Article 11 Regulation (EU) 2024/2847 · Chapter I 法規 (EU) 2024/2847 · 第一章
General product safety 一般產品安全
CRA derogates from parts of the General Product Safety Regulation 2023/988 — CRA-covered products do not also fall under GPSR market surveillance for the same risks. CRA 對《一般產品安全法規 2023/988》部分規定設有例外,CRA 涵蓋之產品就同一風險不再額外受 GPSR 市場監督。
Block 1 · Official text 區塊 1 · 官方條文
What the Regulation actually says 條文實際怎麼寫
Source. From Regulation (EU) 2024/2847, OJ L 2024/2847 (20 Nov 2024). Translation unofficial; refer to EUR-Lex for binding text. 來源。節錄自《法規 (EU) 2024/2847》,OJ L 2024/2847(2024 年 11 月 20 日)。中文為非官方翻譯;強制適用條文請見 EUR-Lex。
By way of derogation from Article 2(1), third subparagraph, point (b), of Regulation (EU) 2023/988, Chapter III, Section 1, Chapters V and VII, and Chapters IX to XI of that Regulation shall apply to products with digital elements falling within the scope of this Regulation with regard to safety risks not covered by this Regulation, where those risks are not covered by other Union harmonisation legislation as defined in Article 3, point (27), of Regulation (EU) 2023/988.
作為對《法規 (EU) 2023/988》第 2(1) 條第三段第 (b) 款之例外,該法規第三章第一節、第五章與第七章、以及第九章至第十一章,應適用於落入本法規範圍之具數位元素產品,限於本法規未涵蓋之安全風險、且該等風險未受《法規 (EU) 2023/988》第 3 條第 (27) 款所定其他歐盟調和立法涵蓋者。
Block 2 · Plain language 區塊 2 · 白話解讀
Where CRA carves out of GPSR — and where they coexist CRA 在哪裡切出 GPSR:又在哪裡並存
Article 11 is the bridge clause between CRA and the General Product Safety Regulation (GPSR, Regulation 2023/988). For consumer connected products, both regimes potentially apply. Article 11 says: for risks covered by CRA, CRA is the rule; GPSR does not apply to those specific risks. For all other safety risks, GPSR continues to apply.
Carve-out is risk-by-risk, not product-by-product. A consumer smart camera is not entirely "out of GPSR". The cybersecurity risks are governed by CRA; the electrical safety, mechanical safety, and chemical safety risks of the same camera continue under GPSR. The same product, two regulatory regimes for different risk categories.
The carve-out is one-way. Article 11 says GPSR does not apply to risks already covered by CRA. The reverse is not true — CRA does not exclude GPSR's residual safety net. If a CRA-compliant product has a non-cybersecurity safety defect, GPSR market surveillance authorities can still act on that defect.
GPSR applies to consumer products; CRA applies to PwDE. The category overlap is in the consumer-connected-product space. Industrial equipment, B2B IIoT, professional networking gear sit primarily in CRA scope; GPSR has limited reach. Conversely, mass-market consumer connected goods (smart toys, smart-home devices, fitness wearables) face the largest overlap and therefore the most operational complexity.
Recall obligations are coordinated, not duplicated. A connected product with a cybersecurity flaw triggers CRA Article 14 / 53 / 54 corrective actions. A product safety defect triggers GPSR Article 19 corrective actions. These are different reporting and recall pipelines, but in practice the same market surveillance authority handles both. APAC manufacturers should design recall procedures that satisfy both regimes simultaneously rather than maintaining parallel processes.
第 11 條是 CRA 跟一般產品安全法規(GPSR、法規 2023/988)之間的橋接條款。對消費端連網產品、兩個制度可能都適用。第 11 條說:CRA 涵蓋的風險、由 CRA 規範;GPSR 對那些特定風險不適用。對所有其他安全風險、GPSR 繼續適用。
例外是按風險、不是按產品。一台消費端智慧攝影機不是完全「在 GPSR 之外」。網路安全風險由 CRA 規範;同一台攝影機的電氣安全、機械安全、化學安全風險仍在 GPSR 下。同一個產品、兩個法規制度、針對不同風險類別。
例外是單向的。第 11 條說 GPSR 對 CRA 已涵蓋之風險不適用。反過來則不成立,CRA 不排除 GPSR 的剩餘安全網。CRA 合規產品有非網路安全的安全缺陷時、GPSR 市場監督機關仍可就該缺陷採取行動。
GPSR 適用消費產品;CRA 適用具數位元素產品。類別重疊在消費連網產品空間。工業設備、B2B IIoT、專業網路設備主要在 CRA 範圍;GPSR 觸及有限。反之、大眾消費連網商品(智慧玩具、智慧家庭裝置、健身穿戴)面對最大重疊、因此營運最複雜。
召回義務協調、不是重複。具網路安全瑕疵的連網產品、觸發 CRA 第 14 / 53 / 54 條矯正措施。產品安全缺陷、觸發 GPSR 第 19 條矯正措施。這是不同的通報跟召回管道、但實務上同一市場監督機關處理兩者。APAC 製造商應設計同時滿足兩個制度的召回程序、而不是維持平行流程。
Block 3 · APAC perspective 區塊 3 · APAC 觀點
CRA-GPSR overlap and APAC consumer product makers CRA 與 GPSR 重疊及 APAC 消費產品製造商
For APAC consumer product makers — particularly Taiwan smart-home, Japan IoT, Korea consumer electronics — Article 11 is the article that determines whether their products face one or two market surveillance regimes for safety. The answer is: both, on different risk categories, simultaneously.
對 APAC 消費產品製造商,特別是台灣智慧家庭、日本 IoT、韓國消費電子:第 11 條決定他們的產品在安全上面對一個或兩個市場監督制度。答案是:同時兩個、針對不同風險類別。
A risk-mapping table that APAC consumer product teams can use:
APAC 消費產品團隊可用的風險對應表:
| Risk category風險類別 | Regime制度 | APAC engineering ownerAPAC 工程負責方 |
|---|---|---|
| Cybersecurity (vulnerabilities, attacks, data exfiltration)網路安全(弱點、攻擊、資料外流) | CRA — Annex I + Article 14 reporting + ENISA SRP.CRA:附件一 + 第 14 條通報 + ENISA SRP。 | PSIRT, security engineering team.PSIRT、安全工程團隊。 |
| Electrical safety (shock, fire, overheat)電氣安全(電擊、起火、過熱) | LVD 2014/35/EU + GPSR for residual.LVD 2014/35/EU + GPSR 作為剩餘。 | Hardware engineering, regulatory compliance team.硬體工程、法規合規團隊。 |
| Chemical safety (RoHS, REACH, conflict minerals)化學安全(RoHS、REACH、衝突礦物) | RoHS / REACH directly + GPSR for residual.RoHS / REACH 直接 + GPSR 作為剩餘。 | Material engineering, supply chain compliance.材料工程、供應鏈合規。 |
| Mechanical / physical safety (sharp edges, choking, ergonomics)機械 / 物理安全(銳利邊緣、窒息、人因工程) | GPSR primary + sectoral (toy safety, etc.).GPSR 為主 + 部門別(玩具安全等)。 | Industrial design, mechanical engineering.工業設計、機械工程。 |
| Privacy / personal data隱私 / 個資 | GDPR — separate regime, not GPSR. CRA Annex I touches privacy-supporting features but GDPR governs personal data.GDPR:獨立制度、非 GPSR。CRA 附件一觸及支援隱私的特徵、但個資由 GDPR 規範。 | DPO, legal, privacy engineering.DPO、法務、隱私工程。 |
A practical observation: APAC organisations often have one team owning "EU compliance" without internal differentiation across regimes. As CRA scales up, the team typically needs to split into a CRA / cybersecurity track and a GPSR / safety track, or reorganise to make the regime distinction explicit. Without this, recall response time degrades — the same incident hits two regimes and the team flips between portals.
實務觀察:APAC 組織常有一個團隊管「EU 合規」、內部不分制度。CRA 規模擴大時、團隊通常需要分成 CRA / 網路安全軌道跟 GPSR / 安全軌道、或重組讓制度區分明確。沒做、召回回應時間會劣化,同一事件打到兩個制度、團隊在入口間切換。
For APAC ODMs that supply consumer brands in multiple regulatory zones, a structural insight: GPSR-equivalents in other zones (US CPSC under CPSA, UK GPSR transposition, Japan PSE, Korea KC) all coexist with their cybersecurity-related counterparts. The CRA-GPSR pattern is one instance of a broader global pattern. APAC ODMs that build clean risk-category separation for EU compliance can reuse the architecture for US CPSC / FDA premarket, Japan PSE + JC-STAR, etc.
對供應多個法規區消費品牌的 APAC ODM、結構性洞察:其他區域的 GPSR 等價物(美國 CPSA 下的 CPSC、英國 GPSR 轉化、日本 PSE、韓國 KC)都跟自己的網路安全對應規定並存。CRA-GPSR 模式是更廣全球模式的一個實例。為 EU 合規建立穩健風險類別分離的 APAC ODM、可以把架構重用於美 CPSC / FDA 上市前、日本 PSE + JC-STAR 等。
Block 4 · Cross-regulation map 區塊 4 · 跨法規對照
Article 11 in the EU consumer product safety landscape 第 11 條在 EU 消費產品安全全景中
CRA Article 11 sits at the intersection of horizontal product safety law (GPSR) and sectoral safety legislation (LVD, EMC, RED, RoHS, REACH). Knowing the structure helps APAC manufacturers map which regime owns which risk. CRA 第 11 條坐落於橫向產品安全法(GPSR)與部門別安全立法(LVD、EMC、RED、RoHS、REACH)的交集。了解結構、有助於 APAC 製造商對應哪個制度管哪個風險。
GPSR 2023/988 — the consumer safety netGPSR 2023/988:消費安全網
GPSR is the residual horizontal safety regulation for consumer products not specifically covered by sector-specific legislation. CRA Article 11 carves cybersecurity-related risks out of GPSR. The structural design: GPSR is the floor; sectoral regulations (CRA, LVD, EMC, RED, etc.) raise the bar for specific risk categories. Where CRA applies, GPSR steps back on cybersecurity.
GPSR 是非特定部門別立法涵蓋的消費產品的剩餘橫向安全法規。CRA 第 11 條把網路安全相關風險從 GPSR 切出。結構設計:GPSR 是地板;部門別法規(CRA、LVD、EMC、RED 等)為特定風險類別提高門檻。CRA 適用時、GPSR 在網路安全上退場。
LVD 2014/35/EU — electrical safety carve-outLVD 2014/35/EU:電氣安全切出
LVD covers electrical safety in the 50–1000V AC / 75–1500V DC range. Most consumer connected products fall partly under LVD (the power supply, the mains-side electronics) and partly under CRA (the digital functions). The two regimes complement, not overlap. APAC manufacturers map LVD work to one set of harmonised standards (EN 60950 family, EN 62368-1) and CRA work to a different set (EN 18031, EN 304 6XX series).
LVD 涵蓋 50-1000V AC / 75-1500V DC 範圍的電氣安全。多數消費連網產品部分落在 LVD(電源、市電側電子)、部分落在 CRA(數位功能)。兩個制度互補、不重疊。APAC 製造商把 LVD 工作對應到一組調和標準(EN 60950 系列、EN 62368-1)、CRA 工作對應到另一組(EN 18031、EN 304 6XX 系列)。
RED 2014/53/EU — radio + cybersecurity stackRED 2014/53/EU:無線電 + 網路安全疊加
RED already covers cybersecurity for radio equipment (Article 3(3)(d), (e), (f) since 1 Aug 2025). RED-DA cybersecurity stacks with CRA — they do not carve each other out. A Wi-Fi smart camera faces RED-DA + CRA on the cybersecurity side, plus LVD on the electrical side, plus GPSR / Toy Safety on the mechanical / safety side. Article 11 governs only the CRA-vs-GPSR boundary; the RED-CRA boundary follows separate rules.
RED 已涵蓋無線電設備的網路安全(自 2025 年 8 月 1 日的第 3(3)(d)、(e)、(f) 條)。RED-DA 網路安全跟 CRA 疊加,彼此不互為例外。一台 Wi-Fi 智慧攝影機在網路安全側面對 RED-DA + CRA、加上電氣側的 LVD、加上機械 / 安全側的 GPSR / 玩具安全。第 11 條只規範 CRA-vs-GPSR 邊界;RED-CRA 邊界走獨立規則。
Toy Safety Directive 2009/48/EC — sectoral overlap玩具安全指令 2009/48/EC:部門別重疊
Connected toys (smart toys, learning robots, AR/VR for children) fall under the Toy Safety Directive plus CRA. Toy Safety covers physical, chemical, mechanical, and some electrical safety; CRA covers cybersecurity. Both apply simultaneously. APAC smart toy makers — particularly Taiwan and Korea — should map both regimes' essential requirements at design phase to avoid late-stage rework.
連網玩具(智慧玩具、學習機器人、兒童 AR/VR)受玩具安全指令加 CRA 規範。玩具安全涵蓋物理、化學、機械、部分電氣安全;CRA 涵蓋網路安全。兩者同時適用。APAC 智慧玩具製造商,特別是台灣與韓國,應在設計階段對應兩個制度的基本要求、避免後期返工。
Reg 2019/1020 — common market surveillanceReg 2019/1020:共同市場監督
2019/1020 is the horizontal market surveillance regime that enforces all of GPSR, CRA, LVD, EMC, RED, RoHS at the national level. Different regimes feed into the same market surveillance authority. APAC manufacturers facing a market surveillance inspection in Germany or France encounter one inspector applying multiple regulatory hats — they need a single, consolidated technical file that addresses all applicable regimes.
2019/1020 是在國家層級執法 GPSR、CRA、LVD、EMC、RED、RoHS 全部的橫向市場監督制度。不同制度匯入同一市場監督機關。在德國或法國面對市場監督檢查的 APAC 製造商、遇到一名檢查員戴多頂法規帽子,他們需要一份單一整合的技術檔、處理所有適用制度。