CRA Notebook
Working note — actively evolving, may be revised. See /errata for change log.

Article 21 · Regulation (EU) 2024/2847 · Chapter II

Cases where importer or distributor becomes manufacturer

Re-branding or substantial modification turns an importer or distributor into a manufacturer for CRA purposes. Article 13 and Article 14 obligations follow them, not the original manufacturer.

Paragraphs: 1
Applies from: 11 Dec 2027
Primary audience: Importers · Distributors · Brands
Last reviewed: 2026-04-26
Status: Working

Block 1 · Official text

What the Regulation actually says

From Regulation (EU) 2024/2847, OJ L 2024/2847 (20 Nov 2024). Translation unofficial; refer to EUR-Lex for binding text.

An importer or distributor shall be considered to be a manufacturer for the purposes of this Regulation and shall be subject to Articles 13 and 14, where that importer or distributor places a product with digital elements on the market under its name or trademark or carries out a substantial modification of a product with digital elements already placed on the market.

Block 2 · Plain language

When you buy a product and become its manufacturer

Article 21 is the article that re-writes commercial relationships in the white-label and OEM/ODM economy. It says: an importer or distributor that places PwDE on the market under their own name or trade mark, or that substantially modifies a PwDE already placed on the market, becomes the manufacturer for CRA purposes. All Article 13 design obligations and all Article 14 reporting obligations follow them — not the original manufacturer.

Two trigger paths, very different operationally.

  1. Re-branding trigger. If a German distributor takes a Taiwan-made router from a generic ODM, slaps their own brand on it, and sells it under "Brand X by GermanCo", GermanCo is now the CRA manufacturer. They inherit Article 13(1)–(11) — design conformity, technical documentation, vulnerability handling — even though they did not design or build the router. Practical consequence: white-label as a business model gets significantly more expensive under CRA.

  2. Substantial modification trigger. Article 3(30) defines substantial modification — change to functionality, security, or risk profile after a product has been placed on the market that the original manufacturer did not anticipate. A Polish distributor that takes a Korean industrial gateway and installs custom firmware that adds new network functions before reselling, has substantially modified the gateway. The Polish distributor is now the CRA manufacturer for the modified gateway. (Note: if the same fact pattern were performed by a system integrator or other third party rather than a distributor, the pathway would be Article 22, not Article 21 — see Article 22 for that case.)

  3. The transfer of obligations is total, not partial. Article 21 does not say "you take on some of the manufacturer's duties". It says you become the manufacturer. Full Article 13 + Article 14 stack. CE marking with your own name. EU DoC issued by you. Technical documentation kept by you. Annex I cybersecurity requirements verified by you. PSIRT and Article 14 reporting under your name to ENISA.

  4. Original manufacturer is not off the hook for products it placed on the market. Article 21 does not retroactively erase the original manufacturer's obligations for the original product. If GermanCo re-brands a Taiwan ODM router, the Taiwan ODM still has Article 13 obligations for any router it places on the market under its own original name. Article 21 only shifts duties for the re-branded SKU.

Block 3 · APAC perspective

How Article 21 reshapes the APAC ODM business

Article 21 is the single most consequential CRA article for Taiwan's ODM business model. Taiwan's ICT export industry runs on white-label production: Quanta, ASRock, Wistron, Inventec, Compal, MiTAC, Foxconn build for global brands. The traditional contract structure says the brand owner is the customer; the brand owner sells under their own name; the ODM is the supplier in the background. Article 21 shifts the regulatory weight onto the brand owner — but it also creates a derivative pressure on the ODM.

The derivative pressure: brand owners now demand CRA-ready ODM deliverables. SBOM, Annex I cybersecurity evidence, vulnerability handling artefacts, technical documentation in EU-acceptable form. The ODM contract is no longer just "deliver hardware"; it is "deliver hardware + the compliance evidence pack the brand owner needs to be a CRA manufacturer". Taiwan ODMs that don't adapt see brand owners route to ODMs that do.

Three Article 21 scenarios that APAC ODMs and brand owners need to map.

| Scenario | Who is the CRA manufacturer | Operational consequence |
| --- | --- | --- |
| Pure white-label: Taiwan ODM ships unbranded; EU brand owner re-brands and sells. | EU brand owner (Article 21). | Brand owner needs full Article 13 + Article 14 stack. ODM provides evidence pack but is not the legal manufacturer in EU. |
| Co-brand / endorsement: Taiwan ODM brand visible alongside EU brand on product (e.g., "Powered by [Taiwan ODM]"). | Ambiguous — depends on which name appears "as the manufacturer" on the product. The placing-on-market party is decisive. | Contract must clearly state which party is the CRA manufacturer. Default to the EU placing-on-market party unless explicitly otherwise. |
| ODM original brand: Taiwan ODM places product in EU under its own brand (e.g., MOXA, Advantech direct sales). | Taiwan ODM is the CRA manufacturer (Article 13, not Article 21). | Taiwan ODM needs full Article 13 + 14 + AR (Article 18). This is structurally simpler — single legal manufacturer, no transfer. |

A separate trigger that hits APAC OEM/ODMs through their EU distribution chain: substantial modification by the EU distributor. A Spanish distributor that buys a Korean IIoT gateway from an APAC OEM and reflashes it with localised firmware before selling on to Spanish customers is doing a substantial modification. Under Article 21, the Spanish distributor becomes the CRA manufacturer for the modified gateway when it places the modified version on the EU market. The Korean original manufacturer's certifications no longer cover the modified version — they cover the original. (If the modification is performed by a system integrator or other third party rather than a distributor, the trigger is Article 22 — see that page.)

For APAC OEM/ODMs, this changes the supply-chain math. Letting EU distributors customise firmware before resale now means losing visibility over the modified SKU's compliance — the original manufacturer's certifications stop applying, and the distributor inherits the manufacturer obligations. Some APAC OEMs are responding by tightening distributor agreements to forbid firmware modification, or by handling all customisation upstream so the products reach EU distributors as final SKUs.

Block 4 · Cross-regulation map

Article 21 in the family of "importer becomes manufacturer" rules

The role-flip rule is a consistent EU regulatory pattern. Article 21 sits in a family with parallel provisions across multiple Union harmonisation regimes — but each has subtle scope differences.

Reg 765/2008 / Reg 2019/1020 — the model definition

The original "importer / distributor flips to manufacturer" rule is in Decision 768/2008/EC and the New Legislative Framework (NLF). All sector-specific Union harmonisation legislation inherits the same logic. CRA Article 21 is a direct application of this NLF template — "places under own name or trade mark" + "substantial modification" — adapted for cybersecurity.

Machinery Regulation 2023/1230, Article 22

Same role-flip logic for machinery. An SI that integrates safety-related logic into a machine "as a manufacturer" inherits all Annex III essential health and safety requirements. APAC machine integrators selling into the EU need to map both Machinery Regulation Article 22 and CRA Article 22 — when an integrator (not the original manufacturer) substantially modifies connected machinery, both regimes flip them into manufacturer status. (Note: in CRA, the SI/integrator pathway is Article 22; Article 21 is the parallel pathway for importers and distributors specifically. Connected machinery can trigger Machinery Reg Art 22 plus either CRA Art 21 or Art 22 depending on who performs the role-flip.)

RED 2014/53/EU, Article 12

RED uses identical phrasing for radio equipment. APAC vendors with Wi-Fi or Bluetooth-enabled PwDE that get re-branded by EU distributors trigger both RED Article 12 and CRA Article 21. The brand owner inherits both regimes' manufacturer obligations.

Medical Devices Regulation 2017/745, Article 16

MDR Article 16 has stricter rules than CRA Article 21 — it explicitly lists what does not count as substantial modification (relabelling, translation, repackaging within limits) and what does. For connected medical devices that fall under both MDR and CRA, the substantial modification analysis must be done twice, against each regulation's definition. They overlap but are not identical.

EU AI Act 2024/1689, Article 25 — "providers along the AI value chain"

AI Act takes a broader view than CRA. Article 25 says any party that puts their name on an AI system, makes substantial modifications, or modifies intended purpose becomes a "provider" of that AI system, with full provider obligations. For products that bundle high-risk AI and qualify as PwDE under CRA, the role-flip happens under both regimes simultaneously — and AI Act's scope is broader (intended-purpose changes count).
