Article 20 Regulation (EU) 2024/2847 · Chapter II 法規 (EU) 2024/2847 · 第二章
Distributors — the lighter perimeter, the same trap door 通路,較輕的邊界、相同的活門
A distributor is, in CRA terms, anyone in the EU supply chain other than the manufacturer or importer who makes a product with digital elements available on the market. Article 20's six paragraphs assign a thinner verification load than Article 19 — visible attributes (CE marking, manufacturer / importer paperwork) rather than direct conformity assessment review. The thinner load is also why Article 21's "manufacturer-by-modification" trap door applies just as forcefully to distributors as to importers. 於 CRA 用語上,通路是指歐盟供應鏈中除製造商或進口商以外、將具數位元素產品提供於市場上的任何人。第 20 條之六段所派的驗證負載比第 19 條輕,可見屬性(CE 標示、製造商 / 進口商書面文件)而非直接審查符合性評鑑。較輕的負載也是為何第 21 條「經修改而成製造商」的活門對通路與對進口商一樣有力。
Block 1 · Official text 區塊 1 · 官方條文
What the Regulation actually says 條文實際怎麼寫
Source. Consolidated text from Regulation (EU) 2024/2847, Article 20, as published in OJ L 2024/2847, 20 November 2024. Translation is unofficial; refer to EUR-Lex for binding text. 來源。條文自《法規 (EU) 2024/2847》第 20 條整合文本,發布於 OJ L 2024/2847,2024 年 11 月 20 日。中文為非官方翻譯。
Due care + pre-availability checks (¶ 1 – 2) 盡職注意 + 提供前檢查(第 1 – 2 項) ¶ 1 – 2
1. When making a product with digital elements available on the market, distributors shall act with due care in relation to the requirements set out in this Regulation.
1. 經銷商於將具數位元素產品提供於市場上時,應就本法規所定要求盡職注意。
2. Before making a product with digital elements available on the market, distributors shall verify that:
2. 經銷商於將具數位元素產品提供於市場前,應驗證:
(a) the product with digital elements bears the CE marking;
(a) 該具數位元素產品攜有 CE 標示;
(b) the manufacturer and the importer have complied with the obligations set out in Article 13(15), (16), (18), (19) and (20) and Article 19(4), and have provided all necessary documents to the distributor.
(b) 製造商與進口商已遵循第 13(15)、(16)、(18)、(19) 與 (20) 條與第 19(4) 條所定義務,並已將所有必要文件提供予經銷商。
Cross-reference inventory for §2(b): Art 13(15) = manufacturer's PSIRT contact for vulnerability reporting; Art 13(16) = product type / batch / serial / version identification; Art 13(18) = user information per Annex II; Art 13(19) = manufacturer's name + contact on product / packaging; Art 13(20) = EU DoC accompanying or web link; Art 19(4) = importer's name + contact on product / packaging. Art 20(2)(b) is therefore a six-fingered visible-attributes checklist that the distributor can perform without examining technical documentation.
§2(b) 之引用清單:第 13(15) 條 = 製造商弱點通報之 PSIRT 聯絡人;第 13(16) 條 = 產品型式 / 批號 / 序號 / 版本識別;第 13(18) 條 = 附件二之使用者資訊;第 13(19) 條 = 製造商名稱 + 聯絡資訊置於產品 / 包裝;第 13(20) 條 = EU DoC 隨附或網址連結;第 19(4) 條 = 進口商名稱 + 聯絡資訊置於產品 / 包裝。因此第 20(2)(b) 條是經銷商不需審查技術文件即可執行之六指可見屬性檢查清單。
Non-conformity refusal + significant-risk escalation (¶ 3) 不符合拒絕 + 重大風險升報(第 3 項) ¶ 3
3. Where a distributor considers or has reason to believe, on the basis of information in its possession, that a product with digital elements or the processes put in place by the manufacturer are not in conformity with the essential cybersecurity requirements set out in Annex I, the distributor shall not make the product with digital elements available on the market until that product or the processes put in place by the manufacturer have been brought into conformity with this Regulation. Furthermore, where the product with digital elements poses a significant cybersecurity risk, the distributor shall inform, without undue delay, the manufacturer and the market surveillance authorities to that effect.
3. 經銷商基於其所持資訊認為或有理由相信具數位元素產品、或製造商所建立之流程不符合附件一所定基本網路安全要求時,於該產品或流程符合本法規前不得將該具數位元素產品提供於市場。再者,當該具數位元素產品構成重大網路安全風險時,經銷商應毫不延遲地通知製造商與市場監督機關。
Post-availability corrective duties + vulnerability cooperation (¶ 4) 提供後矯正義務 + 弱點合作(第 4 項) ¶ 4
4. Distributors who know or have reason to believe, on the basis of information in their possession, that a product with digital elements, which they have made available on the market, or the processes put in place by its manufacturer are not in conformity with this Regulation shall make sure that the corrective measures necessary to bring that product with digital elements or the processes put in place by its manufacturer into conformity, or to withdraw or recall the product, if appropriate, are taken. Upon becoming aware of a vulnerability in the product with digital elements, distributors shall inform the manufacturer without undue delay about that vulnerability. Furthermore, where the product with digital elements presents a significant cybersecurity risk, distributors shall immediately inform the market surveillance authorities of the Member States in which they have made the product with digital elements available on the market to that effect, giving details, in particular, of the non-compliance and of any corrective measures taken.
4. 經銷商基於其所持資訊知悉或有理由相信其已提供於市場之具數位元素產品、或製造商所建立之流程不符合本法規時,應確保已採取必要矯正措施使該具數位元素產品或製造商所建立之流程符合本法規、或於適當時撤回、召回該產品。經銷商於知悉產品中之弱點時,應毫不延遲地通知製造商。再者,當該具數位元素產品構成重大網路安全風險時,經銷商應立即通知其於該等會員國內已提供該產品之市場監督機關,特別載明不符合性與所採取之矯正措施。
Cooperation + manufacturer-cessation handling (¶ 5 – 6) 合作 + 製造商停業處理(第 5 – 6 項) ¶ 5 – 6
5. Distributors shall, further to a reasoned request from a market surveillance authority, provide all the information and documentation, in paper or electronic form, necessary to demonstrate the conformity of the product with digital elements and the processes put in place by its manufacturer with this Regulation in a language that can be easily understood by that authority. They shall cooperate with that authority, at its request, on any measures taken to eliminate the cybersecurity risks posed by a product with digital elements which they have made available on the market.
5. 經市場監督機關書面合理請求,經銷商應以該機關易於理解之語言,提供所有必要之資訊與文件(紙本或電子形式皆可),以證明該具數位元素產品與製造商所建立之流程符合本法規。經銷商應於該機關請求時,配合所採取以消除其提供於市場之具數位元素產品所構成網路安全風險之任何措施。
6. Where the distributor of a product with digital elements becomes aware, on the basis of information in its possession, that the manufacturer of that product has ceased its operations and, as result, is not able to comply with the obligations laid down in this Regulation, the distributor shall inform, without undue delay, the relevant market surveillance authorities about this situation, as well as, by any means available and to the extent possible, the users of the products with digital elements placed on the market.
6. 具數位元素產品之經銷商基於其所持資訊知悉該產品之製造商已停止營運、因而無法履行本法規所定義務時,經銷商應毫不延遲地將此情形通知相關市場監督機關,並以一切可用方式並於可能範圍內,通知所投放市場之該具數位元素產品之使用者。
Block 2 · Plain language 區塊 2 · 白話解讀
A visible-attributes check, not a conformity audit 檢查看得見的屬性,不是做合規稽核
Article 20 deliberately keeps distributor obligations narrow and visible. A distributor cannot reasonably be expected to evaluate whether a manufacturer's vulnerability handling processes meet Annex I Part II — that requires technical-file access and is what notified bodies do under Annex VIII Modules B+C / H. Instead, Article 20(2)'s checklist is built around what a distributor can verify by looking at the product, the packaging, and the documents the manufacturer / importer hands them.
第 20 條刻意把通路義務保持在窄而可見的範圍內。你不能合理期望通路去評估製造商的弱點處理流程是否符合附件一第二部分,那需要技術檔案的存取權,是指定機構在附件八 Module B+C / H 下做的事。第 20(2) 條的檢查清單建立在「通路靠檢視產品、包裝、製造商 / 進口商交付的文件就能驗證」的事項上。
Compare distributor pre-availability checks against importer pre-placement checks side by side.
把通路在「提供前」做的檢查、跟進口商在「投入市場前」做的檢查並排比較:
| Check檢查 | Importer (Art 19(2))進口商(第 19(2) 條) | Distributor (Art 20(2))通路(第 20(2) 條) |
|---|---|---|
| Conformity assessment was carried out符合性評鑑已執行 | ✓ Required | — |
| Technical documentation was drawn up技術文件已製備 | ✓ Required | — |
| CE marking presentCE 標示存在 | ✓ Required | ✓ Required (§2(a)) |
| EU DoC + Annex II info accompany productEU DoC + 附件二資訊隨附產品 | ✓ Required | — (covered indirectly by §2(b) Art 13(20)) |
| Manufacturer + importer compliance with §13(15)(16)(18)(19)(20) + §19(4)製造商 + 進口商遵循第 13(15)(16)(18)(19)(20) + 19(4) 條 | — (§13(15)(16)(19) only) | ✓ Required (§2(b)) |
| Documentary evidence provided to distributor書面證據提供予通路 | — | ✓ Required (§2(b) trailing clause) |
Three structural points worth absorbing.
三個結構性要點值得抓住:
-
"Due care" in §1 is not a meaningless preamble. Some distributors read Art 20(1) as a soft introduction that is fully discharged by the §2 checklist. That reading underestimates §1. "Act with due care in relation to the requirements" extends beyond the §2 visible-attributes list and includes things like: not stocking products from manufacturers known to be non-compliant, not turning a blind eye to obvious tampering of CE markings, not continuing to supply when public information about a vulnerability is widely available even before the manufacturer formally notifies. A distributor that mechanically passes the §2 checklist while ignoring contextual non-compliance signals is not satisfying §1. Market surveillance authorities can — and in practice will — read §1 as the catch-all that fills the gaps in §2.
第 1 項的「盡職注意」不是沒意義的前言。有些通路把第 20(1) 條讀成「§2 檢查清單做完就履行了」的軟性引言。這種讀法低估了 §1。「就要求盡職注意」延伸超出 §2 可見屬性清單,包含:不販售已知不合規製造商的產品;CE 標示明顯被竄改不能視而不見;即使製造商還沒正式通知,弱點的公開資訊已經廣為可得時不能繼續供貨。機械式跑完 §2 檢查清單、卻忽略脈絡上的不合規訊號的通路,沒滿足 §1。市場監督機關可以,而且實務上會,把 §1 讀為填補 §2 缺口的概括條款。
-
The vulnerability cooperation chain in §4 is shorter than the importer's. Art 19(5) requires importers to inform the manufacturer "without undue delay" on any vulnerability and inform market surveillance "immediately" only on significant cyber risk. Art 20(4) does the same for distributors — same two-track cadence, same triggers. But Art 20(4) does not have an Art 19(7) equivalent — distributors are not specifically required to provide demonstrative documentation to surveillance authorities upon reasoned request beyond what §5 already covers. This is consistent with the lighter-perimeter design: distributors are visibility points and notification relays, not custodians of compliance documentation.
§4 的弱點合作鏈比進口商的短。第 19(5) 條要求進口商在任何弱點時「毫不延遲」通知製造商,只在嚴重網路風險時「立刻」通知市場監督機關。第 20(4) 條對通路是一樣的,同樣的雙軌節奏、同樣的觸發要件。但第 20(4) 條沒有第 19(7) 條的對等項:通路在 §5 已涵蓋的範圍之外,不會被具體要求在合理請求時向監督機關提供舉證文件。這跟「較輕邊界」的設計一致:通路是可見性點跟通知轉達者,不是合規文件的保管者。
-
Article 21 is identical in force for distributors and importers. Article 21 (separate from Art 20) provides that "an importer or distributor shall be considered to be a manufacturer... where that importer or distributor places a product with digital elements on the market under its name or trademark or carries out a substantial modification". For distributors, this matters in three common patterns: (i) re-branding — the distributor sells under its own house brand instead of the manufacturer's; (ii) bundle modification — the distributor ships a bundle (e.g. router + extender) where the bundling itself constitutes substantial modification; (iii) firmware customisation — the distributor flashes its own firmware before resale. In all three, the distributor is no longer governed by the lighter Article 20 perimeter — it is fully under Article 13 + 14 with all 25 paragraphs of manufacturer obligations and the conformity-assessment routing of Article 32. This applies equally to brick-and-mortar retailers, online resellers, and operating-systems vendors that ship hardware with their own OS images.
第 21 條對通路跟進口商的效力是一樣的。第 21 條(跟第 20 條分立)規定:「進口商或通路在以自己名義或商標把具數位元素產品投入市場、或執行實質修改時,視同 manufacturer」。對通路來說,這在三種常見型態下實務意義很大:(i) 換貼品牌,通路用自家品牌、不是製造商品牌販售;(ii) 套件修改,通路出貨套件(例如 router + extender)時,套件組合本身構成實質修改;(iii) 韌體客製,通路在再販前燒進自家韌體。三種狀況下,通路就不再受較輕的第 20 條邊界規範,而是在第 13 + 14 條下承擔完整 25 段製造商義務、再加上第 32 條的 conformity assessment 路徑。這對實體零售商、線上經銷商、出貨自家 OS 映像給硬體的作業系統供應商,全部適用。
A practical conclusion. Article 20 looks like the lightest of the economic-operator obligations, and within its perimeter it genuinely is. The risk does not come from Article 20 itself — it comes from misjudging when Article 21 turns the distributor into a manufacturer. A distributor that runs a §2 checklist correctly, performs §4 vulnerability cooperation, and never modifies or rebrands the product is on solid ground. A distributor that does any of those manufacturer-style activities without Article 21 awareness is exposed to the full Article 13 weight without having designed for it.
實務結論:第 20 條看起來是經濟經營者義務中最輕的,在它自己的邊界內確實如此。風險不是來自第 20 條本身,是來自誤判第 21 條什麼時候會把通路變成製造商。確實執行 §2 檢查清單、做好 §4 弱點合作、從不修改或換貼品牌的通路,立足點穩固。執行了任何上述製造商式活動、卻沒有第 21 條意識的通路,會在沒準備的情況下,暴露在完整第 13 條重量之下。
Block 3 · APAC perspective 區塊 3 · APAC 觀點
Where APAC manufacturers' supply chains tend to trip Article 21 APAC 製造商供應鏈最容易絆倒第 21 條的地方
For APAC manufacturers, Article 20 itself rarely creates direct compliance load — APAC ODMs and OEMs are not usually distributors in the EU sense. The article matters because of what it tells the EU side of the supply chain about the upstream documentation flow APAC manufacturers must reliably feed. Three patterns recur where the Article 20 / Article 21 boundary becomes operationally tense.
對 APAC 製造商來說,第 20 條本身很少直接產生合規負擔,APAC ODM 跟 OEM 通常不是歐盟意義上的通路。這條重要的地方是它告訴歐盟側供應鏈:APAC 製造商必須可靠餵進去的上游文件流長什麼樣。第 20 / 21 條邊界在運作上會繃緊的三種型態,會反覆出現:
White-label and ODM-as-distributor patterns. An APAC ODM ships unbranded product to a European company; the European company applies its own brand to the chassis and resells. Under Art 21, that European "buyer" is treated as a CRA manufacturer for the rebranded product — full Article 13 + 14 obligations apply, not Article 20. From the APAC ODM's contractual perspective, this means: (i) the technical documentation handed to the European buyer must be sufficient for them to take on manufacturer-level CRA obligations, not just distributor-level; (ii) liability allocation in the contract should reflect that the European buyer is the CRA-recognised manufacturer and bears Art 13 + 14 weight, not the APAC ODM; (iii) the APAC ODM is not the EU-side CRA manufacturer in the legal sense, but its commercial reputation is bound up with the rebranded product's compliance — operational quality discipline matters even when CRA legal exposure is on the European partner. This is the most common APAC mismodel of CRA in white-label arrangements.
白牌跟 ODM-as-distributor 型態。APAC ODM 出貨無品牌產品給歐洲公司;歐洲公司在機殼貼自家品牌再販售。在第 21 條下,這家歐洲「買方」就換貼品牌的產品來說會被視同 manufacturer,完整第 13 跟 14 條義務適用,不是第 20 條。從 APAC ODM 的合約視角看,這代表:(i) 交給歐洲買方的技術文件,必須足以讓他們承擔製造商層級的 CRA 義務,不能只是通路層級;(ii) 合約中的責任分配應該反映「歐洲買方是 CRA 認定的製造商、承擔第 13 跟 14 條重量」,而不是 APAC ODM;(iii) APAC ODM 在法律意義上不是歐盟側 CRA 製造商,但商業聲譽跟那個換貼品牌產品的合規綁在一起,即使 CRA 法律暴險落在歐洲合作方,營運品質紀律還是重要的。這是白牌安排中 APAC 對 CRA 最常見的錯誤慣性思維。
Online marketplace operator pattern. Whether a marketplace operator is a distributor under Art 20 depends on whether they make products "available on the market" — a fact-finding exercise rather than self-declaration. A marketplace that operates a fulfilment service (warehousing inventory, shipping on the merchant's behalf, processing returns) is functionally closer to a distributor than a marketplace that simply lists third-party sellers' offers without taking custody. Reg. (EU) 2019/1020 Article 4 also designates fulfilment service providers as potential responsible economic operators where no manufacturer / importer / authorised representative is established in the EU. APAC manufacturers selling cross-border directly into EU through marketplaces should not assume the marketplace neutralises CRA exposure — the marketplace may itself become a distributor under Art 20 or even a fulfilment-service-provider under Reg 2019/1020 Art 4(2)(d), and may push obligations back to the APAC manufacturer through marketplace terms-of-service.
線上市集營運者型態。市集營運者是不是第 20 條下的通路,取決於它是不是把產品「提供在市場上」:這是事實調查的事,不是自我宣告。提供履約服務的市集(倉儲、代商家出貨、處理退貨)功能上比單純列出第三方賣家報價、不接手產品的市集更接近通路。Reg. (EU) 2019/1020 第 4 條也指定:當歐盟內沒有製造商 / 進口商 / 授權代表設立時,履約服務提供者是潛在的負責經濟經營者。透過市集跨境直銷到歐盟的 APAC 製造商,不應該假設市集會中和 CRA 暴險,市集本身可能在第 20 條下變成通路、甚至在 Reg 2019/1020 第 4(2)(d) 條下變成履約服務提供者,而且可能透過市集服務條款把義務推回 APAC 製造商。
Bundling and pre-loaded customisation by EU distributors. APAC ODMs that ship to EU distributors who then bundle products (e.g. router + Wi-Fi extender + access point as a single SKU), or pre-load distributor-supplied firmware images, or pre-configure devices for specific operator networks before resale — all of these can constitute "substantial modification" under Art 3(41). The bundle / preload / preconfigure activity converts the distributor into an Art 21 manufacturer for the modified product. Two practical implications for APAC manufacturers: (i) the contract with the EU distributor should clarify whether bundling / preloading / preconfiguring will occur and, if so, that the distributor takes on Art 13 + 14 obligations for the modified version; (ii) the technical documentation and risk assessment provided by the APAC manufacturer typically applies only to the unbundled / unmodified product and does not cover the bundle as a whole — the EU distributor's Art 21 manufacturer status means they need their own technical documentation for the bundle.
歐盟通路的套件組合跟預載客製。APAC ODM 出貨給歐盟通路,後者把產品組合起來(例如 router + Wi-Fi extender + access point 變成一個 SKU)、或預載通路提供的韌體映像、或在再販前針對特定電信業者網路預組態裝置,這些都可能構成第 3(41) 條下的「substantial modification」。套件 / 預載 / 預組態活動會讓通路就修改後產品變成第 21 條的製造商。對 APAC 製造商的兩個實務意涵:(i) 跟歐盟通路的合約應該釐清是否會發生套件 / 預載 / 預組態,如果會,通路要就修改版本承擔第 13 跟 14 條義務;(ii) APAC 製造商提供的技術文件跟風險評估通常只適用於未組合 / 未修改的產品,不涵蓋整個套件,歐盟通路的第 21 條製造商地位代表他們必須就套件擁有自己的技術文件。
A practical conclusion. Article 20 itself is light. Article 21 is where attention should focus. APAC manufacturers should map their EU supply chain end-to-end and identify every node where rebranding, bundling, preloading, or substantial modification occurs. At each such node, the entity performing the activity is the Art 21 CRA manufacturer for the modified product, and the upstream APAC entity is one step removed in the legal chain. Documenting these nodes and reflecting them in supply contracts converts an Article 21 surprise into an Article 20 + Article 21 pre-planned allocation.
實務結論:第 20 條本身很輕。第 21 條才是注意力該聚焦的地方。APAC 製造商應該端到端把歐盟供應鏈畫出來,辨識出每一個發生換貼品牌、套件組合、預載、或 substantial modification 的節點。在每一個這樣的節點上,執行該活動的實體就是修改後產品的第 21 條 CRA 製造商,上游 APAC 實體在法律鏈上往後退一步。把這些節點書面化、在供貨合約中反映出來,可以把第 21 條的意外,轉成第 20 + 21 條的預先規劃分配。
Block 4 · Cross-regulation map 區塊 4 · 跨法規對照
Distributor obligations across EU product regulations EU 產品法規中的通路義務
EU product regulations follow a common distributor-obligation template: visible-attributes check before making available + non-conformity refusal + post-availability cooperation + identification on supply. CRA Art 20 fits this template; the cybersecurity-specific add is the §4 vulnerability cooperation chain.
EU 產品法規遵循共通通路義務模板:提供前可見屬性檢查 + 不符合就拒絕 + 提供後合作 + 供應上的識別。CRA 第 20 條符合此模板;網路安全特定增補為 §4 弱點合作鏈。
RED Directive 2014/53/EU Article 13
RED Directive 2014/53/EU Article 13
RED Directive 2014/53/EU Article 13
CE marking present; required documents accompanied; manufacturer + importer marked; due care. RED has no §4 vulnerability cooperation. Distributor's role under RED is purely product-conformity-visible; CRA adds the cyber-incident notification dimension.
CE 標示存在;所需文件隨附;製造商 + 進口商標示;盡職注意。 RED 無 §4 弱點合作。RED 下通路角色純為產品可見符合性;CRA 增加網路事件通報維度。
Machinery Regulation (EU) 2023/1230 Article 14
Machinery Regulation (EU) 2023/1230 Article 14
Machinery Regulation (EU) 2023/1230 Article 14
CE + DoC + manufacturer/importer info + safety/health information; non-conformity refusal; cooperation with surveillance. Machinery requires distributors to take account of safety information specifically; CRA's analogue is more incident-driven (vulnerability awareness triggers immediate notification cycle, not safety-information stewardship).
CE + DoC + 製造商 / 進口商資訊 + 安全 / 健康資訊;不符合就拒絕;與監督合作。 機械要求通路具體考慮安全資訊;CRA 的對等項更為事件驅動(弱點知悉觸發立就通報循環,非安全資訊的保管)。
Reg. (EU) 2019/1020 (Market Surveillance) Article 4
Reg. (EU) 2019/1020 (Market Surveillance) Article 4
Reg. (EU) 2019/1020 (Market Surveillance) Article 4
Defines responsible economic operator hierarchy: manufacturer / importer / authorised rep / fulfilment service provider. Distributors are NOT in this list — they sit downstream. A distributor under CRA Art 20 is not the "responsible economic operator" under Reg 2019/1020. The two roles overlap operationally but legally a distributor's CRA Art 20 obligations sit alongside, not within, Reg 2019/1020 Art 4 framework.
定義負責經濟經營者層級:製造商 / 進口商 / 授權代表 / 履約服務提供者。通路不在此清單,其位於下游。 CRA 第 20 條下的通路非 Reg 2019/1020 下之「負責經濟經營者」。兩角色於運作上重疊但於法律上通路的 CRA 第 20 條義務並列於 Reg 2019/1020 第 4 條框架旁、非框架內。
Reg. (EU) 2023/988 (General Product Safety) Article 12
Reg. (EU) 2023/988 (General Product Safety) Article 12
Reg. (EU) 2023/988 (General Product Safety) Article 12
Distributors must verify product safety, refuse non-safe products, cooperate with surveillance, manage recalls. Applies to consumer products generally, not just electronic. GPSR is the sibling regulation for non-cyber product safety. A consumer PwDE that is also subject to GPSR is governed by both regimes simultaneously — distributors face overlapping (not duplicate) obligations on the same product.
通路須驗證產品安全、拒絕不安全產品、與監督合作、管理召回。一般適用於消費性產品,不只電子。 GPSR 是非網路產品安全的姊妹法規。同時受 GPSR 規範的消費性 PwDE 同時受兩制度管轄,通路於同一產品面對重疊(非重複)義務。
RED + GPSR + CRA stacking for consumer IoT
RED + GPSR + CRA stacking for consumer IoT
RED + GPSR + CRA stacking for consumer IoT
A consumer-IoT distributor (e.g. retailer of a Wi-Fi smart speaker) faces RED Art 13 (radio compliance), GPSR Art 12 (general safety), and CRA Art 20 (cybersecurity). All three regimes apply. The distributor's checklist becomes additive: visible-attributes for radio, visible-attributes for general safety, visible-attributes for cybersecurity. The triggering vulnerability / incident reporting chains are separate (RED has none in distributor's scope; GPSR escalates to safety surveillance; CRA escalates to cyber market surveillance).
消費性 IoT 通路(如 Wi-Fi 智慧音箱的零售商)面對 RED 第 13 條(無線電合規)、GPSR 第 12 條(一般安全)、與 CRA 第 20 條(網路安全)。 三制度都適用。通路檢查清單變為加成式:無線電可見屬性、一般安全可見屬性、網路安全可見屬性。觸發弱點 / 事件通報鏈分立(RED 於通路範圍內無;GPSR 升報至安全監督;CRA 升報至網路市場監督)。