Article 15 Regulation (EU) 2024/2847 · Chapter II
Voluntary reporting — the optional channel that the CRA needs to work
Article 14 carries the mandatory clock — 24 hours and 72 hours for both tracks, then 14 days (vulnerabilities) or 1 month (severe incidents) for the final report. Article 15 is the optional twin: the channel anyone — manufacturer, security researcher, downstream user, FOSS maintainer — uses to surface a vulnerability, a cyber threat, an incident, or a near miss without facing additional regulatory obligations as a result. The CRA's incident-data quality depends substantially on Article 15 being used.
Block 1 · Official text
What the Regulation actually says
Source. Consolidated text from Regulation (EU) 2024/2847, Article 15, as published in OJ L 2024/2847, 20 November 2024. Translation is unofficial; refer to EUR-Lex for binding text.
Voluntary reporting scope (¶ 1 – 2)
1. Manufacturers as well as other natural or legal persons may notify any vulnerability contained in a product with digital elements as well as cyber threats that could affect the risk profile of a product with digital elements on a voluntary basis to a CSIRT designated as coordinator or ENISA.
2. Manufacturers as well as other natural or legal persons may notify any incident having an impact on the security of the product with digital elements as well as near misses that could have resulted in such an incident on a voluntary basis to a CSIRT designated as coordinator or ENISA.
Compare with Art 14 mandatory scope: actively exploited vulnerabilities (Art 14(1)) and severe incidents impacting PwDE security (Art 14(3)). Article 15 is wider — any vulnerability (not only actively exploited), any cyber threat (not only realised), any incident (not only severe), and near misses (not in Art 14 at all).
Processing & manufacturer notification (¶ 3 – 4)
3. The CSIRT designated as coordinator or ENISA shall process the notifications referred to in paragraphs 1 and 2 of this Article in accordance with the procedure laid down in Article 16. The CSIRT designated as coordinator may prioritise the processing of mandatory notifications over voluntary notifications.
4. Where a natural or legal person other than the manufacturer notifies an actively exploited vulnerability or a severe incident having an impact on the security of a product with digital elements in accordance with paragraph 1 or 2, the CSIRT designated as coordinator shall without undue delay inform the manufacturer.
The §4 trigger is narrower than §1 / §2 voluntary scope. CSIRT-to-manufacturer notification is required only when the voluntary report concerns an actively-exploited vulnerability OR a severe incident — not for any vulnerability or any incident. Many voluntary reports therefore stay within CSIRT / ENISA without reaching the manufacturer at all.
Confidentiality + no extra obligations (¶ 5)
5. The CSIRTs designated as coordinators as well as ENISA shall ensure the confidentiality and appropriate protection of the information provided by a notifying natural or legal person. Without prejudice to the prevention, investigation, detection and prosecution of criminal offences, voluntary reporting shall not result in the imposition of any additional obligations upon a notifying natural or legal person to which it would not have been subject had it not submitted the notification.
The "no additional obligations" rule is the key non-deterrent guarantee. A security researcher who voluntarily reports a vulnerability does not thereby become subject to Article 13 manufacturer obligations or Article 14 mandatory reporting follow-up. Recital 75 separately encourages Member States to address potential criminal / civil liability of vulnerability researchers under national law — that protection is national, not in the CRA itself.
Block 2 · Plain language
The optional twin to Article 14 — wider scope, lower stakes
Article 14 and Article 15 are designed to be read together. Article 14 is the obligation; Article 15 is the option. They share infrastructure (Article 16's single reporting platform — the SRP — handles both) but differ in scope, who can report, and what consequences attach to a report.
| Dimension | Article 14 (mandatory) | Article 15 (voluntary) |
|---|---|---|
| Who must / may report | Manufacturers only (mandatory) | Manufacturers or any other natural / legal person |
| What is reportable | (a) Actively exploited vulnerabilities; (b) severe incidents impacting PwDE security | Any vulnerability (regardless of exploitation status); any cyber threat affecting the risk profile; any incident; near misses |
| Time pressure | 24h early warning / 72h notification / 14d (or 30d for incidents) final report | No deadline; voluntary by definition |
| Consequences for the reporter | Compliance with Art 14 is required to satisfy the manufacturer's CRA obligations; failure to report = enforcement risk | No additional obligations created by the report itself (Art 15(5)); reporting is shielded from triggering further regulatory burden on the reporter |
| CSIRT processing priority | Mandatory notifications may be prioritised over voluntary (Art 15(3), second sentence) | Same processing path (Art 16) but lower priority allowed |
Three structural points worth absorbing.

- Article 15 is wider than the routine framing suggests. A common reading treats Article 15 as the security-researcher channel — a place for external bug reporters to surface what they find. That is one use case but not the only one. Article 15 covers: (i) any vulnerability in a PwDE — including ones the manufacturer already knows about and is dealing with internally, (ii) any cyber threat that could affect the risk profile of a PwDE — threat intelligence, not just realised exploitation, (iii) any incident impacting PwDE security — even non-severe ones that don't trigger Article 14, (iv) near misses — events that almost became incidents. The fourth category in particular is worth noting because it has no Article 14 counterpart at all.
- The "no additional obligations" guarantee is narrower than it sounds. Art 15(5) is the non-deterrent core. But it shields only against obligations that arise from the act of voluntarily reporting. It does not shield against pre-existing obligations the reporter already had. A manufacturer who voluntarily reports a vulnerability that turns out to be actively exploited still owes Article 14(1) reporting at the same time — Article 15 does not let a manufacturer convert mandatory reporting into voluntary. Similarly, criminal liability under national law for unauthorised access (the type of liability Recital 75 invites Member States to address) is not abolished by Article 15(5) — the second clause of §5 explicitly preserves criminal prosecution. This matters for security researchers in jurisdictions where vulnerability research itself carries legal exposure.
- The CSIRT-to-manufacturer notification (§4) creates a partial information bridge, not a full one. When a third party voluntarily reports an actively-exploited vulnerability or severe incident, §4 requires the CSIRT to inform the manufacturer "without undue delay". This means a manufacturer's Article 14 mandatory reporting clock can start running because of someone else's voluntary report — once the CSIRT relays the information, the manufacturer is "aware" within the meaning of Article 14, and the 24h / 72h cadence engages, with the final report at 14 days for vulnerabilities or one month for severe incidents. But §4 is narrowly scoped: it triggers only on active-exploitation or severe-incident reports, not on every Art 15 voluntary report. A voluntary report of a non-exploited vulnerability or near miss does not automatically reach the manufacturer through this mechanism.
A practical conclusion. Article 15 changes the manufacturer's situational awareness in ways that Article 14 alone does not. A manufacturer cannot rely solely on its own internal vulnerability discovery and Art 14 monitoring; voluntary reports submitted by external parties to CSIRTs may flow into the manufacturer's awareness through Art 15(4) without warning. Operationally, a manufacturer's PSIRT inbox under Art 13(15) and the CSIRT-relayed Art 15(4) channel are two distinct ingestion paths that need to feed the same triage queue.
Block 3 · APAC perspective
Three operational implications for APAC manufacturers and researchers
Article 15 is short but it lands in three different APAC contexts at once: APAC manufacturers building vulnerability-handling discipline, APAC security researchers operating in jurisdictions with varying vulnerability-research legal regimes, and APAC bug-bounty platforms and CERTs sitting between the two.
For APAC manufacturers: Art 15(4) is an unannounced ingest channel into your PSIRT. When a researcher in Berlin voluntarily reports a vulnerability in your Taiwan-manufactured router to the German CSIRT, and the CSIRT determines it is actively exploited, your manufacturer-side Article 14(1) clock starts running when the CSIRT informs you. This is true even if the researcher never contacted you directly. Operationally, this means: (i) your Article 13(15) single-point-of-contact for vulnerability reports must be able to receive CSIRT-channel notifications, not just direct researcher submissions; (ii) the lookup direction matters — when an EU CSIRT wants to reach your manufacturer-side PSIRT, they need to find you, which means your contact details published per Art 13(15) and Art 13(19) must be discoverable from outside Asia. A PSIRT email at a domain only resolvable inside the manufacturer's intranet is operationally useless; (iii) the language requirement of Art 19 + Art 13(20) (information in language easily understood by users / market surveillance) extends in spirit to Art 15(4) — the CSIRT will reach you in their working language, and you need to handle that.
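The Block 2 conclusion (two ingestion paths feeding one triage queue) and the first APAC point (Art 15(4) as an unannounced ingest channel that starts the Art 14 clock) describe a routing decision a PSIRT has to make for every inbound report. The following is an added example, not code from the original page or from any CRA body or CSIRT: it normalises reports from a direct Art 13(15) inbox and from CSIRT relays into one queue, applies the page's §4 trigger rule (actively exploited vulnerability or severe incident only), and derives the 24h / 72h / 14-day-or-1-month deadlines from the moment of awareness. The field names, channel labels, the reading of "1 month" as 30 days, and the sample reports are constructed assumptions.

```python
"""Two ingestion paths, one triage queue (added example; assumptions noted inline)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional

# Article 14 cadence as stated on the page: 24h early warning, 72h notification,
# final report at 14 days (vulnerabilities) or 1 month (severe incidents).
# "1 month" is approximated as 30 days here (assumption).
EARLY_WARNING = timedelta(hours=24)
NOTIFICATION = timedelta(hours=72)
FINAL_VULNERABILITY = timedelta(days=14)
FINAL_INCIDENT = timedelta(days=30)

# Everything Art 15(1)-(2) lets anyone report voluntarily.
VOLUNTARY_KINDS = {"vulnerability", "cyber_threat", "incident", "near_miss"}
# The two ingestion paths the page says must feed one queue (labels are assumed).
CHANNELS = {"psirt_direct", "csirt_relay"}


@dataclass(frozen=True)
class Report:
    report_id: str
    channel: str           # "psirt_direct" (Art 13(15) inbox) or "csirt_relay" (Art 15(4))
    kind: str              # one of VOLUNTARY_KINDS
    actively_exploited: bool
    severe: bool
    received_at: datetime  # when the manufacturer became aware (timezone-aware)


@dataclass(frozen=True)
class Triage:
    report_id: str
    channel: str
    received_at: datetime
    relay_required: bool   # would Art 15(4) oblige a CSIRT to inform the manufacturer?
    mandatory_clock: bool  # does the manufacturer's Art 14 reporting clock start?
    early_warning_due: Optional[datetime]
    notification_due: Optional[datetime]
    final_report_due: Optional[datetime]


def relay_required(report: Report) -> bool:
    """Art 15(4): a CSIRT must inform the manufacturer only for an actively
    exploited vulnerability or a severe incident. Cyber threats, near misses
    and non-exploited vulnerabilities stay with the CSIRT / ENISA."""
    if report.kind == "vulnerability":
        return report.actively_exploited
    if report.kind == "incident":
        return report.severe
    return False


def mandatory_clock_starts(report: Report) -> bool:
    """Art 14(1)/(3) are triggered by the same two categories, whichever channel
    made the manufacturer aware: per the page, awareness via a CSIRT relay
    engages the cadence just as direct discovery does."""
    return relay_required(report)


def triage(report: Report) -> Triage:
    """Validate one report and derive its deadlines (None when no clock runs)."""
    if report.kind not in VOLUNTARY_KINDS:
        raise ValueError(f"unknown report kind: {report.kind!r}")
    if report.channel not in CHANNELS:
        raise ValueError(f"unknown channel: {report.channel!r}")
    if report.received_at.tzinfo is None:
        raise ValueError("received_at must be timezone-aware")
    relay = relay_required(report)
    if not mandatory_clock_starts(report):
        return Triage(report.report_id, report.channel, report.received_at,
                      relay, False, None, None, None)
    final = FINAL_VULNERABILITY if report.kind == "vulnerability" else FINAL_INCIDENT
    t0 = report.received_at
    return Triage(report.report_id, report.channel, t0, relay, True,
                  t0 + EARLY_WARNING, t0 + NOTIFICATION, t0 + final)


def build_queue(reports: Iterable[Report]) -> List[Triage]:
    """Merge both channels into one queue: items with a running Art 14 clock
    first, then earliest awareness first within each group."""
    return sorted((triage(r) for r in reports),
                  key=lambda t: (not t.mandatory_clock, t.received_at))


# Constructed sample reports (not real submissions).
T0 = datetime(2025, 3, 3, 9, 0, tzinfo=timezone.utc)
SAMPLE_REPORTS = [
    Report("R-001", "psirt_direct", "vulnerability", False, False, T0),
    Report("R-002", "csirt_relay", "vulnerability", True, False, T0 + timedelta(hours=2)),
    Report("R-003", "psirt_direct", "near_miss", False, False, T0 + timedelta(hours=1)),
    Report("R-004", "csirt_relay", "incident", False, True, T0 + timedelta(hours=3)),
]

if __name__ == "__main__":
    for item in build_queue(SAMPLE_REPORTS):
        state = "Art 14 clock running" if item.mandatory_clock else "no mandatory clock"
        print(item.report_id, item.channel, state, item.final_report_due)
```

Run as a script to see the merged queue: the two CSIRT-relayed reports (R-002, R-004) come first with their deadlines, while the directly submitted non-exploited vulnerability and the near miss sit in the same queue without a clock. The design point is that the channel never changes the classification, only the timestamp of awareness; that is what keeps the Art 13(15) inbox and the Art 15(4) relay on one triage path.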
For APAC security researchers: confidentiality + non-additional-obligations are the EU-side guarantees, but national-law liability is not addressed by Article 15. Art 15(5) gives confidentiality at the EU side and ensures voluntary reporting will not impose new EU regulatory obligations. It does not address whether the act of finding the vulnerability — testing, fuzzing, reverse engineering — was itself lawful in the researcher's home jurisdiction. Recital 75 invites Member States (read: EU Member States) to clarify their national criminal law on this. APAC researchers should not assume that submitting an Art 15 voluntary report retroactively legalises research methods that may be unlawful under their home country's computer crime law (Taiwan's 刑法第 358–363 條, Japan's 不正アクセス禁止法, Korea's 정보통신망법, India's IT Act §66 etc.). The CRA's voluntary reporting channel is a destination, not a safe harbour for the journey.
For APAC bug-bounty platforms and CERTs: Article 15 reframes their role as relay, not endpoint. JPCERT/CC, Taiwan's TWCERT/CC, KrCERT, CERT-In are sometimes treated as the "obvious" first reporting destination by APAC-located reporters. Under CRA Art 15, when the affected product is a CRA-scoped PwDE on the EU market, the legally-relevant reporting destinations are the EU CSIRT designated as coordinator OR ENISA — not the APAC CERT. This does not stop reporters from also notifying their APAC CERT, and good operational practice often involves both. But for an APAC bug-bounty platform that wants to provide a "compliant for CRA" reporting workflow to its researchers, the platform's reporting routing must include direct EU CSIRT / ENISA submission paths, not just APAC CERT escalation. Bug-bounty programmes operated by APAC manufacturers themselves can satisfy Art 13(15) point-of-contact obligations on the manufacturer side, but they do not substitute for the Art 15 EU-side voluntary channel.
A practical conclusion. Article 15 looks like a low-stakes optional clause and is genuinely lower-stakes than Article 14. But the asymmetry it creates — anyone can report on your product, you may learn about it via §4 with no warning — means manufacturers should treat the Art 15 inbound path as part of their PSIRT design, not as a separate research-channel concern. For researchers in APAC, the EU-side guarantees are real but home-jurisdiction legal exposure for the act of finding the vulnerability is unaffected.
Block 4 · Cross-regulation map
Voluntary reporting under other regimes
Voluntary vulnerability reporting channels exist under several regimes adjacent to the CRA. They differ in scope, who runs them, and what protections they offer.
NIS2 Article 30 (EU)
Voluntary notification by entities not in NIS2 mandatory scope, on significant incidents / cyber threats / near misses to CSIRTs. NIS2 voluntary reporting is for operating organisations (entities); CRA Art 15 is for products (PwDE). Same near-miss concept; same CSIRT routing. Compatible — an organisation can use both.
EN ISO/IEC 29147:2020
Vendor-side coordinated vulnerability disclosure (CVD) framework. Recommended practice for receiving and handling external vulnerability reports. 29147 governs the manufacturer's intake of reports; CRA Art 15 governs the regulatory channel that runs in parallel. Manufacturers complying with 29147 are well-placed to handle Art 15(4) CSIRT-relayed reports.
NIST SP 800-216 (US)
Federal vulnerability disclosure guidelines. Federal agencies must establish vulnerability disclosure policies; researchers can submit to agency channels. US framework focuses on federal-government-operated systems and federally-procured products; not a product-on-market regime. CRA Art 15 covers any PwDE on the EU market regardless of who operates downstream systems.
Japan IT Security Early Warning Partnership
Voluntary partnership between IPA, JPCERT/CC, vendors, and researchers for coordinated vulnerability handling in Japan. Japan-domestic coordination layer. JPCERT/CC may receive a report on a CRA-scoped product, but the report needs to reach an EU CSIRT or ENISA to satisfy CRA Art 15. JPCERT/CC could act as a relay but is not itself a CRA Art 15 destination.
EU GDPR Article 33
Mandatory data-breach notification to supervisory authority within 72 hours of awareness; high-risk to data subjects also requires notification to data subjects (Art 34). GDPR is mandatory, not voluntary; addresses personal-data breach, not product cybersecurity per se. A single incident can trigger BOTH GDPR Art 33 (personal-data breach) AND CRA Art 14 (severe incident impacting PwDE security) — different authorities, different timelines, different content. Voluntary CRA Art 15 reporting does not substitute for mandatory GDPR notification.