2026 — Year One of the CRA
Regulation (EU) 2024/2847 becomes fully applicable on 11 December 2027. Most APAC manufacturers will need to understand it by then. So I am reading it — article by article, in plain language, with the cross-regulation map written down. The notes I take are public.
Find your seat
A manufacturer's Article 13 is not an importer's Article 19, is not a distributor's Article 20. Pick the role you actually play in the supply chain — I have written a tailored reading for each.
Role 1
The CRA's centre of gravity. If you put a product on the EU market under your own name or trademark, this is your reading.
Anchor: Articles 13, 14, 15, 28, 31, 32
Role 2
If you place a non-EU manufacturer's product on the EU market, you carry an inheritable obligation set, not a passive one.
Anchor: Articles 19, 23
Role 3
Lightest obligations of the three — but the threshold to inherit a manufacturer's full set sits surprisingly low.
Anchor: Articles 20, 21
Six reading paths
The site is six things at once. Different doors, same regulation. Walk in through whichever one matches what you came for.
01
71 articles · 8 annexes
The regulation, article by article. Official text, plain reading, APAC perspective, cross-regulation map. The backbone of the site.
02
Role · SBOM · Annex VII
Question-led entry points. Three running today: which role you fit, who must see your SBOM, whether your technical file is ready.
03
Close readings · op-ed length
Long-form pieces on individual articles. Where I take more space than a four-block reading allows, and try to say something the regulation does not say out loud.
04
Commission draft · Feb 2026
A reading of the Commission's CRA application guidance. Where the legislator clarifies what the text was meant to do — including the FOSS examples and substantial-modification criteria.
05
Dates that bind
Which article applies when. From entry into force on 11 Dec 2024, through reporting obligations on 11 Sept 2026, to full applicability on 11 Dec 2027.
06
51 defined terms
Article 3 has 51 definitions. The dictionary that decides whether you are or are not in scope. Bilingual, anchored back to article references.
Key topics
Article 6 · CORE
The engine clause. Annex I split into Part I (product properties) and Part II (vulnerability handling). Everything else hangs off here.
Article 13 · CORE
Twenty-five paragraphs. The load-bearing wall — design duty, risk assessment, support-period commitment, third-party diligence, single point of contact.
Article 14 · CORE
The 24h / 72h cadence with parallel final-report tracks — 14 days for vulnerabilities, one month for severe incidents. Non-negotiable timing. ENISA + CSIRT routing.
Article 32 · ROUTING
The decision tree. Where every product gets routed to Module A, B+C, H, or EUCC. Class I conditional self-assessment vs Class II mandatory NB.
Article 64 · ENFORCEMENT
Up to €15M or 2.5% of worldwide turnover for the heaviest breaches. The number that turns this from policy into commercial reality.
Key annexes
Annex I · CORE
13 product properties (Part I) plus 8 vulnerability-handling duties (Part II). The actual checklist your product must satisfy. Article 6 references it; this is where the work sits.
Annex III · IMPORTANT
Two classes, 23 categories. Determines whether your product can self-assess (Class I + hEN cited) or must engage a Notified Body (Class II). The single most cost-determining classification.
Annex IV · CRITICAL
Three categories: hardware security boxes, smartcards, smart meter gateways. Mandatory EUCC substantial+ certification once a Commission delegated act activates the obligation.
Annex VII · DOCUMENTATION
Five top-level items: general description, design and development, vulnerability handling, conformity assessment, applied standards. The file an auditor opens during a Module B/C/H review.
Annex VIII · MODULES
Modules A, B, C, H — what each one actually requires. NB engagement, periodic audits, 10-year documentation retention. Article 32 picks the route; this annex describes the work.
The scope article looks like throat-clearing. It isn't. Three overlapping fences — product, conduct, exclusions — and you're not outside the regulation until you're outside all three.
Fifty-one definitions. Most readers skim them like a glossary. They're not. They're where conformity assessment cost, support period budget, and supply-chain liability quietly get decided.
Twenty-five paragraphs long. The place where every APAC hardware exporter's compliance fate actually gets decided. A close reading.
Most readers stop at Article 3(13)'s manufacturer definition. Article 22 is the second way into the club — one nobody applies for, one that activates by behaviour.
The SBOM you can produce measures how much of your own supply chain you can see. The CRA requires the document; the document matters because of what it forces you to know.
About this project
The EU CRA content I keep subscribing to and collecting falls into roughly four categories: posts from CRA specialists, marketing collateral from law firms, service catalogues from TIC bodies, second-hand summaries from trade press. None of them is the same thing as a first-hand reading of the regulation itself, written in the everyday language of APAC manufacturing.
So I’ll write one myself.
The gap between the regulation as text and the regulation as it lands in an APAC manufacturer’s operating reality is wide enough that bridging it from primary sources, in plain language, has its own value. And the act of reading the regulation closely enough to write it down is itself useful for the writer.