Article 12 Regulation (EU) 2024/2847 · Chapter I
High-risk AI systems — the bridge clause
Article 12 decides how the Cyber Resilience Act talks to the AI Act when both apply to the same product. The headline: comply with CRA Annex I, declare it on the EU DoC, and you are presumed to have met AI Act Article 15 cybersecurity — but only until Article 12(3) pulls Class II / Critical products back into CRA Article 32.
Block 1 · Official text
What the Regulation actually says
Source. Consolidated text from Regulation (EU) 2024/2847 as published in OJ L 2024/2847, 20 November 2024. References to "Regulation (EU) 2024/1689" point to the AI Act (OJ L, 12 July 2024). Translation is unofficial; refer to EUR-Lex for binding text.
Presumption bridge: CRA compliance → AI Act Article 15 compliance
1. Without prejudice to the requirements relating to accuracy and robustness set out in Article 15 of Regulation (EU) 2024/1689, products with digital elements which fall within the scope of this Regulation and which are classified as high-risk AI systems pursuant to Article 6 of that Regulation shall be deemed to comply with the cybersecurity requirements set out in Article 15 of that Regulation where:
(a) those products fulfil the essential cybersecurity requirements set out in Part I of Annex I;
(b) the processes put in place by the manufacturer comply with the essential cybersecurity requirements set out in Part II of Annex I; and
(c) the achievement of the level of cybersecurity protection required under Article 15 of Regulation (EU) 2024/1689 is demonstrated in the EU declaration of conformity issued under this Regulation.
AI Act Article 43 procedure applies; dual-competent notified bodies
2. For the products with digital elements and cybersecurity requirements referred to in paragraph 1 of this Article, the relevant conformity assessment procedure provided for in Article 43 of Regulation (EU) 2024/1689 shall apply. For the purposes of that assessment, notified bodies which are competent to control the conformity of the high-risk AI systems under Regulation (EU) 2024/1689 shall also be competent to control the conformity of high-risk AI systems which fall within the scope of this Regulation with the requirements set out in Annex I to this Regulation, provided that the compliance of those notified bodies with the requirements laid down in Article 39 of this Regulation has been assessed in the context of the notification procedure under Regulation (EU) 2024/1689.
The carve-back: Class II / Critical pull back to CRA Article 32
3. By way of derogation from paragraph 2 of this Article, important products with digital elements as listed in Annex III to this Regulation, which are subject to the conformity assessment procedures referred to in Article 32(2), points (a) and (b), and Article 32(3) of this Regulation and critical products with digital elements as listed in Annex IV to this Regulation which are required to obtain a European cybersecurity certificate pursuant to Article 8(1) of this Regulation or, absent that, which are subject to the conformity assessment procedures referred to in Article 32(3) of this Regulation, and which are classified as high-risk AI systems pursuant to Article 6 of Regulation (EU) 2024/1689, and to which the conformity assessment procedure based on internal control as referred to in Annex VI to Regulation (EU) 2024/1689 applies, shall be subject to the conformity assessment procedures provided for in this Regulation in so far as the essential cybersecurity requirements set out in this Regulation are concerned.
Plain reading: if an AI system would otherwise take the lightweight AI Act Annex VI internal-control route, but the underlying product is also a CRA Important Class II or Critical product, the cybersecurity-specific assessment is done under CRA Article 32 instead. Recital 51 explains the rationale — preventing the AI Act's internal-control procedure from reducing assurance below what CRA requires for higher-risk product tiers.
AI regulatory sandboxes
4. Manufacturers of products with digital elements as referred to in paragraph 1 of this Article may participate in the AI regulatory sandboxes referred to in Article 57 of Regulation (EU) 2024/1689.
Block 2 · Plain language
How the two regulations share a product
The CRA and the AI Act each have their own scope, their own conformity assessment procedures, and their own Annex III. The two Annex IIIs are unrelated — CRA Annex III lists product categories (routers, firewalls, boot managers), AI Act Annex III lists AI use-cases (biometrics, critical infrastructure, law enforcement). A single physical product can fall into both. Article 12 is the traffic-control clause that decides which regulation's procedure governs the cybersecurity aspects when that happens.
The clause does three distinct jobs, stacked in a specific order.
- §1 — presumption of conformity upwards. If you comply with CRA Annex I Parts I and II and state this in your EU Declaration of Conformity (Article 28), you are presumed to meet AI Act Article 15's cybersecurity requirements. You do not need a separate cybersecurity compliance demonstration under the AI Act. This is genuine burden reduction — one technical file, one set of evidence, one DoC covering cybersecurity for both regimes. Accuracy and robustness obligations under AI Act Article 15 are explicitly not covered by this bridge — those remain AI-Act work.
- §2 — procedure routed to the AI Act. The conformity assessment procedure that actually runs is AI Act Article 43, not CRA Article 32. Article 43 routes to one of two AI Act procedures — Annex VI (internal control, analogous to CRA Module A) or Annex VII (QMS-based with technical documentation examination, analogous to CRA Module H). Which one depends on AI Act Article 43(1) and (2). Notified bodies designated under the AI Act can handle the CRA Annex I part if they have also been assessed against CRA Article 39 during the AI Act notification process — one audit, one designation, two regulatory competences.
- §3 — carve-back for higher-risk CRA tiers. This is where it gets complex. If your AI system would otherwise take the AI Act's lightweight Annex VI (internal control) route, but the underlying product is a CRA Important Class II (Article 32(3)) or a Critical Annex IV product (Article 32(3) or Article 8(1) EUCC), then Article 12(3) pulls the cybersecurity assessment back into CRA Article 32. The AI Act internal-control route is not considered sufficient for CRA's higher-risk product tiers. Recital 51 of the CRA explicitly states this: "by way of derogation... high-risk AI systems... to which the conformity assessment procedure based on internal control referred to in Annex VI to Regulation (EU) 2024/1689 applies, should be subject to the conformity assessment procedures provided for in this Regulation in so far as the essential cybersecurity requirements set out in this Regulation are concerned". This design prevents the lighter AI Act internal-control route from pulling the assurance level of higher-risk products below what the CRA requires.
The quick decision tree for an APAC manufacturer whose product is both a CRA PwDE and a high-risk AI system under AI Act Article 6:
| Product also is… | AI Act route | Which Article governs cybersecurity conformity |
|---|---|---|
| Default tier (not Annex III) | Any AI Act Article 43 route (Annex VI or VII) | AI Act Article 43 — CRA Article 12(1) presumption bridge applies. |
| CRA Annex III Class I | Any AI Act Article 43 route | AI Act Article 43 generally. CRA Article 32(2) applies only when Module A is chosen and the hEN / common spec / EUCC substantial+ is fully applied — in which case the bridge still works. |
| CRA Annex III Class II | AI Act Annex VI (internal control) | CRA Article 32(3) — Article 12(3) carve-back triggered. Module B+C, H, or EUCC substantial+ required for the cybersecurity portion. |
| CRA Annex III Class II | AI Act Annex VII (QMS-based third-party) | AI Act Article 43 with dual-competent notified body. Article 12(3) does not trigger — the AI Act is already doing a heavy route. |
| CRA Annex IV Critical | Any AI Act route | CRA Article 8(1) EUCC if delegated act triggered; otherwise CRA Article 32(3). Article 12(3) carve-back activates when AI Act Annex VI would otherwise apply. |
Block 3 · APAC perspective
Where AI hardware meets both regulations at once
APAC exports into the EU are overwhelmingly hardware. AI Act exposure is sometimes dismissed as "a software regulation that mainly affects OpenAI, Mistral, Google" — but that mental model misses the large category of AI-capable hardware products shipped from Taiwan, Korea and Japan that now sit squarely inside both regulatory regimes. Four exposure patterns are worth naming.
Biometric hardware. Identity-management readers, fingerprint modules, facial-recognition cameras, palm-vein scanners. These are CRA Annex III Class I (1) "Identity management systems and privileged access management software and hardware, including authentication and access control readers, including biometric readers" and AI Act Annex III(1) biometric use-cases. Taiwan and Korea hold large global share. Under Article 12(1) the AI Act Article 43 conformity route governs; a dual-competent notified body can handle cybersecurity via the CRA Annex I bridge. Practical upside: one procedural engagement instead of two.
Edge AI silicon. NPUs, AI accelerators, ASICs/FPGAs with AI-specific features. If classified under CRA Annex III Class I (13) "microprocessors with security-related functionalities", (14) "microcontrollers with security-related functionalities" or (15) "ASIC/FPGA with security-related functionalities" and the chip is also embedded into a deployed high-risk AI system under AI Act Article 6, the Article 12 bridge may apply at the component level. But the integration clause of CRA Article 7(1) matters — the chip is the Annex III product, not the finished device. This is where APAC silicon suppliers need to be precise: their customer's AI product classification does not fall on them, but their own chip classification does.
Industrial AI gateways and control systems. The case where the Article 12(3) carve-back most often triggers in APAC manufacturing. An industrial gateway running an AI model for predictive maintenance might be CRA Annex III Class II (2) firewall/IDS/IPS territory if the same appliance also runs firewall functions, and be classified as high-risk AI under AI Act Annex III critical infrastructure (transport, electricity, gas, water). In that case, if the provider was expecting to use AI Act Annex VI (internal control), Article 12(3) pulls the cybersecurity piece back to CRA Article 32(3), meaning Module B+C, H, or EUCC substantial+ becomes mandatory. Planning impact: the Class II × Annex VI combination is the trap to flag early.
Smart-home AI products. Voice assistants, AI-equipped security cameras with local inference. CRA Annex III Class I (16) "smart home general purpose virtual assistants" and (17) "smart home products with security functionalities" overlap heavily with consumer-facing AI features. Most of these do not qualify as AI Act Annex III high-risk — so Article 12 does not apply to them on the AI side. They remain pure CRA cases. But manufacturers should still watch AI Act Article 50 transparency obligations that apply to certain general-purpose AI and AI-content-generation features.
Timeline point worth internalising: the AI Act and CRA do not apply on the same day. The AI Act's high-risk system obligations become applicable on 2 August 2027 — four months before CRA full application on 11 December 2027. An APAC manufacturer shipping an AI-enabled Annex III product into the EU in October 2027 lives under the AI Act alone for those four months, then both from 11 December onwards. Planning assumption: structure the conformity work to meet the earlier AI Act deadline; CRA compliance then layers on top.
Block 4 · Cross-regulation map
The CRA-AI Act seam in detail
Article 12 is easiest to read alongside the specific AI Act articles and annexes it refers to. The table below lists every external reference in Article 12, what it points to, and how the two legal instruments connect at that point.
| Reference | What it points to | How the two instruments connect |
|---|---|---|
| AI Act Article 6: Classification rules for high-risk AI systems | Two routes to high-risk classification. Route 1: the AI system is a safety component of, or itself, a product covered by Union harmonisation legislation listed in AI Act Annex I (e.g., Machinery Regulation, Toy Safety, Medical Devices). Route 2: the AI system falls within an Annex III use-case (biometrics, critical infrastructure, education, employment, etc.). | The trigger for Article 12 to apply at all. If the product is not a high-risk AI system per Article 6, Article 12 does nothing. |
| AI Act Article 15: Accuracy, robustness and cybersecurity | High-risk AI systems shall achieve appropriate accuracy, robustness and cybersecurity. Cybersecurity requirements in Article 15(5) include resilience against third-party attempts to alter use/outputs/performance, and measures against AI-specific vulnerabilities such as data poisoning and adversarial examples. | The destination of CRA Article 12(1)'s presumption. CRA Annex I compliance substitutes for a separate Article 15 cybersecurity compliance demonstration. Article 15's accuracy and robustness parts remain separately required. |
| AI Act Article 43: Conformity assessment procedure | Routes a high-risk AI system to either Annex VI (internal control) or Annex VII (QMS + technical documentation assessment). The default for Annex III point 1 (biometrics) is Annex VI when harmonised standards/common specifications are fully applied; otherwise Annex VII. Annex III points 2–8 default to Annex VI. | The procedure CRA Article 12(2) routes to — replacing CRA Article 32 in §1 cases. Article 12(3) carve-back reverses this for higher-risk CRA tiers. |
| AI Act Annex VI: Conformity assessment based on internal control | AI Act's light-touch conformity route — the provider verifies its own QMS against Article 17, examines technical documentation, and verifies the design/development/post-market monitoring conforms. No notified body. Analogous in form to CRA Module A. | The CRA deliberately blocks this route for Important Class II and Critical products via Article 12(3). Annex VI is considered insufficient assurance for those CRA tiers. |
| AI Act Annex VII: Conformity based on assessment of QMS and technical documentation | AI Act's third-party route — a notified body examines the provider's QMS and the technical documentation for every AI system. Analogous in form to CRA Module H (full quality assurance). | Does not trigger Article 12(3) carve-back because notified-body engagement is already happening. The bridge to CRA Article 12(1) works naturally. |
| AI Act Article 57: AI regulatory sandboxes | Member States establish AI regulatory sandboxes providing a controlled environment for pre-market testing of innovative AI systems. Free participation for SMEs; priority access for them. | Article 12(4) confirms that CRA-scoped PwDE manufacturers are eligible to participate — a useful testbed for APAC manufacturers building toward AI Act compliance before the EU full application date. |