Article 3 is a budget sluice. Read it like one. 第 3 條決定錢從哪裡花。它不是辭典。

It’s a Friday afternoon in an office park somewhere in the APAC manufacturing belt, and an ODM engineering lead is reading the Cyber Resilience Act because his legal team has stopped accepting “I’ll get to it next sprint.” He moves through Article 1 and Article 2 quickly — subject matter, scope, the standard regulatory throat-clearing — and lands on Article 3 ready to skim. Definitions are the part you skim.

He stops at point (39). Substantial modification. Next month his team is pushing a firmware update to an industrial PC that’s been on European shelves for eighteen months. The update adds an AI inference module for anomaly detection. Until now this was a sprint-planning item. Reading the definition, he’s no longer sure it’s the same product after the update.

That’s the moment Article 3 stops being a glossary. It’s fifty-one small sluice gates, each one wired to a budget line, a timeline, an allocation of liability. And several of them are still being slowly turned by the European Commission.

§ 01Why fifty-one definitions are not a dictionary

Most regulations carry their definitions article like ballast. The job of a definitions article in a typical EU regulation is restatement — echoing terms from upstream legislation, smoothing ambiguities, foreclosing the most obvious litigation arguments. You read it once, you check that nothing surprising is in there, you move on.

Article 3 of the CRA does not work that way.

The clearest test is to see what each definition does in the rest of the text. Manufacturer in Art 3(13) doesn’t sit on its shelf — it activates the twenty-five-paragraph backbone of Article 13. Substantial modification in Art 3(39) doesn’t describe anything — it triggers the manufacturer-by-modification regime in Articles 21 and 22, which can transfer manufacturer status from one legal entity to another. Important product in Art 3(17) and critical product in Art 3(18) don’t classify, they route — they decide whether your product walks through Article 32 as a Module A self-assessment or arrives at the door of a Notified Body or, in the worst case for budget purposes, ends up needing EUCC certification. Support period in Art 3(40) doesn’t define a period — it sets the time horizon along which Article 13(8) obligations have to be funded.

This is what makes Article 3 a sluice rather than a glossary. A wrong reading inside Article 3 doesn’t cause a problem inside Article 3. It causes a problem inside Article 13, Articles 21 and 22, Article 32, Annex III — usually halfway through implementation, when someone discovers that the conformity route they assumed doesn’t apply, or that the entity they assumed bore the obligations didn’t actually bear them.

The second thing that makes Article 3 unusual is harder to see on a first read: several of these definitions are still moving. The Commission Guidance on the application of the CRA, first circulated in draft in February 2026, is the first official authority on how concepts like substantial modification, software steward, free and open-source software placed on the market, and remote data processing solutions should actually be applied. Implementing acts, FAQ updates, and the Commission’s Q&A workstream will continue to refine the boundary of these definitions through 2026 and 2027. Reading Article 3 is not a one-time exercise. It’s a subscription.

For an APAC operator trying to plan a CRA programme, the implication is structural. Compliance is not something you assess once against the definitions article and then implement. Compliance is something you re-assess every time a definition shifts, because every shift propagates downstream. There has to be someone whose job is to track that propagation. In most APAC manufacturers, that role does not yet exist.

§ 02Product with digital elements: the scope gate

The first definition in the article, Art 3(1), is the gate everything else passes through. A product with digital elements is “a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately.” The phrasing is dense, and most of its cost-bearing weight sits in three small words: “or,” “separately,” and the recursive embedding of remote data processing solutions.

Consider an industrial fanless computer manufacturer in APAC. The product line has been in market for years, sold to factory operators across Europe through a mix of direct distribution and integration partners. The company’s self-image is that it sells hardware. The BIOS comes from a third-party vendor. The web-based management console is “just a tool we ship with the box.” The cloud telemetry service the customers optionally subscribe to is “a separate product.” When the team first reads about the CRA, the working assumption is that maybe one product line is partially affected.

The working assumption is wrong on three different axes, each one inside Art 3(1).

First, the “or”: a product with digital elements is software or hardware. It is not a hardware product with software inside — the inclusive disjunction means each thing, on its own, can be a PwDE. The BIOS is a software product placed on the market. The management console is a software product placed on the market. They don’t need to be sold separately; the regulation explicitly captures “hardware or software components being placed on the market separately” as their own products with digital elements. So the manufacturer is not facing one product in scope. It’s facing one box plus several embedded software products.

Second, the recursive embedding through Art 3(2). A remote data processing solution is the data processing service that is “intended and developed by the manufacturer, or under the responsibility of the manufacturer, the absence of which would prevent the product with digital elements from performing one of its functions.” If the cloud telemetry service is necessary for the product to function as advertised, that cloud-side software is in scope as part of the PwDE — even though it lives on someone else’s servers. The CRA reaches up the wire.

Third, the consequence of being in scope. Once Art 3(1) catches you, every Annex I essential requirement applies, every Article 13 obligation applies, every Article 32 conformity assessment routing decision applies. There is no “partial scope.” You are either inside the regulation or outside, and which side you stand on is decided by Art 3(1) before any of those other articles even get read.

The cost of getting this wrong is rarely a single missed obligation. It’s discovering, in late 2027, that an entire product line was misclassified out of scope and that none of the design-time work, supply-chain documentation, or post-market vulnerability handling was done. The remediation runway at that point is whatever is left of the calendar.

§ 03Manufacturer: the responsibility gate (and Articles 21 & 22's expansion of it)

Art 3(13) defines a manufacturer as “any natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge.” The clause that does the work, and the one most often misread, is markets them under its name or trademark.

The default APAC reading is intuitive and wrong: an ODM that designs and builds a connected device for a European brand-customer assumes it is the manufacturer, because it’s the one doing the manufacturing. This reading collapses on contact with Art 3(13). The European brand is the entity placing the product on the market under its own name and trademark. The European brand is the manufacturer for CRA purposes. The ODM is, in regulatory terms, invisible.

The ODM’s relief, when this lands, is short-lived — because invisibility is the worst commercial position to be in. Most Article 13 obligations are operationally impossible without the ODM’s cooperation. The SBOM has to come from whoever wrote the code. Vulnerability handling has to be done by whoever can patch the firmware. The support period commitment has to be honoured by whoever can keep the supply chain alive long enough to ship updates. The European brand carries the legal liability, but the work has to flow back to the ODM through contracts. So the ODM ends up doing most of the operational compliance work for which the European brand keeps its legal name on the line. It’s the asymmetric corner of the negotiating table: full operational burden, zero regulatory standing.

Then Articles 21 and 22 widen the membership of the manufacturer category. Article 21 catches an EU importer or distributor who places a product under their own name or trademark, or who carries out a substantial modification of a product already on the market — a distributor who reflashes firmware before resale, an importer who repackages and re-documents the product, both become manufacturers for that variant. Article 22 catches anyone else — integrators, system integrators, re-importers, consultancies bundling products with services — who carries out a substantial modification and makes the product available on the market. An ODM that takes a product they originally built for a European brand, modifies it, and sells the modified version under their own brand into Europe, becomes a manufacturer for that branded version under whichever article fits the ODM’s role at the moment of placing on market — carrying the full Article 13 stack either way.

This expansion is what makes Art 3(13) genuinely difficult to read in isolation. The membership of the “manufacturer” category is not static. It can be acquired by modification, by rebranding, by re-import. Every contract in the supply chain has to be checked against the possibility that one of the downstream parties is, by their own actions, becoming a manufacturer for the same product — and pulling the obligations away from where the original parties expected them to sit.

The two cost outcomes are mirror images of each other. An ODM that wrongly believes itself to be the manufacturer over-invests in conformity assessment infrastructure it doesn’t legally need. A European brand that wrongly believes its ODM is the manufacturer under-invests in Article 13 capability and discovers the gap when Article 14’s reporting obligations first trigger and there’s no incident response apparatus on the brand side. Both errors are caused by stopping at the obvious reading of Art 3(13) instead of pairing it with Articles 21 and 22.

§ 04Substantial modification: the live-update gate

Back to the engineering lead and the firmware update. Art 3(39) defines substantial modification as “a change to the product with digital elements following its placing on the market, which affects the compliance of the product with digital elements with the essential cybersecurity requirements set out in Part I of Annex I or which results in a modification to the intended use for which the product with digital elements has been assessed.”

The structural feature of this definition is that the two triggers are joined by or. Either the modification affects Annex I compliance, or it changes the intended use for which the product was originally assessed. Hitting either one is sufficient.

The AI inference module case is illustrative. Adding anomaly detection to an industrial PC almost certainly changes the intended use: the original assessment was for a monitoring gateway in an industrial environment; the post-update product is a device with autonomous analytical behaviour. Even if every Annex I requirement that applied to the original product still applies to the updated one (the “Annex I compliance” trigger doesn’t fire), the “intended use” trigger does. That alone is enough for the update to qualify as a substantial modification, with everything that flows from Articles 21 and 22.

The harder pattern to spot is the inverse: a small engineering change that lands inside the Annex I compliance trigger. A change to the cryptographic algorithm used for a secure boot routine. A change to the authentication library. A patch that alters the trust boundary between two components. None of these would be flagged by an engineering team as “substantial” in the colloquial sense — they’re routine engineering work. But “substantial” in Art 3(39) is not an engineering judgement. It’s a legal one. A small change that touches Annex I crosses the threshold; a large change that doesn’t touch Annex I or the intended use does not.

Then there is the moving-target dimension. The Commission Guidance circulated in February 2026 is the first official document that gives concrete examples of which kinds of software updates count as substantial modifications and which don’t. Before that document, the boundary was a matter of interpretation by individual operators, lawyers, and notified bodies. After that document, the boundary becomes more concrete, but it will continue to be refined as cases work through market surveillance and as the Commission issues further clarifications. Of all fifty-one definitions in Article 3, this is one of the most actively in motion.

The cost of misreading this definition is recursive. Underestimate substantial modification on a single firmware update, and the product loses presumption of conformity for the post-update version. The first Article 14 incident report on the post-update product triggers a market surveillance question about what conformity assessment was performed for the modification. With no answer, Article 64’s penalty bracket activates — and because Article 13 obligations are all retroactively in question for the modified product, the breach is not localised to the update. It propagates back into the entire post-update lifecycle of the product line.

§ 05Important and critical: the conformity-route gate

Art 3(17) defines an important product with digital elements as one listed in Annex III. Art 3(18) defines a critical product with digital elements as one listed in Annex IV. These two definitions look like cross-references — pointers to other parts of the regulation — but in practice they are the article that decides how much you spend on conformity assessment. The factor between the cheapest and most expensive routes is not 20% or 50%. In the IoT consumer category it’s typically 5–10x. In industrial and network-infrastructure categories, including everything that would route through a Notified Body, it can run 10–20x or more, with timeline overhead measured in quarters rather than weeks.

Annex III lists nineteen Class I categories and four Class II categories. Annex IV lists three Critical product categories. Implementing Regulation 2025/2392, published on 1 December 2025, refines the Annex III categories further — including, for example, the inclusion of payment terminals in the Class I scope. The list itself is not the difficulty. The difficulty is reading the list correctly.

An APAC manufacturer building a smart-home gateway provides the cleanest illustration. The product, on its surface, does several things: local network management, user authentication, cloud connectivity. The team has to decide which Annex III rows the product hits.

The instinctive approach is to look for “smart-home gateway” in the Annex III text. That word is not there. Annex III lists functions — network management systems, boot managers, firewalls, smart-home virtual assistants, routers and modems and switches, VPN, password managers, antivirus, browsers, operating systems — not commercial categories. The same gateway, depending on what its firmware actually implements, can land in Class I (smart-home virtual assistant; router; operating system) and simultaneously in Class II (VPN; network management system; SIEM functionality, if it forwards security events). The product can be in two rows at once, and the conformity route is determined by the strictest row it hits.

The economic consequence is that small differences in firmware functionality, driven by what feels like ordinary product-management decisions, change the conformity assessment route by an order of magnitude. Adding a VPN endpoint to a smart-home gateway is a feature decision. From an Art 3(17)/(18) perspective, it is a budget decision — one that can pull the product from a Module A self-assessment route into a Module B+C, Module H, or in the Critical case, EUCC route. The Notified Body capacity in the European TIC market is finite, scheduling slots are scarce, and the cost differential reflects both the test effort and the queue.

The two-sided error pattern is identical to the manufacturer case. Misread downward (assume default when the product is actually Class I, or assume Class I when the product is actually Class II) and conformity assessment work has to be repeated, sometimes after engineering work has frozen. Misread upward (assume Class II when the product is in fact Class I and a harmonised standard could have supported Module A) and the budget is over-spent on Notified Body fees that the regulation didn’t require. The first error breaks timelines; the second error wastes capital. Both are caused by reading Art 3(17) as a category lookup rather than a functional analysis of what the product actually does.

§ 06Support period: the time-axis gate

Art 3(40) defines the support period as “the period during which the manufacturer is required to ensure that vulnerabilities of the product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part I of Annex I.” Article 13(8) is where the period actually gets determined: the manufacturer sets it, the period must reflect the time during which users can reasonably expect to use the product, and the period must be at least five years unless the expected use is shorter.

The five-year floor gets read by most APAC manufacturers as the answer. It isn’t. It’s the floor.

Consider an APAC industrial-equipment manufacturer whose product is a programmable logic controller deployed on factory floors. The internal product-planning view of support is five years — aligned with the warranty term, aligned with the depreciation schedule the company uses for its own development costs. From a Friday-afternoon planning perspective, five years is a clean number. The customer base, however, is European automotive Tier-1 plants whose own depreciation schedules and process-validation timelines run ten to twelve years. Production lines that took eighteen months to validate are not going to be re-validated against new equipment because the original vendor decided five years was enough.

The Art 3(40) plus Art 13(8) reading is that the support period must reflect the reasonable expectations of users. If the user base reasonably expects ten years of operational life — and in industrial B2B contexts that expectation is usually documented in customer specifications, RFQ templates, and procurement contracts — then five years is not a defensible support period commitment. The floor remains five, but the actual obligation is “at least the reasonable expected use,” which can be eight, ten, or more.

The cost structure this creates is the part most companies have not modelled. Support period is not a marketing claim. It is a legal obligation under Article 13(8) to handle vulnerabilities, ship free security updates, and maintain SBOM verifiability for the entire declared period. Stretching the period from five to ten years stretches the SBOM maintenance budget, the coordinated vulnerability disclosure infrastructure budget, and the Article 14 reporting capability, all by the same factor. For an industrial product line with thin margins and long lifecycles, this is the line item that disrupts the P&L most.

The strategic reading — once the cost is on the table — is that support period is not a number to minimise. It’s a number to align with the commercial structure. For B2B industrial vendors, the right move is usually to negotiate explicit seven- or ten-year support terms with customers, price the support cost into the unit price or into a maintenance contract, and use the “stop selling, stop supporting” provisions at the back end of Article 13(8) only as a planned end-of-life event rather than a fire exit. The article allows manufacturers to end support after the declared period — with mandatory user notification — but using that exit cleanly requires the support period to have been declared in alignment with reality from the start.

The two-sided error pattern, again. Declare too short, and customers in active use are left without vendor support during a period they reasonably expected to be covered — with the consequences flowing through Article 13(8) compliance and through commercial relationships. Declare too long without commercial alignment, and the support period turns into a permanent loss-making line on the operating budget. Both errors come from reading Art 3(40) as a calendar item rather than a budget item.

§ 07The reading isn’t finished. It’s subscribed.

Back to the engineering lead at the end of his Friday afternoon. If he reads Article 3 once and closes the file, he has missed half of the article — not because the article is hard, but because the version he’s reading is the version published on 23 October 2024, and several of the definitions he just read have a second authoritative layer that started arriving in February 2026 and will keep arriving through 2027. Substantial modification, software steward, free and open-source software placed on the market, remote data processing solutions: none of these definitions stops moving when the reading session ends.

The correct posture toward Article 3 is therefore not “finish reading it.” It is “subscribe to it.” Each Commission Guidance update, each implementing regulation, each FAQ revision, each market-surveillance Q&A from a national authority potentially shifts one of these definitions. When a definition shifts, every downstream article that activates on it shifts with it. The shift is rarely announced as a definitional change — it’s usually announced as guidance on a specific question, and the definitional implication has to be reverse-engineered.

For an APAC manufacturer, the operational implication is that CRA compliance is not a project with a delivery date. It’s a standing function. Someone has to track Article 3 movements, translate each movement into a P&L impact, and propagate the change to the engineering, procurement, and customer-facing teams. In most APAC manufacturers, this role does not have a name, a budget line, or a person assigned to it. The structural blind spot in CRA implementation across the region is not a technical capability gap. It’s an organisational one.

Fifty-one sluice gates. Several of them being slowly turned by hands in Brussels. Who is turning, in which direction, and on what timeline — that is the thing worth watching, monthly, between now and the end of 2027.