Article 14 Regulation (EU) 2024/2847 · Chapter II 法規 (EU) 2024/2847 · 第二章
Reporting obligations of manufacturers 製造商的通報義務
The nearest CRA deadline. From 11 September 2026, every manufacturer — regardless of product tier — must report actively exploited vulnerabilities and severe incidents on a 24h / 72h cadence, with final reports at 14 days for vulnerabilities or one month for severe incidents. This obligation also reaches back to products already on the EU market. CRA 最近在眼前的期限。自 2026 年 9 月 11 日起,每一家製造商,不論產品層級,都必須以 24 小時 / 72 小時節奏通報被積極利用的弱點與重大事件,final report 弱點 14 天、嚴重事件 1 個月。此義務也溯及已在歐盟市場的產品。
Block 1 · Official text 區塊 1 · 官方條文
What the Regulation actually says 條文實際怎麼寫
Source. Consolidated text from Regulation (EU) 2024/2847 as published in OJ L 2024/2847, 20 November 2024. Translation is unofficial; refer to EUR-Lex for binding text in all 24 EU languages. 來源。條文自《法規 (EU) 2024/2847》整合文本,發布於 OJ L 2024/2847,2024 年 11 月 20 日。此處中文為非官方翻譯;強制適用的條文請依 EUR-Lex 公告之 24 種歐盟官方語言版本。
Single Reporting Platform & the 24-hour early warning 單一通報平台與 24 小時早期警訊 ¶ 1 – 2(a)
1. A manufacturer shall notify any actively exploited vulnerability contained in the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator, in accordance with paragraph 7 of this Article, and to ENISA. The manufacturer shall notify that actively exploited vulnerability via the single reporting platform established pursuant to Article 16.
1. 製造商知悉其具數位元素產品含有被積極利用之弱點時,應依本條第 7 項所定,同時向指定為協調者之 CSIRT 及 ENISA 通報。該通報應透過依第 16 條建立之單一通報平台為之。
2(a). An early warning notification of an actively exploited vulnerability, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, indicating, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available.
2(a). 就被積極利用之弱點,於製造商知悉後應無不當遲延,並於 24 小時內提交早期警訊通報;於適用時,應指出製造商所知其具數位元素產品已於哪些會員國境內可供取得。
72-hour notification & 14-day final report 72 小時通報與 14 天最終報告 ¶ 2(b) – 2(c)
2(b). Unless the relevant information has already been provided, a vulnerability notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the actively exploited vulnerability, which shall provide general information, as available, about the product with digital elements concerned, the general nature of the exploit and of the vulnerability concerned as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take.
2(b). 除相關資訊已於前揭早期警訊提供外,製造商知悉被積極利用之弱點後應無不當遲延,並於 72 小時內提交弱點通報;通報應就相關具數位元素產品、利用與弱點之一般性質、以及已採取之矯正或緩解措施、使用者可採之矯正或緩解措施,提供可取得之一般資訊。
2(c). Unless the relevant information has already been provided, a final report, no later than 14 days after a corrective or mitigating measure is available, including at least the following: a description of the vulnerability, including its severity and impact; where available, information concerning any malicious actor that has exploited or that is exploiting the vulnerability; details about the security update or the corrective or mitigating measures that have been made available to address the vulnerability.
2(c). 除相關資訊已提供外,於矯正或緩解措施可供使用後 14 日內提交最終報告;內容至少應包括:弱點之描述(含嚴重性與影響);於可取得時,涉及利用該弱點之惡意行為者之資訊;為處理該弱點所提供之安全更新或矯正/緩解措施之細節。
Severe incidents (parallel timeline) 重大事件(平行時程) ¶ 3 – 4
3. A manufacturer shall notify any severe incident having an impact on the security of the product with digital elements simultaneously to the CSIRT designated as coordinator and to ENISA, via the single reporting platform.
3. 製造商應就任何影響其具數位元素產品安全之重大事件,透過單一通報平台同時向指定為協調者之 CSIRT 與 ENISA 通報。
4. The manufacturer shall submit: (a) an early warning within 24 hours; (b) an incident notification within 72 hours; (c) a final report within one month after the submission of the incident notification in (b). The content mirrors paragraph 2 requirements, adapted for incidents rather than vulnerabilities.
4. 製造商應提交:(a) 24 小時內之早期警訊;(b) 72 小時內之事件通報;(c) 於 (b) 事件通報提交後 1 個月內之最終報告。內容比照第 2 項之要求,就事件(非弱點)調整適用。
Third-party components & user notification 第三方元件與使用者通知 ¶ 4(third-party) – 8
4. Where a manufacturer becomes aware of an actively exploited vulnerability in a component, including in an open-source component, that is integrated into the product with digital elements, they shall report the vulnerability to the person or entity manufacturing or maintaining the component, and shall address and remediate the vulnerability in accordance with the vulnerability handling requirements set out in Part II of Annex I.
4. 製造商知悉已整合於其產品之元件(含開源元件)含有被積極利用之弱點時,應向製造或維護該元件之人或機構報告該弱點,並依附件一第二部分所定之弱點處理要求,予以處理並修正。
8. After becoming aware of an actively exploited vulnerability or a severe incident having an impact on the security of the product with digital elements, and where applicable, after taking corrective or mitigating measures, the manufacturer shall inform the users of the product with digital elements and, where appropriate, all users, about the vulnerability or the incident and, where necessary, about any corrective or mitigating measures that the users can deploy to mitigate the impact of that vulnerability or incident, in a structured, machine-readable format that is easily automatically processable.
8. 製造商知悉被積極利用之弱點或影響產品安全之重大事件後,於適當情形並於採取矯正或緩解措施後,應以結構化、易於機器自動處理之格式,告知其具數位元素產品之使用者(必要時告知所有使用者)該弱點或事件,以及必要時使用者可採行以減輕該弱點或事件影響之矯正或緩解措施。
Single-submission rule & SME carve-out 單一提交原則與中小企業豁免 ¶ 7 · cross-ref Article 64(10)
7. The CSIRT designated as coordinator for the Member State where the manufacturer has its main establishment shall be the initial recipient. That CSIRT, upon receipt of the notification, shall share it without undue delay with the other CSIRTs designated as coordinators in Member States where the product with digital elements has been made available. One submission reaches all relevant CSIRTs and ENISA; no separate national filings required.
7. 製造商主要設立地所在會員國之 CSIRT 為初始收件方。該 CSIRT 收到通報後,應無不當遲延,分享予其具數位元素產品已可供取得之其他會員國所指定之 CSIRT。單一提交即可觸及相關所有 CSIRT 與 ENISA;無需向各國分別通報。
Article 64(10)(a) — SME exception. Microenterprises and small enterprises (fewer than 50 employees, annual turnover or balance sheet total up to EUR 10 million) are exempt from administrative fines for breaching the 24-hour early warning timing specifically — but the obligation to report still applies.
第 64 條第 10 項 (a) — 中小企業豁免。微型與小型企業(員工 50 人以下、年營業額或資產負債表總額不超過 1,000 萬歐元)就 24 小時早期警訊時程之違反,豁免行政罰,但通報義務本身仍適用。
Block 2 · Plain language 區塊 2 · 白話解讀
What this actually means 這其實在說什麼
The three clocks that decide everything
Article 14 runs on three stopwatches, and all of them start the moment the manufacturer becomes aware. Not the moment you confirm, not the moment you finish forensic analysis — the moment a reasonably informed engineer could say "this looks like an actively exploited vulnerability in our product." The CRA defines "actively exploited" as a vulnerability where reliable evidence shows a malicious actor has used it without the system owner's permission. That is a lower bar than criminal-proof confirmation.
24 hours gets you an early warning — product name, a sentence of context, affected Member States if you know. 72 hours adds technical detail. 14 days delivers a final report, but the 14-day clock only starts when a corrective or mitigating measure is available, not at discovery. For severe incidents, the final report window extends to one month.
Why September 2026 bites before December 2027
The rest of the CRA — conformity assessment, CE marking, technical documentation — applies from 11 December 2027 and only to products placed on the market from that date. Article 14 is the exception. It applies from 11 September 2026 and it reaches back to every CRA-covered product already sitting in EU buyers' hands. A product shipped in 2023 is still covered in 2026 if it is still being made available on the EU market.
That single design choice transforms Article 14 from a "future compliance project" into a "now operational obligation." If your PSIRT, SBOM inventory, and ENISA SRP account do not exist by August 2026, you will miss the window on your first real incident.
→ Long read: what 11 September 2026 actually binds you to (and what it doesn't)
One submission, not twenty-seven — but pick the right CSIRT
Article 14(7) solves a problem many APAC exporters have feared: that shipping to 27 Member States might mean 27 parallel notifications. It does not. You submit once, the receiving CSIRT forwards to ENISA and to all other relevant national CSIRTs, and your legal team needs to identify one CSIRT, not twenty-seven.
The trickier question for non-EU manufacturers is which CSIRT. Most articles online describe it as "the authorised representative's Member State" and stop there. The actual rule is a strict four-step waterfall, and each step uses a highest-number tie-breaker:
- The Member State where the authorised representative acting on behalf of the manufacturer for the highest number of products is established.
- If no auth. rep, then the Member State of the importer placing on the market the highest number of products.
- If no importer, then the Member State of the distributor making available the highest number of products.
- If none of the above can be identified, then the Member State with the highest number of users.
Two consequences APAC exporters routinely miss. First: a Taiwan ODM that sells through five different EU importers without designating an authorised representative will land at step (b) — the importer with the highest unit volume — regardless of where the OEM brand sits. Second: distribution patterns shift. The CSIRT you reported to in Q3 may not be the right one in Q1 next year if your importer mix moves. The regulation lets you keep using the same CSIRT once you reach step (d), but not earlier in the waterfall — for steps (a) through (c) you have to re-evaluate when your distribution shifts. Build that re-evaluation into your incident response plan now, not on day one of an actual incident.
The small-company carve-out you should not rely on
Article 64(10)(a) gives microenterprises and small enterprises (under 50 employees, up to €10M turnover) a narrow reprieve: you cannot be fined specifically for missing the 24-hour early warning deadline. This is timing relief only. You still must report, still must meet the 72-hour and 14-day deadlines, and still face fines for those. And the moment you cross 50 employees or €10M, the relief evaporates. Treat it as a soft landing for scale-ups, not a strategy.
The OSS-steward sub-regime almost everyone missed
If you are an open-source software steward — a legal person systematically supporting the development of FOSS products that are eventually placed on the market — Article 24 carves you out of most of Article 14. Two exceptions only. Article 14(1) (the duty to notify actively exploited vulnerabilities) applies to stewards only to the extent they are involved in the development of the product. Article 14(3) and 14(8) (the duty to report severe incidents and to inform users) apply only when the severe incident affects the network and information systems the steward provides for the development. Everything else — the 24/72/14-day clocks of 14(2), the incident clocks of 14(4), the CSIRT cascade of 14(7), the delegated and implementing acts of 14(9) and 14(10) — does not apply to stewards.
And then, even more decisively, Article 64(10)(b) makes stewards completely fine-exempt for any infringement of the CRA. This is the strongest carve-out in the entire regulation. The legislative intent is to avoid chilling the foundations the rest of the digital economy depends on. The practical implication is that a steward like the Apache Software Foundation, the Linux Foundation, the OpenSSL Foundation, or the OpenJDK community has obligations to write a security policy and to cooperate with market surveillance authorities, but cannot be compelled by fines to operate the same incident-reporting machinery a commercial manufacturer does.
Why this matters for APAC: many Asian hardware vendors fund and contribute to upstream OSS projects. The vendor's commercial product is fully in scope; the upstream steward is mostly out of scope. Do not conflate the two regimes when designing your supply-chain due diligence under Article 13(5).
三個倒數時鐘決定一切
第 14 條靠三個碼錶運作,三個都是在製造商「知悉」的那一刻起算。不是確認的那一刻,也不是完成鑑識分析的那一刻,而是一個合理專業的工程師能說「這看起來是我們產品中一個被積極利用的弱點」的那一刻。CRA 把「被積極利用」定義為有可信證據顯示惡意行為者在系統擁有者沒授權的情況下利用這個弱點。這個門檻比「刑事級證明」低得多。
24 小時要交早期警訊,產品名稱、一段背景說明、已知受影響的會員國。72 小時要補技術細節。14 天交最終報告,但 14 天時鐘是從「矯正或緩解措施可用」那一刻起算,不是從知悉起算。重大事件再延到 1 個月。
2026 年 9 月的這個時點,比 2027 年 12 月先咬到你
CRA 其餘條文(conformity assessment、CE 標示、技術文件)2027 年 12 月 11 日才適用,且只適用於那天之後投入市場的產品。第 14 條是例外。它從 2026 年 9 月 11 日就適用,而且溯及已經在歐盟買家手上的每一台 CRA 受管產品。2023 年出貨的產品,到 2026 年只要還在歐盟市場上可以取得,照樣受管。
這一個設計選擇,把第 14 條從「未來的合規專案」變成「當下的營運義務」。如果你的 PSIRT、SBOM 清單、ENISA SRP 帳號 2026 年 8 月還沒準備好,第一次真實事件你就會錯過時間窗口。
→ 長文:2026 年 9 月 11 日真正綁住你的是什麼(跟不是什麼)
一次提交就好,不是 27 次——但要挑對 CSIRT
第 14(7) 條解決了很多 APAC 出口商擔心的問題:出貨到 27 個會員國,是不是要交 27 份通報?答案是不用。你只要一次提交,那個 CSIRT 會把通報轉發給 ENISA 跟其他相關國家的 CSIRT。你的法務只要認一個 CSIRT,不用認 27 個。
對非歐盟製造商來說,比較棘手的問題是「哪一個 CSIRT」。網路上多數文章寫成「authorised representative 所在會員國」就停了。實際的規則是一個嚴格的四步階序,每一步都用「數量最多」做 tie-breaker:
- 「代表最多產品的 authorised representative」所在的會員國。
- 如果沒有 auth. rep,就改用「placed on the market 數量最多的進口商」所在的會員國。
- 如果也沒有進口商,就改用「made available 數量最多的經銷商」所在的會員國。
- 以上都無法確定,才落到「用戶數量最多」的會員國。
有兩個後果 APAC 出口商常常沒注意到。第一:台灣 ODM 透過 5 個不同的歐盟進口商出貨、卻沒有指定 auth. rep,落點是第 (b) 步——出貨量最高的那個進口商所在地、不是 OEM 品牌所在地。第二:通路結構會變動。你 Q3 報過的 CSIRT,到隔年 Q1 可能因為進口商組合改變、就不是正確的 CSIRT 了。法規允許你在落到第 (d) 步後繼續用同一個 CSIRT、但 (a) 到 (c) 步沒這個延續性——通路一變就要重新判定。把這個重新判定流程現在就寫進事件應變計畫,不要等真的事件發生那天才想。
中小企業有條窄縫,但不要靠它
第 64(10)(a) 條給微型跟小型企業(50 人以下、年營收不超過 €10M)一個窄縫:你不會專門因為違反 24 小時早期警訊期限而被罰。這只是時程豁免。你還是必須通報、還是要遵守 72 小時跟 14 天的期限、那些違反還是會被罰。而且你一跨過 50 人或 €10M,這條豁免立刻消失。當作 scale-up 期的軟著陸就好,不要當策略用。
幾乎沒人注意到的 OSS steward 子規範
如果你是 open-source software steward——也就是有系統地支持最終會被 placed on the market 的 FOSS 產品開發的法人——第 24 條把你從第 14 條大部分義務中拉出來。只有兩個例外。第 14(1) 條(通報被積極利用的弱點的義務)對 steward 僅限於其涉入該產品開發的範圍內適用。第 14(3) 跟 14(8) 條(嚴重事件通報跟通知使用者)僅當嚴重事件影響到 steward 為產品開發提供的網路與資訊系統時適用。其他全部——14(2) 的 24/72/14 天時鐘、14(4) 的事件時鐘、14(7) 的 CSIRT 階序、14(9) 跟 14(10) 的 delegated act 跟 implementing act——都不對 steward 適用。
而且更決定性的是第 64(10)(b) 條讓 steward 對任何違反 CRA 的行為完全免罰。這是整部法規最強的豁免條款。立法意圖是避免讓數位經濟其他部分賴以存在的基礎建設受寒蟬效應影響。實務含義是:像 Apache Software Foundation、Linux Foundation、OpenSSL Foundation、OpenJDK 社群這種 steward,仍要寫網路安全政策、配合市場監督機關、但不能用罰款逼他們建構商業製造商等級的事件通報機制。
為什麼 APAC 要在意這點:很多亞洲硬體業者出資贊助、貢獻上游 OSS 專案。業者的商業產品完全在 CRA 範圍內;上游 steward 大部分不在。設計第 13(5) 條的供應鏈盡職調查時,不要把這兩種制度混為一談。
Block 3 · APAC perspective 區塊 3 · APAC 觀點
How this lands in Taiwan, Japan, and Korea 這一條在台日韓怎麼落地
Taiwan: PSIRT capacity is the gap, not monitoring 台灣:缺的是 PSIRT 能量,不是監控能力
Taiwanese hardware makers — especially the Tier-1 server ODMs and networking equipment manufacturers — already have mature monitoring: SOC teams, SBOM inventories from ISO 27001 and IEC 62443-4-1 programmes. What is typically missing is a published PSIRT function: a security.txt, a CVE coordination workflow, a designated on-call rotation that a Dutch researcher at 3am can reach. Becoming Article 14-ready in Taiwan is less about adding monitoring and more about making existing monitoring reachable from outside.
台灣硬體業者,尤其是 Tier-1 伺服器 ODM 跟網通設備廠,監控其實相當成熟:有 SOC 團隊、有從 ISO 27001 跟 IEC 62443-4-1 專案累積下來的 SBOM 庫存。真正缺的是對外公開的 PSIRT 功能:security.txt、CVE 協調工作、荷蘭研究員凌晨 3 點能聯繫到的 on-call 輪值。台灣要達到第 14 條 ready,與其說是加裝監控,不如說是把既有監控改成外部能聯繫到。
Japan: JC-STAR already built the muscle 日本:JC-STAR 已把肌肉練好
Japan's JC-STAR IoT security labelling scheme (METI + IPA) includes vulnerability handling and coordinated disclosure as a core requirement. Japanese manufacturers that achieved JC-STAR Level ★★ or above have, in effect, already built most of what Article 14 asks for — with the exception of the 24-hour clock, which is stricter than JC-STAR's timelines. For Japan, Article 14 is less about starting from zero and more about compressing existing processes.
日本 JC-STAR IoT 安全標示計畫(METI + IPA)把弱點處理跟協調揭露納為核心要求。拿到 JC-STAR ★★ 以上的日本製造商,實質上已經建好第 14 條要的大部分能量,唯一例外是24 小時時程,這比 JC-STAR 嚴。對日本業者來說,第 14 條不是從零開始,而是把既有流程壓縮。
Korea: K-ISMS-P and KISA reporting overlap — but don't substitute 韓國:K-ISMS-P 跟 KISA 通報有重疊,但不能取代
Korean entities subject to K-ISMS-P already report incidents to KISA under the Act on Promotion of Information and Communications Network Utilization. The temptation for a Korean manufacturer exporting to the EU is to treat KISA reporting as the primary process and let Article 14 run on a parallel track. That is a mistake. KISA notifications do not satisfy ENISA SRP obligations, and the 24-hour CRA clock runs independently of Korean timelines. Build the CRA process as a first-class peer, not a bolt-on.
K-ISMS-P 管轄下的韓國實體,已經依《資訊通信網路利用促進法》向 KISA 通報事件。對出口歐盟的韓國製造商來說,誘惑是把 KISA 通報當主流程、第 14 條走平行軌道。這是錯的。KISA 通報無法滿足 ENISA SRP 義務,CRA 的 24 小時時鐘也獨立於韓國時程運轉。把 CRA 流程建成一級公民,不要當成附加。
The awareness bar: lower than engineers think 知悉門檻:比工程師以為的低
The 24-hour clock starts at awareness, not confirmation. "We're still investigating" is not a defence. A credible researcher email describing exploitation in the wild, a KEV listing involving a component in your SBOM, a customer incident report that fits known exploit patterns — any of these can start the clock. APAC engineering cultures trained on "verify before escalating" will need to shift: verification happens after the early warning, not before.
24 小時時鐘的起算點是知悉,不是確認。「我們還在調查」不是抗辯。一封描述「in the wild」利用的可信研究員來信、一筆涉及你 SBOM 元件的 KEV 項目、一份符合已知利用模式的客戶事件報告,任何一個都可能啟動時鐘。APAC 工程文化訓練的是「先驗證再升級」,這裡要反過來:驗證發生在早期警訊之後,不是之前。
Block 4 · Cross-regulation map 區塊 4 · 跨法規對照
Where Article 14 touches other reporting regimes 第 14 條與其他通報制度的交集
Article 14 is not the only deadline clock your security operations will face. Four other EU regimes impose parallel incident-reporting timelines, and they do not substitute for each other — an event that touches personal data, critical infrastructure, financial services, or AI can produce simultaneous filings under multiple regulators. 第 14 條不是你安全營運唯一要面對的時鐘。另外有四部歐盟法規加上平行的事件通報時程,而且彼此無法互相取代,一個涉及個資、關鍵基礎設施、金融服務、或 AI 的事件,可能同時對多個監管機關產生通報義務。
GDPR · Article 33
Personal data breach notification
個資外洩通報
If the CRA incident involves personal data, GDPR Article 33's 72-hour notification to the supervisory authority runs in parallel. Legal teams need to harmonise templates so the same event doesn't produce inconsistent narratives across regulators.
如果 CRA 事件涉及個資,GDPR 第 33 條的 72 小時通報(對主管機關)會平行跑。法務必須整合範本,避免同一事件對不同監管機關出現不一致的版本。
NIS2 · Article 23
Essential entity incident reporting
重要實體事件通報
NIS2 Article 23 uses a similar 24h / 72h / 1-month cadence for "significant incidents". If you are both an NIS2 essential entity and a CRA manufacturer (some utilities, some network operators), you have two parallel reporting chains. The CRA SRP does not satisfy NIS2 and vice versa.
NIS2 第 23 條對「重大事件」採類似的 24h / 72h / 1 個月節奏。如果你同時是 NIS2 essential 實體跟 CRA 製造商(部分公用事業、網路營運商),就有兩條平行通報鏈。CRA SRP 無法滿足 NIS2,反過來也一樣。
NIS2 · Article 12(1), 14, 18
The three NIS2 hooks Article 14 actually relies on
第 14 條真正掛在 NIS2 上的三個鉤子
Beyond the parallel reporting cadence, Article 14 is structurally wired into NIS2 in three places. (1) NIS2 Article 12(1) is the legal basis for coordinated vulnerability disclosure (CVD) procedures — and CRA Article 16(2) lets a CSIRT delay dissemination of your notification specifically when a vulnerability is subject to a CVD process under NIS2 Article 12(1). If your security advisory has a coordinated disclosure window, that window survives the CRA. (2) NIS2 Article 14 establishes the Cooperation Group of Member States — ENISA's biennial CRA technical report under CRA Article 17(3) is submitted to that Group, not to the Commission. (3) NIS2 Article 18 requires ENISA's biennial state-of-cybersecurity report — your CRA notifications feed that report. What you submit to the SRP becomes part of how the EU describes its own cyber posture two years later.
除了平行的通報節奏之外,第 14 條在三個地方跟 NIS2 結構性相連。(1) NIS2 第 12(1) 條是協調式弱點揭露(CVD)程序的法源依據——而 CRA 第 16(2) 條允許 CSIRT 在你的通報落在 NIS2 第 12(1) 條 CVD 程序中時延遲對其他 CSIRT 的轉發。如果你的安全公告有協調式揭露的時間窗口,這個窗口在 CRA 之下還是有效的。(2) NIS2 第 14 條建立了會員國之間的合作小組——ENISA 依 CRA 第 17(3) 條每兩年一份的 CRA 技術報告是交給這個合作小組、不是交給執委會。(3) NIS2 第 18 條要求 ENISA 出版兩年一份的歐盟網路安全現況報告——你提交到 SRP 的內容會餵進這份報告。你今天往 SRP 送什麼,兩年後就會變成歐盟對自己網路安全姿態的描述的一部分。
DORA · Article 19
Financial-sector ICT incident reporting
金融業 ICT 事件通報
DORA (Regulation (EU) 2022/2554) applies to ICT service providers to financial entities. If your product is used by a bank and triggers an incident, you may be simultaneously reportable under CRA Article 14 (as manufacturer), DORA Article 19 (via your financial customer), and GDPR Article 33.
DORA(Regulation (EU) 2022/2554)適用於金融實體的 ICT 服務供應商。如果你的產品被銀行使用、觸發事件,你可能同時要依 CRA 第 14 條(身為製造商)、DORA 第 19 條(透過金融客戶)、跟 GDPR 第 33 條通報。
AI Act · Article 73
Serious incident reporting for high-risk AI
高風險 AI 重大事件通報
AI Act Article 73 (applicable from Aug 2026) requires high-risk AI system providers to report serious incidents to market surveillance authorities within 15 days (or 2 days for widespread infringement). Where a cybersecurity event in an AI-enabled product qualifies under both, you file under both.
AI Act 第 73 條(2026 年 8 月起適用)要求高風險 AI 系統供應商在 15 天內(大規模侵害是 2 天)向市場監管機關通報重大事件。AI 產品的網路安全事件如果同時符合兩部法律,兩邊都要通報。