Article 32 · Regulation (EU) 2024/2847 · Chapter III
Conformity assessment procedures
Module A, B+C, or H. For most APAC manufacturers the answer used to be "A". The CRA's 23 important-product categories (Annex III) and three critical-product categories (Annex IV) change that answer, and bring a notified body into the room.
Block 1 · Official text
What the Regulation actually says
Source. Consolidated text of Regulation (EU) 2024/2847 as published in OJ L, 2024/2847, 20 November 2024. The paragraph headings below are editorial; refer to EUR-Lex for the binding text in all 24 EU languages.
The four procedure options (default tier) ¶ 1
1. The manufacturer shall perform a conformity assessment of the product with digital elements and the processes put in place by the manufacturer to determine whether the essential cybersecurity requirements set out in Annex I are met. The manufacturer shall demonstrate conformity with the essential cybersecurity requirements by using any of the following procedures:
(a) the internal control procedure (based on module A) set out in Annex VIII;
(b) the EU-type examination procedure (based on module B) set out in Annex VIII followed by conformity to EU-type based on internal production control (based on module C) set out in Annex VIII;
(c) a conformity assessment based on full quality assurance (based on module H) set out in Annex VIII; or
(d) where available and applicable, a European cybersecurity certification scheme pursuant to Article 27(9).
Class I: when self-declaration is not enough ¶ 2
2. Where, in assessing the compliance of an important product with digital elements that falls under class I as set out in Annex III and the processes put in place by its manufacturer with the essential cybersecurity requirements set out in Annex I, the manufacturer has not applied or has applied only in part harmonised standards, common specifications or European cybersecurity certification schemes at assurance level at least 'substantial' as referred to in Article 27, or where such harmonised standards, common specifications or European cybersecurity certification schemes do not exist, the product with digital elements concerned and the processes put in place by the manufacturer shall be submitted with regard to those essential cybersecurity requirements to either of the following procedures:
(a) module B followed by module C; or
(b) module H.
In plain terms: Class I can still use Module A, but only if the manufacturer fully applies harmonised standards, common specifications or a European cybersecurity certification scheme at assurance level at least 'substantial' (in practice EUCC) that together cover every applicable Annex I requirement. Where coverage is partial, or no such standard or scheme exists, the uncovered requirements must go to a notified body under B+C or H, which in practice means the whole product does.
Class II: no self-declaration option ¶ 3
3. Where the product is an important product with digital elements that falls under class II as set out in Annex III, the manufacturer shall demonstrate conformity with the essential cybersecurity requirements set out in Annex I by using any of the following procedures:
(a) module B followed by module C;
(b) module H; or
(c) where available and applicable, a European cybersecurity certification scheme pursuant to Article 27(9) of this Regulation at assurance level at least 'substantial' pursuant to Regulation (EU) 2019/881.
Annex IV critical products: certification first ¶ 4
4. Critical products with digital elements listed in Annex IV shall demonstrate conformity with the essential cybersecurity requirements set out in Annex I by using one of the following procedures:
(a) a European cybersecurity certification scheme in accordance with Article 8(1); or
(b) where the conditions in Article 8(1) are not met, any of the procedures referred to in paragraph 3 of this Article.
FOSS escape hatch and SME fee reduction ¶ 5–6
5. Manufacturers of products with digital elements qualifying as free and open-source software, which fall under the categories set out in Annex III, shall be able to demonstrate conformity with the essential cybersecurity requirements set out in Annex I by using one of the procedures referred to in paragraph 1 of this Article, provided that the technical documentation referred to in Article 31 is made available to the public at the time of the placing on the market of those products.
6. The specific interests and needs of microenterprises and small and medium-sized enterprises, including start-ups, shall be taken into account when setting the fees for conformity assessment procedures and those fees shall be reduced proportionately to their specific interests and needs.
Block 2 · Plain language
A decision tree, not a menu
Article 32 reads like a menu of four procedures. It is not a menu. It is a decision tree in which the product tier restricts your options. Walk the tree in this order: is the product in Annex IV (critical)? Is it Annex III Class II? Is it Annex III Class I? Otherwise it is default tier. Each answer removes procedures from the table, and Article 32(5) can put some of them back for free and open-source software.
| Product tier | Allowed procedures | Notified body required? |
|---|---|---|
| Default (roughly 90% of products) | Module A, B+C, H, or a European cybersecurity certification scheme under Article 27(9) where one is available and applicable | No, if Module A is chosen |
| Annex III Class I (19 categories) | Module A only if harmonised standards, common specifications or certification at 'substantial' or higher are fully applied and cover every applicable Annex I requirement; otherwise B+C or H | Conditional |
| Annex III Class II (4 categories) | B+C, H, or a certification scheme at 'substantial' or higher; Module A is not available | Yes (a notified body, or a certification body under a European scheme) |
| Annex IV critical (3 categories) | Certification under Article 8(1) where its conditions are met; otherwise the Class II options | Yes |
| Annex III FOSS with public technical documentation | Back to the default-tier options (Article 32(5) escape hatch) | No, if Module A is chosen |
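The decision tree above, encoded as an added example (this is editorial code, not from the Regulation, the page's author or any official tool). It walks Article 32(1) to 32(5) in the order the paragraphs apply and returns what is left on the table. The `Tier` enum, the `Product` fields, the label strings and the sample products are this example's own constructed choices; the Regulation defines no such identifiers, and the sample classifications are illustrative, not legal advice.

```python
"""Article 32 decision tree (added example, not from Regulation (EU) 2024/2847).

Encodes which conformity assessment procedures Article 32(1) to 32(5) leave
open for a product, given its tier and a few facts about it. Enum, field and
label names are this example's own choices; the Regulation defines none of them.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Tier(Enum):
    DEFAULT = "default"
    CLASS_I = "Annex III class I"
    CLASS_II = "Annex III class II"
    CRITICAL = "Annex IV"


MODULE_A = "Module A (internal control)"
MODULE_BC = "Module B followed by Module C (EU-type examination, conformity to type)"
MODULE_H = "Module H (full quality assurance)"
EU_CERT = "European cybersecurity certification scheme pursuant to Art. 27(9)"
EU_CERT_SUBSTANTIAL = EU_CERT + " at assurance level at least 'substantial'"
CERT_ART8 = "European cybersecurity certification scheme in accordance with Art. 8(1)"


@dataclass
class Product:
    tier: Tier
    # Class I only (Art. 32(2)): harmonised standards, common specifications or a
    # scheme at level >= 'substantial' are applied in full and cover every
    # applicable Annex I requirement. Partial coverage counts as not covered,
    # because the uncovered requirements still have to go to B+C or H.
    standards_fully_applied: bool = False
    # Annex IV only (Art. 32(4)): the conditions of Art. 8(1) are met, i.e. a
    # Commission act requires certification and a usable scheme exists.
    art8_conditions_met: bool = False
    # Art. 32(5): qualifies as free and open-source software, and the Art. 31
    # technical documentation is public when the product is placed on the market.
    is_foss: bool = False
    tech_docs_public: bool = False


PARAGRAPH_1 = [MODULE_A, MODULE_BC, MODULE_H, EU_CERT]       # Art. 32(1)
PARAGRAPH_3 = [MODULE_BC, MODULE_H, EU_CERT_SUBSTANTIAL]     # Art. 32(3)


def allowed_procedures(p: Product) -> list[str]:
    """Walk the tree in the order the paragraphs apply and return what is left."""
    # Art. 32(5) covers Annex III categories only; Annex IV gets no escape hatch.
    if p.tier in (Tier.CLASS_I, Tier.CLASS_II) and p.is_foss and p.tech_docs_public:
        return list(PARAGRAPH_1)
    if p.tier is Tier.CRITICAL:
        # Art. 32(4): certification under Art. 8(1), otherwise the paragraph 3 menu.
        return [CERT_ART8] if p.art8_conditions_met else list(PARAGRAPH_3)
    if p.tier is Tier.CLASS_II:
        return list(PARAGRAPH_3)
    if p.tier is Tier.CLASS_I:
        # Art. 32(2): any gap in standards coverage removes Module A and certification.
        return list(PARAGRAPH_1) if p.standards_fully_applied else [MODULE_BC, MODULE_H]
    return list(PARAGRAPH_1)


def self_declaration_available(p: Product) -> bool:
    """True when the manufacturer can still sign the declaration alone (Module A)."""
    return MODULE_A in allowed_procedures(p)


if __name__ == "__main__":
    # Constructed sample products with illustrative classifications.
    samples = {
        "smart plug (default tier)": Product(Tier.DEFAULT),
        "password manager (class I, no cited hEN yet)": Product(Tier.CLASS_I),
        "firewall (class II)": Product(Tier.CLASS_II),
        "open-source router firmware (class I, FOSS, docs public)": Product(
            Tier.CLASS_I, is_foss=True, tech_docs_public=True),
        "smart meter gateway (Annex IV, Art. 8(1) conditions met)": Product(
            Tier.CRITICAL, art8_conditions_met=True),
    }
    for name, product in samples.items():
        print(f"{name}:")
        for proc in allowed_procedures(product):
            print(f"  - {proc}")
        print(f"  self-declaration possible: {self_declaration_available(product)}")
```

Two design points worth noting. The FOSS check comes first because Article 32(5) overrides paragraphs 2 and 3, but it is deliberately limited to the Annex III tiers: a critical product in Annex IV that happens to be open source gets no relief. And Class I is modelled with a single boolean for "standards fully applied" because, although paragraph 2 technically sends only the uncovered requirements to B+C or H, a product with any gap still ends up in front of a notified body.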
Now the three modules, plainly described.
- Module A, internal control. The manufacturer verifies everything in-house and signs the EU declaration of conformity alone; no notified body is involved. This is what most APAC OEMs have always done for CE marking under RED, EMC and LVD. What changes under the CRA is the content of the technical file: Module A now needs a defensible Annex VII technical file that documents the cybersecurity risk assessment and shows how each Annex I requirement is met, not just an EMC test report.
- Module B + Module C, EU-type examination plus production control. A notified body examines the design and the manufacturer's vulnerability-handling processes and issues an EU-type examination certificate (Module B). The manufacturer then produces to the approved type and self-declares that each unit matches it (Module C). Module B happens once per product type; Module C runs for as long as the product ships. Modifications to the approved type, or to the processes that may affect conformity, must be reported to the notified body and can trigger a fresh Module B. The notified body also runs periodic audits of the vulnerability-handling process against Annex I Part II, so there is no "done once, forever done".
- Module H, full quality assurance. The manufacturer implements an end-to-end quality system covering design, production and post-market vulnerability handling. The notified body assesses the whole system rather than individual product types. Once approved, new product variants can be placed on the market without a fresh per-product notified-body examination, as long as they stay within the approved scope of the quality system and the system itself is maintained under the notified body's surveillance audits. ISO 9001 is a useful starting point but not enough: Module H requires a quality system that demonstrably covers the Annex I essential requirements, both the product requirements in Part I and the vulnerability-handling requirements in Part II.
Two common misreadings of Article 32 to flag. First, Class I is not free of notified-body engagement just because Module A appears in the list. Module A is only available to a Class I product when the manufacturer fully applies harmonised standards, common specifications or a European cybersecurity certification scheme at 'substantial' or higher, covering every applicable Annex I requirement. As of early 2026, no CRA harmonised standard had been cited in the Official Journal of the European Union, so until citations happen Class I effectively defaults to B+C or H in practice. Second, the Article 32(5) FOSS escape hatch requires the technical documentation to be made public, not merely shared with authorities. That is a real cost: many FOSS projects with a commercial product line are not set up to publish the full Annex VII technical file openly.
Block 3 · APAC perspective
The notified body supply problem
Most APAC manufacturers have never engaged a notified body for anything other than functional-safety or medical-device work. Three decades of radio, EMC and low-voltage CE marking were done under Module A self-declaration, supported at most by in-country ISO/IEC 17025-accredited test labs producing test reports that went into the manufacturer's technical file. Article 32(2) and 32(3) change this baseline. For Annex III products, Module A is either conditional (Class I) or unavailable (Class II), and the notified body moves from "optional third-party safeguard" to "mandatory gatekeeper".
Four planning dimensions this forces onto APAC manufacturers' roadmaps.
Notified-body capacity is finite and clustered in Europe. At the point of CRA full application (11 December 2027), the pool of CRA-designated notified bodies will be small and overwhelmingly EU-based. Designation under Articles 42 and 43 runs through national notifying authorities, normally on the basis of accreditation, and a notification procedure in which the Commission and other Member States can object; realistic timelines from application to active notified-body status run 12 to 24 months. Taiwan, Japan and Korea have no locally designated CRA notified bodies, so APAC manufacturers queue into European ones, in the same queue as European manufacturers. Treat notified-body slot availability as a scheduling variable, not a given.
B+C vs H is a business-model decision, not a technical one. If the manufacturer ships a handful of stable SKUs with long life cycles (enterprise network appliances, industrial gateways), Module B+C's per-type certification cost amortises well. If the manufacturer ships dozens of variants on short cycles (consumer IoT, smart home, ASIC-level variants), Module H's quality-system-scope approach can be significantly cheaper per SKU. As an illustration, a Taiwan ODM with a catalogue of 40+ active product variants might spend on the order of EUR 2 to 4 million in Module B+C fees over three years, yet fit 80% of those variants under a single Module H quality-system scope. The CRA does not ban mix-and-match: a manufacturer can run Module H for one product family and Module B+C for another.
The FOSS escape hatch for Annex III is narrow but real. Article 32(5) is frequently cited by open-source advocates but rarely used in practice. Making the Annex VII technical documentation public means disclosing design rationale, the risk assessment, test reports, vulnerability-handling documentation and the standards applied. That is a substantial competitive-transparency trade-off. For community-driven FOSS projects it may be natural; for commercial firms sponsoring embedded Linux distributions or open-source routers, it often is not. Planning assumption: the escape hatch fits a genuinely open project with nothing competitively sensitive in its technical file, not a commercially rebranded OSS derivative.
The SME fee reduction under Article 32(6) is a promise, not a tariff. The Regulation requires that SME interests be taken into account when notified-body fees are set and that fees be reduced proportionately. It does not specify the reduction percentage, the turnover threshold, or the mechanism. In practice, notified-body pricing will follow individual commercial policy plus competitive pressure. APAC SMEs should treat Article 32(6) as a negotiating anchor, not as a binding discount schedule.
Block 4 · Cross-regulation map
Article 32 inside the EU conformity assessment universe
Module A / B / C / H is NLF (New Legislative Framework) vocabulary: Decision No 768/2008/EC lists the full menu of modules A through H1, and each sectoral EU regulation picks a subset. CRA Article 32 picks A, B+C and H (adapted in Annex VIII to cover the manufacturer's processes as well as the product) and adds European cybersecurity certification as a fourth route. To read Article 32 in context, two things are useful: (1) other EU legal regimes that use the same module vocabulary, and (2) voluntary management-system standards that often surface in Module H discussions but do not themselves substitute for CRA conformity assessment.
Layer 1 · EU legal instruments using the same module vocabulary
These are EU laws (Decisions, Directives, Regulations). They share the module language with the CRA, and where APAC manufacturers already have notified-body relationships under one of them, those relationships may be reusable for the CRA once the body is designated for it.
| Instrument | Conformity assessment modules used | Relationship to CRA Article 32 |
|---|---|---|
| Decision No 768/2008/EC (NLF common framework; defines the modules) | All modules: A, A1, A2, B, C, C1, C2, D, D1, E, E1, F, F1, G, H, H1 | Parent definitions. CRA Annex VIII adapts A, B, C and H and adds assessment of the manufacturer's vulnerability-handling processes; the rest of the menu is not used. |
| Radio Equipment Directive 2014/53/EU, including Delegated Regulation (EU) 2022/30 (cybersecurity) | Module A, B+C, H | Same module vocabulary. Many APAC radio-equipment manufacturers already hold Module B type-examination certificates under RED; the same notified body can serve for the CRA only once it is designated for the CRA. The Delegated Regulation is due to be repealed on 11 December 2027, when the CRA takes over the cybersecurity aspects. |
| Machinery Regulation (EU) 2023/1230 (applies from 14 January 2027) | Module A, B+C, H, plus Module G (unit verification) for the higher-risk Annex I categories | Parallel regime with overlapping cybersecurity clauses (protection against corruption) for machinery with digital controllers. A product can be subject to both the Machinery Regulation and CRA conformity assessment: separate technical files, potentially the same notified body. |
| AI Act (EU) 2024/1689 (Article 43 conformity assessment for high-risk AI systems) | Internal control (AI Act Annex VI, Module A-like) or assessment of the quality management system and technical documentation by a notified body (AI Act Annex VII, Module H-like) | CRA Article 12 sets the bridge: a high-risk AI system that is also a product with digital elements normally follows the AI Act Article 43 procedure, with a carve-back for important and critical products. A high-risk AI system that is also an Annex III product required to use B+C or H, or an Annex IV product, follows CRA Article 32 for the CRA requirements rather than AI Act Article 43. |
| EUCC, Implementing Regulation (EU) 2024/482 (European Common Criteria-based certification scheme) | Assurance levels 'substantial' (AVA_VAN.1 to 3) and 'high' (AVA_VAN.4 or 5) | Article 32(1)(d), 32(3)(c) and 32(4)(a) accept a European cybersecurity certification scheme as an alternative to Modules A, B+C and H, but only "where available and applicable": the Commission has to specify under Article 27(9) which schemes can be used, and Class II and Annex IV require at least 'substantial'. EUCC certificates are issued by certification bodies operating under the scheme, with evaluations by ITSEFs accredited and authorised for it; not every APAC lab offering Common Criteria evaluation is recognised for EUCC. |
Layer 2 · Voluntary management-system standards (useful foundation, not a substitute)
These are voluntary international standards. They surface in Module H discussions because Module H is based on a quality management system, but holding a certificate against them does not by itself satisfy CRA Module H. The notified body will require evidence that the quality system covers the full CRA scope.
| Standard | Scope | Relationship to CRA Module H |
|---|---|---|
| ISO/IEC 27001 / ISO 9001 (information security / quality management systems, voluntary) | Management-system certification schemes | Useful but not sufficient. An ISO/IEC 27001 certificate is a strong foundation for the Annex I Part II vulnerability-handling element of Module H, but Module H requires a CRA-specific quality system that covers both the product requirements (Annex I Part I) and the processes (Part II). The notified body will want evidence that the system covers the full CRA scope, not information security in general. Treat ISO/IEC 27001 and ISO 9001 as the platform you build on, not as a CRA-equivalent certification. |