Article 23 Regulation (EU) 2024/2847 · Chapter II 法規 (EU) 2024/2847 · 第二章
Identification of economic operators 經濟經營者的識別
Ten-year supply-chain traceability. On request, every economic operator must name who supplied them and who they supplied — for ten years up and ten years down the chain. 十年供應鏈可追溯。經請求時、每一個經濟經營者都必須能提供誰供應了他們、以及他們供應給誰,往上十年、往下十年。
Block 1 · Official text 區塊 1 · 官方條文
What the Regulation actually says 條文實際怎麼寫
From Regulation (EU) 2024/2847, OJ L 2024/2847 (20 Nov 2024). Translation unofficial; refer to EUR-Lex for binding text.節錄自《法規 (EU) 2024/2847》,OJ L 2024/2847(2024 年 11 月 20 日)。中文為非官方翻譯;強制適用條文請見 EUR-Lex。
1. Economic operators shall, on request, provide the market surveillance authorities with the following information:
(a) the name and address of any economic operator who has supplied them with a product with digital elements;
(b) where available, the name and address of any economic operator to whom they have supplied a product with digital elements.
2. Economic operators shall be able to present the information referred to in paragraph 1 for 10 years after they have been supplied with the product with digital elements and for 10 years after they have supplied the product with digital elements.
1. 經濟經營者經請求時應向市場監督機關提供下列資訊:
(a) 提供具數位元素產品予其的任何經濟經營者的名稱與地址;
(b) 取得時,其供貨的任何經濟經營者的名稱與地址。
2. 經濟經營者應能於收到該具數位元素產品後 10 年內、且於提供該具數位元素產品後 10 年內,呈交第 1 項所述的資訊。
Block 2 · Plain language 區塊 2 · 白話解讀
10 years up, 10 years down — the supply-chain memory rule 往上十年、往下十年,供應鏈記憶規則
Article 23 looks like a record-keeping rule. It is in fact the article that forces the entire CRA supply chain to keep a contemporaneous, retrievable identity log of every party they bought from and every party they sold to — for ten years up the chain, ten years down. On request from a market surveillance authority, every economic operator must be able to name the upstream supplier and downstream recipient. "We don't know" is not an answer the regulator accepts.
Two records, kept by every economic operator. Article 23(1) requires identification of "any economic operator who has supplied them with a product with digital elements" (upstream record) and "any economic operator to whom they have supplied a product with digital elements" (downstream record). Both records cover "a period of 10 years after the product with digital elements has been placed on the market". Both must be available "on request" to market surveillance authorities.
The 10-year clock starts at placing on market, not at sale. Article 23 is anchored to the regulatory event "placed on the market" (Article 3, point 11) — when a PwDE is first made available for distribution or use in the Union for the first time. A 2027 router placed on the EU market starts a clock that runs to 2037. A 2037 sale of remaining inventory does not extend the clock; the original placing-on-market event is what counts.
Identification means name, address, and the means to be reached. The regulation does not specify exactly which identifying fields, but "identification" in the NLF tradition means at minimum: full legal name, registered business address, contact details that work today (not a 10-year-old defunct phone number). For digital trade, this typically also means VAT number, EORI number for customs, and a designated point of contact email.
This is the article that breaks comfortable opacity. Many supply chains today are opaque by design — distributors do not want to expose the original manufacturer, and original manufacturers do not want to expose their downstream channels. Article 23 makes this opacity unsustainable. A market surveillance authority investigating a vulnerable batch of routers can pull the trace at any point in the chain and follow it both directions. The investigatory tool that 2019/1020 already gave authorities now has CRA-specific traction.
第 23 條看起來像紀錄保存規則。實際上、這條強迫整條 CRA 供應鏈為每一個進貨對象跟每一個出貨對象、保存當時、可被取出的身份紀錄,往上十年、往下十年。市場監督機關請求時、每一個經濟經營者必須能說出上游供應商跟下游收貨方。「我們不知道」不是主管機關會接受的答案。
每一個經濟經營者都要保存兩份紀錄。第 23(1) 條要求識別「向他們供應具數位元素產品的任何經濟經營者」(上游紀錄)跟「他們供應具數位元素產品的對象的任何經濟經營者」(下游紀錄)。兩份紀錄涵蓋「該具數位元素產品投入市場後 10 年期間」。兩份都必須在市場監督機關「請求時」可提供。
10 年的時鐘從投入市場開始、不是從銷售開始。第 23 條錨定在「投入市場」這個法規事件(第 3 條第 11 款),具數位元素產品第一次在歐盟內供分銷或使用時。2027 年投入 EU 市場的 router 開始一個跑到 2037 年的時鐘。2037 年把剩餘庫存賣掉、不延長時鐘;原本投入市場的事件才是關鍵。
識別就是姓名、地址、可被聯絡的方式。法規沒明確規定要哪些識別欄位、但 NLF 傳統下的「識別」至少意味著:完整法律名稱、登記營業地址、目前能用的聯絡方式(不是十年前已停用的電話號碼)。對數位貿易、通常還包括 VAT 號碼、海關 EORI 號碼、指定聯絡點 email。
這條打破舒適的不透明。很多供應鏈今天設計上就是不透明,經銷商不想暴露原製造商、原製造商不想暴露下游通路。第 23 條讓這種不透明難以為繼。市場監督機關調查一批有弱點的 router、可以從鏈條任何一點拉出追蹤、兩個方向都跟著走。2019/1020 已經給主管機關的調查工具、現在有了 CRA 專用的牽引力。
Block 3 · APAC perspective 區塊 3 · APAC 觀點
10-year traceability and APAC supply-chain reality 10 年可追溯跟 APAC 供應鏈現實
APAC supply chains are characterised by long, multi-tier structures. A typical Taiwan ICT export product moves through: silicon vendor → IC distributor → ODM → trading company → EU importer → EU distributor → end customer. Six or seven tiers, often spread across Taiwan, China, Hong Kong, Singapore, the Netherlands, Germany. Each tier is an economic operator with its own Article 23 obligations.
APAC 供應鏈特徵是長、多層結構。典型台灣 ICT 出口產品會經過:晶片廠商 → IC 通路 → ODM → 貿易商 → EU 進口商 → EU 通路 → 終端客戶。六七層、往往跨台灣、中國、香港、新加坡、荷蘭、德國。每一層都是經濟經營者、各有自己的第 23 條義務。
The hard part for APAC: the trading-company tier and the IC-distributor tier are economic operators within the meaning of CRA if they handle PwDE for the EU market. They cannot offload Article 23 records onto the ODM or onto the importer. They keep their own records, for 10 years, retrievable on request.
APAC 的難點:貿易商層跟 IC 通路層、若處理供 EU 市場的具數位元素產品、就是CRA 意義下的經濟經營者。他們不能把第 23 條紀錄甩給 ODM 或進口商。他們保管自己的紀錄、十年、請求時可取出。
Common APAC supply-chain patterns and their Article 23 implications.
常見 APAC 供應鏈模式及其第 23 條意義。
| Supply-chain pattern供應鏈模式 | Article 23 challenge第 23 條挑戰 | Practical mitigation實務對策 |
|---|---|---|
| Multi-tier trading via Hong Kong / Singapore經由香港 / 新加坡的多層貿易 | Trading companies in HK/SG often turn over rapidly; the entity that imported a PwDE in 2027 may not exist in 2032. The chain breaks.香港 / 新加坡貿易商人事更迭快;2027 年進口某具數位元素產品的實體、2032 年可能不在了。鏈條斷掉。 | Move PwDE-related EU trade onto entities with stable existence (the ODM's direct EU sales arm, or established trading companies with Article 23 commitments in writing).把具數位元素產品的 EU 貿易、移到存在穩定的實體上(ODM 直接的 EU 銷售部門、或對第 23 條有書面承諾的成熟貿易商)。 |
| ODM ships ungrouped to multiple brandsODM 不分組出貨到多個品牌 | ODM has 50 brand-customer relationships, ships same generic SKU to all 50. Each downstream customer is a separate Article 23 record.ODM 跟 50 個品牌客戶有關係、同個通用 SKU 出貨給 50 個。每個下游客戶都是另一筆第 23 條紀錄。 | ERP system needs SKU-level customer-batch tracking. Most Taiwan ODM ERPs already have this for warranty purposes; needs export to a CRA-format identification record.ERP 系統需要 SKU 層級的客戶批次追蹤。多數台灣 ODM 的 ERP 為保固已有、需要匯出成 CRA 格式的識別紀錄。 |
| EU stockist / drop-ship from Asia歐洲庫存商 / 從亞洲 drop-ship | Drop-ship from APAC direct to EU end customer; the "importer" is a thin entity with limited records.從 APAC 直送 EU 終端客戶;「進口商」是紀錄有限的薄殼實體。 | Either thicken the EU importer (real records, real Article 23 capability) or restructure to use a stronger fulfilment provider that meets 2019/1020 + CRA Article 23.要嘛把 EU 進口商加厚(真實紀錄、真實第 23 條能力)、要嘛重整改用符合 2019/1020 + CRA 第 23 條的較強物流業者。 |
| Sub-component sourcing: silicon vendor identity子元件採購:晶片廠商身份 | Article 23 only goes one tier up — but Article 13(5) due diligence on FOSS components and supply-chain risks reaches deeper. ODM needs identity of silicon vendors, not just direct supplier.第 23 條只往上一層,但第 13(5) 條對 FOSS 元件跟供應鏈風險的盡職調查、往下挖更深。ODM 需要晶片廠商身份、不只是直接供應商。 | Build a separate Article 13(5) component register alongside the Article 23 supplier-of-record register. Two different obligations, two different registers.建立第 13(5) 條的元件登記簿、獨立於第 23 條的紀錄供應商登記簿之外。兩種不同義務、兩本登記簿。 |
A structural opportunity for APAC ODMs: become the single accountable manufacturer of record across the EU. Many EU brand owners are choosing to not trigger Article 21 by re-branding — instead, they ask Taiwan/Korea ODMs to sell directly under the ODM's own brand to EU customers, with the brand owner taking a distributor role under Article 20. Why? Because the manufacturer obligations are heavy, and the ODM is structurally better-positioned to bear them. Article 23 supports this: the ODM keeps the supplier record up the chain (silicon, FOSS components), the EU distributor keeps the record down (end-customer or sub-distributor). Cleaner chain, fewer broken links.
APAC ODM 的結構機會:成為 EU 的單一可追究的紀錄製造商。很多 EU 品牌商選擇不透過重新貼牌觸發第 21 條:而是請台 / 韓 ODM 以 ODM 自有品牌直接賣給 EU 客戶、品牌商在第 20 條下扮演通路角色。為什麼?因為製造商義務很重、而 ODM 結構上更適合承擔。第 23 條支持這個:ODM 保管往上的供應商紀錄(晶片、FOSS 元件)、EU 通路保管往下的紀錄(終端客戶或子通路)。鏈條更乾淨、斷點更少。
Block 4 · Cross-regulation map 區塊 4 · 跨法規對照
Article 23 in the family of EU traceability rules 第 23 條在 EU 可追溯規則家族中的位置
Traceability is not a CRA invention. The 10-year supply-chain identification rule is part of a broader EU pattern. Knowing where Article 23 fits helps APAC operators reuse existing record-keeping infrastructure. 可追溯不是 CRA 發明的。十年供應鏈識別規則是 EU 更廣模式的一部分。知道第 23 條落在哪、有助於 APAC 業者重用現有的紀錄保存基礎。
Reg 765/2008 — the NLF baselineReg 765/2008:NLF 底線
The NLF (New Legislative Framework) baseline is in Decision 768/2008/EC, which carries traceability obligations across all NLF-aligned product harmonisation legislation. The duty to identify upstream and downstream economic operators is a recurring NLF obligation, with the 10-year period being typical. CRA Article 23 reads almost identically to its NLF cousin clauses.
NLF(New Legislative Framework)底線在 Decision 768/2008/EC、把可追溯義務帶進所有 NLF 對齊的產品調和立法。識別上下游經濟經營者的義務是反覆出現的 NLF 義務、10 年期間是典型。CRA 第 23 條跟它的 NLF 兄弟條款讀起來幾乎相同。
RED 2014/53/EU, Article 15RED 2014/53/EU 第 15 條
RED has the same 10-year economic-operator-identification rule. APAC ICT exporters with Wi-Fi or BLE products fall under both RED 15 and CRA 23 — the same identity records satisfy both, but contractually they need to be made available across both regimes.
RED 有同樣的十年經濟經營者識別規則。具 Wi-Fi 或 BLE 的 APAC ICT 出口商產品同時受 RED 15 跟 CRA 23 規範,同樣的身份紀錄滿足兩者、但合約上要可在兩個制度下提供。
Reg 2019/1020 on Market Surveillance, Article 4市場監督法規 2019/1020 第 4 條
2019/1020 introduces "economic operator" as a horizontal concept. CRA Article 66 explicitly adds CRA to Annex I of 2019/1020. The investigatory tools that market-surveillance authorities use under 2019/1020 — including the right to demand traceability information — apply to CRA enforcement.
2019/1020 引入「經濟經營者」作為橫向概念。CRA 第 66 條明文把 CRA 加入 2019/1020 附件一。市場監督機關依 2019/1020 使用的調查工具,包括要求可追溯資訊的權力,適用於 CRA 執法。
Medical Devices Regulation 2017/745, Article 25 and UDI system醫療器材法規 2017/745 第 25 條與 UDI 制度
MDR goes much further than CRA on traceability. Each medical device gets a Unique Device Identifier (UDI) registered in EUDAMED, and the chain of custody is recorded at unit level for some device classes. Article 23 is much lighter — economic-operator-level, not unit-level. Connected medical devices that fall under both MDR and CRA already have richer records than CRA requires; the lighter CRA records are usually a subset.
MDR 在可追溯上走得比 CRA 遠得多。每個醫療器材有 EUDAMED 登錄的 Unique Device Identifier(UDI)、某些器材類別的監管鏈在單品層級紀錄。第 23 條輕得多,經濟經營者層級、不是單品層級。同時落入 MDR 跟 CRA 的連網醫療器材、已經有比 CRA 要求更豐富的紀錄;較輕的 CRA 紀錄通常是子集。
EU Customs / EORI registrationEU 海關 / EORI 登錄
Every economic operator that imports / exports goods to / from the EU has an EORI (Economic Operator Registration and Identification) number, registered with the Member State customs authority. The EORI registry is a natural identification source for Article 23 records — APAC exporters' EU import partners always have EORI numbers, and Article 23 records can reference EORI as the canonical identifier of the EU-side economic operator.
每一個進出口貨物到 EU 的經濟經營者、在會員國海關有 EORI(Economic Operator Registration and Identification)號碼。EORI 登錄是第 23 條紀錄自然的識別來源,APAC 出口商的 EU 進口夥伴一定有 EORI、第 23 條紀錄可以用 EORI 作為 EU 端經濟經營者的標準識別碼。