CRA Notebook
Working note — actively evolving, may be revised. See /errata for change log.

Article 18 · Regulation (EU) 2024/2847 · Chapter II

Authorised representatives

A non-EU manufacturer may appoint a written-mandated authorised representative in the Union to handle declared duties — but not Article 13(1) to (11), 13(12) first subparagraph, or 13(14).

Paragraphs: 4 · Applies from: 11 Dec 2027 · Primary audience: Non-EU manufacturers, authorised representatives · Last reviewed: 2026-04-26 · Status: Working

Block 1 · Official text

What the Regulation actually says

Source. From Regulation (EU) 2024/2847, OJ L 2024/2847 (20 Nov 2024). Translation unofficial; refer to EUR-Lex for binding text.

1. A manufacturer may, by a written mandate, appoint an authorised representative.

2. The obligations laid down in Article 13(1) to (11), Article 13(12), first subparagraph, and Article 13(14) shall not form part of the authorised representative mandate.

3. An authorised representative shall perform the tasks specified in the mandate received from the manufacturer. The mandate shall allow the authorised representative to do at least the following:

(a) keep the EU declaration of conformity referred to in Article 28 and the technical documentation referred to in Article 31 at the disposal of the market surveillance authorities for at least 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer;
(b) further to a reasoned request from a market surveillance authority, provide that authority with all the information and documentation necessary to demonstrate the conformity of the product with digital elements;
(c) cooperate with the market surveillance authorities, at their request, on any action taken to eliminate the risks posed by a product with digital elements covered by the authorised representative mandate;
(d) terminate the mandate if the manufacturer acts contrary to its obligations under this Regulation, and inform the manufacturer of such termination immediately.

4. The authorised representative shall provide the contact details of the manufacturer to the market surveillance authority concerned upon request.

Block 2 · Plain language

When you need an authorised representative — and what they can't do

Article 18 is procedural in tone but consequential in operation. For a Taiwan, Japan, or Korea manufacturer that places products with digital elements (PwDE) on the EU market without a Union establishment, the authorised representative (AR) is the only legal anchor in the EU — the contact point market surveillance authorities will reach when something goes wrong.

  1. The AR is not a legal substitute for the manufacturer. Article 18(2) is the line that defines what the AR is not: Article 13(1) to (11) — design, development, conformity, technical documentation, internal vulnerability handling — stays with the manufacturer. Article 13(12) first subparagraph (the actual reporting duty under Article 14) and Article 13(14) (corrective action obligations) likewise stay with the manufacturer. The AR can hold the documentation; the AR cannot generate it. Substantial decisions about the product remain in Taipei, Tokyo, or Seoul.

  2. What the AR can do is in Article 18(3). Four duties: (a) keep the EU DoC and technical documentation available for 10 years or the support period (whichever is longer); (b) reply to reasoned requests from market surveillance authorities; (c) cooperate on corrective actions for products in the AR's mandate; (d) terminate the mandate if the manufacturer goes off the rails, and notify the manufacturer of termination. Termination is a one-way exit. The AR is not a hostage.

  3. The mandate is in writing. Article 18(1) is one sentence: "A manufacturer may, by a written mandate, appoint an authorised representative." "May" — not "shall". Article 18 does not require an AR. Article 19 (importer obligations) does, indirectly: a non-EU manufacturer placing PwDE on the EU market without an EU establishment will trigger the importer's obligation under Article 19(2) to verify that the manufacturer has either an EU presence or an AR. No AR, no compliant import path.

  4. Reporting obligations stay home. Article 14 incident reporting (severe incidents, actively exploited vulnerabilities) is explicitly excluded from the AR mandate by reference to Article 13(12) first subparagraph. Why this matters: a Taiwan PSIRT in Hsinchu cannot delegate the 24-hour early warning to a Frankfurt-based AR. The notification itself must come from the manufacturer (or under the manufacturer's direct authority) into ENISA's single reporting platform. The AR can support, advise, route — but the legal notifying entity is the manufacturer.

Block 3 · APAC perspective

How APAC manufacturers actually choose an AR

The AR market is fragmented and the wrong choice is expensive. Most Taiwan ICT exporters, Japan IIoT vendors, and Korean device makers default to one of three patterns. Each has a different cost structure and different risk profile.

| AR pattern | Pros | Cons | Typical APAC user |
| --- | --- | --- | --- |
| Captive EU subsidiary as AR | Tight control, integrated workflows, single legal entity for tax/AR/sales. | Fixed cost — staffing, office, compliance overhead. Only viable above ~€10M/year EU revenue. | Tier-1 Taiwan ODMs, Samsung, Sony, Panasonic, larger Korean B2B exporters. |
| Third-party specialist AR firm | Variable cost (per-product or annual fee), expert in CRA + RED + EMC + LVD stack. | Quality varies wildly. Some are mailbox AR — they pass mail and nothing else. Verify capability before signing. | Mid-tier Taiwan ODMs, Japan IIoT specialists, mid-tier Korean device makers. |
| EU distributor / importer doubling as AR | Bundled, simpler contract, distributor has commercial incentive to keep your product compliant. | Conflict of interest: if you switch distributors, you lose your AR. Termination of mandate by AR (Art 18(3)(d)) leaves you exposed. | Smaller Taiwan brands entering EU through a single distributor, Japan SME exporters with one EU partner. |

Country choice for the AR matters more than most APAC exporters realise. Article 16(2) routes ENISA notifications to the CSIRT designated as coordinator of the Member State where the AR is established. Different national CSIRTs have different responsiveness, different sectoral expertise, different language. A Taiwan industrial-cybersecurity vendor whose AR is in Germany routes through BSI CSIRT. The same vendor with an Irish AR routes through NCSC-IE. The distance to a competent regulator on a Saturday at midnight when an actively exploited vulnerability lands is not a procedural curiosity.

For APAC exporters, the practical short-list is: Germany (BSI is a strong technical regulator, but procedures heavy in German), Netherlands (English-friendly, NCSC-NL technically capable), Ireland (English-only, lighter touch but capable), Belgium (Brussels-based, useful for institutional access). France and Italy are also options but skew French/Italian-speaking.

The AR mandate has to evolve as your CRA program matures. Year 1: minimum-viable AR (mailbox + DoC custody). Year 2: AR upgraded to handle market surveillance reasoned requests (Article 53). Year 3: AR with PSIRT-coordination capability for Article 14 escalation paths. The AR you sign today is not the AR you need in 2028. Plan for the upgrade path — and for the cost of switching ARs mid-product-lifecycle if needed.

Block 4 · Cross-regulation map

The AR concept across the EU regulatory family

"Authorised representative" is a recurring concept in EU product law. Each instance has subtle differences in scope and exclusions. APAC manufacturers usually need to map the same physical AR entity to multiple regulatory regimes simultaneously.

RED 2014/53/EU, Article 11 — AR for radio equipment

Same structure as CRA Article 18 — written mandate, AR keeps DoC and technical documentation, AR cooperates with market surveillance. Most APAC ICT exporters can use the same AR entity for RED and CRA, but the mandate has to be drafted to cover both regimes explicitly. A RED-only mandate does not extend to CRA automatically.

Reg 2019/1020 on Market Surveillance, Article 4 — economic operator

2019/1020 introduces the broader concept of "economic operator responsible for products placed on the market". For products without an EU manufacturer, this responsible person is normally the AR (or in some cases the importer or fulfilment service provider). CRA Article 18 stacks on top of 2019/1020 — the AR designated under CRA also functions as the responsible person under 2019/1020 for the same products.

Medical Devices Regulation 2017/745, Article 11 — MDR AR

MDR AR is a heavier role than CRA AR. MDR AR can verify EU DoC, has explicit liability provisions (Article 11(5)), and must register in EUDAMED. Connected medical devices that fall under both MDR and CRA need an AR mandate that covers both — and most MDR ARs already have CRA-compatible workflows because their procedural muscle is heavier.

EU AI Act 2024/1689, Article 22 — AI authorised representative

The AI Act introduced its own AR concept for high-risk AI systems. Products that bundle high-risk AI and qualify as PwDE under CRA (an AI-driven security camera, an AI medical scanner) need ARs under both regimes. The same legal entity can serve both, but the mandate has to address two regulatory clocks: AI Act tier-by-tier application from 2026 to 2027, CRA full application 11 Dec 2027.

UKCA — UK post-Brexit AR equivalent

Post-Brexit, products placed on the GB market need a UK Responsible Person (UKRP) under the relevant UK statutory instrument (e.g., Radio Equipment Regulations 2017 SI 2017/1206). UKRP is structurally similar to EU AR but legally separate. APAC manufacturers selling into UK + EU need both: UKRP for GB, AR for EU/EEA. Northern Ireland operates under EU rules per the Windsor Framework — products for NI route through the EU AR.
