Article 13 Regulation (EU) 2024/2847 · Chapter II 法規 (EU) 2024/2847 · 第二章
Obligations of manufacturers 製造商的義務
The 25-paragraph backbone of the CRA. Every APAC exporter selling a product with digital elements into the EU lives under this article. CRA 的 25 段骨幹條文。每一家把「具數位元素產品」賣進歐盟的 APAC 出口商,都活在這一條裡。
Block 1 · Official text 區塊 1 · 官方條文
What the Regulation actually says 條文實際怎麼寫
Source. Consolidated text from Regulation (EU) 2024/2847 as published in OJ L 2024/2847, 20 November 2024. Translation is unofficial; refer to EUR-Lex for binding text in all 24 EU languages. 來源。條文自《法規 (EU) 2024/2847》整合文本,發布於 OJ L 2024/2847,2024 年 11 月 20 日。此處中文為非官方翻譯;強制適用的條文請依 EUR-Lex 公告之 24 種歐盟官方語言版本。
Group 1 — Design-time obligations 第一組 —— 設計階段義務 ¶ 1, 2, 3
1. When placing a product with digital elements on the market, manufacturers shall ensure that it has been designed, developed and produced in accordance with the essential cybersecurity requirements set out in Part I of Annex I.
1. 製造商將具數位元素產品投放市場時,應確保該產品係依附件一第一部分所定之必要網路安全要求進行設計、開發與生產。
2. For the purposes of complying with paragraph 1, manufacturers shall undertake an assessment of the cybersecurity risks associated with the product and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases of the product.
2. 為遵守第一項之規定,製造商應就產品之網路安全風險進行評估,並於產品之規劃、設計、開發、生產、交付及維護各階段,將該評估結果納入考量。
Paragraph 3 abbreviated here — defines what the cybersecurity risk assessment must analyse (intended purpose, foreseeable use, conditions of use). Full text on EUR-Lex.
第 3 項於此略 —— 規定網路安全風險評估必須分析的內容(預期用途、可預見之使用方式、使用條件)。完整條文見 EUR-Lex。
Group 2 — Supply-chain due diligence 第二組 —— 供應鏈盡職調查 ¶ 5, 6
5. When placing a product with digital elements on the market, and for the support period, manufacturers shall exercise due diligence when integrating components sourced from third parties so that those components do not compromise the cybersecurity of the product.
5. 於將具數位元素產品投放市場時及於整個支援期間內,製造商整合第三方提供之元件時,應善盡注意義務,確保該等元件不致損害產品之網路安全。
Paragraph 6 abbreviated here — when manufacturers find a vulnerability in an integrated component (including open-source), they must report it back to whoever maintains that component and remediate.
第 6 項於此略 —— 製造商在已整合的元件(含開源元件)中發現弱點時,須通報該元件的維護方並協助 remediate。
Group 3 — Documentation as evidence 第三組 —— 文件作為證據 ¶ 4, 7, 13
13. Manufacturers shall keep the technical documentation and the EU declaration of conformity at the disposal of the market surveillance authorities for at least 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer.
13. 製造商應將技術文件與歐盟符合性宣告,於具數位元素產品投放市場後至少 10 年或整個支援期間內(取較長者),提供市場監督機關取用。
Paragraphs 4 and 7 abbreviated here — ¶4 requires the cybersecurity risk assessment to be included in the technical documentation; ¶7 requires manufacturers to systematically document cybersecurity aspects and update the risk assessment.
第 4、7 項於此略 —— 第 4 項要求網路安全風險評估納入技術文件;第 7 項要求製造商有系統地書面記錄網路安全相關面向並更新風險評估。
Group 4 — Post-market vulnerability handling 第四組 —— 上市後弱點處理 ¶ 8, 9, 10, 11, 21
8. Manufacturers shall ensure, when placing a product with digital elements on the market and for the support period, that vulnerabilities of that product, including its components, are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I. The support period shall be at least five years, unless the product is expected to be in use for less than five years.
8. 製造商於投放具數位元素產品時及於整個支援期間內,應確保該產品(含其元件)之弱點依附件一第二部分所定必要網路安全要求有效處理。支援期間應至少 5 年,除非產品預期使用時間少於 5 年。
Paragraphs 9, 10, 11, 21 abbreviated here — ¶9 each issued security update must remain available for at least 10 years; ¶10 substantially modified versions; ¶11 unsupported software risk notice; ¶21 immediate corrective action when non-compliance identified.
第 9、10、11、21 項於此略 —— 第 9 項每個安全更新須維持可取得至少 10 年;第 10 項實質修改版本;第 11 項未受支援軟體風險告知;第 21 項發現不合規時立即採取矯正措施。
Group 5 — Conformity, CE marking, identification & user-facing artefacts 第五組 —— 符合性、CE 標示、識別與使用者面向交付物 ¶ 12, 14, 15, 16, 17, 18, 19, 20
12. Before placing a product with digital elements on the market, manufacturers shall draw up the technical documentation referred to in Article 31 and carry out the relevant conformity assessment procedures referred to in Article 32, or have them carried out on their behalf. Where compliance has been demonstrated, manufacturers shall draw up the EU declaration of conformity in accordance with Article 28 and affix the CE marking in accordance with Article 30.
12. 於投放具數位元素產品前,製造商應依第 31 條編製技術文件,並依第 32 條進行或委由他人進行相關符合性評鑑程序。經程序確認符合者,製造商應依第 28 條簽發歐盟符合性宣告,並依第 30 條貼附 CE 標示。
17. For the purposes of this Regulation, manufacturers shall designate a single point of contact to enable users to communicate directly and rapidly with them, including in order to facilitate reporting on vulnerabilities of the product with digital elements.
17. 為本法規之目的,製造商應指定一個單一聯絡點,使使用者得以直接、快速地與其聯繫,特別是為了便於通報具數位元素產品之弱點。
Paragraphs 14, 15, 16, 18, 19, 20 abbreviated here — ¶14 series production conformity procedures; ¶15 product type/batch/serial identification; ¶16 manufacturer name and contact details on product; ¶18 user information per Annex II; ¶19 end date of support period at purchase; ¶20 simplified DoC per Annex VI.
第 14、15、16、18、19、20 項於此略 —— 第 14 項系列生產合規程序;第 15 項產品型號/批號/序號識別;第 16 項製造商名稱與聯絡資訊;第 18 項依附件二之使用者資訊;第 19 項購買時清楚標示支援期間結束日;第 20 項依附件六之簡化符合性宣告。
Group 6 — Authority interaction & Commission powers 第六組 —— 機關互動與委員會權力 ¶ 22, 23, 24, 25
22. Manufacturers shall, upon a reasoned request from a market surveillance authority, provide that authority with all the information and documentation necessary to demonstrate the conformity of the product with digital elements with the essential cybersecurity requirements set out in Annex I. Manufacturers shall cooperate with that authority on any measures taken to eliminate the cybersecurity risks posed by the product.
22. 市場監督機關提出附理由之請求時,製造商應提供展示具數位元素產品符合附件一所定必要網路安全要求所需之全部資訊與文件。製造商應就消除該產品所造成之網路安全風險所採取之任何措施,與該機關合作。
Paragraphs 23, 24, 25 abbreviated here — ¶23 cessation of operations notification; ¶24 Commission may, by implementing acts, specify the format and elements of the SBOM referred to in Annex I Part II(1); ¶25 ADCO may decide to conduct a Union-wide dependency assessment, in which case market surveillance authorities can request manufacturers to submit SBOMs.
第 23、24、25 項於此略 —— 第 23 項停止營運通報;第 24 項委員會得以 implementing acts 規定附件一第二部分第 (1) 點所指 SBOM 之格式與要素;第 25 項 ADCO 可決定進行歐盟範圍依賴性評估,市場監督機關得請求製造商提交 SBOM。
Block 2 · Plain language 區塊 2 · 白話解讀
What this actually means 這其實在說什麼
Article 13 is the load-bearing wall of the entire CRA. If you manufacture anything with a chip and a network connection that ends up on the EU market — whether it is a router, a toy, a CNC controller, or a Linux-based industrial gateway — this is the article that tells you what you must do. All 25 paragraphs orbit four duties: design it securely, assess the risk, handle vulnerabilities for the support period, and prove it on paper.
The paragraph that surprises people most is paragraph 5 — due diligence on third-party components. If you put a Realtek chip or an open-source cryptography library inside your product, you are on the hook for its vulnerabilities. Not the original author. You.
"Security is no longer a feature you can add late. Under Article 13(1), it has to be baked in from the design phase — or the product cannot bear CE marking."
The other trap is paragraph 8 — vulnerability handling for the support period. You declare how long you'll support the product. That clock is now a legal commitment, not a marketing sticker. Under-declare and you lose market access; over-declare and you carry a multi-year compliance burden.
How vulnerability handling actually decomposes — six phases, not one duty
Article 13 says manufacturers shall handle vulnerabilities. It does not tell you how. The how lives in prEN 40000-1-3, the harmonised standard CEN-CENELEC JTC 13 WG 9 is drafting against this article. The standard divides vulnerability handling into six sequential phases, each with its own requirement IDs and its own expected outputs. Reading these in order is the cleanest mental model I've found for what Article 13(8) is actually asking for.
1. [PRE] Preparation — write the policies and build the receipts
This is everything you do before the first vulnerability ever lands in your inbox. Ten requirements (PRE-1 to PRE-10) covering: an internal vulnerability handling policy [PRE-1-RQ-01]; a public coordinated vulnerability disclosure (CVD) policy [PRE-2-RQ-01]; operational security for sensitive vulnerability data [PRE-3]; secure communication channels [PRE-5]; product identification (SKU, version, build) [PRE-6]; and — the heaviest two — software bill of materials [PRE-7] and hardware bill of materials [PRE-8]. PRE is where most APAC manufacturers will spend their first six months of remediation work, because the SBOM/HBOM requirement is structural: you cannot add it after the fact, you have to build it into your CI/CD.
2. [RCP] Receipt — make sure reports actually reach you
Seven requirements covering how vulnerability reports come in. RCP-1 demands a documented capability to receive reports — in practice, a security.txt file at /.well-known/security.txt, an email alias, a CVD coordinator relationship. RCP-2 requires monitoring — you have to actively watch CVE feeds, vendor security advisories of your upstream components, NVD, and your own bug bounty pipeline. RCP-3 and RCP-4 require you to map a newly disclosed CVE in any of your software or hardware components back to the products that contain them; this is where the SBOM from PRE-7 becomes operational. RCP-6 and RCP-7 require regular tests and reviews on your own product, not just reactive intake.
3. [VRF] Verification — triage
Two requirements (VRF-1, VRF-2). VRF-1 is the assessment: is the report credible, reproducible, applicable to your product, and what is the severity? VRF-2 is the prioritisation: given the severity and exploitability, what's the queue position? The deliverable is "a tracked, verified vulnerability report including an assessment of the vulnerability and its severity" — which becomes the input to remediation and, if the bar is met, the input to your Article 14 SRP notification.
4. [RMD] Remediation — decide, build, test
Three requirements (RMD-1 to RMD-3). RMD-1 is the decision (patch, mitigate, accept, withdraw), RMD-2 is the actual fix development, RMD-3 is testing the fix for effectiveness and compatibility. Compatibility is the trap APAC OEMs underestimate: a fix that breaks customer integrations is a fix that gets rejected. The deliverable is a tested remediation, ready to ship.
5. [RLS] Release — ship the update, publish the advisory
Two requirements. RLS-1 covers the security update distribution itself — secure channel, integrity verification, automatic update for consumer products, installation instructions. RLS-2 covers the advisory: a publication that lists the vulnerability, identifier (CVE), affected product, impact, severity, and remediation steps. RLS-2-RQ-03-RE specifies a machine-readable format, and the standard explicitly references CSAF 2.0 (ISO/IEC 20153:2025). RLS-2-RC-01 expects the information to land in the EU Vulnerability Database (EUVD). If you've never published a CSAF document before, this is the requirement that will surprise your engineering organisation the most.
6. [PRA] Post-release — measure, learn, improve
One requirement (PRA-1) but a heavy one. After the patch is out, you monitor adoption (did users actually install it?), capture lessons learned, and feed those learnings back into PRE — better policies, sharper detection, faster triage next time. This is the loop that makes vulnerability handling a process, not a project.
Reading Article 13(8) without this six-phase decomposition makes the obligation feel like a single black box. Reading it through prEN 40000-1-3 makes it operational: each phase has named outputs, and a notified body or market surveillance authority can ask you for any of them by name. Build your evidence binder along these six phases and audit becomes recognition, not surprise.
第 13 條是整部 CRA 的承重牆。如果你做的任何「帶晶片、可連網」產品最後會進歐盟市場,不管是家用 router、玩具、CNC 控制器、還是 Linux-based 工控閘道,這一條就是告訴你「該做什麼」的那一條。25 段條文圍繞四個核心義務:安全地設計、評估風險、在 support period 處理弱點、用文件證明你做到了。
讀到時最會被嚇到的是第 5 項:對第三方元件的盡職調查。只要你把一顆 Realtek 晶片或一個開源密碼函式庫放進你的產品,那個元件的弱點就是你的責任,不是原作者的。
「安全不是事後可以加上去的功能。依第 13(1) 條,它必須從設計階段就做進去,否則這個產品拿不到 CE 標示。」
另一個陷阱在第 8 項:support period 內的弱點處理。你宣告產品支援多久,這個宣告現在是法律承諾,不是行銷貼紙。宣告太短會失去市場;宣告太長要背好幾年的合規成本。
弱點處理實際上怎麼拆解,六個階段、不是一個義務
第 13 條只說製造商「應」處理弱點、沒告訴你「怎麼」處理。「怎麼處理」的細節在 prEN 40000-1-3 裡,CEN-CENELEC JTC 13 WG 9 為了對齊這條條文正在起草的調和標準。標準把弱點處理切成六個依序的階段、每個階段有自己的 requirement ID、自己預期的產出文件。依序讀過這六個階段,是我目前找到對「第 13(8) 條到底要你做什麼」最乾淨的心智模型。
1. [PRE] 準備,寫好政策、建好接收通道
這是「第一個弱點還沒進到你信箱之前」要做完的所有事。10 個 requirement(PRE-1 到 PRE-10)涵蓋:內部弱點處理政策 [PRE-1-RQ-01];對外的協調式弱點揭露(CVD)政策 [PRE-2-RQ-01];敏感弱點資料的營運安全 [PRE-3];安全通訊通道 [PRE-5];產品識別(型號、版本、build 編號)[PRE-6];以及最重的兩項,軟體物料清單 SBOM [PRE-7] 跟硬體物料清單 HBOM [PRE-8]。多數 APAC 製造商剛開始補強合規時,前六個月會花在 PRE 上,因為 SBOM/HBOM 是結構性的需求,不能事後補、必須做進 CI/CD 流程裡。
2. [RCP] 接收,確保報告真的進得來
7 個 requirement,講弱點報告怎麼進來。RCP-1 要求有文件化的接收能力,實務上是 /.well-known/security.txt 檔、一個 email alias、一個 CVD 協調人關係。RCP-2 要求監測,你必須主動關注 CVE feed、上游元件的 vendor security advisory、NVD、跟自己的 bug bounty 管道。RCP-3 跟 RCP-4 要求把新揭露的 CVE 反向對應到含有該元件的產品,這就是 PRE-7 SBOM 開始發揮作用的地方。RCP-6 跟 RCP-7 要求對自己產品做定期測試跟審查、不只是被動接收。
3. [VRF] 驗證,分流
2 個 requirement(VRF-1、VRF-2)。VRF-1 是評估:報告可信嗎、可重現嗎、適用於我的產品嗎、嚴重度多少?VRF-2 是優先級判斷:依嚴重度跟可利用性決定隊伍位置。產出是「一份追蹤過、驗證過、含嚴重度評估的弱點報告」,這份報告會變成 RMD(修復)的輸入;如果跨過了 Article 14 的門檻,也會變成 SRP 通報的輸入。
4. [RMD] 修復,決策、開發、測試
3 個 requirement(RMD-1 到 RMD-3)。RMD-1 是決策(修補、緩解、接受風險、下架);RMD-2 是實際開發修補;RMD-3 是測試修補的有效性跟相容性。相容性這個陷阱 APAC OEM 容易低估:一個會打壞客戶系統整合的修補就是會被退回的修補。產出是一份測試過、可以出貨的修補。
5. [RLS] 發佈,出修補、發公告
2 個 requirement。RLS-1 涵蓋安全更新本身的散發,安全通道、完整性驗證、消費性產品的自動更新、安裝說明。RLS-2 涵蓋公告:一份說明弱點、識別碼(CVE)、受影響產品、影響、嚴重度、修補步驟的發佈。RLS-2-RQ-03-RE 規定要有機讀格式、標準明確引用 CSAF 2.0(ISO/IEC 20153:2025)。RLS-2-RC-01 期待這個資訊也進歐盟弱點資料庫(EUVD)。如果你的工程組織以前沒發過 CSAF 文件,這個 requirement 會是最讓人意外的。
6. [PRA] 發佈後,量、學、改
1 個 requirement(PRA-1)但份量重。修補出去之後,你監控採用率(用戶真的有裝嗎?)、整理教訓、把學到的東西回饋到 PRE,下次政策更好、偵測更銳利、分流更快。這是讓弱點處理變成「流程」、而不是「專案」的回饋迴圈。
不用這六階段拆解、第 13(8) 條讀起來像一個大黑盒子。透過 prEN 40000-1-3 來讀,這條條文就變成可以操作的:每個階段有名字明確的產出,公告機構或市場監督機關可以按名稱索取任何一份。沿著這六個階段建立你的證據夾,稽核就會變成「展示」、不是「驚訝」。
Block 3 · APAC perspective 區塊 3 · APAC 觀點
How this lands in Taiwan, Japan, and Korea 這一條在台日韓怎麼落地
Mapping against local frameworks 與當地框架的對照
First, get the layers straight. The CRA is a Regulation — directly applicable EU-wide law, with penalties under Article 64. To match that layer in Taiwan: the Cybersecurity Management Act (資通安全管理法) is organisation-facing and does not regulate products directly; the Commodity Inspection Act (商品檢驗法) plus BSMI mandatory inspection is the legal instrument that imposes product-level obligations. But Taiwan has no central product-cybersecurity statute today. BSMI is set to begin mandatory inspection of IoT products from 1 January 2028 — that is Taiwan's first concrete step toward the CRA's legal layer. Until then, Taiwan-based manufacturers facing the CRA are responding to EU statutory force without an equivalent domestic statute to lean on — they cannot patch CRA exposure together from existing local compliance.
先把層級分清楚。CRA 是 Regulation,歐盟全境直接適用的法律,違反有第 64 條罰則。要對應這個層級的台灣對照是:資通安全管理法是組織面的、不直接管產品;商品檢驗法搭配 BSMI 強制檢驗才是台灣對「產品」課強制義務的法律工具。但目前台灣沒有針對網路安全的中央級產品法規,BSMI 規劃 2028 年 1 月 1 日起對 IoT 產品施加強制檢驗,這才是台灣往 CRA 法律層級走的第一步。在這之前,台灣製造商面對 CRA 時、是用 EU 的法律強度應對台灣沒有的法律強度,不是把既有國內合規拼起來就能應對。
Japan needs to be read in two layers. Statutory layer: the Economic Security Promotion Act (経済安全保障推進法 / 重要設備等安全確保推進法, 2022; amended 2024 to add seaports) imposes mandatory prior review on Core Infrastructure operators procuring critical equipment; the Active Cyber Defense Act (ACDA, May 2025) strengthens incident-reporting duties on critical infrastructure operators; the Act on the Promotion of Information Processing, currently under revision, sits closer to the CRA on vulnerability handling but is narrower than the CRA's broader PwDE scope. The Electrical Appliance and Material Safety Act (PSE) is a traditional electrical-safety statute that does not directly contain cybersecurity content and does not connect to the CRA. Labelling / policy layer: JC-STAR — not a law, but a labelling scheme plus policy push run by METI together with IPA. Reaching ★★★ does not satisfy any legal obligation and does not exempt a product from CRA obligations. Its role is closer to the EU's EUCC scheme (voluntary certification): a useful CRA reference, not a substitute. Net: Japan has not yet reached the CRA's position of imposing mandatory legal obligations on cybersecurity at the product level — the Economic Security Promotion Act covers procurement-side review for Core Infrastructure, not the product itself. For Korea, the statutory layer is the Network Act (정보통신망법) and the Telecommunications Business Act (전기통신사업법) — K-ISMS and TTA IoT certification are certification schemes, not laws, and lean toward ISO 27001 organisational posture rather than CRA-style per-product obligations.
日本要分兩層看。法律層有:經濟安保法(2022 年立法、2024 年修法把港灣納入;正式名稱「重要設備等安全確保推進法」/ Economic Security Promotion Act)對 Core Infrastructure 業者採購關鍵設備課強制事前審查義務;ACDA(Active Cyber Defense Act,2025 年 5 月制定)強化關鍵基礎設施業者的事件通報義務;正在修法中的資訊處理促進法在弱點處理面接近 CRA、但範圍仍窄於 CRA 的全面 PwDE 義務。電氣用品安全法(PSE)是傳統的電氣安全法、不直接含網路安全內容、跟 CRA 不對接。標示 / 政策層是 JC-STAR:這不是法律、是 METI 加上 IPA 推動的「標示計畫」加「政策推動」,拿到 ★★★ 不等於滿足任何法律義務、不等於免於 CRA 義務。它的角色比較像 EU 的 EUCC scheme(自願認證),對 CRA 而言是參考、不是替代。整體看:日本目前還沒走到「對網路安全在產品層級施加全面強制法律義務」這個 CRA 的位置,經濟安保法只管 Core Infrastructure 採購端、不管產品本身。韓國的法律層是 정보통신망법(網路利用促進與資訊保護法)跟 전기통신사업법,K-ISMS 跟 TTA IoT 驗證是認證制度、不是法律,且偏 ISO 27001 的組織體系,離 CRA 這種對單一產品施加義務的層級還有一段距離。
The misconception I hear most often 我最常聽到的誤解
"We're just an ODM — our customer handles CE marking." Article 13 does not care. If you are the entity that designs or produces the product, you are the manufacturer. If your brand customer rebrands and places it on the EU market, Article 22 makes them the manufacturer — but only for their branded version. For your own-label exports, the obligation is yours.
「我們只是 ODM,CE 標示是客戶的事。」第 13 條不理你這套。只要你是設計或生產產品的主體,你就是製造商。如果品牌客戶重貼牌後再投入歐盟市場,第 21 條會讓他們變成那個品牌版本的製造商,但只針對他們自有品牌的版本。你自有品牌出口的產品,義務還是在你身上。
Where APAC has an actual advantage APAC 真正的優勢在哪
Article 13(17)'s single-point-of-contact obligation is a 24/7 commitment. APAC hardware makers running tight support operations already have this muscle — what's missing is the public-facing disclosure channel. This is where APAC firms can outpace European SMEs who have the channels but lack the engineering depth.
第 13(17) 條的「單一聯絡窗口」義務,實質上是 24/7 的承諾。APAC 硬體業者本來就有紮實的售後能量,缺的是「對外公開」的揭露管道。這正是 APAC 業者可以勝過歐洲中小企業的地方:歐洲業者有公開管道但缺工程深度,APAC 業者有工程深度但欠缺公開管道。把後者補上,反超是可能的。
Block 4 · Cross-regulation map 區塊 4 · 跨法規對照
Where Article 13 touches other EU regimes 第 13 條與其他歐盟法規的交集
Article 13 does not live alone. It overlaps with four other European regimes in ways that matter for APAC exporters. 第 13 條不是孤立存在的。它跟其他四部歐盟法規實質重疊,這些重疊對 APAC 出口商特別重要。
AI Act · Article 15
AI accuracy & robustness
AI 準確性與穩健性
Article 12 of CRA declares: if your product is a high-risk AI system under Regulation (EU) 2024/1689, compliance with CRA's Annex I is deemed to satisfy the AI Act's Article 15 cybersecurity requirements.
CRA 第 12 條規定:如果產品是 Regulation (EU) 2024/1689 下的高風險 AI 系統,符合 CRA 附件一就推定滿足 AI Act 第 15 條的網路安全要求。一份技術檔案、一組證據、兩部法規共用。
RED DA · (EU) 2022/30
Radio Equipment Delegated Act
無線電設備授權法案
RED DA Article 3(3)(d)(e)(f) applies from Aug 2025 to radio equipment. CRA Article 13 goes further: it covers wired products too, and extends to the full support period. Wireless IoT makers will comply with both.
RED DA 第 3(3)(d)(e)(f) 條從 2025 年 8 月起適用於無線電設備。CRA 第 13 條範圍更廣,連有線產品都涵蓋,而且延伸到整個 support period。出貨無線 IoT 的業者,兩套都要遵循。
NIS2 · (EU) 2022/2555
Network & Information Security
網路與資訊系統安全
NIS2 governs operators; CRA governs products. But CRA Article 13(2) risk assessment dovetails with NIS2 Article 21 risk management — manufacturers supplying NIS2 essential entities will face diligence audits on their Article 13 records.
NIS2 管的是營運商、CRA 管的是產品。但 CRA 第 13(2) 條的風險評估、跟 NIS2 第 21 條的風險管理是緊扣在一起的,供貨給 NIS2 essential 實體的製造商,會被要求提出 CRA 紀錄供稽核。
MDR · (EU) 2017/745
Medical Device Regulation
醫療器材法規
CRA Article 2(2) excludes MDR-regulated medical devices from the CRA — but only where MDR covers equivalent cybersecurity requirements. For hybrid products (e.g., home telehealth hardware), a gap analysis is essential before relying on exclusion.
CRA 第 2(2) 條把 MDR 規範的醫療器材排除在 CRA 之外,但僅限於 MDR 實際涵蓋的範圍。混合型產品(例如居家遠距醫療硬體)主張排除之前,務必做一次缺口分析。第 2 條的範圍問題有更詳細討論。