Article 2 · Regulation (EU) 2024/2847 · Chapter I
Scope
Eight paragraphs that decide whether the CRA applies to your product: sector-specific exclusions for medical devices, automotive, civil aviation and marine equipment; a carve-out for spare parts; and the national security/defence carve-out at paragraph 7.
Block 1 · Official text
What the Regulation actually says
From Regulation (EU) 2024/2847, OJ L 2024/2847 (20 Nov 2024); refer to EUR-Lex for the binding text.
1. This Regulation applies to products with digital elements made available on the market, the intended purpose or reasonably foreseeable use of which includes a direct or indirect logical or physical data connection to a device or network.
2. This Regulation does not apply to products with digital elements to which the following Union legal acts apply:
(a) Regulation (EU) 2017/745 [Medical Devices];
(b) Regulation (EU) 2017/746 [In Vitro Diagnostic Medical Devices];
(c) Regulation (EU) 2019/2144 [Motor vehicle type-approval cybersecurity].
3. This Regulation does not apply to products with digital elements that have been certified in accordance with Regulation (EU) 2018/1139 [Civil aviation].
4. This Regulation does not apply to equipment that falls within the scope of Directive 2014/90/EU [Marine Equipment].
5. The application of this Regulation to products with digital elements covered by other Union rules laying down requirements that address all or some of the risks covered by the essential cybersecurity requirements set out in Annex I may be limited or excluded where:
(a) such limitation or exclusion is consistent with the overall regulatory framework that applies to those products; and
(b) the sectoral rules achieve the same or a higher level of protection as that provided for by this Regulation.
The Commission is empowered to adopt delegated acts in accordance with Article 61 to supplement this Regulation by specifying whether such limitation or exclusion is necessary, the products and rules concerned, as well as the scope of the limitation, if relevant.
6. This Regulation does not apply to spare parts that are made available on the market to replace identical components in products with digital elements and that are manufactured according to the same specifications as the components that they are intended to replace.
7. This Regulation does not apply to products with digital elements developed or modified exclusively for national security or defence purposes or to products specifically designed to process classified information.
8. The obligations laid down in this Regulation shall not entail the supply of information the disclosure of which would be contrary to the essential interests of Member States' national security, public security or defence.
Block 2 · Plain language
Scope is the article that decides whether you have a CRA problem at all
Article 2 is the gate. Before any APAC manufacturer asks "how do we comply with CRA?", they should ask "does CRA apply to this product, in this distribution path, on this date?" Three components in Article 2 give the answer: the affirmative scope (Article 2(1)), the carve-outs to other Union law (Article 2(2)–(6)), and the substantial-modification trigger (Article 2(7)).
The affirmative scope is broader than "connected products". Article 2(1) covers any PwDE (product with digital elements) "the intended purpose or reasonably foreseeable use of which includes a direct or indirect logical or physical data connection to a device or network". "Indirect" is the dangerous word. A product that connects only to a paired smartphone, which in turn connects to the internet, is in scope via the indirect connection. A USB stick that carries firmware updates from one machine to another is in scope. "Air-gapped" is not a CRA defence if the air gap is bridged by intended use.
Three full carve-outs by Union legal act. Article 2(2) excludes products covered by MDR (medical devices, Reg 2017/745), IVDR (in vitro diagnostic, Reg 2017/746), and motor vehicle type-approval cybersecurity (Reg 2019/2144). Article 2(3) excludes civil aviation products certified under Reg 2018/1139. Article 2(4) excludes marine equipment under Directive 2014/90/EU. These carve-outs are categorical — if your product is governed by these regimes, CRA does not apply. The carve-outs are by Union legal act, not by industry vertical, so a connected medical wearable that is not a medical device under MDR (e.g., a wellness tracker) is back in CRA scope.
Spare parts, services and security research carve-outs. Article 2(5) excludes spare parts that replace identical components and are manufactured to the same specifications as the components they replace. Article 2(6) excludes "non-commercial activity": security research, hobby development, and FOSS development outside a commercial activity. The Commission's guidance (published draft, 2026) elaborates the FOSS scope further: legal persons can be software stewards (Article 24); natural persons cannot. Free hobby projects stay outside the CRA; FOSS distributed by a foundation or company is potentially in scope.
Substantial modification re-triggers scope. Article 2(7): a PwDE on the market before the CRA application date is generally not retroactively in scope, except where a substantial modification (Article 3(30)) is made on or after the application date. A product launched in 2026 that gets a major firmware update in 2028 changing its functionality or risk profile comes into scope from that update onwards. "Old products" don't stay old forever.
Block 3 · APAC perspective
Scope analysis for APAC product portfolios
Most APAC manufacturers do scope analysis incorrectly the first time. The instinct is to ask "is this a connected product?". The correct question is "by what intended purpose or reasonably foreseeable use does this product contain a data connection?" — and then to walk through each carve-out by Union legal act.
A working scope analysis template that Taiwan / Japan / Korea OEM/ODMs can use:
| Question | If yes | If no |
|---|---|---|
| Q1. Does the product contain hardware or software, or remote data processing solutions designed by the manufacturer? | PwDE candidate, continue | Out of scope |
| Q2. Is a direct or indirect data connection part of the intended use or reasonably foreseeable use? | In affirmative scope, continue | Out of scope (rare for modern products) |
| Q3. Is the product covered by the MDR / IVDR / motor vehicle / civil aviation / marine equipment regimes? | CRA carve-out; those regimes apply | Continue |
| Q4. Is it an identical replacement spare part? | Out of scope (Article 2(5)) | Continue |
| Q5. Is the placing on the market a non-commercial activity? | Out of scope (Article 2(6)) | In CRA scope |
Common scope mistakes APAC manufacturers make: (a) treating products with offline-only firmware updates via USB as out of scope (the USB connection counts as indirect data connection); (b) assuming a smart-home device sold by an EU brand owner is the brand owner's problem, not the ODM's (correct in some structures, wrong in others — depends on Article 21/22 trigger); (c) thinking medical wellness trackers are in MDR carve-out (only true if they meet MDR's medical device definition; pure consumer wellness products are not).
A practical observation about Article 2(7) substantial modification — for APAC ODMs that ship long-life industrial products, the substantial modification trigger is operationally more important than the day-zero scope analysis. A product made before 11 Dec 2027 may stay outside CRA — until it gets its first major firmware update afterwards. The result: APAC manufacturers should treat any future firmware update on a pre-2027 SKU as a scope-evaluation event. "Pre-CRA legacy" is not a permanent status.
Block 4 · Cross-regulation map
CRA scope against the EU regulatory grid
CRA Article 2 carves around five other Union legal acts. Knowing where the lines are matters more than knowing the contents: APAC manufacturers usually have one or two products straddling the lines.
MDR 2017/745 — full carve-out for medical devices
Connected medical devices that meet MDR's definition of "medical device" follow MDR exclusively for cybersecurity. MDCG 2019-16 provides MDR-side cybersecurity guidance and is the working benchmark. The carve-out is by classification under MDR, not by physical resemblance — wellness wearables that don't make medical claims are not MDR devices and stay in CRA scope. APAC manufacturers with a portfolio including both fitness trackers and oxygen meters need to map each SKU separately.
UN R155 / R156 — motor vehicle cybersecurity carve-out
Reg 2019/2144 implements UN R155 (cybersecurity management system) and R156 (software update management) for type-approval. Cars sold in the EU follow R155/R156 + ISO 21434 framework, not CRA. Tier 1/2 automotive component suppliers face a complicated reality: components shipped only into automotive supply chains are CRA-carved-out; the same component shipped into industrial markets falls in CRA scope. APAC Tier 2 chip vendors selling into both automotive and industrial markets need parallel compliance tracks.
RED Delegated Act 2022/30 — overlap, not carve-out
RED-DA cybersecurity essential requirements (since 1 Aug 2025) and CRA stack — they do not carve each other out. A Wi-Fi router faces both: RED-DA Article 3(3)(d), (e), (f) for radio-spectrum-related cybersecurity, CRA Annex I for general cybersecurity. The harmonised standards EN 18031 series serve both regimes. APAC ICT exporters with radio products run a single technical conformity exercise that satisfies both — provided the EU DoC and technical documentation cover both regulatory references.
EU AI Act 2024/1689 — overlap, complementary
AI Act Article 2 covers AI systems regardless of whether they are PwDE. CRA covers PwDE regardless of whether they include AI. A product bundling high-risk AI under PwDE — say, an AI-powered industrial defect detection camera — falls under both regimes. AI Act Article 8 explicitly says compliance with applicable Union harmonisation legislation (which includes CRA) is a precondition for AI Act conformity. APAC manufacturers should not run AI Act compliance and CRA compliance as fully independent tracks — the AI Act conformity assessment can leverage CRA conformity work.
GPSR 2023/988 — residual safety, not carved out
GPSR is the catch-all consumer product safety regulation. CRA Article 11 explicitly carves cybersecurity-related risks out of GPSR (CRA takes precedence on cybersecurity); GPSR remains in force for non-cybersecurity safety risks of the same product. A consumer connected device faces both: CRA for cybersecurity, GPSR for everything else (chemical safety, electrical safety, mechanical safety beyond LVD/EMC scope). The same market surveillance authority typically enforces both.