 10(1) of Regulation (EU) No 1025/2012, one or more European standardisation organisations to draft a harmonised standard for the essential cybersecurity requirements set out in Annex I and: (i) the request has not been accepted; (ii) the harmonised standards addressing that request are not delivered within the deadline set in accordance with Article 10(1) of Regulation (EU) No 1025/2012; or (iii) the harmonised standards do not comply with the request; and

(b) no reference to harmonised standards covering the relevant essential cybersecurity requirements set out in Annex I to this Regulation has been published in the Official Journal of the European Union in accordance with Regulation (EU) No 1025/2012 and no such reference is expected to be published within a reasonable period.

3. Before preparing the draft implementing act referred to in paragraph 2 of this Article, the Commission shall inform the committee referred to in Article 22 of Regulation (EU) No 1025/2012 that it considers that the conditions in paragraph 2 of this Article have been fulfilled.

Stakeholder consultation; common-spec presumption · ¶ 4 – 5

4. When preparing the draft implementing act referred to in paragraph 2, the Commission shall take into account the views of relevant bodies and shall duly consult all relevant stakeholders.

5. Products with digital elements and processes put in place by the manufacturer which are in conformity with the common specifications established by implementing acts referred to in paragraph 2 of this Article, or parts thereof, shall be presumed to be in conformity with the essential cybersecurity requirements set out in Annex I covered by those common specifications or parts thereof.

hEN supersedes common specification; Member State objection · ¶ 6 – 7

6. Where a harmonised standard is adopted by a European standardisation organisation and proposed to the Commission for the purpose of publishing its reference in the Official Journal of the European Union, the Commission shall assess the harmonised standard in accordance with Regulation (EU) No 1025/2012. When a reference of a harmonised standard is published in the Official Journal of the European Union, the Commission shall repeal the implementing acts referred to in paragraph 2 of this Article, or parts thereof which cover the same essential cybersecurity requirements as those covered by that harmonised standard.

7. Where a Member State considers that a common specification does not entirely satisfy the essential cybersecurity requirements set out in Annex I, it shall inform the Commission thereof by submitting a detailed explanation. The Commission shall assess that detailed explanation and may, if appropriate, amend the implementing act establishing the common specification in question.

EU cybersecurity certificate presumption and delegated-act power · ¶ 8 – 9

8. Products with digital elements and processes put in place by the manufacturer for which an EU statement of conformity or certificate has been issued under a European cybersecurity certification scheme adopted pursuant to Regulation (EU) 2019/881 shall be presumed to be in conformity with the essential cybersecurity requirements set out in Annex I in so far as the EU statement of conformity or European cybersecurity certificate, or parts thereof, cover those requirements.

9. The Commission is empowered to adopt delegated acts in accordance with Article 61 of this Regulation to supplement this Regulation by specifying the European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 that can be used to demonstrate conformity of products with digital elements with the essential cybersecurity requirements or parts thereof as set out in Annex I to this Regulation.

Block 2 · Plain language

The three paths to presumption — and a fourth unofficial one

Article 27 answers one question: when can a manufacturer say "my product meets Annex I" without having to independently argue why? The legal answer is: presumption of conformity arises when the product conforms to one of three things — a harmonised standard cited in the Official Journal (§1), a Commission common specification (§5), or a European cybersecurity certificate at substantial or higher (§8). Presumption is not a certificate; it is a legal shortcut that shifts the burden of proof. The market surveillance authority must demonstrate non-compliance rather than the manufacturer having to re-prove compliance from scratch.

The three official routes, and a fourth route that does not produce presumption but often gets confused with one:

  1. Harmonised standard (hEN) — §1. The cleanest path. When a European standardisation organisation (CEN/CENELEC or ETSI) delivers a standard responding to a Commission standardisation request, and the Commission formally cites the standard in the Official Journal, conformity with that standard creates presumption for the essential requirements it covers. The critical word is "cited". Merely being published as an EN standard is not enough — the OJEU citation is the event that switches presumption on. As of early 2026, no hEN for the CRA has been cited in the OJEU. Candidate standards under the CEN/CENELEC JTC 13 and ETSI CYBER-EUSR workstreams exist in draft form but have not cleared the citation step.

  2. Commission common specification — §2 & §5. An emergency fallback. If the standardisation process fails (request not accepted, deadline missed, or standard does not comply with the request) and no hEN citation is expected in reasonable time, the Commission can adopt its own technical specification via implementing act. This is a backstop — political signals from the Commission indicate it does not intend to use this route lightly. When an hEN is eventually cited for the same requirements, Article 27(6) obliges the Commission to repeal the overlapping common specification. Common specs are temporary scaffolding, not permanent architecture.

  3. European cybersecurity certificate — §8. A certificate issued under a scheme adopted under the Cybersecurity Act (Regulation (EU) 2019/881) grants presumption for the Annex I requirements the certificate covers. The EUCC scheme (Implementing Regulation (EU) 2024/482) is currently the only active scheme. The certificate must be at substantial or higher assurance — basic level does not carry presumption. The scope of presumption is limited by what the certificate actually covers, not what the product does overall. A smartcard with an EUCC certificate for its secure element still has to cover other Annex I aspects (e.g., update mechanisms for the host system) through other means.

  4. Other standards with "used to inform Annex I compliance" status — not presumption. A manufacturer can apply any international standard (ISO/IEC 27001, IEC 62443, NIST SP 800-218 SSDF, ETSI EN 303 645) as part of its Annex I compliance narrative without the standard being cited as an hEN. This is the common case today. The standard does not produce presumption, but using it is legitimate — the technical file must explain how the chosen standards' provisions address specific Annex I requirements. This is more work, but not less valid. Many APAC manufacturers will end up here for their first CRA cycle, pending hEN citations.

The practical consequence of the "no hEN cited yet" state. As of early 2026, Article 32(2) effectively forces Class I products into B+C or H, because the Module A path requires full application of a cited hEN — and none exists. Article 27 is fully drafted law, but most of its beneficial effect is in the future tense. APAC manufacturers planning CRA readiness in 2026 and 2027 should treat Article 27 as a promise that pays out progressively, not as a flip-the-switch benefit.

Block 3 · APAC perspective

Standards roadmap uncertainty and what to do about it

The European standardisation workstream for the CRA is active but slow. The Commission has issued a standardisation request under M/606, with CEN-CENELEC JTC 13 and ETSI-CYBER-EUSR splitting responsibilities across a horizontal core standard and multiple vertical product-category standards. Drafts are public but citation is not. For APAC planning, three concrete observations are worth holding.

Known candidate standards, known uncertainty on citation. The M/606 Work Programme version 1 (dated 2 April 2026) identifies the concrete work items. For the horizontal core, prEN 40000-1-1/-2/-3 cover general requirements, vulnerability handling, and support-period considerations. For vertical product categories, the EN 304 61X series (browsers, password managers, antivirus, VPN, OS, boot managers, routers-modems-switches, firewalls, smart-home products) is progressing. For six verticals — Line 20 VPN, Line 21 NMS, Line 22 SIEM, Line 25 Physical/Virtual Network Interfaces, Line 27 Routers/Modems/Switches, Line 36 Firewalls/IDS/IPS — the Work Programme v1 verifies IEC 62443 Security Profile work under CLC/TC 65X WG3 Mode 2 plus ETSI CYBER-EUSR. For other verticals, the IEC 62443 connection remains unverified. Planning posture: track M/606 status monthly; do not treat any specific standard as cited until EUR-Lex confirms.

"Partial application" is a real and useful concept. Article 27(1) says presumption arises for the essential requirements "covered by those standards or parts thereof". Manufacturers can mix and match — a router product might apply EN 304 627 (if cited) for most Annex I 2(a)–(m) items, but handle a specific item through an alternative solution explicitly described in the technical file. This is the Blue Guide approach applied to the CRA. It is not an escape hatch but a working mode. The technical file burden (Annex VII item 5) rises when alternative solutions are used.

Standards with existing APAC adoption base have a head-start advantage. ETSI EN 303 645 is already referenced in Taiwan BSMI CNS 16190, in the UK PSTI regime, in India's TEC ITSAR. If EN 303 645 (or a derivative) is cited as a CRA hEN for smart-home or consumer-IoT categories, APAC manufacturers already compliant in multiple non-EU markets can transfer their engineering effort directly. IEC 62443 series, widely adopted in industrial contexts, has the same character. Conversely, standards with thin APAC adoption base (e.g., specific French or German national standards) create higher switching cost. Where existing APAC work aligns with candidate hENs, it is worth accelerating that work regardless of citation timing.

Tactical posture for the next 18 months. Until a meaningful number of hENs land in the OJEU, APAC manufacturers planning Annex III Class I products should (i) build technical files that assume the "no cited hEN" fallback of Module B+C or H, (ii) simultaneously engineer against the most likely candidate standards so the presumption switch, when flipped, does not require rework, and (iii) maintain a watch-list of the top 5–10 standards most relevant to their product lines with automatic alerts on EUR-Lex citation events.

Block 4 · Cross-regulation map

Candidate standards, verified status, citation expectations

The table below lists the categories of standards most often discussed in the context of CRA presumption of conformity, with verified 2026 status and the realistic view on when presumption may become usable through them.

prEN 40000-1-X series
Scope · Horizontal CRA core: general requirements, vulnerability handling, support period
Status · Drafts circulating (2025 versions). Not yet published as an EN. Not cited in the OJEU. Candidate for first-tranche OJEU citation once published as an EN. Timeline unverified — expect 2026 at the earliest.

EN 304 61X / 62X / 63X series
Scope · Vertical product-category standards (browsers, VPN, routers, OS, boot managers, smart-home, firewalls, etc.)
Status · Drafts at various maturity levels (V0.0.3 to V0.0.13). Progressing under ETSI CYBER-EUSR. Not yet published as ENs. Not cited. Most relevant for Annex III Class I products. Citation timing depends on per-vertical EN publication and Commission assessment. Treat all as draft with no presumption effect as of 2026.

ETSI EN 303 645
Scope · Consumer IoT baseline
Status · Published 2020 (v2.1.1). Not originally drafted for the CRA but widely used in parallel regimes (UK PSTI, Taiwan BSMI CNS 16190, India TEC ITSAR). Could become a CRA hEN for smart-home categories (Annex III Class I (16), (17)), possibly via an EN 18031-series derivative. Not currently cited. Useful for Annex I coverage irrespective of citation.

EN IEC 62443-4-1 prAA:2026 / EN IEC 62443-4-2 prAA:2026
Scope · Secure product development lifecycle / component security
Status · Under revision with CRA-aligned prAA:2026 amendments. Widely adopted in industrial contexts. Presumption-of-conformity status for the CRA not confirmed. For the six verified M/606 verticals (VPN, NMS, SIEM, physical/virtual network interfaces, routers/modems/switches, firewalls/IDS/IPS) IEC 62443 Security Profile work is active. Citation mechanism unclear. Treat as a strong engineering reference, not as a presumption path.

NIST SP 800-218 SSDF
Scope · Secure Software Development Framework
Status · US federal voluntary framework. Not an EU standard. No CRA presumption pathway. Useful evidence for Annex I Part II vulnerability-handling alignment. The technical file can cite SSDF implementation, but it does not produce Article 27 presumption.

EUCC — Implementing Regulation (EU) 2024/482
Scope · European Common Criteria-based cybersecurity certification
Status · In force since 27 Feb 2024. Substantial / High / High-AVA assurance levels. Article 27(8) grants presumption to EUCC-certificated products within the certificate scope at substantial or higher. Currently the only fully operational §8 pathway. A future Article 27(9) delegated act is expected to specify EUCC's scope of presumption for CRA Annex I items.