CRA Notebook (reading notes)
Working note — actively evolving, may be revised. See /errata for the change log.

Annex II · Regulation (EU) 2024/2847

Information and instructions to the user

Nine items that Annex II lists for every CRA-scoped product (the ninth applies only if an SBOM is offered to users). The single point of contact, the coordinated vulnerability disclosure policy, the support-period end date, the decommissioning instructions. This is where Annex I's design obligations become visible to the person who installs and operates the product.

Items · 9   Applies from · 11 Dec 2027   Primary audience · Manufacturer · Integrator · End user · Market surveillance   Last reviewed · 2026-04-25   Status · Working

Block 1 · Official text

What the Regulation actually says

Source. Consolidated text of Regulation (EU) 2024/2847 as published in OJ L, 2024/2847, 20 November 2024.

Preamble — what must accompany the product

At minimum, the product with digital elements shall be accompanied by:

Items 1 – 3: manufacturer identity, single point of contact, product identity (§§ 1 – 3)

1. the name, registered trade name or registered trademark of the manufacturer, and the postal address, the email address or other digital contact as well as, where available, the website at which the manufacturer can be contacted;

2. the single point of contact where information about vulnerabilities of the product with digital elements can be reported and received, and where the manufacturer's policy on coordinated vulnerability disclosure can be found;

3. name and type and any additional information enabling the unique identification of the product with digital elements;

Items 4 – 5: intended purpose, foreseeable risks (§§ 4 – 5)

4. the intended purpose of the product with digital elements, including the security environment provided by the manufacturer, as well as the product's essential functionalities and information about the security properties;

5. any known or foreseeable circumstance, related to the use of the product with digital elements in accordance with its intended purpose or under conditions of reasonably foreseeable misuse, which may lead to significant cybersecurity risks;

Items 6 – 7: DoC URL, support-period end date (§§ 6 – 7)

6. where applicable, the internet address at which the EU declaration of conformity can be accessed;

7. the type of technical security support offered by the manufacturer and the end-date of the support period during which users can expect vulnerabilities to be handled and to receive security updates;

Item 8: detailed operational instructions (sub-items a – f) (§ 8)

8. detailed instructions or an internet address referring to such detailed instructions and information on:

(a) the necessary measures during initial commissioning and throughout the lifetime of the product with digital elements to ensure its secure use;

(b) how changes to the product with digital elements can affect the security of data;

(c) how security-relevant updates can be installed;

(d) the secure decommissioning of the product with digital elements, including information on how user data can be securely removed;

(e) how the default setting enabling the automatic installation of security updates, as required by Part I, point (2)(c), of Annex I, can be turned off;

(f) where the product with digital elements is intended for integration into other products with digital elements, the information necessary for the integrator to comply with the essential cybersecurity requirements set out in Annex I and the documentation requirements set out in Annex VII.

Item 9: SBOM disclosure (conditional) (§ 9)

9. If the manufacturer decides to make available the software bill of materials to the user, information on where the software bill of materials can be accessed.

Important: Item 9 is optional. The CRA does not mandate disclosing the SBOM to users. Annex VII point 2(b), however, requires the SBOM in the technical documentation, and Annex I Part II point (1) requires the manufacturer to identify and document the vulnerabilities and components contained in the product, including by drawing up an SBOM in a commonly used, machine-readable format that covers at least the top-level dependencies. What is mandatory towards the regulator is optional towards the end user.

Operating conditions (from Article 13) · Art 13(18) – (20)

Article 13(18): The Annex II information and instructions shall accompany the product in paper or electronic form, in a language that users and market surveillance authorities can easily understand, and shall be clear, understandable, intelligible and legible. Manufacturers shall keep them at the disposal of users and authorities for at least 10 years after the product is placed on the market or for the support period, whichever is longer. When provided online, they shall be accessible, user-friendly and available online for that same minimum period.

Article 13(19): The end date of the support period, including at least the month and the year, shall be clearly and understandably specified at the time of purchase in an easily accessible manner and, where applicable, on the product, its packaging or by digital means. Where technically feasible, manufacturers shall notify users when the product reaches the end of its support period.

Article 13(20): The manufacturer shall provide either a copy of the full EU declaration of conformity (Annex V) or a simplified EU declaration of conformity (Annex VI template) with the product. A simplified declaration must contain the exact internet address at which the full declaration can be accessed.

Block 2 · Plain language

The user-facing surface of the CRA

Annex II is the surface the CRA shows to people who buy and operate products. Most of the Regulation is invisible to end users — design obligations land in engineering, technical documentation lives in a filing cabinet, conformity assessments are between manufacturer and notified body. Annex II is different. Every item on the list exists because the CRA's drafters decided end users need to see it.

"Annex II item 7 — the end-date of the support period — is the single most operationally significant entry. At the point of sale, you are publicly committing to a date after which security updates stop."

The nine items cluster into three functional groups.

Who you are dealing with (items 1, 2, 3). Manufacturer identity and contact details (item 1); a single point of contact for vulnerabilities with the CVD policy visible (item 2); unique product identification (item 3). The combined effect: a user finding a bug, a security researcher reporting responsibly, or a market surveillance authority investigating an incident can locate the right person without a treasure hunt. Item 2 is the consumer-visible face of Article 13(17)'s single-point-of-contact obligation, and that same provision requires the contact to let users choose their means of communication rather than limiting them to automated tools.

What you are getting (items 4, 5, 6, 7). Intended purpose, security environment, essential functionalities, and security properties (item 4); known or foreseeable risks (item 5); a URL to the Declaration of Conformity (item 6); and — possibly the most important single piece of information — the end-date of the support period (item 7). Item 7 is operationally significant: it commits the manufacturer, publicly and at the point of sale, to a specific date after which the device will no longer receive security updates. This is a commitment artefact, not marketing copy.

How to operate, maintain, and dispose of it safely (items 8, 9). Item 8 is the workhorse — six sub-items covering commissioning, changes that affect security, how to install security updates, secure decommissioning including user-data deletion, how to turn off the auto-update default (required to be on by Annex I Part I (2)(c)), and — for components intended for integration into other products — the information downstream integrators need to demonstrate Annex I and Annex VII compliance. Item 9 is conditional: if the manufacturer publishes an SBOM to end users, it must indicate where to access it. Choosing not to publish an SBOM to end users means no Annex II obligation on this point — though the SBOM remains mandatory in the technical file under Annex VII.

Format and language. Annex II content can be paper or electronic. The Commission's CRA FAQ confirms that "accompanying" the product does not mandate paper: an electronic user manual is equally compliant if it is accessible at the moment the user takes possession. The language requirement in Article 13(18) is "easily understood by users and market surveillance authorities". For a consumer product sold in Germany, that realistically means German (or at least bilingual German + English). Pure English is only safe for strictly B2B products where both parties are professional. The 10-year / support-period availability floor applies whether paper or electronic: the manufacturer must still be able to produce the Annex II content a decade after placing the product on the market.

Block 3 · APAC perspective

Three operational shifts APAC manufacturers must plan for

APAC manufacturers already produce user documentation for RED, EMC, safety compliance, and various national-language consumer markets. Annex II is not generic user documentation; it is a specific nine-item legal checklist that dictates what must appear and where. Three shifts deserve planning attention.

1. Single point of contact is a role, not an email address

Item 2 requires a single PoC where vulnerability reports are received. Article 13(17) adds that this PoC must let users choose their preferred means of communication and must not limit them to automated tools. For a mid-size APAC ODM with no dedicated security team, this means either (i) staffing an in-house PSIRT (Product Security Incident Response Team) that monitors the inbox and responds to external reports, or (ii) contracting a PSIRT-as-a-service provider. As rough estimates, option (i) costs about 1–2 FTE in the first year for a first-time programme; option (ii) runs €30k–€80k/year depending on scope. Treating the PoC as just an email address with an auto-responder breaches Article 13(17) regardless of whether the address appears in the Annex II documentation. Many APAC ODMs currently route security reports through generic info@ addresses that auto-acknowledge and never escalate; this will not satisfy the CRA.

2. Support-period end date is a public commitment, not an internal target

Item 7 requires the end date at least to month and year. Article 13(19) requires it at the point of sale, in an easily accessible manner. This does two things APAC ODMs have historically not done: it makes the support period externally auditable, and it couples the support period to the warranty / commercial agreement with EU distributors. A 2027 product stating an end date of December 2032 has committed to five years of security-update delivery, and if it stops delivering them at year three, market surveillance can act. The practical implication is that support-period decisions cannot be made by the product-management team alone; they need sign-off from engineering (can we realistically maintain this?), legal (are we comfortable publicly committing to this?), and finance (what does the multi-year maintenance reserve look like?). Many APAC OEM/ODM products today have no published support period at all; Annex II forces the choice to be made and recorded.

3. Item 8(f) creates a B2B documentation dependency

For products intended for integration (chipsets, modules, OS images, SDKs, firmware components), item 8(f) requires providing the information the downstream integrator needs to comply with Annex I and Annex VII. In practice this includes cryptographic-hardware documentation, an SBOM in a commonly used machine-readable format, secure-default configuration descriptions, update interfaces, and so on. APAC silicon vendors and module makers supplying downstream OEMs now have a codified documentation obligation towards those OEMs: the OEM can demand item 8(f)-grade documentation and the supplier must provide it. Contract templates in 2027–2028 are likely to cite Annex II item 8(f) specifically. This is a B2B workflow change, not just a B2C packaging change.

A closing practical note. Most APAC manufacturers will want to convert Annex II into a standard template that merges with existing product documentation, typically a "CRA User Guide" section appended to or integrated into the existing user manual. Treating Annex II as a separate document is legally fine but operationally burdens translation, version control, and e-document hosting. The integrated approach wins if the existing manual already goes through the same multilingual review process.

Block 4 · Cross-regulation map

Annex II items mapped to related regulatory instruments

Several Annex II items overlap with existing EU and non-EU documentation regimes. The entries below help identify where existing compliance work can be reused and where new effort is required.

§ 1 Manufacturer identity
  Parallel regime: all CE-marking legislation (RED, EMC, Machinery); consumer protection laws; EU General Product Safety Regulation (GPSR).
  Reuse potential / gap: high. The manufacturer-identity block is essentially identical; no new fields to add.

§ 2 Single PoC + CVD policy
  Parallel regime: ISO/IEC 29147 (vulnerability disclosure); RED Delegated Regulation (EU) 2022/30 (pre-repeal); NIS2 Article 21(2)(b) incident handling.
  Reuse potential / gap: medium. Existing VDP policies typically lack the single-point-of-contact commitment of Article 13(17) or the regulatory-grade visibility the CRA requires. Most APAC manufacturers will need to upgrade.

§§ 4, 5 Intended purpose + foreseeable misuse
  Parallel regime: Machinery Regulation (EU) 2023/1230 Annex III; GPSR Article 9; Medical Devices Regulation safety-information requirements.
  Reuse potential / gap: moderate. The framing is similar (risks under intended use + reasonably foreseeable misuse) but the risk domain differs; cyber-risk commentary must be added.

§ 7 Support-period end date
  Parallel regime: Digital Content Directive (EU) 2019/770 Article 8 on conformity updates; Sale of Goods Directive (EU) 2019/771 Article 7(3) on updates; UK PSTI (security-update period statement).
  Reuse potential / gap: low to medium. The concept exists elsewhere but the specific form and placement rules differ. The UK PSTI "minimum security update period" statement is the closest analogue, but the CRA (Article 13(19)) wants a definite end date stated to at least month and year, not a minimum duration.

§ 8(d) Secure decommissioning incl. user-data removal
  Parallel regime: GDPR Article 17 right to erasure (organisation-level); NIST SP 800-88 Rev. 1 Media Sanitization; various national e-waste regimes.
  Reuse potential / gap: low. § 8(d) is product-level (how does the user securely delete data from the device), which is a different granularity. Technical content may draw on NIST SP 800-88, but the documentation format is new.

§ 8(f) Integration information for downstream integrators
  Parallel regime: IEC 62443-4-1 (secure product development); supplier documentation in industrial security; existing OEM datasheets and integration guides.
  Reuse potential / gap: medium for industrial-oriented APAC makers already aligned to IEC 62443. For consumer-segment suppliers this is mostly net-new documentation effort.

§ 9 SBOM disclosure (optional)
  Parallel regime: US Executive Order 14028 (federal SBOM mandate); CISA SBOM guidance; SPDX / CycloneDX format standards.
  Reuse potential / gap: if the manufacturer already publishes an SBOM to customers or US-government buyers under EO 14028, the same artefact can serve CRA item 9. The CRA does not name a format; Annex I Part II (1) requires a commonly used, machine-readable one, which SPDX and CycloneDX both satisfy, and the Regulation empowers the Commission to specify format and elements by implementing act.
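A manufacturer building a documentation pipeline will usually end up encoding the conditional rules from Block 2 and the § 7 caveat above as a lint over its product-documentation records. The Python below is an added example written for this note; it is not part of the original page, not official CRA tooling, and the record layout, key names and sample values are assumptions constructed for the example. It checks a record against the nine Annex II items as paraphrased in Block 1, applying the conditions the text states (the DoC URL becomes mandatory under Article 13(20) when only a simplified declaration is shipped, item 8(f) applies only to products intended for integration, item 9 applies only when an SBOM is offered to users) and rejects a PSTI-style minimum duration where Article 13(19) wants a definite month and year.

```python
"""Annex II documentation lint (added example; the record layout is an assumption)."""
import copy
import re

# Constructed sample record. The key names below are an assumption of this
# example, not a format defined by the CRA or any of its annexes.
SAMPLE_RECORD = {
    "manufacturer": {"name": "Example Devices GmbH", "postal_address": "Musterstrasse 1, 12345 Musterstadt",
                     "email": "contact@example.test", "website": "https://example.test"},
    "vulnerability_contact": {"address": "psirt@example.test", "cvd_policy_url": "https://example.test/cvd"},
    "product": {"name": "Gateway X1", "type": "industrial gateway", "unique_id": "X1-A"},
    "intended_purpose": "Edge gateway for building-automation networks.",
    "security_environment": "Operated behind a customer firewall; no inbound WAN ports.",
    "essential_functions": "Protocol translation, local logging, remote management.",
    "security_properties": "Signed firmware, per-device credentials, TLS management channel.",
    "foreseeable_risks": "Exposing the management port to the public internet.",
    "declaration_of_conformity": {"form": "simplified", "url": "https://example.test/doc/x1"},
    "support": {"type": "security updates via signed OTA", "end_date": "2032-12"},
    "instructions": {
        "a": "Change default credentials and set the NTP source during commissioning.",
        "b": "Enabling the legacy Modbus bridge allows unauthenticated writes.",
        "c": "Updates install automatically; manual install is available in the web UI.",
        "d": "Factory reset destroys the data-partition encryption key.",
        "e": "Settings > Updates > Automatic security updates: off.",
    },
    "intended_for_integration": False,   # adds item 8(f) when True
    "sbom_offered_to_users": True,       # makes item 9 applicable
    "sbom_url": "https://example.test/sbom/x1.cdx.json",
}

# Art. 13(19): a definite end date with at least month and year (YYYY-MM or YYYY-MM-DD).
_END_DATE = re.compile(r"^(?P<y>\d{4})-(?P<m>0[1-9]|1[0-2])(?:-(?:0[1-9]|[12]\d|3[01]))?$")


def parse_end_date(value):
    """Return (year, month) for a definite end date, or None for anything else,
    including a PSTI-style minimum duration such as 'at least 5 years'."""
    m = _END_DATE.match(str(value or "").strip())
    return (int(m["y"]), int(m["m"])) if m else None


def lint_annex_ii(record):
    """Return a list of findings; an empty list means every applicable item is present."""
    findings = []
    mf = record.get("manufacturer", {})
    for key in ("name", "postal_address"):
        if not mf.get(key):
            findings.append(f"item 1: manufacturer {key} missing")
    if not (mf.get("email") or mf.get("digital_contact")):   # website is only 'where available'
        findings.append("item 1: email or other digital contact missing")
    vc = record.get("vulnerability_contact", {})
    if not vc.get("address"):
        findings.append("item 2: single point of contact for vulnerability reports missing")
    if not vc.get("cvd_policy_url"):
        findings.append("item 2: location of the CVD policy missing")
    for key in ("name", "type"):
        if not record.get("product", {}).get(key):
            findings.append(f"item 3: product {key} missing")
    for key in ("intended_purpose", "security_environment", "essential_functions", "security_properties"):
        if not record.get(key):
            findings.append(f"item 4: {key} missing")
    if not record.get("foreseeable_risks"):
        findings.append("item 5: known or foreseeable risk circumstances missing")
    doc = record.get("declaration_of_conformity", {})
    if doc.get("form") == "simplified" and not doc.get("url"):   # item 6 read together with Art. 13(20)
        findings.append("item 6: simplified DoC requires the exact URL of the full DoC")
    sup = record.get("support", {})
    if not sup.get("type"):
        findings.append("item 7: type of technical security support missing")
    if parse_end_date(sup.get("end_date")) is None:
        findings.append("item 7: end date must be a definite month and year, not a minimum duration")
    required = ["a", "b", "c", "d", "e"] + (["f"] if record.get("intended_for_integration") else [])
    for sub in required:
        if not record.get("instructions", {}).get(sub):
            findings.append(f"item 8({sub}): instructions missing")
    if record.get("sbom_offered_to_users") and not record.get("sbom_url"):
        findings.append("item 9: SBOM offered to users but its location is not stated")
    return findings


def with_overrides(record, **overrides):
    """Deep copy of record with top-level keys replaced; used to build negative cases."""
    out = copy.deepcopy(record)
    out.update(overrides)
    return out


if __name__ == "__main__":
    for finding in lint_annex_ii(SAMPLE_RECORD) or ["complete under the assumed schema"]:
        print(finding)
```

The lint only sees what is in the record, so it checks presence and form, not quality: whether the item 2 contact actually offers a non-automated channel, as Article 13(17) requires, is a process property that still has to be reviewed by a person. The SBOM clause deliberately raises nothing when no SBOM is offered, mirroring the point in Block 1 that the technical-file SBOM under Annex VII is a separate obligation outside Annex II.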