CRA Notebook
№ 002 · Last reviewed 26 Apr 2026 · 12 min read · Binding · Standing

All twenty-six important and critical product categories, drawn as one map. The CRA splits products into 26 categories: which one does your product fall under?

Class I has 19 categories. Class II has 4. Annex IV (Critical) has 3 more. The technical descriptions are scattered across an Implementing Regulation that almost no one reads end to end. Here’s the consolidated picture, with the borderline cases that actually trip APAC manufacturers up.

Twenty-six product categories. Three classes — Class I, Class II, Critical. Three different conformity assessment paths. One Implementing Regulation that nobody reads end to end because it’s written like a tax code, and one APAC manufacturer’s entire CRA budget riding on whether their product matches one of those technical descriptions or not.

This page is the map. It’s the consolidated picture of Commission Implementing Regulation (EU) 2025/2392, the document that sits between CRA Annex III/IV (which lists category names) and your product (which has features). The Regulation was adopted on 28 November 2025 and became binding on 1 December 2025. It is law. It does not have a draft asterisk. It decides who needs a Notified Body and who doesn’t.

There’s a rule that runs through the whole regulation, hiding in Recital 4: the fact that a product performs additional functions other than those in the technical description does not in itself mean the product does not have the core functionality of that category. Translation: don’t hope to escape Class I by adding extra features. The category sticks to the core, not the surface.

Class I: Nineteen categories, three conformity paths.

Class I products can take any of three paths under Article 32(2): (a) self-assessment if a harmonised standard has been applied; (b) a third-party EU-type examination (module B + C) by a Notified Body; or (c) full quality assurance (module H). The harmonised standard option is the cheap one — if the standard exists. For most Class I categories, the relevant harmonised standards are still being drafted under Mandate 606 and won’t be cited in the OJ until 2026-Q4 at the earliest. Until then, you’re looking at module B+C.

| No. | Class I category (CRA Annex III) | Where APAC trips |
|---|---|---|
| 1 | Identity management & privileged access management software/hardware (incl. biometric readers) | Door access controllers with badge + face recognition |
| 2 | Standalone and embedded browsers | WebView component embedded in a smart TV |
| 3 | Password managers | In-app password vault for an enterprise mobile app |
| 4 | Antimalware / antivirus software | Endpoint security agents shipped with NAS devices |
| 5 | VPN products | Site-to-site VPN built into a router (also category 12) |
| 6 | Network management systems | SDN controllers shipped to data-centre customers |
| 7 | SIEM systems | SOAR is NOT SIEM — Recital 5 makes this explicit |
| 8 | Boot managers | UEFI/BIOS firmware on a Taiwan-made server motherboard |
| 9 | Public key infrastructure & digital certificate issuance software | In-house CA tooling shipped as a product |
| 10 | Physical and virtual network interfaces | SmartNICs, SR-IOV virtual functions on enterprise switches |
| 11 | Operating systems | A smartphone is not an OS even if it integrates one (Recital 5) |
| 12 | Routers, modems for internet, switches | CPE devices shipped to ISPs across the EU |
| 13 | Microprocessors with security-related functionalities | Confusable with Class II tamper-resistant variants — AVA_VAN level decides |
| 14 | Microcontrollers with security-related functionalities | Same AVA_VAN cut-off as 13 |
| 15 | ASICs and FPGAs with security-related functionalities | Custom silicon for crypto offload |
| 16 | Smart home general-purpose virtual assistants | Voice-activated home hubs from Taiwan/Korea OEMs |
| 17 | Smart home products with security functionalities (smart locks, security cameras, baby monitors, alarm systems) | A regular smart bulb is not here; security functionality is the trigger. |
| 18 | Internet-connected toys with social interactive features or location tracking | Educational tablets marketed for kids; talking dolls |
| 19 | Personal wearables for health monitoring (excluding medical devices) or wearables for children | Fitness trackers right at the MDR boundary |

Class II: Four categories. Module B+C or H. No self-assessment.

Class II is where the “notified body required” rule kicks in unconditionally. Article 32(3) does not give Class II products the harmonised-standard-as-self-assessment exit. You’re going to a Notified Body. The four categories are deliberately narrow:

| No. | Class II category | What makes it Class II, not Class I |
|---|---|---|
| 1 | Hypervisors and container runtimes | Single point of failure for whole virtualised stacks |
| 2 | Firewalls, intrusion detection and prevention systems | Defensive perimeter products — trust assumption is total |
| 3 | Tamper-resistant microprocessors | AVA_VAN.4 or higher (Recital 8); below that = Class I |
| 4 | Tamper-resistant microcontrollers | Same AVA_VAN.4+ rule as 3 |

The AVA_VAN cut-off in categories 3 and 4 is the cleanest legal line in the entire Implementing Regulation. AVA_VAN is the Common Criteria vulnerability analysis level — below 4, the chip is Class I; at 4 or above, it’s Class II. If you’re a Taiwan secure-MCU vendor and your existing CC certificate sits at AVA_VAN.5, the Regulation has just told you exactly which side of the line you’re on. No room for argument.

Critical (Annex IV): Three categories. EU cybersecurity certification or Module B+C / H.

Critical products are the smallest set: three categories total. They sit at the top of the conformity hierarchy. Article 32(4) says you go through a European cybersecurity certification scheme — if one is mandated by delegated act — or fall back to module B+C or H. The European Common Criteria-based scheme (EUCC, Implementing Regulation 2024/482) is the obvious target. AVA_VAN levels apply here too, this time at 5+.

| No. | Annex IV (Critical) category | APAC manufacturers affected |
|---|---|---|
| 1 | Hardware Devices with Security Boxes (HSBs) | HSMs, secure key vaults shipped to EU banks |
| 2 | Smart meter gateways and devices for advanced security purposes (incl. secure cryptoprocessing) | Taiwan smart-meter ODMs supplying European DSOs |
| 3 | Smartcards and similar devices, including secure elements | eSIM modules, secure elements in payment terminals |

Twenty-six categories. Three classes. The line that decides your conformity assessment cost is drawn at category, not at product. Read your product through the categories — not the other way around.

The borderline cases: Where APAC manufacturers actually trip.

Three patterns recur in scoping conversations. They’re all the same root cause: confusing “my product has function X” with “my product’s core functionality is X”. Recital 4 and Recital 5 of the Implementing Regulation tell you these are different things.

Pattern 1: The smartphone trap. A Taipei smartphone OEM thinks they need to certify their phone as a Class I “Operating System” because Android sits inside it. Recital 5 of 2025/2392 directly addresses this: a smartphone’s core functionality is enabling users to communicate, access information and run third-party applications — not running an operating system. The OS is a component. The smartphone as a whole sits in the default category. The OEM saved themselves a year of Notified Body work by reading one Recital.

Pattern 2: The SOAR-vs-SIEM error. A Korean security software vendor classifies their SOAR platform as Class I “SIEM” because it correlates events. Recital 5 again: SOAR has the ability to perform SIEM functions, but its core functionality is orchestration and automated response, not security information and event management. SOAR is generally not in Class I category 7. Save the documentation budget for proving what your core actually is — that’s where the burden has shifted.

Pattern 3: The router-firewall double count. A Taiwan home-router OEM with built-in firewall functionality wonders if they’re Class II (firewall) or Class I (router). Recital 4 settles it: a router that integrates firewall functionality is still a router — the router’s core functionality decides. So the product sits in Class I category 12, not Class II category 2. The firewall is a feature, not the core. The Notified Body engagement budget is module B+C, not the harder Class II path. Reading Recital 4 carefully is worth at least €50,000 in saved scope.

What to do tomorrow: Run your product against the 26 entries. Once.

Take this map. For each of your products, write down which of the 26 entries (if any) matches its core functionality. Not its features. Its core functionality — what the product is actually for, in the words of your own technical documentation and marketing materials.

If the answer is “none of the 26”, you’re in the default category. Module A self-assessment. The cheap path. If the answer is one of the 26, the path is set: Class I gets three options, Class II gets two, Critical gets two. Total cost varies by an order of magnitude across these paths. The map is the cheapest decision document you can produce; the rest of compliance flows from it.
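The decision tree these notes walk through (core functionality decides the category, Recital 4 ignores extra features, the AVA_VAN.4 cut-off splits secure chips between Class I and Class II, Article 32 sets the conformity paths per class), written out as an added Python example that is not part of the original notebook or of the Regulation. The category keys, the Product class and the four sample products are constructed for illustration; they mirror the 26 entries above but are not legal identifiers.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed category keys mirroring the 26 entries above (illustrative names, not legal terms).
CLASS_I = {"identity-and-privileged-access", "browser", "password-manager", "antimalware", "vpn",
           "network-management", "siem", "boot-manager", "pki", "network-interface", "operating-system",
           "router-modem-switch", "security-asic-fpga", "smart-home-assistant", "smart-home-security",
           "connected-toy", "health-wearable"}
CLASS_II = {"hypervisor-container-runtime", "firewall-ids-ips"}
CRITICAL = {"hsb", "smart-meter-gateway", "smartcard-secure-element"}
SECURITY_CHIPS = {"security-microprocessor", "security-microcontroller"}
AVA_VAN_CLASS_II = 4  # Recital 8: AVA_VAN.4 or higher = tamper-resistant (Class II); below = Class I


@dataclass
class Product:
    name: str
    core: str                                        # the one core functionality, in the vendor's own words
    features: Set[str] = field(default_factory=set)  # extra functions; ignored per Recital 4
    ava_van: Optional[int] = None                    # Common Criteria vulnerability analysis level (chips)


def classify(p: Product) -> str:
    """Map the product's core functionality (never its feature list) to a CRA class."""
    if p.core in SECURITY_CHIPS:
        return "Class II" if (p.ava_van or 0) >= AVA_VAN_CLASS_II else "Class I"
    if p.core in CRITICAL:
        return "Critical"
    if p.core in CLASS_II:
        return "Class II"
    if p.core in CLASS_I:
        return "Class I"
    return "default"  # none of the 26 entries match: Module A self-assessment


def conformity_paths(cls: str, harmonised_standard_applied: bool = False,
                     eu_scheme_mandated: bool = False) -> List[str]:
    """Article 32 options per class, as summarised in the notes above."""
    if cls == "default":
        return ["Module A self-assessment"]
    if cls == "Critical" and eu_scheme_mandated:
        return ["European cybersecurity certification scheme (e.g. EUCC)"]
    paths = ["Module B+C (EU-type examination)", "Module H (full quality assurance)"]
    if cls == "Class I" and harmonised_standard_applied:
        paths.insert(0, "Self-assessment against the harmonised standard")
    return paths


# Constructed sample products for the three borderline patterns and the chip cut-off.
SMARTPHONE = Product("smartphone", "communicate-and-run-apps", {"operating-system"})
SOAR = Product("SOAR platform", "orchestration-and-response", {"siem"})
HOME_ROUTER = Product("home router", "router-modem-switch", {"firewall-ids-ips"})
SECURE_MCU = Product("secure MCU", "security-microcontroller", ava_van=5)
```

Running `classify` over the four samples gives default, default, Class I and Class II respectively; the firewall feature on the router never enters the decision.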

Source & authority status

This article reads Commission Implementing Regulation (EU) 2025/2392 of 28 November 2025, on the technical description of the categories of important and critical products with digital elements. Adopted under Article 7(4) of the CRA. Published in the Official Journal on 1 December 2025. This document is legally enforceable in its entirety and directly applicable in all Member States. The technical descriptions in its Annexes I and II decide which conformity assessment procedure applies to which product. This commentary reflects how an APAC manufacturer might apply the Regulation today; it is not legal advice.