CRA Notebook
Working note: actively evolving, may be revised. See /errata for the change log.

Article 1 · Regulation (EU) 2024/2847 · Chapter I

Subject matter

The opening clause that tells you what the CRA legislates: rules for placing PwDE on the market, essential cybersecurity requirements for design and vulnerability handling, and market surveillance.

Paragraphs · 4, (a)–(d)
Applies from · 11 Dec 2027
Primary audience · All economic operators
Last reviewed · 2026-04-26
Status · Working

Block 1 · Official text

What the Regulation actually says

Quoted from Regulation (EU) 2024/2847, OJ L 2024/2847 (20 Nov 2024); refer to EUR-Lex for the binding text.

This Regulation lays down:

(a) rules for the making available on the market of products with digital elements to ensure the cybersecurity of such products;

(b) essential cybersecurity requirements for the design, development and production of products with digital elements, and obligations for economic operators in relation to those products with respect to cybersecurity;

(c) essential cybersecurity requirements for the vulnerability handling processes put in place by manufacturers to ensure the cybersecurity of products with digital elements during the time the products are expected to be in use, and obligations for economic operators in relation to those processes;

(d) rules on market surveillance, including monitoring, and enforcement of the rules and requirements referred to in this Article.

Block 2 · Plain language

What CRA actually regulates: five buckets, not one

Article 1 is the regulatory equivalent of a table of contents. It tells you what the CRA covers and, by implication, what it doesn't. Most APAC manufacturers reading CRA for the first time think "cybersecurity rules for connected products" — and miss four of the five buckets. The missed buckets are usually the ones that hit hardest in operations.

  1. Rules on making available — the market-access lever. Article 1(a) says CRA sets the conditions under which PwDE can be placed and made available on the EU market. Free movement (Article 4) flows from this. The single most consequential phrase across the entire regulation is "made available on the market" — every conformity, CE marking, and reporting duty is anchored to this regulatory event.

  2. Essential requirements for design, development, production — the engineering rules. Article 1(b) is the source of Annex I Part I — secure-by-default, no known exploitable vulnerabilities, a secure update mechanism, etc. This is the bucket APAC engineering teams immediately recognise. It is also the bucket that maps most cleanly onto existing standards (IEC 62443, EN 18031, ETSI EN 303 645).

  3. Vulnerability handling — the lifecycle rules. Article 1(c) is the source of Annex I Part II — coordinated vulnerability disclosure (CVD), software bill of materials (SBOM), security update commitment for the support period, ENISA reporting. This bucket is where most APAC vendors discover they have insufficient infrastructure. Engineering can be retrofitted; PSIRT cannot be retrofitted in three months.

  4. Market surveillance and enforcement — the regulator-side rules. Article 1(d) sets up the market surveillance machinery in Chapter VI. Member State market surveillance authorities, ENISA, the Commission, all have investigatory and corrective powers. The reach is broad — Article 53 lets authorities demand technical documentation, Article 54 escalates non-compliance, Article 64 imposes fines up to €15 million or 2.5% of worldwide annual turnover.

  5. The relationship with other Union law — the carve-out and stack rules. Article 1 implies what Article 2 makes explicit: CRA does not apply to PwDE already governed by MDR, IVDR, the motor vehicle cybersecurity regulation, or civil aviation rules. CRA stacks with RED, EMC, LVD, GPSR, AI Act, Machinery Regulation, NIS2, DORA. Knowing which regimes are carve-outs versus stacks is the first GTM-level decision for an APAC manufacturer.

Block 3 · APAC perspective

Five buckets and the APAC compliance budget reality

For an APAC manufacturer that has never engaged with CRA, the natural mental model is "I need to test my product". This is the engineering bucket — Article 1(b). It is real, but it is roughly one-fifth of the actual scope. The other four buckets — market access, vulnerability handling, market surveillance, and the regulatory-stack interactions — drive operating costs that engineering testing cannot address.

A realistic CRA cost breakdown for a Tier-2 APAC ICT exporter (a typical Taiwan ODM with 5–10 SKUs going to the EU):

CRA bucket | Typical Tier-2 APAC cost share | Cost driver
Article 1(a) — Market access | ~10% | CE marking process, EU DoC drafting, AR mandate negotiation. Mostly one-off.
Article 1(b) — Engineering essential requirements | ~25% | Gap assessment and remediation against Annex I Part I; testing fees if a notified body is involved (Class II products).
Article 1(c) — Vulnerability handling | ~40% | Largest bucket. PSIRT setup, SBOM tooling, CVD policy, secure-update infrastructure, support-period commitment cost. Recurring throughout product life.
Article 1(d) — Market surveillance response | ~10% | Reasoned-request response capability, technical documentation in an EU-acceptable form, ability to act on Article 54 findings.
Bucket 5 — Regulatory stack mapping (implied by Article 1, made explicit in Article 2) | ~15% | Determining which other regimes apply (RED, AI Act, Machinery, NIS2 customer impact). Often outsourced to legal / TIC partners.

The 40% allocation to vulnerability handling is the surprise for most APAC manufacturers. Engineering testing is one-time per SKU; PSIRT and CVD are 24/7 ongoing operations. The sticker shock is real and usually arrives at month 3 of CRA preparation.

A useful pre-engagement question for APAC sales teams pitching to EU brand customers: "Have you mapped which of the five CRA buckets you bear, and which you push to your ODM supplier?" Most EU brand owners have a clear view on Article 1(a) (CE marking on their product), a partial view on 1(b) (they want test reports), and almost no view on 1(c), 1(d) and the regulatory-stack bucket. The contractual gap between brand owner and ODM around those last three buckets is where APAC ODMs either over-commit (taking on costs they cannot bill back) or under-commit (losing the contract).

Block 4 · Cross-regulation map

CRA's subject matter against parallel EU regulatory ambitions

Article 1's five buckets are not unique to CRA. Each bucket has parallel rules in adjacent EU regimes. APAC manufacturers operating across regimes can identify shared infrastructure to amortise costs.

RED 2014/53/EU: radio equipment, parallel structure

RED Article 1 has the same five-bucket logic — market access, essential requirements, conformity assessment, market surveillance, regulatory relationships. The cybersecurity-related essential requirements activated by Delegated Act 2022/30 (since 1 Aug 2025) sit in Article 3(3)(d), (e), (f). APAC radio equipment makers already running RED-DA conformity have the regulatory mental model that translates to CRA.

EU AI Act 2024/1689: broader scope, similar structure

AI Act Article 1 lays down rules for placing AI systems on the market, essential requirements for high-risk AI systems, governance and conformity assessment, market surveillance, and cross-regime relationships. Same five-bucket logic. AI Act adds an extra bucket for prohibited practices (Article 5) that CRA does not have. Products bundling high-risk AI under PwDE need both regimes' five-bucket compliance simultaneously.

NIS2 Directive 2022/2555: entity-level cybersecurity, not product-level

NIS2 Article 1 sets entity-level cybersecurity duties on essential and important entities. The structure is similar — risk management, incident reporting, supervisory powers, sanctions — but the unit of regulation is the entity, not the product. CRA covers the product layer; NIS2 covers the operator layer. APAC vendors selling PwDE to NIS2 essential entities (utilities, transport, healthcare) have downstream NIS2 pressure on top of upstream CRA pressure.

Medical Devices Regulation 2017/745: explicit CRA carve-out

CRA Article 2(2)(a) explicitly carves out PwDE governed by MDR. MDR Article 1 covers placing on market, essential requirements, conformity assessment, surveillance — same five-bucket structure but specific to medical devices. Connected medical devices follow MDR exclusively for cybersecurity matters; CRA does not stack here. APAC medical device makers should not duplicate effort across MDR and CRA — but they should ensure MDR-side cybersecurity work meets the bar that CRA would have set.

EU Cyber Resilience Act and the Cybersecurity Act 2019/881

CRA anchors its definitions to the Cybersecurity Act 2019/881 (Article 3(3) of CRA points to Article 2(1) of CSA for the definition of cybersecurity). CSA established ENISA's permanent mandate, the EU certification framework (EUCC), and the conditions for Union-level cybersecurity certification schemes. CRA inherits CSA's institutional plumbing: ENISA runs the single reporting platform (SRP), and the EUCC scheme connects to the Article 8 mandatory certification triggers for critical products.
