Article 22 Regulation (EU) 2024/2847 · Chapter II
Other cases of manufacturer obligations
Anyone other than the original manufacturer, importer, or distributor who carries out a substantial modification — including system integrators and third-party customisers — becomes a CRA manufacturer for the modified parts.
Block 1 · Official text
What the Regulation actually says
Quoted from Regulation (EU) 2024/2847, OJ L 2024/2847 (20 Nov 2024); any translation here is unofficial, refer to EUR-Lex for the binding text.
1. A natural or legal person, other than the manufacturer, the importer or the distributor, that carries out a substantial modification of a product with digital elements and makes that product available on the market, shall be considered to be a manufacturer for the purposes of this Regulation.
2. The person referred to in paragraph 1 of this Article shall be subject to the obligations set out in Articles 13 and 14 for the part of the product with digital elements that is affected by the substantial modification or, if the substantial modification has an impact on the cybersecurity of the product with digital elements as a whole, for the entire product.
Block 2 · Plain language
When a third party — not even in your supply chain — becomes the manufacturer
Article 21 covers importers and distributors who flip into manufacturer status by re-branding or substantial modification. Article 22 picks up everyone else who substantially modifies a PwDE — system integrators, value-added resellers, customisers, third-party service providers, even end users in some commercial settings. Article 22(1) says: any natural or legal person other than the original manufacturer, importer, or distributor that carries out a substantial modification becomes the CRA manufacturer for the modified product.
Three operational realities make this article more powerful than its sparse text suggests.
The substantial modification test is the same as Article 21. Article 3(30) defines it once and applies it across the regulation. Substantial modification = a change to functionality, security, or risk profile after the product was placed on the market that the original manufacturer did not anticipate. The same firmware customisation that triggers Article 21 for a distributor triggers Article 22 for a non-distributor third party.
The scope is the modified part only, unless the whole product is affected. Article 22(2) clarifies that the new manufacturer's obligations apply "for the part of the product with digital elements that is affected by the substantial modification or, if the substantial modification has an impact on the cybersecurity of the product with digital elements as a whole, for the entire product". This is a key relief valve: a small modification to a localisation file does not necessarily turn the integrator into the manufacturer of the entire underlying product. But a modification that touches the security model — adding a network service, changing authentication, modifying privilege boundaries — typically does affect the whole product.
End-user modifications can trigger Article 22 too. The text says "any natural or legal person other than the manufacturer, importer or distributor". This includes end users — particularly enterprise IT departments and managed-service providers that take a PwDE and substantially modify it before re-deploying or re-shipping. Recital 38 confirms the legislative intent. A managed-service provider that substantially modifies a vendor's appliance and re-deploys to multiple end customers is, for those re-deployed copies, the CRA manufacturer.
The modification record becomes the new technical documentation. Once Article 22 applies, the new manufacturer must assemble technical documentation that reflects the modified product. It cannot simply inherit the original manufacturer's technical file, because it has changed something the original manufacturer did not anticipate. It is responsible for re-running the relevant Annex I conformity analysis on the modified parts (or on the whole product, if the modification affects its cybersecurity as a whole).
Block 3 · APAC perspective
Article 22 and the APAC system integrator economy
APAC has a deep system-integrator ecosystem. Taiwan SIs do industrial and IT integration for Greater China and ASEAN markets. Japan SIs (NEC, Fujitsu, NTT Data, Hitachi Solutions) build heavy IIoT, factory automation, and smart-city solutions across Asia. Korean SIs (Samsung SDS, LG CNS, SK C&C) operate similarly. Many of these SIs sell solutions into Europe — and many of those solutions involve substantial modification of upstream vendor products.
For APAC SIs, the realistic posture under Article 22 is: do not assume the upstream vendor's certifications protect you. Run an internal substantial-modification check on every project, and budget CRA-conformity work as a line item in EU project pricing.
Decision matrix for APAC SIs deciding whether a project triggers Article 22.
| SI activity | Substantial modification? | Practical posture |
|---|---|---|
| Configure vendor product per documented options (firewall rules, network settings, user accounts) | No — operating within the manufacturer's anticipated configuration space. | Vendor remains CRA manufacturer. SI carries no Article 22 burden. |
| Install vendor-supplied plugins / extensions sold via the vendor channel | Generally no — extensibility was anticipated by the manufacturer. | Vendor remains CRA manufacturer for the core; plugin manufacturer is responsible for the plugin. |
| Inject custom firmware extending protocol support, adding network services, modifying the auth flow | Yes — the security model changes; the original manufacturer did not anticipate this. | SI becomes the Article 22 manufacturer. Re-do the relevant Annex I conformity analysis. Issue a new EU DoC for the modified SKU. |
| Bundle vendor product with new external interfaces, new APIs, new integration logic | Probably yes — the bundled solution's risk profile differs from the original product. | SI takes the Article 22 manufacturer role for the bundle. Document where the modification line is drawn. |
| Outdated firmware version installed; SI applies vendor-issued patch | No — patches are anticipated maintenance. | Vendor remains CRA manufacturer. SI documenting patching history is good hygiene but not regulatory inheritance. |
A pragmatic GTM response from APAC SIs: tier projects by Article 22 risk and price accordingly. Tier 1 (no substantial modification) — standard SI margin. Tier 2 (modification within manufacturer's anticipated extension space) — same margin + paperwork overhead. Tier 3 (substantial modification triggering Article 22) — premium pricing covering CRA conformity work, technical documentation, EU DoC issuance, and ongoing Article 14 PSIRT capability. Many APAC SIs are restructuring quotes along these lines for EU-bound work.
A second response: refuse Tier 3 work for EU and route the requirement upstream to the original manufacturer. "You want this firmware customisation? Take it back to MOXA / Schneider / Advantech and have them issue a new SKU." This shifts the manufacturer obligation back to a party that already has CRA infrastructure.
Block 4 · Cross-regulation map
The third-party modifier rule across EU regimes
Article 22 closes the back door that NLF compliance frameworks would otherwise leave open. If only re-branding triggered the manufacturer flip, the SI ecosystem could absorb manufacturer-grade modifications without taking on manufacturer obligations. Article 22 stops that.
Machinery Regulation 2023/1230, Article 23
Same third-party modifier logic for machinery. A SI that integrates separate machines into an "assembly of machinery" with its own integration logic becomes the manufacturer of that assembly. Crucially, the Machinery Regulation explicitly contemplates assemblies of machinery as a separate category — APAC factory-automation SIs face Machinery Article 23 + CRA Article 22 simultaneously.
Reg 2019/1020, Article 4(2)(c)
2019/1020 includes "the natural or legal person established in the Union who has placed the product on the market" as an economic operator. Article 22 modifiers fit this definition for the modified products they place on the market. Market surveillance authorities can reach Article 22 modifiers through the same 2019/1020 enforcement mechanisms used for original manufacturers.
Medical Devices Regulation 2017/745, Article 16(2)
MDR Article 16(2) is stricter than CRA Article 22 — it explicitly carves out activities that do not count as substantial modification (translation, repackaging within limits, supplying additional info). For connected medical devices that are SIs' modification targets, both the MDR carve-out test and the CRA substantial-modification test must be applied. They overlap in spirit but the bar is set differently.
EU AI Act 2024/1689, Article 25
AI Act's third-party-becomes-provider rule. Same shape as CRA Article 22 — but AI Act's scope is broader because it captures "intended-purpose modifications" too. A SI that re-deploys a vendor's AI system for a different intended purpose can become a provider under AI Act even without technical modification. For products bundling high-risk AI under PwDE, both regimes' third-party-modifier rules can fire.
NIS2 Directive 2022/2555 — orthogonal regime
NIS2 imposes cybersecurity duties on essential and important entities — many of which are exactly the SIs that Article 22 also applies to. A managed-service provider that triggers Article 22 by substantially modifying products is also subject to NIS2 if it qualifies as an essential or important entity. Two regimes layered on the same legal entity, each with its own incident-reporting clock and obligations.