Article 3 · Regulation (EU) 2024/2847 · Chapter I
Definitions
Fifty-one defined terms. Anchors how manufacturer, importer, distributor, remote data processing, substantial modification, support period, actively exploited vulnerability, FOSS, and forty-three others, are read across the rest of the text.
Block 1 · Official text
What the Regulation actually says
From Regulation (EU) 2024/2847, OJ L 2024/2847 (20 Nov 2024). Any translation on this page is unofficial; refer to EUR-Lex for the binding text.
(1)–(11) Product, software, hardware, connection
(1) ‘product with digital elements’ means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;
(2) ‘remote data processing’ means data processing at a distance for which the software is designed and developed by the manufacturer, or under the responsibility of the manufacturer, and the absence of which would prevent the product with digital elements from performing one of its functions;
(3) ‘cybersecurity’ means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881;
(4) ‘software’ means the part of an electronic information system which consists of computer code;
(5) ‘hardware’ means a physical electronic information system, or parts thereof capable of processing, storing or transmitting digital data;
(6) ‘component’ means software or hardware intended for integration into an electronic information system;
(7) ‘electronic information system’ means a system, including electrical or electronic equipment, capable of processing, storing or transmitting digital data;
(8) ‘logical connection’ means a virtual representation of a data connection implemented through a software interface;
(9) ‘physical connection’ means a connection between electronic information systems or components implemented using physical means, including through electrical, optical or mechanical interfaces, wires or radio waves;
(10) ‘indirect connection’ means a connection to a device or network, which does not take place directly but rather as part of a larger system that is directly connectable to such device or network;
(11) ‘end-point’ means any device that is connected to a network and serves as an entry point to that network;
(12)–(19) Economic operators & enterprise size
(12) ‘economic operator’ means the manufacturer, the authorised representative, the importer, the distributor, or other natural or legal person who is subject to obligations in relation to the manufacture of products with digital elements or to the making available of products with digital elements on the market in accordance with this Regulation;
(13) ‘manufacturer’ means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge;
(14) ‘open-source software steward’ means a legal person, other than a manufacturer, that has the purpose or objective of systematically providing support on a sustained basis for the development of specific products with digital elements, qualifying as free and open-source software and intended for commercial activities, and that ensures the viability of those products;
(15) ‘authorised representative’ means a natural or legal person established within the Union who has received a written mandate from a manufacturer to act on its behalf in relation to specified tasks;
(16) ‘importer’ means a natural or legal person established in the Union who places on the market a product with digital elements that bears the name or trademark of a natural or legal person established outside the Union;
(17) ‘distributor’ means a natural or legal person in the supply chain, other than the manufacturer or the importer, that makes a product with digital elements available on the Union market without affecting its properties;
(18) ‘consumer’ means a natural person who acts for purposes which are outside that person’s trade, business, craft or profession;
(19) ‘microenterprises’, ‘small enterprises’ and ‘medium-sized enterprises’ mean, respectively, microenterprises, small enterprises and medium-sized enterprises as defined in the Annex to Recommendation 2003/361/EC;
(20)–(25) Support, market, intended use
(20) ‘support period’ means the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I;
(21) ‘placing on the market’ means the first making available of a product with digital elements on the Union market;
(22) ‘making available on the market’ means the supply of a product with digital elements for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge;
(23) ‘intended purpose’ means the use for which a product with digital elements is intended by the manufacturer, including the specific context and conditions of use, as specified in the information supplied by the manufacturer in the instructions for use, promotional or sales materials and statements, as well as in the technical documentation;
(24) ‘reasonably foreseeable use’ means use that is not necessarily the intended purpose supplied by the manufacturer in the instructions for use, promotional or sales materials and statements, as well as in the technical documentation, but which is likely to result from reasonably foreseeable human behaviour or technical operations or interactions;
(25) ‘reasonably foreseeable misuse’ means the use of a product with digital elements in a way that is not in accordance with its intended purpose, but which may result from reasonably foreseeable human behaviour or interaction with other systems;
(26)–(36) Conformity assessment & standards
(26) ‘notifying authority’ means the national authority responsible for setting up and carrying out the necessary procedures for the assessment, designation and notification of conformity assessment bodies and for their monitoring;
(27) ‘conformity assessment’ means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled;
(28) ‘conformity assessment body’ means a conformity assessment body as defined in Article 2, point (13), of Regulation (EC) No 765/2008;
(29) ‘notified body’ means a conformity assessment body designated in accordance with Article 43 and other relevant Union harmonisation legislation;
(30) ‘substantial modification’ means a change to the product with digital elements following its placing on the market, which affects the compliance of the product with digital elements with the essential cybersecurity requirements set out in Part I of Annex I or which results in a modification to the intended purpose for which the product with digital elements has been assessed;
(31) ‘CE marking’ means a marking by which a manufacturer indicates that a product with digital elements and the processes put in place by the manufacturer are in conformity with the essential cybersecurity requirements set out in Annex I and other applicable Union harmonisation legislation providing for its affixing;
(32) ‘Union harmonisation legislation’ means Union legislation listed in Annex I to Regulation (EU) 2019/1020 and any other Union legislation harmonising the conditions for the marketing of products to which that Regulation applies;
(33) ‘market surveillance authority’ means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020;
(34) ‘international standard’ means an international standard as defined in Article 2, point (1)(a), of Regulation (EU) No 1025/2012;
(35) ‘European standard’ means a European standard as defined in Article 2, point (1)(b), of Regulation (EU) No 1025/2012;
(36) ‘harmonised standard’ means a harmonised standard as defined in Article 2, point (1)(c), of Regulation (EU) No 1025/2012;
(37)–(51) Risk, vulnerability, incident, FOSS, recall
(37) ‘cybersecurity risk’ means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;
(38) ‘significant cybersecurity risk’ means a cybersecurity risk which, based on its technical characteristics, can be assumed to have a high likelihood of an incident that could lead to a severe negative impact, including by causing considerable material or non-material loss or disruption;
(39) ‘software bill of materials’ means a formal record containing details and supply chain relationships of components included in the software elements of a product with digital elements;
(40) ‘vulnerability’ means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat;
(41) ‘exploitable vulnerability’ means a vulnerability that has the potential to be effectively used by an adversary under practical operational conditions;
(42) ‘actively exploited vulnerability’ means a vulnerability for which there is reliable evidence that a malicious actor has exploited it in a system without permission of the system owner;
(43) ‘incident’ means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;
(44) ‘incident having an impact on the security of the product with digital elements’ means an incident that negatively affects or is capable of negatively affecting the ability of a product with digital elements to protect the availability, authenticity, integrity or confidentiality of data or functions;
(45) ‘near miss’ means a near miss as defined in Article 6, point (5), of Directive (EU) 2022/2555;
(46) ‘cyber threat’ means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881;
(47) ‘personal data’ means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679;
(48) ‘free and open-source software’ means software the source code of which is openly shared and which is made available under a free and open-source licence which provides for all rights to make it freely accessible, usable, modifiable and redistributable;
(49) ‘recall’ means recall as defined in Article 3, point (22), of Regulation (EU) 2019/1020;
(50) ‘withdrawal’ means withdrawal as defined in Article 3, point (23), of Regulation (EU) 2019/1020;
(51) ‘CSIRT designated as coordinator’ means a CSIRT designated as coordinator pursuant to Article 12(1) of Directive (EU) 2022/2555.
Block 2 · Plain language
The definitions that decide which obligation you bear
Article 3 contains 51 definitions. Reading them in sequence is unhelpful; the operationally consequential ones are scattered through the list. Five decide most of the regulatory landing for an APAC manufacturer.
"Product with digital elements" (Article 3(1)). A software or hardware product and its remote data processing solutions, including software or hardware components placed on the market separately. Three things matter: (a) hardware and software are both in scope, (b) remote data processing solutions are bundled into the product definition, (c) components placed on the market separately are themselves PwDE. The third point is the one APAC silicon vendors and software-component vendors miss most often: they assume "my chip is just inside someone else's product, so the chip itself is not a PwDE". It can be, whenever the chip or library is itself placed on the market and passes the Article 2(1) scope test (an intended purpose or reasonably foreseeable use that includes a direct or indirect logical or physical data connection to a device or network, which is why definitions (8) to (11) exist at all).
"Remote data processing" (Article 3(2)). Data processing at a distance for which the software is designed and developed by the manufacturer, or under the manufacturer's responsibility, and the absence of which would prevent the PwDE from performing one of its functions. Both limbs must hold. This brings cloud-side companion services into the manufacturer's CRA obligations: a smart camera that depends on the manufacturer's cloud for motion detection has that cloud inside its CRA scope, not as a separate product but as the PwDE's remote data processing solution. A third-party service the manufacturer neither designs nor is responsible for, or a cloud feature without which every product function still works, does not meet the definition.
"Substantial modification" (Article 3(30)). A change to the PwDE after its placing on the market which affects its compliance with the essential cybersecurity requirements in Annex I, Part I, or which modifies the intended purpose for which it was assessed. This is the trigger for Articles 21 and 22: when does someone other than the original manufacturer become the manufacturer? When they substantially modify the product. Note that the bar references Part I (product requirements), not Part II (vulnerability handling): a security update that only reduces risk and leaves Part I compliance and the intended purpose untouched is not a substantial modification, whereas an update that alters either can be. The Commission guidance (2026 published draft) restates that software updates can constitute substantial modifications when they meet these criteria.
"Software bill of materials" / SBOM (Article 3(39)). A formal record containing details and supply chain relationships of components included in the software elements of a PwDE. Annex I, Part II(1) requires manufacturers to identify and document vulnerabilities and components contained in the product, including by drawing up an SBOM in a commonly used and machine-readable format covering at least the product's top-level dependencies. SBOM is not optional. The Regulation names no format; SPDX and CycloneDX are the two commonly used machine-readable ones, and a free-text or spreadsheet component list satisfies neither the "machine-readable" wording nor the "supply chain relationships" wording.
"Actively exploited vulnerability" (Article 3(42)). A vulnerability for which there is reliable evidence that a malicious actor has exploited it in a system without the system owner's permission. This is the trigger for the Article 14(1) reporting obligation and its 24-hour early warning under Article 14(2)(a), submitted through the single reporting platform to the CSIRT designated as coordinator and to ENISA. "Reliable evidence" is the operative phrase: speculation about exploitation (a public proof of concept, a high CVSS score, a scanner hit) does not start the clock; evidence of exploitation does. APAC PSIRT teams need a documented protocol for assessing whether the threshold is met and for recording when they became aware, because the clock runs from awareness.
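The triage protocol the "actively exploited vulnerability" paragraph above asks for, as an added example (mine, not the page's and not any official CRA tooling): a small PSIRT helper that decides whether the Article 3(42) threshold is met and derives the Article 14(2) clocks from the moment reliable evidence is in hand. The evidence categories, the reading that the clock starts at the first reliable item rather than the first rumour, and the sample timeline are my assumptions and constructed data, not anything the Regulation specifies.

```python
"""PSIRT triage helper for the CRA Article 3(42) / Article 14 reporting clock.

Added example, not part of the original page and not official CRA tooling.
Assumptions (mine): the evidence categories below, and the reading that the
manufacturer "becomes aware" of an actively exploited vulnerability when it
first holds *reliable* evidence of exploitation, not when the first
speculative report (PoC, CVSS score, scanner hit) arrives.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class Evidence(Enum):
    # Assumed to meet "reliable evidence that a malicious actor has exploited it
    # in a system without permission of the system owner" (Art. 3(42)).
    PRODUCT_TELEMETRY = "exploitation seen in the manufacturer's own telemetry"
    CUSTOMER_INCIDENT = "customer incident report with exploitation artefacts"
    COORDINATOR_CONFIRMATION = "CSIRT / coordinator / upstream vendor confirms in-the-wild use"
    # Assumed NOT to start the clock on their own: exposure, not exploitation.
    PUBLIC_POC = "public proof-of-concept exists"
    HIGH_CVSS = "high CVSS score"
    SCANNER_FINDING = "scanner flagged the component version"


RELIABLE = {
    Evidence.PRODUCT_TELEMETRY,
    Evidence.CUSTOMER_INCIDENT,
    Evidence.COORDINATOR_CONFIRMATION,
}


@dataclass(frozen=True)
class Observation:
    received: datetime  # when the PSIRT received the item (timezone-aware)
    kind: Evidence
    note: str = ""


@dataclass
class Triage:
    actively_exploited: bool
    aware_at: datetime | None = None           # first reliable evidence in hand
    early_warning_due: datetime | None = None  # Art. 14(2)(a): within 24 h of awareness
    notification_due: datetime | None = None   # Art. 14(2)(b): within 72 h of awareness
    basis: list[str] = field(default_factory=list)


def triage(observations: list[Observation]) -> Triage:
    """Apply the threshold and derive the deadlines; speculative items are logged, not counted."""
    for o in observations:
        if o.received.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware to compute deadlines")
    reliable = sorted((o for o in observations if o.kind in RELIABLE), key=lambda o: o.received)
    if not reliable:
        return Triage(False, basis=[f"not started: {o.kind.value}" for o in observations])
    aware_at = reliable[0].received  # the clock runs from the first reliable item
    return Triage(
        actively_exploited=True,
        aware_at=aware_at,
        early_warning_due=aware_at + timedelta(hours=24),
        notification_due=aware_at + timedelta(hours=72),
        basis=[f"{o.received.isoformat()} {o.kind.value}: {o.note}" for o in reliable],
    )


def final_report_due(measure_available_at: datetime) -> datetime:
    """Art. 14(2)(c): final report no later than 14 days after a corrective or mitigating measure is available."""
    return measure_available_at + timedelta(days=14)


def demo() -> Triage:
    # Constructed timeline, not a real case: two days of speculation, then a
    # customer SOC hands over artefacts that meet the threshold.
    t0 = datetime(2025, 3, 3, 9, 0, tzinfo=timezone.utc)
    return triage([
        Observation(t0, Evidence.PUBLIC_POC, "PoC posted on a public tracker"),
        Observation(t0 + timedelta(hours=5), Evidence.HIGH_CVSS, "CVSS 9.8"),
        Observation(t0 + timedelta(days=2), Evidence.CUSTOMER_INCIDENT,
                    "customer SOC supplied request logs and the dropped web shell"),
    ])


if __name__ == "__main__":
    print(demo())
```

In the constructed timeline the PoC and the CVSS score arrive on 3 March but the early-warning deadline is 6 March 09:00 UTC, 24 hours after the customer evidence on 5 March, not after the PoC. Which artefacts your PSIRT accepts as "reliable" is a policy choice to write down in advance; the point of encoding it is that the decision and the resulting timestamps are recorded rather than argued over after the fact.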
Block 3 · APAC perspective
Definitions that change APAC engineering and supply chains
Article 3 looks like a glossary. For an APAC manufacturer, several definitions are operationally weighty enough to drive multi-year roadmap changes.
| Definition | APAC operational impact | Common APAC misreading |
|---|---|---|
| PwDE (3(1)) | Components placed on the market separately are PwDE in their own right; silicon vendors and software-component vendors are first-class CRA economic operators. | "Components sit inside someone else's product, so the Regulation does not apply to me." |
| Remote data processing (3(2)) | Cloud companion services are part of the PwDE when the manufacturer designs them (or has them designed) and a product function cannot work without them. APAC IoT platforms running manufacturer-controlled clouds carry cloud-side CRA obligations. | "The cloud is a separate service, not part of the product." Wrong if a product function depends on it. |
| Substantial modification (3(30)) | Triggers Articles 21 and 22. Re-runs scope and re-routes manufacturer obligations to whoever made the change. Major firmware updates that add functionality are the typical APAC trigger event. | "It's just an update, not a new product." Wrong if the update alters Annex I Part I compliance or the intended purpose; a pure security fix usually does not. |
| SBOM (3(39)) | Mandatory machine-readable component record with supply chain relationships, covering at least top-level dependencies (Annex I Part II(1)). Most APAC ODMs lack current-state SBOM tooling; a build-or-buy decision is needed. | "We have a parts list in Excel." A spreadsheet is not an SBOM under any reasonable reading of Article 3(39) and Annex I Part II: no machine-readable format, no relationships. |
| Actively exploited vulnerability (3(42)) | Triggers the 24-hour early warning under Article 14(2)(a), submitted through the single reporting platform to the CSIRT designated as coordinator and to ENISA. Reliable evidence of exploitation, not theoretical exposure, starts the clock. | "We have to report every CVE within 24 hours." Wrong: the 24-hour early warning covers actively exploited vulnerabilities backed by reliable evidence (and, under Article 14(3), severe incidents having an impact on the product's security), not every CVE. |
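What "a formal record containing details and supply chain relationships" looks like in practice, and why the spreadsheet export in the table above fails it, as an added example (mine, not the page's, and not CycloneDX or SPDX project code; it also serves the SBOM paragraph in Block 2). It assembles a minimal CycloneDX 1.5 JSON document with a dependency graph and runs the checks a reviewer would apply against Annex I Part II(1) (machine-readable, at least top-level dependencies) and Article 3(39) (relationships recorded). Component names, versions and package URLs are constructed; the check list is my own, not a conformance test defined by the Regulation or by CycloneDX.

```python
"""Minimal CycloneDX SBOM builder and reviewer checks.

Added example, not part of the original page and not CycloneDX/SPDX tooling.
Assumptions (mine): the component names, versions and purls are constructed,
and the checks encode Annex I Part II(1) ("commonly used and machine-readable
format covering at the very least the top-level dependencies") plus the
Art. 3(39) requirement that supply-chain relationships be recorded.
"""
import json


def component(name, version, purl, ctype="library"):
    # bom-ref is the handle other entries use to reference this component;
    # using the purl as bom-ref keeps it unique and meaningful.
    return {"type": ctype, "bom-ref": purl, "name": name, "version": version, "purl": purl}


def build_sbom(product, top_level, transitive):
    """product: the PwDE itself; top_level: components it uses directly;
    transitive: {bom-ref: [components that bom-ref depends on]} for deeper edges."""
    components = list(top_level) + [c for kids in transitive.values() for c in kids]
    dependencies = [{"ref": product["bom-ref"], "dependsOn": [c["bom-ref"] for c in top_level]}]
    for ref, kids in transitive.items():
        dependencies.append({"ref": ref, "dependsOn": [c["bom-ref"] for c in kids]})
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {"component": product},
        "components": components,
        "dependencies": dependencies,
    }


def check_sbom(doc):
    """Return reviewer findings; an empty list means the record passes these checks."""
    findings = []
    if doc.get("bomFormat") != "CycloneDX" or not doc.get("specVersion"):
        findings.append("not a recognised machine-readable SBOM document")
    root = doc.get("metadata", {}).get("component", {}).get("bom-ref")
    if not root:
        findings.append("product (metadata.component) has no bom-ref")
    refs = set()
    for c in doc.get("components", []):
        for key in ("bom-ref", "name", "version"):
            if not c.get(key):
                findings.append(f"component missing {key}: {c.get('name', '?')}")
        if not (c.get("purl") or c.get("cpe")):
            findings.append(f"component has no purl/cpe identifier: {c.get('name', '?')}")
        if c.get("bom-ref") in refs:
            findings.append(f"duplicate bom-ref: {c['bom-ref']}")
        refs.add(c.get("bom-ref"))
    edges = {d.get("ref"): d.get("dependsOn", []) for d in doc.get("dependencies", [])}
    if not edges.get(root):
        findings.append("no dependency edges from the product: top-level dependencies not recorded")
    for ref, kids in edges.items():
        if ref != root and ref not in refs:
            findings.append(f"dependency entry for unknown component: {ref}")
        for k in kids:
            if k not in refs:
                findings.append(f"edge {ref} -> {k} points at a component not in the document")
    return findings


def spreadsheet_export():
    # Constructed: a typical parts-list export, flat rows with no identifiers
    # and no relationships, which is what the table above calls "Excel".
    return {"rows": [{"part": "openssl", "ver": "3.0.13"}, {"part": "zlib", "ver": "1.3.1"}]}


def demo():
    # Constructed firmware image and dependencies for illustration only.
    firmware = component("acme-cam-fw", "2.4.0", "pkg:generic/acme-cam-fw@2.4.0", ctype="firmware")
    curl = component("curl", "8.6.0", "pkg:generic/curl@8.6.0")
    mbedtls = component("mbedtls", "3.5.2", "pkg:generic/mbedtls@3.5.2")
    openssl = component("openssl", "3.0.13", "pkg:generic/openssl@3.0.13")
    zlib = component("zlib", "1.3.1", "pkg:generic/zlib@1.3.1")
    doc = build_sbom(firmware, [curl, mbedtls], {curl["bom-ref"]: [openssl, zlib]})
    return doc, check_sbom(doc), check_sbom(spreadsheet_export())


if __name__ == "__main__":
    doc, ok, bad = demo()
    print(json.dumps(doc, indent=2))
    print("findings (structured):", ok)
    print("findings (spreadsheet):", bad)
```

The structured document passes with no findings; the spreadsheet export fails three times over (no recognised format, no product reference, no top-level dependency edges). The `dependencies` section is what separates an SBOM from a parts list: it records that the firmware uses curl and mbedtls directly and that curl pulls in openssl and zlib, which is exactly the supply chain relationship a vulnerability in openssl has to be traced through.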
A particularly consequential nuance for APAC supply chains: Article 3(13) defines "manufacturer" as the natural or legal person who develops or manufactures PwDE, or has PwDE designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge. The phrase "or has [products] designed, developed or manufactured" is the legal hook that makes an EU brand owner the CRA manufacturer of a product physically built on a Taiwanese or Korean ODM line. The ODM is not the CRA manufacturer of that product if it carries the brand owner's name; it remains the manufacturer of anything it places on the market separately under its own name, per Article 3(1). This is the textual basis for the white-label re-routing under Article 21.
A second consequential nuance: Article 3(16) defines "importer" as a natural or legal person established in the Union who places on the market a PwDE that bears the name or trademark of a natural or legal person established outside the Union. The definition of "distributor" (Article 3(17)) excludes manufacturers and importers and covers any other supplier in the chain that makes the product available without affecting its properties; an intermediary that does affect them is heading into Article 21 territory. APAC manufacturers selling through complex multi-tier distribution into the EU need to map each intermediary against these definitions; the role assignment determines who carries which Article 13 / 19 / 20 / 21 obligation.
Block 4 · Cross-regulation map
CRA definitions and parallel EU vocabulary
CRA Article 3 inherits some definitions verbatim, anchors others to companion regulations, and creates a few new ones. Knowing where each definition comes from helps APAC manufacturers reuse compliance work across regimes.
Cybersecurity Act 2019/881 · definitional anchor
CRA Article 3(3) explicitly anchors the definition of "cybersecurity" to Article 2(1) of the Cybersecurity Act. CRA does not redefine cybersecurity; it borrows the CSA definition wholesale. This means the EUCC scheme and ENISA's broader cybersecurity work share CRA's vocabulary by reference, and the Regulation lets certification under a European cybersecurity certification scheme support a presumption of conformity for the essential requirements the certificate covers. APAC manufacturers that already work with EUCC certification carry the same underlying terms into CRA without retranslation.
NLF Decision 768/2008/EC · manufacturer / importer / distributor template
CRA's definitions of manufacturer (3(13)), authorised representative (3(15)), importer (3(16)) and distributor (3(17)) follow the New Legislative Framework template in Decision 768/2008/EC. The same template is used in RED, EMC, LVD, GPSR, MDR and the Machinery Regulation, so APAC manufacturers operating across these regimes work with consistent role definitions and need not re-train sales and operations teams on the role taxonomy. The CRA-specific addition is the open-source software steward (3(14)), which has no NLF counterpart.
Reg 765/2008 / Reg 2019/1020 · economic operator
CRA Article 3(12) defines "economic operator" as the umbrella term for manufacturer, AR, importer, distributor, and any other entity subject to CRA obligations. The umbrella term is borrowed from Reg 765/2008 / 2019/1020 — the same horizontal market-surveillance regime that enforces RED, EMC, LVD, GPSR. Investigatory powers, identification rules, and traceability obligations are consistent across regimes.
EU AI Act 2024/1689 · high-risk AI as a separate vocabulary
AI Act has its own role taxonomy — "provider", "deployer", "importer", "distributor". The provider role in AI Act maps to manufacturer in CRA but is not identical (AI Act provider can also be a downstream party that fine-tunes a foundation model). APAC manufacturers with AI-bundled PwDE need to track both vocabularies and the small but consequential differences.
CRA Article 3 vs MDR Article 2 · overlapping but separate
MDR has 71 definitions in Article 2; CRA has 51 in Article 3. Several concepts overlap: manufacturer, AR, distributor, substantial modification. The CRA carve-out for medical devices means MDR definitions govern medical device cybersecurity work; CRA definitions govern non-medical-device PwDE. The vocabularies are kept separate because the legal contexts differ — though the operational meaning is often the same.