Article 19 Regulation (EU) 2024/2847 · Chapter II 法規 (EU) 2024/2847 · 第二章
Importers — the EU gateway to APAC manufacturers 進口商,APAC 製造商的歐盟入口
For most APAC OEMs and ODMs without an EU subsidiary, the importer is the legal-person counterparty who actually places product on the market. Article 19 lists eight paragraphs of pre-placement checks and post-placement cooperation duties — the operational interface between APAC manufacturing and EU market access. 對多數無歐盟子公司的 APAC OEM 與 ODM 來說,進口商是實際把產品置於市場上的法人對手方。第 19 條列出八段投放前檢查與投放後合作義務,APAC 製造與歐盟市場進入之間的操作介面。
Block 1 · Official text 區塊 1 · 官方條文
What the Regulation actually says 條文實際怎麼寫
Source. Consolidated text from Regulation (EU) 2024/2847, Article 19, as published in OJ L 2024/2847, 20 November 2024. Translation is unofficial; refer to EUR-Lex for binding text. 來源。條文自《法規 (EU) 2024/2847》第 19 條整合文本,發布於 OJ L 2024/2847,2024 年 11 月 20 日。中文為非官方翻譯。
Compliance threshold + pre-placement checks 符合性門檻 + 投放前檢查 ¶ 1 – 2
1. Importers shall place on the market only products with digital elements that comply with the essential cybersecurity requirements set out in Part I of Annex I and where the processes put in place by the manufacturer comply with the essential cybersecurity requirements set out in Part II of Annex I.
1. 進口商僅得將符合附件一第一部分基本網路安全要求之具數位元素產品投放市場,且製造商所建立之流程須符合附件一第二部分基本網路安全要求。
2. Before placing a product with digital elements on the market, importers shall ensure that:
2. 投放具數位元素產品於市場前,進口商應確保:
(a) the appropriate conformity assessment procedures as referred to in Article 32 have been carried out by the manufacturer;
(a) 製造商已執行第 32 條所指之適當符合性評鑑程序;
(b) the manufacturer has drawn up the technical documentation;
(b) 製造商已製備技術文件;
(c) the product with digital elements bears the CE marking referred to in Article 30 and is accompanied by the EU declaration of conformity referred to in Article 13(20) and the information and instructions to the user as set out in Annex II in a language which can be easily understood by users and market surveillance authorities;
(c) 該具數位元素產品攜有第 30 條所指之 CE 標示,並隨附第 13(20) 條所指之歐盟符合性聲明、以及附件二所定使用者資訊與指示,且皆以使用者及市場監督機關易於理解之語言;
(d) the manufacturer has complied with the requirements set out in Article 13(15), (16) and (19).
(d) 製造商已遵循第 13(15)、(16) 與 (19) 條之要求。
For the purposes of this paragraph, importers shall be able to provide the necessary documents proving the fulfilment of the requirements set out in this Article.
為本項目的,進口商應能提供必要文件證明本條要求之履行。
Article 13(15), (16), (19) referenced in (d): §15 = single point of contact for vulnerability reporting; §16 = product type identification + traceability info; §19 = name and registered trade name / mark + postal / digital contact info on product or packaging.
(d) 所引第 13(15)、(16)、(19) 條:§15 = 弱點通報之單一聯絡點;§16 = 產品型式識別 + 可追溯性資訊;§19 = 名稱與註冊商號 / 商標 + 郵政 / 數位聯絡資訊置於產品或包裝上。
Non-conformity & risk-significance handling 不符合與重大風險之處理 ¶ 3 – 4
3. Where an importer considers or has reason to believe that a product with digital elements or the processes put in place by the manufacturer are not in conformity with this Regulation, the importer shall not place the product on the market until that product or the processes put in place by the manufacturer have been brought into conformity with this Regulation. Furthermore, where the product with digital elements presents a significant cybersecurity risk, the importer shall inform the manufacturer and the market surveillance authorities to that effect.
3. 進口商認為或有理由相信具數位元素產品或製造商所建立之流程不符合本法規時,於該產品或流程符合本法規前不得將該產品投放市場。再者,當該具數位元素產品構成重大網路安全風險時,進口商應通知製造商及市場監督機關。
Where an importer has reason to believe that a product with digital elements may present a significant cybersecurity risk in light of non-technical risk factors, the importer shall inform the market surveillance authorities to that effect. Upon receipt of such information, the market surveillance authorities shall follow the procedures referred to in Article 54(2).
進口商基於非技術性風險因素而有理由相信具數位元素產品可能構成重大網路安全風險時,進口商應通知市場監督機關。市場監督機關於收到該等資訊後應依第 54(2) 條程序處理。
4. Importers shall indicate their name, registered trade name or registered trademark, the postal address, email address or other digital contact as well as, where applicable, the website at which they can be contacted on the product with digital elements or on its packaging or in a document accompanying the product with digital elements. The contact details shall be in a language easily understood by users and market surveillance authorities.
4. 進口商應於該具數位元素產品、其包裝、或隨附文件上載明其名稱、註冊商號或商標、郵政地址、電郵或其他數位聯絡方式,以及(適用時)可供聯絡之網址。聯絡資訊應以使用者與市場監督機關易於理解之語言記載。
Post-placement obligations 投放後義務 ¶ 5 – 8
5. Importers who know or have reason to believe that a product with digital elements which they have placed on the market is not in conformity with this Regulation shall immediately take the corrective measures necessary to ensure that the product with digital elements is brought into conformity with this Regulation, or to withdraw or recall the product, if appropriate. Upon becoming aware of a vulnerability in the product with digital elements, importers shall inform the manufacturer without undue delay about that vulnerability. Furthermore, where the product with digital elements presents a significant cybersecurity risk, importers shall immediately inform the market surveillance authorities of the Member States in which they have made the product with digital elements available on the market to that effect, giving details, in particular, of non-compliance and of any corrective measures taken.
5. 進口商知悉或有理由相信其已投放市場之具數位元素產品不符合本法規時,應立即採取必要之矯正措施使該產品符合本法規,或於適當時撤回、召回該產品。進口商於知悉產品中之弱點時,應毫不延遲地通知製造商。再者,當該具數位元素產品構成重大網路安全風險時,進口商應立即通知其於該等會員國內已提供該產品之市場監督機關,特別載明不符合性與所採取之矯正措施。
6. Importers shall, for at least 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer, keep a copy of the EU declaration of conformity at the disposal of the market surveillance authorities and ensure that the technical documentation can be made available to those authorities, upon request.
6. 進口商應於該具數位元素產品投放市場後至少 10 年或支援期間(兩者較長者)內,保有歐盟符合性聲明副本供市場監督機關取用,並確保經請求時可提供技術文件予該等機關。
7. Importers shall, further to a reasoned request from a market surveillance authority, provide it with all the information and documentation, in paper or electronic form, necessary to demonstrate the conformity of the product with digital elements with the essential cybersecurity requirements set out in Part I of Annex I as well as of the processes put in place by the manufacturer with the essential cybersecurity requirements set out in Part II of Annex I in a language that can be easily understood by that authority. They shall cooperate with that authority, at its request, on any measures taken to eliminate the cybersecurity risks posed by a product with digital elements, which they have placed on the market.
7. 經市場監督機關書面合理請求,進口商應以該機關易於理解之語言,提供所有必要之資訊與文件(紙本或電子形式皆可),以證明該具數位元素產品符合附件一第一部分之基本網路安全要求、且製造商所建立之流程符合附件一第二部分之基本網路安全要求。進口商應於該機關請求時,配合所採取以消除其投放市場之具數位元素產品所構成網路安全風險之任何措施。
8. Where the importer of a product with digital elements becomes aware that the manufacturer of that product has ceased its operations and, as result, is not able to comply with the obligations laid down in this Regulation, the importer shall inform the relevant market surveillance authorities about this situation, as well as, by any means available and to the extent possible, the users of the products with digital elements placed on the market.
8. 具數位元素產品之進口商知悉該產品之製造商已停止營運、因而無法履行本法規所定義務時,進口商應將此情形通知相關市場監督機關,並以一切可用方式並於可能範圍內,通知所投放市場之該具數位元素產品之使用者。
Block 2 · Plain language 區塊 2 · 白話解讀
The importer is the EU's gate-keeper, not the messenger 進口商是歐盟的把關人,不是傳話的
A common misreading: the importer is just a logistics counterparty who moves boxes from a port to a warehouse. Article 19 reads differently. The importer is the legal-person gate-keeper who, by placing the product on the EU market, asserts that an APAC manufacturer's compliance work is real and verifiable. That assertion carries documentation, contact, and cooperation duties spanning ten years post-placement.
Three structural points to absorb before treating Article 19 as procedural fine print.
The "ensure" verb in §2 is not casual. Art 19(2) requires importers to ensure conformity assessment is done, technical documentation is drawn up, CE marking is affixed, EU DoC and Annex II information accompany the product, and Article 13(15)(16)(19) requirements are met. The closing sentence requires importers to "be able to provide the necessary documents proving the fulfilment". This is not "trust the manufacturer's word" — this is "obtain and retain the documentary evidence". An importer who places product on the market without seeing the technical-documentation reference, the CE certificate (where applicable), and the manufacturer's contact details on the product or packaging is non-compliant under Art 19 from day one.
Vulnerability cooperation is two-way and asymmetric. Art 19(5) creates two distinct obligations on the importer once a vulnerability is known: (i) inform the manufacturer "without undue delay" — this applies to any vulnerability, regardless of severity; (ii) inform market surveillance authorities "immediately" — this applies only when the product presents a "significant cybersecurity risk". The importer is therefore both upstream-facing (alerting the manufacturer) and downstream-facing (alerting authorities) in the same incident, with different cadences. APAC manufacturers should expect their EU importers to ping them on routine vulnerability findings; an importer who only escalates significant-risk cases to the manufacturer is reading the article wrong.
Article 21 is the trap door — the moment an importer becomes a manufacturer. Article 21 (separate article) provides that an importer who places a product on the EU market under its own name or trademark, OR who carries out a substantial modification, is "considered to be a manufacturer" and assumes Articles 13 and 14 in full. A common APAC-EU pattern: APAC ODM ships unbranded product, EU importer applies its own brand, then sells. Under Art 21 + Art 19 read together, that EU "importer" is actually a CRA manufacturer with all 25 paragraphs of Article 13 obligations — full conformity assessment, technical documentation, support period, vulnerability handling. The "importer" label here is a misdirect; the legal substance is "manufacturer". This is the most common cause of mis-scoped CRA programmes in APAC-to-EU supply chains.
A practical layout. The importer's documentary load is similar to but lighter than the manufacturer's: a copy of the EU DoC for 10 years (vs the manufacturer's full technical-file retention), the ability to surface technical documentation upon market-surveillance request (vs the manufacturer's continuous maintenance obligation), and the importer's own contact details on product / packaging / accompanying document (vs the manufacturer's product-identity + traceability obligation under Art 13(16) + (19)). The importer is a smaller-perimeter version of the manufacturer's documentary obligations, not a different-in-kind document set.
常見誤讀:進口商不過是把箱子從港口搬到倉庫的物流方。第 19 條的讀法不一樣。進口商是法人把關者,藉由把產品投入歐盟市場、主張 APAC 製造商的合規工作是真實的、可驗證的。這個主張帶來投入市場後 10 年內的文件、聯絡、合作義務。
把第 19 條當成程序性細則之前,三個結構性要點:
第 2 項裡的「確保」這個動詞不是隨便擺上去的。第 19(2) 條要求進口商確保 conformity assessment 已執行、技術文件已備齊、CE 標示已加上、EU Declaration of Conformity 跟附件二資訊隨附產品、且第 13(15)(16)(19) 條要求已達成。這項最後一句要求進口商「能提供證明這些事項已履行的必要文件」。這不是「相信製造商口頭說的」:這是「取得並保留書面證據」。沒看到技術文件參照、(適用時)CE 證書、產品或包裝上的製造商聯絡資訊就把產品投入市場的進口商,從第一天起就不符第 19 條。
弱點合作是雙向、不對稱的。第 19(5) 條在弱點被知悉時、給進口商加上兩項獨立義務:(i)「毫不延遲」通知製造商,這對任何弱點都適用,不論嚴重度;(ii)「立刻」通知市場監督機關,這只有產品構成「重大網路安全風險」時才適用。所以進口商在同一個事件中同時要面向上游(通知製造商)跟面向下游(通知機關),但節奏不一樣。APAC 製造商該預期歐盟進口商會就例行弱點發現向自己發出通知;只把嚴重風險案件向製造商升報的進口商,是把條文讀錯了。
第 21 條是後門,進口商變成製造商的那一刻。第 21 條(獨立條文)規定,以自己名義或商標把產品投入歐盟市場、或執行實質修改的進口商,「視同 manufacturer」並承擔完整第 13 跟 14 條義務。APAC-EU 常見型態:APAC ODM 出貨無品牌產品、歐盟進口商貼自己品牌再賣。把第 21 條跟第 19 條合著讀,那家歐盟「進口商」其實就是 CRA 意義下的製造商,要承擔第 13 條全部 25 段,完整 conformity assessment、技術文件、support period、弱點處理。「進口商」這個標籤在這裡是誤導,法律實質就是「製造商」。這是 APAC 到 EU 供應鏈中 CRA 專案範圍誤判最常見的原因。
實務面:進口商的文件負擔跟製造商類似,但比較輕:10 年保留 EU Declaration of Conformity 副本(vs. 製造商完整技術檔案保存)、能在市場監督機關請求時提供技術文件(vs. 製造商持續性維護義務)、進口商自己的聯絡資訊放在產品 / 包裝 / 隨附文件上(vs. 製造商在第 13(16)(19) 條下的產品識別 + 可追溯性義務)。進口商是製造商文件義務的「縮小版」,不是另一類完全不同的文件組。
Block 3 · APAC perspective 區塊 3 · APAC 觀點
Three contractual gaps APAC manufacturers should close with their EU importers APAC 製造商應該跟歐盟進口商補上的三個合約缺口
For APAC OEMs and ODMs without an EU subsidiary, the importer relationship is a contract relationship. Article 19's obligations sit on the importer in EU law, but practically much of the data they need to discharge those obligations comes from the APAC manufacturer. A misaligned contract leaves the EU importer non-compliant — and a non-compliant importer often translates into stopped shipments. Three contractual gaps recur in practice.
對沒有歐盟子公司的 APAC OEM 跟 ODM 來說,進口商關係就是合約關係。第 19 條義務在歐盟法上落在進口商身上,但實務上進口商履行義務需要的資料多半來自 APAC 製造商。合約沒對齊會讓歐盟進口商變不合規,不合規的進口商常常等於停止出貨。實務上反覆出現的三個合約缺口:
Documentation handover before first shipment. Art 19(2) requires the importer to verify, before placing on market, that conformity assessment was done, the technical documentation was drawn up, and CE + DoC + Annex II info accompany the product. In practice this means the APAC manufacturer needs to deliver — to the importer, before the first container ships — a documentation packet containing: (a) reference to the technical-documentation file (not the file itself, but a verifiable identifier and access path), (b) a copy of the EU DoC, (c) the Annex II user information in the EU language(s) the importer specifies, (d) photo evidence of CE marking placement on product or packaging, (e) NB certificate where the product is Class II / Critical. Many APAC ODM contracts handle CE compliance documentation as a "best efforts" deliverable; under CRA, missing one of these items is grounds for the importer to refuse placement under Art 19(3). Contracts should explicitly list these items and tie them to incoterms / delivery milestones.
首批出貨前的文件交接。第 19(2) 條要求進口商在投入市場前確認 conformity assessment 已做、技術文件已備齊、CE + DoC + 附件二資訊隨附產品。實務上代表 APAC 製造商必須在首櫃出貨前交給進口商一份文件包,含:(a) 技術文件的參照(不是檔案本身,是可驗證的識別子加存取路徑);(b) EU DoC 副本;(c) 進口商指定歐盟語言的附件二使用者資訊;(d) 產品或包裝上 CE 標示的照片證據;(e) 產品是 Class II / Critical 時的 NB certificate。很多 APAC ODM 合約把 CE 合規文件當成「盡力交付」事項;CRA 下少一項,就是進口商依第 19(3) 條拒絕投放的理由。合約應該明列這些項目,綁進 incoterms / 交期里程碑。
Vulnerability notification routing. Art 19(5) requires the importer to notify the manufacturer "without undue delay" upon vulnerability awareness. APAC manufacturers should specify the receiving channel: who in the manufacturer's organisation is the named PSIRT contact, what's the documented submission format (CVE-style report? structured email?), what's the acknowledgement SLA. Without specification, a typical importer will dump a vulnerability report to a sales contact, which lands in commercial inbox triage and may not reach engineering for days. Art 14 timer pressure on the manufacturer side — 24h early warning, 72h notification, 14-day final report for vulnerabilities (one month for severe incidents) — starts running as soon as the manufacturer becomes aware. Late delivery via a misrouted importer notification is a real risk to the timer. Contracts should mirror Art 13(15) PSIRT contact and require importers to use it.
弱點通報的路由。第 19(5) 條要求進口商一知悉弱點就「毫不延遲」通知製造商。APAC 製造商應該明訂接收管道:製造商組織內哪個人是具名的 PSIRT 聯絡人、書面提交格式是什麼(CVE 式報告?結構化 email?)、受理 SLA 是多少。沒明訂、典型進口商會把弱點報告丟到業務聯絡人,落進商業 inbox 分流,可能好幾天後才到工程那邊。製造商側的第 14 條計時壓力——24h 早期警訊、72h 通報、弱點 14 天 final report(嚴重事件 1 個月)——在製造商知悉的瞬間就開始,進口商走錯路由、通報晚到,對計時是真實風險。合約應該對應到第 13(15) 條的 PSIRT 聯絡點,並要求進口商使用。
End-of-life and manufacturer-cessation handling. Art 19(8) requires importers to inform market surveillance and users when they become aware that the manufacturer has ceased operations. For APAC ODMs, business-as-usual events (acquisition, restructuring, product-line discontinuation) often produce situations functionally equivalent to "ceased operations" from the importer's perspective. A 5-year-old product line getting dropped from the APAC factory's roster is, for the EU importer holding inventory, indistinguishable from operational cessation. Contracts should specify (a) advance notice (12 months minimum is reasonable) of any decision to discontinue support for placed-on-market products, (b) handover obligations for technical documentation if the APAC entity is dissolved or sold, (c) rights for the importer to take over support obligations directly with appropriate IP licence — this last point is critical because it converts the importer into Art 21 manufacturer status.
產品 EOL 跟製造商停業的處理。第 19(8) 條要求進口商一知悉製造商停業就通知市場監督機關跟使用者。對 APAC ODM 來說,業務上的常態事件(併購、重整、產品線停產)常常產生「在進口商眼中等同於停業」的情境。一條 5 年老產品線從 APAC 廠商型錄上被砍掉,對歐盟進口商手上的庫存來說,跟營運停業在運作上沒有區別。合約應該明訂:(a) 任何停止支援已投入市場產品的決定,至少 12 個月的預先通知;(b) APAC 主體解散或被收購時的技術文件交接義務;(c) 進口商在適當 IP 授權下直接接手支援義務的權利,最後一點關鍵,因為它會讓進口商轉成第 21 條的製造商地位。
A practical conclusion. APAC manufacturers should treat their EU importer agreements as CRA-instrument-grade contracts, not as commercial-distribution boilerplate. The importer's CRA obligations under Article 19 cannot be discharged without the manufacturer's cooperation; an importer who fails will not be able to keep placing product on the EU market, which translates directly to lost APAC revenue. Reviewing existing distributor / importer contracts for Article 19 alignment before December 2027 is operationally cheaper than discovering misalignments after enforcement begins.
實務結論:APAC 製造商應該把歐盟進口商協議當成 CRA 法定文書等級的合約,不是商業分銷的範本。第 19 條下進口商的 CRA 義務沒有製造商配合就無法履行;履行不了的進口商沒辦法繼續把產品投入歐盟市場,直接等於 APAC 營收損失。在 2027 年 12 月之前審視既有經銷商 / 進口商合約對第 19 條的對齊,比執法開始後才發現對不上、營運成本便宜得多。
Block 4 · Cross-regulation map 區塊 4 · 跨法規對照
Importer obligations across EU product regulations EU 產品法規中的進口商義務
EU product regulations follow a common importer-obligation template inherited from Decision 768/2008/EC. The same eight pre-placement / post-placement / cooperation themes appear in RED, Machinery Regulation, EMC, MDR. CRA's Article 19 mostly follows the template, with cybersecurity-specific additions to the vulnerability notification chain.
EU 產品法規遵循一個由 Decision 768/2008/EC 繼承的共通進口商義務模板。相同八個投放前 / 投放後 / 合作主題出現於 RED、機械規章、EMC、MDR。CRA 第 19 條多半遵循該模板,並針對弱點通報鏈做網路安全特定增補。
RED Directive 2014/53/EU Article 12
RED Directive 2014/53/EU Article 12
RED Directive 2014/53/EU Article 12
Conformity assessment done; technical documentation drawn up; CE marking; DoC accompanies; importer name + contact on equipment / packaging. RED has no CRA-equivalent vulnerability notification on the importer; only post-placement non-conformity reporting. CRA Article 19(5) adds explicit upstream-to-manufacturer vulnerability obligations.
符合性評鑑已做;技術文件已製備;CE 標示;DoC 隨附;進口商名稱 + 聯絡置於設備 / 包裝。 RED 對進口商無 CRA 對等的弱點通報;僅有投放後不符合性回報。CRA 第 19(5) 條加入明示的向上游製造商的弱點義務。
Machinery Regulation (EU) 2023/1230 Article 13
Machinery Regulation (EU) 2023/1230 Article 13
Machinery Regulation (EU) 2023/1230 Article 13
Conformity assessment + tech file + CE marking + DoC + safety / health information; non-conformity refusal to place; 10-year DoC retention. Machinery's "person authorised to compile technical documentation" role is separate from importer; CRA does not have this. Machinery requires permanent post-placement maintenance of safety information; CRA's vulnerability information cycle is faster (without undue delay) and more incident-driven.
符合性評鑑 + 技術檔案 + CE 標示 + DoC + 安全 / 健康資訊;不符合就拒絕投放;10 年 DoC 保存。 機械之「獲授權彙整技術文件的人」與進口商分立;CRA 無此角色。機械要求投放後永久維護安全資訊;CRA 的弱點資訊循環較快(毫不延遲)且更為事件驅動。
EMC Directive 2014/30/EU Article 8
EMC Directive 2014/30/EU Article 8
EMC Directive 2014/30/EU Article 8
Conformity assessment + tech doc + CE + DoC + non-conformity refusal; 10-year DoC retention; importer contact on apparatus. EMC importer obligations are simpler — no NB involvement at any tier (pure self-declaration), no vulnerability concept. CRA layers Class II / Critical NB-engagement onto the same template, plus vulnerability notification.
符合性評鑑 + 技術文件 + CE + DoC + 不符合就拒絕;10 年 DoC 保存;進口商聯絡置於設備。 EMC 進口商義務較簡,任何層級都無 NB 介入(純自我宣告)、無弱點概念。CRA 於相同模板上加上 Class II / Critical 的 NB 介入,加上弱點通報。
Medical Devices Regulation (EU) 2017/745 Article 13
Medical Devices Regulation (EU) 2017/745 Article 13
Medical Devices Regulation (EU) 2017/745 Article 13
Verify conformity, technical documentation, EU DoC, CE marking, UDI, IFU translation, manufacturer authorised representative; 10-year retention; report incidents and non-compliance. MDR is much heavier — UDI verification, IFU translation responsibility, post-market surveillance feedback to manufacturer. Cybersecurity is dealt with separately under MDR Annex I §17.2 + dedicated MDCG guidance. CRA does not duplicate; medical devices are out of CRA scope.
驗證符合性、技術文件、EU DoC、CE 標示、UDI、IFU 翻譯、製造商授權代表;10 年保存;通報事件與不符合性。 MDR 沉重得多,UDI 驗證、IFU 翻譯責任、向製造商的投放後市場監督回饋。網路安全於 MDR 附件一第 17.2 點 + 專屬 MDCG 指引下單獨處理。CRA 不重疊;醫療器材於 CRA 範圍外。
Reg. (EU) 2019/1020 (Market Surveillance) Article 4
Reg. (EU) 2019/1020 (Market Surveillance) Article 4
Reg. (EU) 2019/1020 (Market Surveillance) Article 4
Defines the broader "economic operator responsible for compliance" framework that CRA Article 19 sits within. Reg. 2019/1020 Article 4 enumerates four roles (manufacturer / importer / authorised representative / fulfilment service provider) any of which can be the responsible economic operator. CRA Article 19 specifies importer-specific obligations within this framework — fulfilment service provider gets a separate scope only when no other operator exists.
定義 CRA 第 19 條所處的較廣「合規負責經濟經營者」框架。 Reg. 2019/1020 第 4 條列舉四種角色(製造商 / 進口商 / 授權代表 / 履約服務提供者)中的任一者可為負責經濟經營者。CRA 第 19 條於此框架內規定進口商特定義務,履約服務提供者僅在無其他經營者存在時取得獨立範圍。