Engineers don’t think about “core functionality”. Marketing teams don’t think about it either. Lawyers might. The CRA, however, requires you to declare it — because it decides whether you go through a Notified Body or not. And it asks you to declare it about a product that probably does five things, four of which look like categories on Annex III.
A SOAR has SIEM functions. A router has firewall functions. An operating system has browser functions. A smartphone has — well, it has everything. None of these is automatically classified by the embedded function. The Commission has been explicit about this in two places, with two different authority levels.
Two definitions, two authority levels, one operational test. Read the binding line first — extra functions don’t un-classify you. Then read the draft definition — core is what the product needs to fulfil its intended purpose. The combination is what an APAC product manager has to live with.
Test 1: What does the product need, in order to be the product?
Strip the product. Take away features one by one. At what point does the product stop being itself? Whatever’s left at that point is the core. The Draft Guidance phrases this as “main features and technical capabilities, without which it would not be able to meet its intended purpose”. That’s the test in two clauses.
The intended purpose is the anchor. The Commission says this is found in your technical documentation, your instructions for use, your promotional materials, your sales statements (Draft Guidance § 6.1, paragraph 124). In other words: what you yourself say the product is for. The legal test is read against your own marketing.
Test 2: Does the product perform the function as a feature, or is it the function?
This is where Recital 5 of 2025/2392 does the heavy lifting. The example the Commission supplies is sharp: a SOAR (security orchestration, automation and response) software often has the ability to perform the functions of a SIEM — gathering data, analysing it, presenting it as actionable information for security purposes. But its core functionality is orchestration and automated response, not security information and event management. So SOAR is generally not in Class I category 7 (SIEM).
The same Recital handles smartphones the same way. A smartphone integrates components that perform the functions of several Annex III categories — an operating system, an integrated password manager, possibly an embedded browser, possibly biometric identity management. None of these makes the smartphone an “Operating System”, “Password Manager”, “Browser” or “Identity Management System” for CRA purposes. Its core functionality is communication, information access and third-party application execution. It sits in the default category.
A product that has the ability to perform a category’s function is not a product whose core functionality is that function.
Test 3: Are extra functions covering up a core, or pretending to be one?
Recital 4 of 2025/2392 deals with the symmetric case: a product that does have a Class I core, but that also performs other functions. The example: an operating system that includes a calculator and a simple graphics editor. The calculator and the editor are ancillary. They don’t change the fact that the product is fundamentally an operating system. Adding features cannot un-classify you.
The same Recital extends this rule to embedded important products. A router that integrates firewall functionality is still a router — the firewall is a feature of the router, not what the router is for. Likewise, an operating system that integrates browser functionality is still an operating system. The router stays in Class I category 12. The OS stays in Class I category 11. They do not get promoted.
The asymmetric reading: extra functions don’t lift you out of your core, and they don’t pull you into a heavier classification either. The classification follows the centre of gravity, not the surface area.
The integrator’s rule: The smartphone test, written for everyone.
The smartphone example in Recital 5 generalises into the integrator’s rule: integrating an important component does not, by itself, render the integrated product important. The Commission states this explicitly in CRA Article 7(1) and again in Recital 4 of the Implementing Regulation. The rule has its own dedicated topic on this site (see « Component integration does not propagate »), but it’s the same engine running underneath.
Why does this matter for an APAC integrator specifically? Because Taiwan and Korea have a structural advantage in integration — ODMs assemble products from components. If integrating an important component automatically promoted the assembled product to important, every Taipei smart-home brand would inherit Notified Body engagements they don’t need. The CRA closed that door.
APAC implications: Three patterns from the field.
Pattern 1: Over-classification by inheritance. A Taipei OEM building enterprise videoconferencing endpoints embeds an open-source SIP stack and a hardware-based identity reader. They classify the product as Class I “Identity Management System” because of the reader. Wrong. The endpoint’s core functionality is enabling videoconferencing — not identity management. The reader is a component. The product is in the default category.
Pattern 2: Strategic feature naming to escape Class II. A Korean security appliance vendor with a firewall product tries to rename it “application gateway” or “next-gen network traffic platform” in the technical documentation, hoping to argue it’s not in Class II category 2. This does not work. Recital 4 says the function decides, not the name. If the product’s primary technical capability is filtering traffic according to security policy and detecting intrusion attempts, the name on the label is irrelevant. The Notified Body will read the technical documentation.
Pattern 3: The dual-product split. A Taiwan smart-meter manufacturer ships a single device that does (a) electricity metering, and (b) cryptographic processing of metering data for grid security. They’re thinking of Annex IV category 2 (smart meter gateway / advanced security purposes). The right question: is the cryptographic processing part of how the product fulfils its intended purpose, or a separate feature? If the meter cannot do its job without secure cryptoprocessing — if that’s the intended purpose — it’s Critical. If the cryptoprocessing is a reporting-channel feature with the meter still functional without it, it might be Class I or default. This one needs to be reasoned out, not assumed.
What to do tomorrow: Write the “intended purpose” sentence first.
Before you classify, write one sentence: “This product is for [users] to [verb] [object] in [context].” That’s the intended purpose. The features that this sentence requires you to deliver are the core functionality. Everything else is ancillary. Recital 4 of 2025/2392 lives or dies on the rigour of this sentence.
Then test against the 26 categories. Does the verb match a category’s technical description? If it does, you’re in that category. If it doesn’t, you’re in default. The features that look like other categories are not other categories — they’re ancillary. The CRA does not care about ancillary features for classification purposes; it cares about them for risk assessment, but that’s a different conversation.