A Taipei OEM is sourcing a hardware password manager IC for a new enterprise laptop. Class I category 3, no question. The OEM’s product team panics: does that mean the laptop becomes a Class I “Password Manager”? Does integrating an important component drag the entire host product into Notified Body territory?
No. The CRA closes that door explicitly — in two places, with two authority levels. This is structurally important for APAC, because the entire ODM/OEM business model rests on integrating components. If the answer were yes, every Taipei smart-home brand would inherit Class I status the moment they soldered in an authentication chip.
The rule in plain language
The whole product’s core functionality is what counts.
The rule reads: classification is decided at the level of the whole product, by reference to the whole product’s core functionality. A component’s classification stays inside the component. It does not propagate up to the host. The Implementing Regulation gives a worked example in Recital 3 itself: an embedded browser used as a component of a news app does not render the news app subject to the “standalone and embedded browsers” conformity assessment procedure. The news app is a news app. It has a different core functionality.
The Draft Guidance reinforces this in § 6.1 paragraph 126, with a smartphone example. A smartphone integrates an operating system. The OS provides the functions described in Annex I point 11 of the Implementing Regulation. The smartphone as a whole has a different core functionality — communication, information access, third-party application execution. The mere integration of the OS does not mean the smartphone has the core functionality of an OS.
The flip side
Non-propagation does not mean non-responsibility.
Recital 3 of the Implementing Regulation is careful to add the second half of the rule. The manufacturer needs to ensure that the product as a whole meets the essential cybersecurity requirements. The manufacturer needs to evaluate the security of the whole product, considering, as appropriate, the security of the components or functionalities integrated into it.
In the news app example, the integrator demonstrates conformity for the news app, considering as appropriate the security of the embedded browser inside it. So the browser’s security still has to be assessed — just at the news-app level, against the news app’s threat model, not by triggering a separate browser-as-product conformity assessment.
The cleaner way to think about this: integration moves the assessment up, not in. The component’s risks become inputs to the host’s risk assessment, but the component’s separate classification doesn’t move with it.
Article 13(5) due diligence
The legal hook for upstream component scrutiny.
The Commission’s mechanism for getting integrators to take component security seriously is Article 13(5): manufacturers shall, when integrating components sourced from third parties, exercise due diligence to ensure those components do not undermine the cybersecurity of the product. Recital 34 elaborates: due diligence is risk-based, focused on what the host product needs from the component to meet its cybersecurity objectives.
The Draft Guidance § 7.3 lists what evidence due diligence might consist of: technical specifications obtained from the component manufacturer, security documentation, relevant conformity or assurance documentation, and where appropriate functional tests carried out by the integrator. So integrating a Class I password-manager IC into your enterprise laptop means you don’t inherit the password manager classification, but you do need a paper trail showing the IC’s manufacturer takes its CRA obligations seriously and the IC behaves the way the laptop’s threat model needs it to.
The classification stays in the component. The risk assessment moves up to the host. The CE marking is on the host product alone — backed by due diligence on what’s inside.
Where it does propagate
When the host’s core functionality genuinely is the component’s.
Non-propagation has a limit. If the host product’s own core functionality matches a Class I or Annex IV category, the host is in that category — whether the matching capability is implemented in-house, embedded, or licensed. The classification doesn’t propagate from component to host, but it also doesn’t hide behind component boundaries.
Take a smart-home authentication hub: a device whose intended purpose is to manage user identity and credentials for the household. That product is in Class I category 1 (identity management systems) — not because it integrates an authentication component, but because identity management is what the device is for. The Recital 3 rule does not exempt this case. It exempts the case where the host’s core is something else and the Class I component is in service of that something else.
The diagnostic question: if I removed the Class I component, would the product still meet its intended purpose? If yes, the component is genuinely in service of the host’s different core, and the non-propagation rule applies. If no — the product’s intended purpose is the Class I capability — the host is in that category, and the rule doesn’t apply.
APAC implications
Three patterns from the integrator’s side.
Pattern 1: The over-classification reflex. A Taipei industrial PC ODM uses a TPM 2.0 module on every motherboard. Their compliance lead, reading Annex III for the first time, classifies the entire industrial PC as Class I “tamper-resistant microcontroller” because the TPM is one. Wrong on multiple grounds: tamper-resistant microcontrollers are Class II not Class I, and the rule is non-propagation. The PC’s core functionality is general-purpose computing for industrial use cases. The TPM is a component. The PC sits in default. The compliance lead saved a year of unnecessary Notified Body engagement by re-reading Recital 3.
Pattern 2: The component vendor passing the buck. A Taiwan secure-element vendor sells Class I chips into European OEM customers. The OEM customer asks for the chip’s CRA documentation. The vendor responds: “you’re the manufacturer of the final product, you do the conformity assessment.” That’s wrong on the chip’s own behalf — the chip is Class I, the chip vendor placed the chip on the market, the chip vendor is the manufacturer of the chip. The OEM is the manufacturer of the OEM product, separately. The non-propagation rule means classification doesn’t flow up; it doesn’t mean the upstream vendor escapes the rules for the component itself.
Pattern 3: The smartphone “security vendor” gambit. A Korean smartphone OEM markets their device with strong messaging around its built-in identity management, password manager, and authentication features. They publish a glossy “Security Centre” brochure. The marketing language nudges the product’s apparent intended purpose toward security, even though the actual product is a general-purpose smartphone. The risk: a Notified Body or surveillance authority reading the marketing material as evidence of intended purpose. The CRA reads intended purpose from technical documentation, instructions for use, and promotional materials. Marketing matters. Don’t market your way into Class I.
What to do tomorrow
Map components to host. Document due diligence per component.
Make a Bill of Components for each product. For each component that has a CRA classification on its own (Class I, Class II, Critical), record three things: the component’s classification; what the host product needs from the component (cryptographic functions? authentication? secure storage?); evidence the component meets that need.
Then write the host product’s intended purpose in one sentence and check: does the verb in that sentence match a Class I/II/Critical category? If yes, the host is in that category regardless of the components. If no, the host is default and the components are upstream concerns handled via Article 13(5) due diligence. The Bill of Components is the documentation that supports the second answer when a Notified Body asks why you’re self-assessing under module A despite shipping with Class I parts.