The Act — Full table of contents

Reading in progress — translation only閱讀中 — 條文翻譯 Plain-language reading + APAC perspective白話解讀 + APAC 觀點

Chapter I · Article 1–12 第 I 章 · 第 1–12 條

Scope, Definitions and General Provisions 適用範圍、定義與一般規定

Subject matter主題事項

Subject matter of the Regulation法規的主題事項

Scope適用範圍

Which products in, which out哪些產品適用，哪些排除

Definitions定義

51 defined terms — manufacturer, PwDE, RDPS, support period51 項定義，製造商、PwDE、RDPS、支援期間

Free movement自由流通

Procurement or use of products with digital elements具數位元素產品的採購或使用

Requirements for products with digital elements具數位元素產品的要求

The engine clause — essential cybersecurity requirements核心條文，基本網路安全要求

Important products with digital elements重要產品（具數位元素）

Annex III — 23 categories, Class I / Class II附件三，23 類，Class I / Class II

Critical products with digital elements關鍵產品（具數位元素）

Annex IV — HSM, smart meter gateway, smartcards附件四，HSM、智慧電錶閘道、智慧卡

Stakeholder consultation利害關係人諮詢

Enhancing skills in a cyber resilient digital environment提升網路韌性數位環境的技能

General product safety一般產品安全

High-risk AI systems高風險 AI 系統

High-risk AI systems under the AI ActAI Act 下的高風險 AI 系統

Chapter II · Article 13–26 第 II 章 · 第 13–26 條

Obligations of economic operators and provisions in relation to free and open-source software 經營者義務及自由與開源軟體相關規定

Obligations of manufacturers製造商義務

The manufacturer's full obligations製造商完整義務

Reporting obligations of manufacturers製造商通報義務

24-hour / 72-hour / 14-day reporting clocks24 小時 / 72 小時 / 14 日通報時鐘

Voluntary reporting自願性通報

Voluntary channel — open to anyone自願管道，對任何人開放

Establishment of a single reporting platform單一通報平台的建立

Other provisions related to reporting通報相關其他規定

Authorised representatives授權代表

Obligations of importers進口商義務

Due diligence at EU import進口商盡職調查

Obligations of distributors通路義務

Downstream verification duties下游查核義務

Cases in which obligations of manufacturers apply to importers and distributors進口商與通路視為製造商的情形

White-labelling trap — you become the manufacturer白牌陷阱，你成為製造商

Other cases in which obligations of manufacturers apply製造商義務適用的其他情形

Substantial modification trap實質修改陷阱

Identification of economic operators經營者識別

10-year traceability chain10 年可追溯鏈

Obligations of open-source software stewards開源軟體管理者義務

OSS stewards — CRA's most contested roleOSS 管理者，CRA 爭議最大角色

Security attestation of free and open-source software自由及開源軟體的安全證明

Guidance指引

Chapter III · Article 27–34 第 III 章 · 第 27–34 條

Conformity of the product with digital elements 具數位元素產品的符合性

Presumption of conformity符合性推定

Harmonised standards & certification schemes調和標準與認證機制

EU declaration of conformity歐盟符合性聲明

Single DoC covering all applicable Union acts涵蓋所有適用聯盟法案的單一聲明

General principles of the CE markingCE 標誌一般原則

CE marking basicsCE 標誌基本原則

Rules and conditions for affixing the CE markingCE 標誌的標示規則與條件

Technical documentation技術文件

Annex VII file contents, 10-year retention附件七檔案內容，10 年保存

Conformity assessment procedures for products with digital elements具數位元素產品的符合性評估程序

Module A / B+C / H routes by product tier依產品層級走 Module A / B+C / H

Support measures for microenterprises and SMEs, including start-ups微型、中小企業及新創的支援措施

Simplified Annex VII form, regulatory sandboxes, training簡化附件七表式、法規沙盒、培訓

Mutual recognition agreements互認協定

Chapter IV · Article 35–51 第 IV 章 · 第 35–51 條

Notification of conformity assessment bodies 符合性評鑑機構指定

Notification指定通知

Notifying authorities通知機關

Requirements relating to notifying authorities通知機關的要求

Information obligation on notifying authorities通知機關的資訊義務

Requirements relating to notified bodies指定機構的要求

Presumption of conformity of notified bodies指定機構符合性推定

Subsidiaries of and subcontracting by notified bodies指定機構的子公司與外包

Application for notification指定申請

Notification procedure指定程序

Identification numbers and lists of notified bodies指定機構識別碼與名單

Changes to notifications指定變更

Challenge of the competence of notified bodies指定機構資格的質疑

Operational obligations of notified bodies指定機構營運義務

Appeal against decisions of notified bodies指定機構決定之上訴

Information obligation on notified bodies指定機構的資訊義務

Exchange of experience經驗交流

Coordination of notified bodies指定機構的協調

Chapter V · Article 52–60 第 V 章 · 第 52–60 條

Market surveillance and enforcement 市場監督與執法

Market surveillance and control of products with digital elements in the Union market聯盟市場對具數位元素產品的市場監督與控管

Article 2019/1020 + ENISA + ADCO第 2019/1020 號法規 + ENISA + ADCO

Access to data and documentation資料與文件的取得

Procedure at national level concerning products with digital elements presenting a significant cybersecurity risk具重大網路安全風險的具數位元素產品：會員國層級程序

Union safeguard procedure聯盟保障程序

Procedure at Union level concerning products with digital elements presenting a significant cybersecurity risk具重大網路安全風險的具數位元素產品：聯盟層級程序

Compliant products with digital elements which present a significant cybersecurity risk符合規範但存在重大網路安全風險的產品

Formal non-compliance形式不符

Joint activities of market surveillance authorities市場監督機關的聯合活動

Sweeps掃查行動

Chapter VI · Article 61–62 第 VI 章 · 第 61–62 條

Delegated powers and committee procedure 授權權限與委員會程序

Exercise of the delegation授權的行使

Committee procedure委員會程序

Chapter VII · Article 63–65 第 VII 章 · 第 63–65 條

Confidentiality and penalties 保密與處罰

Confidentiality保密

Penalties處罰

Up to €15M / 2.5% turnover for essential-requirement breach違反基本要求最高 1,500 萬歐元 / 營業額 2.5%

Representative actions代表訴訟

Chapter VIII · Article 66–71 第 VIII 章 · 第 66–71 條

Transitional and final provisions 過渡與最終規定

Amendment to Regulation (EU) 2019/1020修訂規章 (EU) 2019/1020

Amendment to Directive (EU) 2020/1828修訂指令 (EU) 2020/1828

Amendment to Regulation (EU) No 168/2013修訂規章 (EU) 168/2013

Transitional provisions過渡規定

Substantial-modification carve-back for pre-2027 products2027 年前產品的實質修改保留條款

Evaluation and review評估與檢討

Entry into force and application生效與適用

Entry into force 10 Dec 2024, full application 11 Dec 20272024/12/10 生效，2027/12/11 全面適用

Annexes · I – VIII 附件 · 一至八

The annexes — where the real work lives 附件 — 實質工作所在

Annex I lists the essential cybersecurity requirements. Annex III and IV list the important and critical product categories. Most of the day-to-day compliance lives here, not in the articles. 附件一列出必要網路安全要求；附件三、四列出重要與關鍵產品類別。日常合規工作大多在附件裡，不在條文裡。

Annex I

Essential cybersecurity requirements必要網路安全要求

Part I: Product requirements. Part II: Vulnerability handling. Where "secure by design" actually gets defined.第一部分：產品要求；第二部分：弱點處理。「安全設計」的實質內容在此。

Annex II

Information to users使用者資訊

What the user-facing documentation must actually contain.對使用者文件實質要求的內容。

Annex III

Important products — Class I & II重要產品 — Class I 與 II

23 categories: identity management, browsers, password managers, antivirus, VPNs, NMS, SIEM, boot managers, PKI, network interfaces, OS, routers, MCU/MPU/ASIC/FPGA with security functions, smart home assistants, smart locks/cameras, connected toys, wearables. Plus 4 Class II categories.23 項類別：身份管理、瀏覽器、密碼管理、防毒、VPN、NMS、SIEM、開機管理、PKI、網路介面、作業系統、路由器、具安全功能之 MCU/MPU/ASIC/FPGA、智慧家庭助理、智慧門鎖 / 攝影機、連網玩具、穿戴。加 4 項 Class II。

Annex IV

Critical products關鍵產品

Three categories: hardware devices with security boxes (HSM-class), smart meter gateways, smartcards / secure elements. Conformity assessment under Article 32(2)(c) may require EUCC certification at "high" assurance level — the strictest path in the entire CRA framework.三項類別：具安全盒之硬體裝置（HSM 等級）、智慧電表 gateway、智慧卡 / secure element。第 32(2)(c) 條下的合規評鑑可能要求「高」保證等級的 EUCC 認證，整個 CRA 框架中最嚴的路徑。

Annex V

EU declaration of conformity歐盟符合宣告

The 8 mandatory information items in the EU DoC. Cross-referenced from Article 28. Required for every CRA-compliant product. Format follows NLF Decision 768/2008/EC template.EU DoC 的 8 項強制資訊。由第 28 條交叉引用。每個 CRA 合規產品必備。格式遵循 NLF Decision 768/2008/EC 模板。

Annex VI

Simplified EU declaration of conformity簡化歐盟符合宣告

The abbreviated DoC that physically accompanies the product or is referenced via URL. Two sentences plus a URL pointing to the full Annex V DoC. Required by Article 13(20). The form most APAC manufacturers will print on packaging or include in product literature.隨附產品或透過 URL 引用之精簡形式 DoC。兩句話加上指向完整附件五 DoC 的 URL。第 13(20) 條所要求。多數 APAC 製造商會實體印在包裝上或放在產品文件中的形式。

Annex VII

Contents of the technical documentation技術文件之內容

The complete list. Line by line.完整清單。逐項。

Annex VIII

Conformity assessment procedures符合性評鑑程序

Internal production control. EU type-examination. Conformity based on full quality assurance. The three routes.內部生產控制、歐盟型式檢驗、基於完整品保的符合性驗證，三條路徑。