Annex V Regulation (EU) 2024/2847 · Annex V 法規 (EU) 2024/2847 · 附件五
The declaration form 符合宣告表單
Annex V lists the 8 information items every EU declaration of conformity (DoC) under the CRA must contain. Cross-referenced from Article 28, the DoC is the manufacturer's formal statement of CRA conformity, signed under the manufacturer's sole responsibility. Every CRA-compliant product on the EU market must carry one — though only the simplified version (Annex VI) needs to physically accompany the product. 附件五列出 CRA 下每一份歐盟符合宣告(DoC)必須包含的 8 項資訊。由第 28 條交叉引用,DoC 是製造商在其單獨責任下簽署、對 CRA 合規的正式陳述。EU 市場上每一個 CRA 合規產品都必須備有一份,但只有簡化版(附件六)需要實體隨附產品。
Block 1 · Official text 區塊 1 · 官方條文
What the Regulation actually says 條文實際怎麼寫
Source. Consolidated text from Regulation (EU) 2024/2847, Annex V, as published in OJ L 2024/2847, 20 November 2024. Translations below are unofficial; the binding text is at EUR-Lex. 來源。條文自《法規 (EU) 2024/2847》附件五,發布於 OJ L 2024/2847,2024 年 11 月 20 日。以下中文為非官方翻譯;強制適用條文請見 EUR-Lex。
Mandatory information items in the EU DoC EU DoC 的強制資訊項目 Items 1 – 8
The EU declaration of conformity referred to in Article 28 shall contain all of the following information:
第 28 條所指的歐盟符合宣告應包含下列全部資訊:
1 Name and type and any additional information enabling the unique identification of the product with digital elements.
1 具數位元素產品之名稱、類型、與其他可獨特識別之資訊。
2 Name and address of the manufacturer or its authorised representative.
2 製造商或其授權代表之名稱與地址。
3 A statement that the EU declaration of conformity is issued under the sole responsibility of the provider.
3 一段陳述,表明本歐盟符合宣告由提供者單獨負責簽發。
4 Object of the declaration (identification of the product with digital elements allowing traceability, which may include a photograph, where appropriate).
4 宣告之對象(可追溯之具數位元素產品識別,適當時得含照片)。
5 A statement that the object of the declaration described above is in conformity with the relevant Union harmonisation legislation.
5 一段陳述,表明上述宣告對象符合相關歐盟調和立法。
6 References to any relevant harmonised standards used or any other common specification or cybersecurity certification in relation to which conformity is declared.
6 引用所使用之相關調和標準、共通規範、或所宣告合規之網路安全認證。
7 Where applicable, the name and number of the notified body, a description of the conformity assessment procedure performed and identification of the certificate issued.
7 適用時,指定機構之名稱與編號、所執行之合規評鑑程序之描述、與所簽發證書之識別。
8 Additional information: signed for and on behalf of: (place and date of issue): (name, function) (signature).
8 其他資訊:代表與其名義簽署:(簽發地點與日期):(姓名、職務)(簽名)。
Block 2 · Plain language 區塊 2 · 白話解讀
Why eight short items carry more weight than they look 為什麼八個短項目份量比看起來重
The EU DoC is administratively brief — eight items, one page when typeset properly. But a flawed DoC is one of the most common reasons for market surveillance challenges. Three operational realities matter for APAC manufacturers.
"A DoC that incorrectly references a harmonised standard, names the wrong notified body, or fails to identify the product accurately is itself a non-compliance event under Article 64 penalty regime."
The DoC is a legal commitment under the manufacturer's sole responsibility. Item 3 says the DoC is issued "under the sole responsibility of the provider". This is not boilerplate — it is the legal hook that lets market surveillance authorities pursue the manufacturer if the DoC is wrong. A DoC that incorrectly references a harmonised standard, names the wrong notified body, or fails to identify the product accurately is itself a non-compliance event under Article 64 penalty regime.
The DoC accumulates compliance evidence in items 5–7. Item 5 anchors compliance to applicable harmonisation legislation (CRA primarily, but also RED, EMC, LVD if stacking). Item 6 names the standards used (e.g., EN 18031-1, EN 304 627). Item 7 names the notified body when one is involved. Together these three items make the DoC a compact summary of the entire compliance file. APAC manufacturers should write the DoC last — only after the technical file (Annex VII) is complete — to ensure consistency.
The DoC supports machine readability requirements. Article 28 envisions DoC delivery in electronic form. Future Commission implementing acts may specify machine-readable formats (XML, JSON, or DCC-style structured DoC). APAC manufacturers should design their DoC generation tooling for both human-readable PDF output and machine-readable structured data — retrofitting later is more expensive than building once.
The DoC must be retained for 10 years or the support period, whichever is longer. Annex VIII Module A point 4.2 mandates 10-year retention from placing on market. For long-lifecycle industrial products, the support period (Article 13(8)) may exceed 10 years. APAC manufacturers should design records-management infrastructure for retention longer than typical IT infrastructure refresh cycles.
EU DoC 在行政上很簡短,八個項目、排版好就一頁。但有瑕疵的 DoC 是市場監督挑戰最常見的原因之一。對 APAC 製造商有三個營運現實要緊。
「錯誤引用調和標準、寫錯指定機構名稱、或未準確識別產品的 DoC、本身在第 64 條罰則制度下就是不合規事件。」
DoC 是製造商在其單獨責任下做出的法律承諾。第 3 項說 DoC 由「提供者單獨負責」簽發。這不是樣板文字,這是讓市場監督機關在 DoC 錯誤時可以追究製造商的法律掛鉤。錯誤引用調和標準、寫錯指定機構名稱、或未準確識別產品的 DoC、本身在第 64 條罰則制度下就是不合規事件。
DoC 在第 5 到 7 項累積合規證據。第 5 項把合規錨定到適用之調和立法(主要是 CRA、但也含 RED、EMC、LVD 若疊加)。第 6 項寫所用標準(如 EN 18031-1、EN 304 627)。第 7 項寫指定機構(若涉及)。這三項一起讓 DoC 成為整份合規檔案的精簡摘要。APAC 製造商應最後才寫 DoC,技術檔(附件七)完成後再寫,以確保一致性。
DoC 支援機讀要求。第 28 條設想 DoC 以電子形式交付。未來執委會實施法律行為可能指定機讀格式(XML、JSON、或 DCC 風格的結構化 DoC)。APAC 製造商應設計可同時產出人讀 PDF 與機讀結構化資料的 DoC 產生工具,之後改造比一次到位貴。
DoC 須保留 10 年或支援期間(以較長者為準)。附件八 Module A 第 4.2 項規定自投入市場起保留 10 年。對長壽命工業產品、支援期間(第 13(8) 條)可能超過 10 年。APAC 製造商應為比典型 IT 基礎更新週期更長的保留期、設計紀錄管理基礎。
Block 3 · APAC perspective 區塊 3 · APAC 觀點
DoC drafting for APAC ICT exporters APAC ICT 出口商的 DoC 起草
For APAC manufacturers, the DoC sits at the boundary between technical compliance and legal accountability. APAC engineering teams produce the underlying compliance evidence; APAC legal / regulatory teams write the DoC. The handoff between these two teams is where most DoC errors originate.
對 APAC 製造商,DoC 位於技術合規與法律問責的邊界。APAC 工程團隊產出底層合規證據;APAC 法務 / 法規團隊寫 DoC。這兩個團隊之間的交接、是多數 DoC 錯誤的源頭。
| DoC fieldDoC 欄位 | Common APAC errorAPAC 常見錯誤 | Mitigation緩解 |
|---|---|---|
| Item 1 — Product identification第 1 項:產品識別 | Trade name only, no SKU / model number / firmware version. Insufficient for traceability.只有商品名稱、缺 SKU / 機型號 / 韌體版本。可追溯性不足。 | Include trade name + model number + initial firmware version covered.含商品名稱 + 機型號 + 涵蓋之初始韌體版本。 |
| Item 2 — Manufacturer / AR address第 2 項:製造商 / AR 地址 | APAC HQ address only when an AR exists; AR address omitted. Misalignment with Article 18(3) AR identification duty.有 AR 但只寫 APAC 總部地址;省略 AR 地址。跟第 18(3) 條 AR 識別義務不一致。 | Include both manufacturer and AR (if AR exists). Match to AR mandate document.同時含製造商與 AR(若存在)。對齊 AR 授權書。 |
| Item 5 — Harmonisation legislation第 5 項:調和立法 | CRA only listed; RED / EMC / LVD that also apply are omitted. DoC therefore does not actually cover all applicable regimes.只列 CRA;同時適用的 RED / EMC / LVD 被省略。DoC 因此實際上未涵蓋所有適用制度。 | List all applicable EU harmonisation acts. The DoC is multi-regime; the cybersecurity portion is just one block.列出所有適用的 EU 調和法律行為。DoC 是多制度的;網路安全部分只是其中一個區塊。 |
| Item 6 — Standards reference第 6 項:標準引用 | Reference to wrong version of EN 18031 (e.g., EN 18031:2024 instead of -1, -2, -3 sub-parts; or pre-publication draft).引用 EN 18031 錯誤版本(如寫 EN 18031:2024 而非 -1, -2, -3 子部分;或寫發布前草案)。 | Reference exact published EN reference and OJ publication date. EU has version-specific rules.引用確切發布之 EN 編號與 OJ 公告日期。EU 有版本特定規則。 |
| Item 7 — Notified body details第 7 項:指定機構細節 | NB number wrong; module identification (B+C, H) ambiguous; certificate number missing.NB 編號錯;模組識別(B+C、H)模糊;證書編號缺。 | Match exact NB NANDO number, exact module letter combination, exact certificate number.對齊確切 NB NANDO 編號、確切模組字母組合、確切證書編號。 |
| Item 8 — Signature第 8 項:簽名 | Signed by APAC engineering staff who don't have legal authority to bind the company; or signed by an authorised representative without proper mandate language in item 3.由不具拘束公司法律權限的 APAC 工程人員簽名;或由授權代表簽名而第 3 項未含適當授權書語言。 | Signed by a person with explicit corporate signing authority (typically QA Director, Regulatory Director, or above).由明確具公司簽署權限之人簽名(通常品保總監、法規總監、或更高)。 |
A practical observation about APAC ODM/OEM dynamics: when an APAC ODM ships product to an EU brand owner, the DoC is typically issued by the brand owner (who is the CRA manufacturer, per Article 3(13)). The APAC ODM provides supporting documentation that feeds into the brand owner's DoC drafting. ODMs should pre-draft the technical content for items 4, 5, 6, 7 in a format the brand owner can use directly. This is a sales-enablement and customer service play, not a regulatory requirement on the ODM directly.
對 APAC ODM / OEM 動態的實務觀察:APAC ODM 出貨給 EU 品牌商時,DoC 通常由品牌商(依第 3(13) 條為 CRA 製造商)簽發。APAC ODM 提供支援文件給品牌商起草 DoC。ODM 應為第 4、5、6、7 項預擬品牌商可直接使用的技術內容。這是銷售賦能與客戶服務作法,不是 ODM 直接的法規要求。
Block 4 · Cross-regulation map 區塊 4 · 跨法規對照
The EU DoC across NLF regimes NLF 制度間的 EU DoC
EU DoC is a familiar instrument across all NLF (New Legislative Framework) regimes. The 8-item format in CRA Annex V follows a well-established template. APAC manufacturers familiar with one regime's DoC translate the others easily. EU DoC 是所有 NLF(新立法框架)制度中熟悉的工具。CRA 附件五的 8 項格式遵循一個建立良好的模板。熟悉一個制度 DoC 的 APAC 製造商容易轉用其他。
Decision 768/2008/EC — the NLF DoC reference templateDecision 768/2008/EC:NLF DoC 參考模板
Decision 768/2008/EC is the NLF reference framework. Annex III of that Decision provides the model DoC text used across CRA, RED, EMC, LVD, RoHS, MDR, and most other EU product directives / regulations. CRA Annex V is a CRA-tailored instance of this template — the 8 items map to the Decision 768 structure with cybersecurity-specific terminology.
Decision 768/2008/EC 是 NLF 參考框架。該 Decision 的附件三、提供 CRA、RED、EMC、LVD、RoHS、MDR、與多數其他 EU 產品指令 / 法規通用的 DoC 模型文字。CRA 附件五是該模板的 CRA 客製實例,8 個項目對應到 Decision 768 結構、加上網路安全特定詞彙。
RED 2014/53/EU Annex VI — radio equipment DoCRED 2014/53/EU 附件六,無線電設備 DoC
RED Annex VI sets the radio equipment DoC. Same 8-item structure as CRA Annex V. APAC radio equipment manufacturers already maintain RED-compliant DoCs; CRA DoC drafting is a parallel exercise with mostly the same vocabulary. For Wi-Fi routers facing both CRA and RED-DA, a single DoC can cover both regimes by listing both legislation references in item 5.
RED 附件六設定無線電設備 DoC。跟 CRA 附件五同 8 項結構。APAC 無線電設備製造商已維持符合 RED 的 DoC;CRA DoC 起草是平行作業、大半詞彙相同。對同時面對 CRA 與 RED-DA 的 Wi-Fi router、單一 DoC 可在第 5 項列兩個立法引用、同時涵蓋兩制度。
MDR 2017/745 Annex IV — medical device DoCMDR 2017/745 附件四,醫療器材 DoC
MDR has its own DoC format with extra fields (UDI-DI for unique device identification, post-market surveillance plan reference). MDR-governed medical devices are CRA-carved-out, so the MDR DoC stands alone — no CRA DoC is issued for MDR devices. Connected non-medical-device wearables that are NOT MDR scope have CRA DoC.
MDR 有自己的 DoC 格式、加額外欄位(UDI-DI 唯一裝置識別、上市後監督計畫引用)。受 MDR 規範的醫療器材在 CRA 例外,所以 MDR DoC 獨立,MDR 器材不簽發 CRA DoC。不在 MDR 範圍的連網非醫療器材穿戴、有 CRA DoC。
EU AI Act 2024/1689 Article 47 — AI declarationEU AI Act 2024/1689 第 47 條:AI 宣告
AI Act has its own EU DoC for high-risk AI systems. Same NLF template. Products bundling high-risk AI under PwDE need both: a CRA DoC for the cybersecurity side and an AI Act DoC for the AI side. Both DoCs reference the same product but via different legislation entries.
AI Act 對高風險 AI 系統有自己的 EU DoC。同 NLF 模板。同時搭配高風險 AI 在具數位元素產品下的產品需要兩份:網路安全側的 CRA DoC、AI 側的 AI Act DoC。兩份 DoC 引用同一產品、但透過不同立法條目。
CRA Annex VI — simplified EU DoC for use with the productCRA 附件六,隨附產品使用的簡化 EU DoC
Annex VI is the abbreviated DoC format that physically accompanies the product (or is referenced via URL). Annex V is the full DoC, available on request to authorities. The two coexist: full DoC for regulators, simplified DoC for users / customers / channel. APAC manufacturers should generate both versions from the same source-of-truth.
附件六是隨附產品(或透過 URL 引用)的簡化 DoC 格式。附件五是完整 DoC、應主管機關要求提供。兩者並存:完整 DoC 給主管機關、簡化 DoC 給使用者 / 客戶 / 通路。APAC 製造商應從同一個事實源頭產出兩個版本。