Article 7 · Regulation (EU) 2024/2847 · Chapter I
Important products with digital elements
Twenty-three product categories. This is the article that decides whether a Taiwan-made router, firewall, VPN appliance, or smart-home hub self-declares conformity or sits down with a notified body.
Block 1 · Official text
What the Regulation actually says
Source. Consolidated text of Regulation (EU) 2024/2847 as published in OJ L 2024/2847, 20 November 2024. Any translation is unofficial; refer to EUR-Lex for the binding text in all 24 EU languages.
Scope of Article 7 and the integration clause ¶ 1
1. Products with digital elements which have the core functionality of a product category set out in Annex III shall be considered to be important products with digital elements and shall be subject to the conformity assessment procedures referred to in Article 32(2) and (3). The integration of a product with digital elements which has the core functionality of a product category set out in Annex III shall not in itself render the product in which it is integrated subject to the conformity assessment procedures referred to in Article 32(2) and (3).
The Class I / Class II eligibility criteria ¶ 2
2. The categories of products with digital elements referred to in paragraph 1 of this Article, divided into classes I and II as set out in Annex III, meet at least one of the following criteria:
(a) the product with digital elements primarily performs functions critical to the cybersecurity of other products, networks or services, including securing authentication and access, intrusion prevention and detection, end-point security or network protection;
(b) the product with digital elements performs a function which carries a significant risk of adverse effects in terms of its intensity and ability to disrupt, control or cause damage to a large number of other products or to the health, security or safety of its users through direct manipulation, such as a central system function, including network management, configuration control, virtualisation or processing of personal data.
Commission's delegated-act power and 12-month transition ¶ 3
3. The Commission is empowered to adopt delegated acts in accordance with Article 61 to amend Annex III by including in the list a new category within each class of the categories of products with digital elements and specifying its definition, moving a category of products from one class to the other or withdrawing an existing category from that list. When assessing the need to amend the list set out in Annex III, the Commission shall take into account the cybersecurity-related functionalities or the function and the level of cybersecurity risk posed by the products with digital elements as set out by the criteria referred to in paragraph 2 of this Article.
Second subparagraph: delegated acts shall provide a transitional period of at least 12 months, in particular where a new category is added to Class I or Class II or a category is moved between classes, before the relevant conformity assessment procedures start to apply, unless imperative grounds of urgency justify a shorter period.
Implementing act deadline: 11 December 2025 ¶ 4
4. By 11 December 2025, the Commission shall adopt an implementing act specifying the technical description of the categories of products with digital elements under classes I and II as set out in Annex III and the technical description of the categories of products with digital elements as set out in Annex IV. That implementing act shall be adopted in accordance with the examination procedure referred to in Article 62(2).
Implemented as Commission Implementing Regulation (EU) 2025/2392, published 1 December 2025, which provides the binding technical descriptions for all Annex III and Annex IV categories.
Block 2 · Plain language
How Article 7 re-sorts the product landscape
Article 6 sets the baseline; Article 7 adds a lift. Any product whose core functionality matches one of the 23 categories in Annex III is pushed from the baseline tier, where a manufacturer can self-declare conformity under Module A, into a heavier route that requires either fully applying a harmonised standard or calling in a notified body. Article 32(2) covers Class I; Article 32(3) covers Class II.
Four points decide how Article 7 lands on a specific product.
"Core functionality" is a legal test, not a marketing test. Whether a product counts as, say, a "router, modem intended for the connection to the internet, or switch" under Annex III Class I (12) is decided by the function it primarily performs, not by the product sheet and not by the SKU name. Implementing Regulation 2025/2392 of 1 December 2025 provides the binding technical descriptions that resolve borderline cases. When in doubt, the 2025/2392 definition is the rule-book.
The integration clause protects the host product. Article 7(1), second sentence: embedding, say, an Annex III Class I (8) boot manager inside a larger server does not make the whole server an important product. Only the boot manager itself falls under Article 7. This is the "component vs host" boundary rule. If you are a server ODM sourcing a third-party boot manager, your server does not inherit the Class I conformity assessment, but the boot manager supplier's product does, and you need their CE-compliance artefacts for your own Article 13 due-diligence file.
Class I vs Class II reflects risk intensity, not alphabetical ordering. Class II contains only four categories: hypervisors and container runtimes; firewalls, intrusion detection and prevention systems; tamper-resistant microprocessors; tamper-resistant microcontrollers. Recital 44 explains why: a Class II product either performs a cybersecurity-related function or another high-impact function at a higher intensity than Class I, or meets both criteria at once. A Class II product under Article 32(3) cannot self-declare even with a fully applied harmonised standard; Module B+C or Module H is mandatory.
Annex III will move. Article 7(3) gives the Commission delegated-act power to add, move or remove categories, with a baseline 12-month transitional period. A product that is outside Annex III on Day 1 of CRA application could land in Class I a year later, or move from Class I to Class II. Planning conformity only for the list as it stands in 2027 is short-sighted. Planning assumption: the list will expand, and movement typically runs from outside-the-list into Class I and from Class I into Class II, not the reverse.
Block 3 · APAC perspective
The Annex III categories that hit APAC hardest
Run a finger down Annex III Class I and Class II and overlay the Taiwan ICT export catalogue. The overlap is not accidental. Many of the 23 categories are products in which Taiwan OEM/ODM firms hold significant global share: routers, switches, network-management systems, VPN hardware, boot managers on server boards, smart-home products with security functions, hypervisors and firewalls on appliance hardware. This is the article where the "we just sell hardware, the cybersecurity rules don't really apply to us" mental model dies.
Concrete APAC exposure analysis by Annex III entry:

| Annex III entry | APAC supplier density | Where the compliance pain hits |
|---|---|---|
| Class I (12) Routers, modems, switches | Very high: Taiwan ODMs dominate consumer and SMB segments globally | Annex I Part I 2(a)–(m) applicability calls on every SKU. Firmware-update pipeline documentation for Annex I Part II. Fleet-scale CVD contact point and SBOM maintenance. |
| Class I (5) VPN products | High: hardware VPN appliances from Taiwan and Korea with global reach | Draft EN 304 620 series (2025 drafts) is the likely hEN candidate, but citation in the Official Journal under the CRA is not confirmed. Manufacturers planning certification should treat EN 304 620 as a moving target. |
| Class I (8) Boot managers | Very high at component level: AMI/Insyde and derivatives ship in a majority of x86 motherboards from Taiwan ODMs | Draft EN 304 623 (2025-11-20) is the pending hEN candidate. The integration clause is critical: server and laptop makers do not inherit Class I conformity, but they need supply-chain evidence that the boot manager itself is CE-compliant. |
| Class I (17) Smart home products with security functions (smart locks, security cameras, baby monitors, alarm systems) | High: Taiwan, China and Korea combined dominate OEM supply | Overlaps with ETSI EN 303 645 and the draft EN 18031 series. Also runs into BSMI CNS 16190 / CNS 18031 mandatory cybersecurity testing in Taiwan from 2028-01-01, so Taiwan makers face dual-track domestic + EU conformity for the same product. |
| Class I (13)–(15) Security-related microprocessors / microcontrollers / ASICs / FPGAs | Very high: Taiwan fabless (MediaTek, Realtek), foundry (TSMC) and Korea (Samsung) sit in the critical path | "Security-related functionalities" is a legal threshold that must be tested against Implementing Regulation 2025/2392. A one-line "security" claim in a silicon vendor's datasheet can tip a whole chip family into Class I. |
| Class II (2) Firewalls, IDS, IPS | Moderate: Taiwan (Zyxel, Asus, etc.) and Korea compete in the SMB tier; the enterprise tier is dominated by US/Israeli vendors | Module B+C or Module H mandatory. Notified-body engagement cannot be avoided by applying a harmonised standard. Draft EN 304 636 (Firewalls, 2025-11-10) is the pending hEN candidate, but again the OJ citation is pending. |

One structural observation for Japan and Korea makers. JC-STAR (METI + IPA) and the K-ISMS path are certification or labelling schemes, not statutes. They produce domestic voluntary-certification artefacts; they do not confer CRA presumption of conformity and do not substitute for CRA legal obligations. Domestic certification accelerates engineering readiness but does not remove the EU conformity step. Planning assumption: domestic schemes are necessary but not sufficient; EU conformity is a separate budget line.
Block 4 · Cross-regulation map
Article 7 alongside other classification regimes
Product classification is a common regulatory device. Different regimes cut the same product population along different axes: "radio equipment", "medical device Class I/IIa/IIb/III", "high-risk AI system", "essential / important entity under NIS2". Article 7's cut is a cybersecurity-risk cut. Below is how it lines up with the classification regimes most likely to co-apply in APAC.
RED Delegated Act 2022/30
Product-class-level cybersecurity for radio equipment
RED DA applies at class level (e.g., Class 3 internet-connected radio equipment). CRA Article 7 applies at Annex III category level. Many products fall into both: a Wi-Fi router is RED Class 3 and CRA Annex III Class I (12). RED DA is repealed on 11 December 2027 and the CRA succeeds it from that date; existing certificates transition until 11 June 2028.
AI Act (EU) 2024/1689
High-risk AI system classification per Annex III of AI Act
Two completely different Annex IIIs. CRA Annex III (this article) lists product categories. AI Act Annex III lists AI use-cases (biometrics, critical infrastructure, education, employment, etc.). A product can be both a CRA important product and a high-risk AI system, pulling in both Article 7 and Article 12 obligations. Parallel regimes, different axes; Article 12 provides the cybersecurity bridge.
NIS2 Directive (EU) 2022/2555
Essential / important entity classification by sector and size
NIS2 classifies entities; CRA Article 7 classifies products. A router is a CRA Annex III product; the telecom operator using it is a NIS2 essential entity. The classification targets do not overlap, but the populations interlock: NIS2 operators procure CRA-scoped products. Orthogonal regimes with different regulated populations.
Implementing Regulation (EU) 2025/2392
Technical descriptions of Annex III and IV categories
The binding interpretive text for Article 7. Published 1 December 2025 (the Article 7(4) deadline was 11 December 2025). Resolves borderline "core functionality" questions that would otherwise be left to case-by-case market-surveillance decisions. Published and binding: the rule-book when Annex III language alone is ambiguous.
Delegated acts under Article 7(3) and Article 8(1)
Future amendments to Annex III; mandatory certification for Annex IV
Article 7(3) delegated acts can move Annex III categories between classes or add new ones. Article 8(1) delegated acts can make EUCC (or similar) certification mandatory for Annex IV critical products. Both are live workstreams at the Commission. Monitor them: Annex III is a moving target.