Article 8 Regulation (EU) 2024/2847 · Chapter I 法規 (EU) 2024/2847 · 第一章
Critical products with digital elements 關鍵產品(具數位元素)
Three product categories. A Commission delegated-act trigger. And — if the trigger fires — mandatory EUCC certification at substantial or higher. This is the top shelf of the CRA: above Class II, above notified-body sign-off, into the certification-scheme tier. 三個產品類別。一個執委會授權法案觸發器。若觸發,強制 EUCC 認證達 substantial 或以上。這是 CRA 最上層:在 Class II 之上、在指定機構簽核之上,進入認證機制層級。
Block 1 · Official text 區塊 1 · 官方條文
What the Regulation actually says 條文實際怎麼寫
Source. Consolidated text from Regulation (EU) 2024/2847 as published in OJ L 2024/2847, 20 November 2024. EUCC scheme references are to Commission Implementing Regulation (EU) 2024/482. Translation is unofficial. 來源。條文自《法規 (EU) 2024/2847》整合文本,發布於 OJ L 2024/2847,2024 年 11 月 20 日。EUCC 機制引用《執委會執行法規 (EU) 2024/482》。中文為非官方翻譯。
Delegated-act power to mandate EUCC certification 強制 EUCC 認證之授權權限 ¶ 1
1. The Commission is empowered to adopt delegated acts in accordance with Article 61 to supplement this Regulation to determine which products with digital elements that have the core functionality of a product category that is set out in Annex IV to this Regulation are to be required to obtain a European cybersecurity certificate at assurance level at least 'substantial' under a European cybersecurity certification scheme adopted pursuant to Regulation (EU) 2019/881, to demonstrate conformity with the essential cybersecurity requirements set out in Annex I to this Regulation or parts thereof, provided that a European cybersecurity certification scheme covering those categories of products with digital elements has been adopted pursuant to Regulation (EU) 2019/881 and is available to manufacturers.
1. 執委會有權依第 61 條採納授權法規補充本法規,以決定核心功能屬於本法規附件四所列產品類別之具數位元素產品中,哪些應於依《規章 (EU) 2019/881》採納之歐洲網路安全認證機制下,取得至少「實質」(substantial)保證等級之歐洲網路安全證書,以證明符合本法規附件一之基本網路安全要求或其部分,惟涵蓋該等產品類別之歐洲網路安全認證機制已依《規章 (EU) 2019/881》採納並對製造商可用為前提。
The delegated acts shall specify the assurance level proportionate to the cybersecurity risk and shall take account of intended purpose, including critical dependency by essential entities per Article 3(1) of Directive (EU) 2022/2555 (NIS2). Before adopting such acts, the Commission shall carry out a market-impact assessment and consult stakeholders including the European Cybersecurity Certification Group established under Regulation (EU) 2019/881. Where no such delegated acts have been adopted, Annex IV products shall be subject to the conformity assessment procedures in Article 32(3). Minimum transitional period: six months, unless imperative urgency justifies a shorter period.
授權法案應明定與網路安全風險相稱之保證等級,並考量預期用途,包括依《指令 (EU) 2022/2555》(NIS2)第 3(1) 條所指關鍵實體之關鍵依賴。採納前,執委會應進行市場影響評估並諮詢利害關係人,包括依《規章 (EU) 2019/881》所設立之歐洲網路安全認證小組。未採納此類授權法案時,附件四產品應依第 32(3) 條之符合性評鑑程序進行。最短過渡期 6 個月,惟有急迫正當事由得採較短期。
Delegated-act power to amend Annex IV 修訂附件四之授權權限 ¶ 2
2. The Commission is empowered to adopt delegated acts in accordance with Article 61 to amend Annex IV by adding or withdrawing categories of critical products with digital elements. When determining such categories of critical products with digital elements and the required assurance level, in accordance with paragraph 1 of this Article, the Commission shall take into account the criteria referred to in Article 7(2) and ensure that the categories of products with digital elements meet at least one of the following criteria:
2. 執委會有權依第 61 條採納授權法規修訂附件四,以新增或撤除關鍵產品類別。依本條第 1 項決定關鍵產品類別及所需保證等級時,執委會應考量第 7(2) 條所指之準則,並確保該等產品類別至少符合下列其中一項準則:
(a) there is a critical dependency of essential entities as referred to in Article 3 of Directive (EU) 2022/2555 on the category of products with digital elements;
(a) 《指令 (EU) 2022/2555》第 3 條所指之關鍵實體對該具數位元素產品類別存有關鍵依賴;
(b) incidents and exploited vulnerabilities concerning the category of products with digital elements could lead to serious disruptions of critical supply chains across the internal market.
(b) 涉及該具數位元素產品類別之事件與已遭利用之弱點,可能導致內部市場上關鍵供應鏈之嚴重中斷。
The Commission shall carry out a market-impact assessment before adopting such acts. Minimum transitional period: six months.
執委會應於採納該等法案前進行市場影響評估。最短過渡期 6 個月。
Annex IV — the three critical product categories 附件四,三個關鍵產品類別 Annex IV
1. Hardware Devices with Security Boxes — devices designed to protect cryptographic keys and sensitive data against physical and logical attacks, including HSMs.
1. 具安全裝置的硬體設備(HWSB),設計用以保護密碼金鑰與敏感資料免於實體與邏輯攻擊,含 HSM。
2. Smart meter gateways within smart metering systems as defined in Article 2, point (23) of Directive (EU) 2019/944, and other devices for advanced security purposes, including for secure cryptoprocessing.
2. 智慧計量系統中之智慧電表閘道,依《指令 (EU) 2019/944》第 2 條第 23 點所定,及其他進階安全用途之裝置,含用於安全密碼處理者。
3. Smartcards or similar devices, including secure elements.
3. 智慧卡或類似裝置,含安全元件。
Implementing Regulation (EU) 2025/2392 of 1 December 2025 provides binding technical descriptions for the three Annex IV categories. The EUCC scheme (Implementing Regulation (EU) 2024/482) already covers smartcards and secure elements at assurance levels including High-AVA (covering AVA_VAN.4 and AVA_VAN.5).
《執行法規 (EU) 2025/2392》於 2025/12/1 公布,為附件四三類提供強制適用的技術描述。EUCC 機制(執行法規 (EU) 2024/482)已涵蓋智慧卡與安全元件,保證等級包含 High-AVA(含 AVA_VAN.4 與 AVA_VAN.5)。
Block 2 · Plain language 區塊 2 · 白話解讀
A conditional escalator, not a locked ceiling 一條有條件的升級路徑,不是天花板
Article 8 is commonly read as "Annex IV products must obtain EUCC certification". That reading is wrong by default. A careful reading shows the obligation is conditional on the Commission adopting a delegated act under Article 8(1) naming specific sub-categories of Annex IV as subject to mandatory EUCC. Until that happens, Annex IV products follow CRA Article 32(3) — the Class II route of Module B+C, Module H, or EUCC substantial+ as an option, not a requirement.
第 8 條常被誤讀成「附件四產品必須拿到 EUCC certification」。這個讀法預設是錯的。仔細讀會發現,這個義務必須等執委會先依第 8(1) 條採納 delegated act、具名指定附件四的特定子類別為強制 EUCC 適用對象,才會啟動。在這之前,附件四產品依 CRA 第 32(3) 條:走 Class II 路徑的 Module B+C、Module H,或把 EUCC substantial+ 當作選項(不是要求)。
Three moving parts decide the practical state of Article 8 at any given moment.
第 8 條在任何一個時間點的實務狀態,由三個變動元件決定:
-
Whether a usable EUCC scheme exists. Article 8(1) only applies when "a European cybersecurity certification scheme covering those categories... has been adopted pursuant to Regulation (EU) 2019/881 and is available to manufacturers". The EUCC scheme (Implementing Regulation (EU) 2024/482) entered into force 27 February 2024 and covers smartcards, secure elements, and certain hardware cryptographic modules at assurance levels Substantial, High, and High-AVA. A Commission delegated act cannot mandate EUCC for an Annex IV category that no EUCC scheme actually covers.
EUCC scheme 是不是已經可用。第 8(1) 條只在「涵蓋這些類別的歐洲網路安全認證 scheme... 已依 Regulation (EU) 2019/881 採納、且對製造商可用」時才會適用。EUCC scheme(Implementing Regulation (EU) 2024/482)於 2024 年 2 月 27 日生效,涵蓋智慧卡、安全元件,以及某些硬體密碼模組在 Substantial、High、High-AVA 保證等級。執委會 delegated act 不能對「EUCC scheme 還沒實際涵蓋的附件四類別」強制 EUCC。
-
Whether the Commission has triggered the delegated act. As of early 2026 no Article 8(1) delegated act has been adopted. The Article 8(1) procedure itself is load-bearing: a market-impact assessment, a stakeholder consultation involving the European Cybersecurity Certification Group, a minimum six-month transition once adopted. This is not a switch that flips silently. The first Article 8(1) delegated act — when it arrives — is likely to target smartcards / secure elements first, since that is where the EUCC scheme coverage is most mature.
執委會有沒有觸發 delegated act。截至 2026 年初還沒有採納任何第 8(1) 條的 delegated act。第 8(1) 條的程序本身就有份量:市場影響評估、跟歐洲網路安全認證小組做利害關係人諮詢、採納後最短過渡期 6 個月。這不是隨手就能撥動的開關。第一份第 8(1) 條 delegated act 推出時,最可能先針對智慧卡 / 安全元件,因為這個領域的 EUCC scheme 涵蓋最成熟。
-
Whether Annex IV itself gets amended. Article 8(2) lets the Commission add or remove Annex IV categories via a separate delegated act. Two criteria gate this: (a) essential entities per NIS2 have a critical dependency on the category, or (b) incidents / exploited vulnerabilities could cause serious supply-chain disruption. Both the Annex IV list itself and the sub-category-level mandatory-EUCC designation under §1 can shift over time.
附件四本身有沒有被修訂。第 8(2) 條允許執委會透過獨立的 delegated act 新增或撤除附件四類別。兩個準則把關:(a) NIS2 下的關鍵實體對這個類別有關鍵依賴;(b) 事件或已被利用的弱點,可能導致嚴重的供應鏈中斷。附件四清單本身,以及 §1 下子類別層級的強制 EUCC 指定,都可能隨時間變動。
The resulting state-machine for an Annex IV product at any given moment:
附件四產品在任何一個時間點的狀態,可以這樣判斷:
| Scenario情境 | Conformity route符合性路徑 | Notified body involved?是否涉及指定機構? |
|---|---|---|
| No Article 8(1) delegated act yet尚無第 8(1) 條授權法案 | Article 32(3) — Module B+C, Module H, or EUCC substantial+ (manufacturer chooses)第 32(3) 條,Module B+C、Module H 或 EUCC substantial+(製造商選擇) | Yes — via Module B+C or H是,透過 Module B+C 或 H |
| Article 8(1) delegated act adopted, covers this sub-category第 8(1) 條授權法案已採納且涵蓋本子類別 | EUCC substantial+ mandatory. Module B+C and Module H no longer satisfy.強制 EUCC substantial+。Module B+C 與 Module H 不再充分。 | Yes — via EUCC accredited lab + CAB是,透過 EUCC 認可實驗室 + CAB |
| Article 8(1) delegated act adopted, does NOT cover this sub-category第 8(1) 條授權法案已採納但不涵蓋本子類別 | Article 32(3) continues to apply — same three options as scenario 1.第 32(3) 條繼續適用,與情境 1 相同之三選項。 | Yes — via Module B+C or H是,透過 Module B+C 或 H |
| Article 12(3) AI bridge carve-back第 12(3) 條 AI 橋接保留 | If the product is also a high-risk AI system that would use AI Act Annex VI, Article 12(3) routes the cybersecurity conformity back to CRA Article 32(3) — same as scenario 1.若產品也為依 AI Act 附件六之高風險 AI 系統,第 12(3) 條將網路安全符合性路由回 CRA 第 32(3) 條,與情境 1 相同。 | Yes是 |
Block 3 · APAC perspective 區塊 3 · APAC 觀點
Three categories, three different APAC exposure profiles 三個類別、三種不同的 APAC 暴露
Annex IV is small — three product categories — but the APAC manufacturer exposure profile for each differs sharply. A one-size-fits-all Article 8 planning narrative misses this.
附件四很小,只有三個產品類別,但每個類別的 APAC 製造商暴露程度差異很大。一體適用的第 8 條規劃敘述會錯過這個差異。
Three planning dimensions worth calling out for APAC manufacturers in the Annex IV zone.
在附件四區的 APAC 製造商,值得標出三個規劃層面:
EUCC lab capacity in APAC is scarce and clustered. Common Criteria evaluation facilities at ITSEF level capable of performing AVA_VAN.4+ vulnerability analysis exist in Japan, Korea, Singapore, India — but EUCC scheme recognition specifically requires the lab to be accredited under the EUCC scheme rules, not just ISO/IEC 17025 against CC. As of early 2026, EUCC-accredited labs are concentrated in Europe. APAC manufacturers planning EUCC certification should budget for either (i) EU lab engagement with sample logistics, or (ii) wait for local lab EUCC accreditation which typically lags the European rollout by 12–18 months.
APAC 的 EUCC 實驗室能量稀少且集中。能在 ITSEF 層級執行 AVA_VAN.4+ 弱點分析的 Common Criteria 評估設施在日本、韓國、新加坡、印度都有,但 EUCC scheme 認可具體要求實驗室依 EUCC scheme 規則取得認可,不是只依 ISO/IEC 17025 對 CC 取得認可。截至 2026 年初,EUCC 認可的實驗室集中在歐洲。規劃 EUCC 認證的 APAC 製造商,預算上要選 (i) 委請歐洲實驗室加上樣品物流;或 (ii) 等待本地實驗室取得 EUCC 認可,這通常比歐洲推行晚 12 到 18 個月。
The assurance level specified by the delegated act matters enormously. EUCC has three levels — Substantial, High, High-AVA (mapping broadly to CC EAL2, EAL4, EAL4+ AVA_VAN.4+). Jumping from "EUCC Substantial" to "EUCC High-AVA" is not a marginal step — test duration increases 3–5×, cost increases 3–10×, and vulnerability analysis methodology (AVA_VAN.4 "methodical analysis" or AVA_VAN.5 "advanced methodical analysis") requires specialised attack expertise that few labs globally possess. Article 8(1) second sentence obliges the Commission to set proportionate assurance levels, but "proportionate to cybersecurity risk" leaves wide latitude.
delegated act 指定的保證等級極為重要。EUCC 有三級,Substantial、High、High-AVA(大致對應 CC EAL2、EAL4、EAL4+ AVA_VAN.4+)。從「EUCC Substantial」跳到「EUCC High-AVA」不是小一步,測試期間增加 3 到 5 倍、成本增加 3 到 10 倍,而且弱點分析方法論(AVA_VAN.4「方法論式分析」或 AVA_VAN.5「進階方法論式分析」)要求全球少數實驗室才有的專業攻擊能力。第 8(1) 條第二句要求執委會設定具比例性的保證等級,但「跟網路安全風險相稱」留下很大彈性空間。
Commercial CC evaluations done for non-EU markets do not automatically convert. An APAC secure-element vendor that already holds CC certificates under Japan's JISEC scheme, Korea's KISA CC scheme, or a national SOG-IS MRA scheme has strong technical groundwork but not a directly transferable EUCC certificate. The EUCC scheme has its own Certification Bodies (CABs) and its own scope-of-certification rules. Existing CC evaluations can often be reused as evidence inside an EUCC evaluation — significant time saved — but the final certificate is a new issue.
非歐盟市場做的商業 CC 評估不會自動轉換成 EUCC。已經持有日本 JISEC、韓國 KISA CC、或國家 SOG-IS MRA scheme 下 CC 證書的 APAC 安全元件廠商,技術基底很強,但這些不會自動轉成可用的 EUCC 證書。EUCC scheme 有自己的 Certification Bodies (CAB) 跟自己的認證範圍規則。既有的 CC 評估通常可以在 EUCC 評估中當作證據重用,可以省下不少時間,但最終證書還是新發的。
| Annex IV category附件四類別 | APAC exposureAPAC 暴露 | Practical planning posture實務規劃姿態 |
|---|---|---|
| (1) Hardware Devices with Security Boxes (HWSB) — including HSMs | Low — HSM supply is dominated by EU/US/Israel vendors (Thales, Utimaco, Entrust, nCipher, Marvell). APAC supply is niche.低,HSM 供應由歐 / 美 / 以色列廠商主導(Thales、Utimaco、Entrust、nCipher、Marvell)。APAC 是利基供應。 | For APAC manufacturers not in the HSM business, Article 8 has near-zero direct relevance. Integrators using third-party HSMs rely on the HSM supplier's certification, not their own.對不在 HSM 業務的 APAC 製造商,第 8 條直接相關性幾乎是零。使用第三方 HSM 的系統整合商依賴 HSM 供應商的認證,不是自己的認證。 |
| (2) Smart meter gateways and advanced-security cryptoprocessing devices | Moderate — Korea (LS Electric, Itron Korea) and Japan (Toshiba, Hitachi) have smart-meter programmes; Taiwan presence limited. EU-side gateways typically sourced locally per Member-State tender.中等,韓國(LS Electric、Itron Korea)跟日本(東芝、日立)有智慧電表專案;台灣參與有限。歐盟側閘道通常由各會員國招標、當地採購。 | APAC makers exporting to EU smart-grid tenders need to monitor Article 8(1) delegated-act movement closely. Member State procurement policies often already require certification against national protection profiles (e.g., BSI-TR-03109 in Germany) that pre-exist CRA.出口歐盟智慧電網標案的 APAC 廠商必須密切監測第 8(1) 條 delegated act 動向。會員國採購政策通常已經要求符合國家 protection profile(例如德國 BSI-TR-03109)的認證,這些要求比 CRA 更早存在。 |
| (3) Smartcards or similar devices, including secure elements | High — Korea (Samsung, SK Hynix) and Taiwan (Winbond, Macronix) are global secure-element suppliers. Japan (Sony, Renesas, Toshiba) strong in automotive and IC card secure elements. APAC silicon is upstream of much of the world's smartcard supply.高,韓國(三星、SK 海力士)跟台灣(華邦、旺宏)是全球安全元件供應商。日本(Sony、瑞薩、東芝)在車用跟 IC 卡安全元件有實力。APAC 晶片位於全球智慧卡供應的上游。 | The category where Article 8(1) is most likely to fire first. EUCC already covers smartcards at High-AVA (AVA_VAN.4 / AVA_VAN.5). Planning assumption: APAC secure-element suppliers should be EUCC-ready before the delegated act rather than reactive. The investment horizon matters — CC evaluation against a Protection Profile at AVA_VAN.4+ runs 12–24 months.最可能率先觸發第 8(1) 條的類別。EUCC 已經涵蓋智慧卡到 High-AVA(AVA_VAN.4 / AVA_VAN.5)。規劃假設:APAC 安全元件供應商應該在 delegated act 採納前備妥 EUCC 能力,不要被動等待。投資期限很重要,針對 protection profile 的 CC 評估在 AVA_VAN.4+ 等級需 12 到 24 個月。 |
Block 4 · Cross-regulation map 區塊 4 · 跨法規對照
Article 8 inside the EU cybersecurity-certification architecture 第 8 條於歐盟網路安全認證架構中的位置
Article 8 does not stand alone. It is the CRA-side plug that connects to an upstream cybersecurity-certification machinery defined by the Cybersecurity Act (Regulation (EU) 2019/881). Understanding how Article 8 relates to that upstream machinery is essential to predicting when mandatory-EUCC delegated acts actually fire.
第 8 條不獨立存在。它是 CRA 側的插頭,連接到由《網路安全法》(Regulation (EU) 2019/881)所定義之上游網路安全認證體系。理解第 8 條與該上游體系的關係,對預測強制 EUCC 授權法案何時實際觸發不可或缺。
Cybersecurity Act (EU) 2019/881
EU cybersecurity certification framework
歐盟網路安全認證框架
Establishes the legal basis for European cybersecurity certification schemes, defines assurance levels (Basic / Substantial / High), creates ENISA's role, and establishes the European Cybersecurity Certification Group (ECCG). Article 8(1) explicitly invokes "European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881". The whole mandatory-certification machinery rides on this upstream law.
建立歐洲網路安全認證機制的法源,定義保證等級(Basic / Substantial / High),設立 ENISA 的角色,建立歐洲網路安全認證小組(ECCG)。 第 8(1) 條顯式引用「依Regulation (EU) 2019/881採納的歐洲網路安全認證機制」。整個強制認證體系架在此上游法之上。
EUCC — Implementing Regulation (EU) 2024/482
European Common Criteria-based cybersecurity certification
歐洲以 Common Criteria 為基礎的網路安全認證
First EU-level certification scheme adopted under 2019/881. Covers ICT products, particularly smartcards, secure elements, and HSMs. Entry into force 27 Feb 2024. Three assurance levels: Substantial, High, High-AVA. The only currently-usable scheme Article 8(1) can point at. A mandatory-EUCC delegated act for Annex IV cannot fire until EUCC scope covers the relevant Annex IV sub-category at the target assurance level.
依 2019/881 採納的首個歐盟級認證機制。涵蓋 ICT 產品,特別是智慧卡、安全元件、HSM。2024/2/27 生效。三個保證等級:Substantial、High、High-AVA。 第 8(1) 條目前唯一可指的機制。對附件四之強制 EUCC 授權法案,非於 EUCC 範圍涵蓋相關附件四子類別至目標保證等級後不得觸發。
NIS2 Directive (EU) 2022/2555
Network and information security — essential entities
網路與資訊安全,關鍵實體
Classifies entities (not products) into essential and important tiers. Essential entities per Article 3(1) include energy, transport, banking, financial market infrastructures, health, drinking water, digital infrastructure, ICT services management, public administration, space. Article 8(2)(a) ties Annex IV amendment to NIS2 essential-entity dependency. A new category can be added to Annex IV when essential entities critically depend on it — so the regulatory case for escalation traces back to which sectors use the product.
將實體(非產品)分是關鍵與重要層級。依第 3(1) 條,關鍵實體含能源、運輸、銀行、金融市場基礎設施、醫療、飲水、數位基礎設施、ICT 服務管理、公共行政、太空。 第 8(2)(a) 條將附件四修訂與 NIS2 關鍵實體依賴連結。新類別可在關鍵實體對其存關鍵依賴時新增至附件四,故升級的規管案源流可追溯至使用該產品的部門。
SOG-IS MRA
Senior Officials Group Information Systems Security — Mutual Recognition Agreement
Senior Officials Group Information Systems Security,互相承認協議
Pre-EUCC European arrangement for mutual recognition of CC certificates. Covers hardware devices with security, smartcards, SW covered by Protection Profiles. Being superseded by EUCC. Existing SOG-IS certificates remain valid under their terms but are not themselves EUCC certificates. Transition arrangements from SOG-IS to EUCC are being implemented scheme-by-scheme. APAC vendors with SOG-IS-aware certifications have partial, but not full, portability to EUCC.
EUCC 之前歐洲的 CC 證書互認安排。涵蓋具安全的硬體裝置、智慧卡、由保護輪廓所涵蓋的軟體。正由 EUCC 取代。 既有 SOG-IS 證書在其條款下仍有效,但本身非 EUCC 證書。自 SOG-IS 到 EUCC 的過渡安排逐機制實施。持 SOG-IS 認證的 APAC 廠商對 EUCC 有部分但非完全的可攜性。
FIPS 140-3
US/Canada cryptographic module validation
美 / 加密碼模組驗證
NIST-administered validation for cryptographic modules. Four security levels. Widely used commercially and mandatory for US federal procurement. No direct recognition by EUCC or the CRA. FIPS 140-3 certificates do not substitute for EUCC certificates for Annex IV purposes. Manufacturers selling into both markets face dual certification. Cost implications for APAC silicon are significant.
NIST 管理的密碼模組驗證。四個安全等級。商業廣用且為美國聯邦採購的強制要求。 EUCC 與 CRA 不直接承認。FIPS 140-3 證書對附件四目的來說不能取代 EUCC 證書。出貨兩個市場的製造商面對雙重認證。對 APAC 晶片廠的成本影響可觀。
CRA Article 27 & 32
Presumption of conformity; conformity assessment procedures
符合性推定;符合性評鑑程序
The CRA's own machinery for deciding when certification substitutes for notified-body engagement. Article 27(8) establishes presumption for EUCC-certified products; Article 32(3) and (4) define the conformity routes. When Article 8(1) fires, the EUCC certificate is the conformity assessment. When it has not fired, Article 32(3) kicks in and EUCC is an option alongside Module B+C and H.
CRA 自身決定認證何時取代指定機構介入的機制。第 27(8) 條建立 EUCC 認證產品的推定;第 32(3) 與 (4) 條定義符合性路徑。 第 8(1) 條觸發時,EUCC 證書就是符合性評鑑。未觸發時,第 32(3) 條啟動,EUCC 與 Module B+C 及 H 並列為選項。