Article 33 Regulation (EU) 2024/2847 · Chapter III 法規 (EU) 2024/2847 · 第三章
Support measures for microenterprises, SMEs and start-ups 支援措施,微型、中小企業與初創
Five concrete measures: training and awareness, dedicated communication channels, testing support, regulatory sandboxes, simplified technical documentation, financial-support visibility. Article 33 is the proportionality clause for the CRA — a deliberate signal that small players will not be crushed under uniform compliance. 五項具體措施:培訓與認知、專屬溝通管道、測試支援、法規沙盒、簡化技術文件、金融支援可見度。第 33 條為 CRA 的比例原則條款,刻意訊號表明小型業者不會被一致性合規壓垮。
Block 1 · Official text 區塊 1 · 官方條文
What the Regulation actually says 條文實際怎麼寫
Source. Consolidated text from Regulation (EU) 2024/2847 as published in OJ L 2024/2847, 20 November 2024. SME definitions follow Commission Recommendation 2003/361/EC. 來源。條文自《法規 (EU) 2024/2847》整合文本,發布於 OJ L 2024/2847,2024 年 11 月 20 日。中小企業定義依《執委會建議 2003/361/EC》。
Member State actions for micro and small enterprises 會員國對微型與小企業之行動 ¶ 1
1. Member States shall, where appropriate, undertake the following actions, tailored to the needs of microenterprises and small enterprises:
1. 會員國應於適當情形下,採取下列因應微型與小企業需求量身打造之行動:
(a) organise specific awareness-raising and training activities about the application of this Regulation;
(a) 就本法規之適用組織特定之認知提升與培訓活動;
(b) establish a dedicated channel for communication with microenterprises and small enterprises and, as appropriate, local public authorities to provide advice and respond to queries about the implementation of this Regulation;
(b) 建立與微型及小企業之專屬溝通管道,並於適當時與地方公共機關建立管道,以提供建議並回應有關本法規實施之查詢;
(c) support testing and conformity assessment activities, including where relevant with the support of the European Cybersecurity Competence Centre.
(c) 支援測試與符合性評鑑活動,於相關時含歐洲網路安全能力中心之支援。
Cyber resilience regulatory sandboxes 網路韌性法規沙盒 ¶ 2
2. Member States may, where appropriate, establish cyber resilience regulatory sandboxes. Such regulatory sandboxes shall provide for controlled testing environments for innovative products with digital elements to facilitate their development, design, validation and testing for the purpose of complying with this Regulation for a limited period of time before the placing on the market. The Commission and, where appropriate, ENISA, may provide technical support, advice and tools for the establishment and operation of regulatory sandboxes. The regulatory sandboxes shall be set up under the direct supervision, guidance and support by the market surveillance authorities. Member States shall inform the Commission and the other market surveillance authorities of the establishment of a regulatory sandbox through ADCO. The regulatory sandboxes shall not affect the supervisory and corrective powers of the competent authorities. Member States shall ensure open, fair, and transparent access to regulatory sandboxes, and in particular facilitate access by microenterprises and small enterprises, including start-ups.
2. 會員國得於適當情形下建立網路韌性法規沙盒。此等法規沙盒應為創新具數位元素產品提供受控測試環境,以便其於投放市場前之有限期間內進行符合本法規目的之開發、設計、驗證與測試。執委會與適當時 ENISA 得為法規沙盒之建立與運作提供技術支援、建議與工具。法規沙盒應於市場監督機關之直接監督、指引與支持下設立。會員國應透過 ADCO 告知執委會與其他市場監督機關有關法規沙盒之建立。法規沙盒不影響權限機關之監督與糾正權力。會員國應確保對法規沙盒開放、公平、透明之存取,特別應便利含初創在內之微型與小企業之存取。
Commission guidance and financial-support visibility 執委會指引與金融支援可見度 ¶ 3 – 4
3. In accordance with Article 26, the Commission shall provide guidance for microenterprises and small and medium-sized enterprises in relation to the implementation of this Regulation.
3. 執委會應依第 26 條提供與本法規實施有關之微型及中小企業指引。
4. The Commission shall advertise available financial support in the regulatory framework of existing Union programmes, in particular in order to ease the financial burden on microenterprises and small enterprises.
4. 執委會應於既有聯盟計畫之規管框架內廣告可用之金融支援,特別為減輕微型與小企業之金融負擔。
Simplified technical documentation form 簡化技術文件表式 ¶ 5
5. Microenterprises and small enterprises may provide all elements of the technical documentation specified in Annex VII by using a simplified format. For that purpose, the Commission shall, by means of implementing acts, specify the simplified technical documentation form targeted at the needs of microenterprises and small enterprises, including how the elements set out in Annex VII are to be provided. Where a microenterprise or small enterprise opts to provide the information set out in Annex VII in a simplified manner, it shall use the form referred to in this paragraph. Notified bodies shall accept that form for the purposes of conformity assessment. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 62(2).
5. 微型與小企業得以簡化格式提供附件七所定技術文件之所有要素。為此,執委會應以執行法規規定針對微型與小企業需求量身打造之簡化技術文件表式,包括附件七所列要素應如何提供。微型或小企業選擇以簡化方式提供附件七所定資訊者,應使用本項所指之表式。指定機構為符合性評鑑目的應接受該表式。該等執行法規應依第 62(2) 條所定之審查程序採納。
Important: §5 applies to "microenterprises and small enterprises" only — medium enterprises are excluded from the simplified-form benefit. Medium enterprises remain entitled to fee proportionality (Article 32(6)) and to general guidance (Article 33(3)).
重要:§5 僅適用於「微型與小企業」,中型企業排除於簡化表式之益處外。中型企業仍享有費用比例性(第 32(6) 條)與一般指引(第 33(3) 條)。
SME definitions per Recommendation 2003/361/EC 依《建議 2003/361/EC》之 SME 定義 Reference
Recital 5 of the CRA confirms the entire Annex to Recommendation 2003/361/EC applies, including Article 6 on partner and linked enterprises. The thresholds:
CRA Recital 5 確認《建議 2003/361/EC》附件全部適用,含關於合夥企業與關係企業之第 6 條。門檻為:
· Microenterprise: < 10 staff, ≤ €2 million annual turnover or balance sheet
· 微型企業:員工 < 10 人、年營業額或資產負債表 ≤ €200 萬
· Small enterprise: < 50 staff, ≤ €10 million annual turnover or balance sheet
· 小企業:員工 < 50 人、年營業額或資產負債表 ≤ €1,000 萬
· Medium enterprise: < 250 staff, ≤ €50 million annual turnover OR ≤ €43 million balance sheet
· 中型企業:員工 < 250 人、年營業額 ≤ €5,000 萬或資產負債表 ≤ €4,300 萬
Linked enterprise rule: when a parent company holds > 50 % control of an EU sales entity, the parent's headcount and financials are aggregated. An APAC ODM with 5,000 staff cannot have its EU sales subsidiary qualify as a "small enterprise" by counting only the subsidiary's local headcount.
關係企業規則:母公司持有歐盟銷售實體 > 50% 控制權時,母公司之員工數與財務數彙總計算。具 5,000 名員工之 APAC ODM 不能僅以歐盟子公司本地員工數計,使其符合「小企業」資格。
Block 2 · Plain language 區塊 2 · 白話解讀
Five concrete entitlements — and the gates that limit them 五項具體權利,以及限制它們的關卡
Article 33 reads more like a programme charter than a typical regulatory clause. It assigns concrete obligations to Member States and the Commission, and creates one direct entitlement for the regulated entity (the simplified Annex VII form in §5). Each entitlement has gates — eligibility tests, proportionality conditions, or implementation prerequisites — that determine how much benefit a given enterprise actually gets.
第 33 條讀起來比較像「計畫憲章」、不像典型的規管條款。它對會員國跟執委會加上具體義務,也對受規管實體創造一項直接權利(§5 簡化附件七表式)。每項權利都有把關點,資格測試、比例性條件、或實施前提,決定一家特定企業實際能拿到多少。
| Entitlement權利 | Beneficiary scope受益範圍 | Gate / condition閘門 / 條件 |
|---|---|---|
| Awareness-raising and training認知提升與培訓 §1(a) | Microenterprises & small enterprises微型與小企業 | "Where appropriate" — soft Member State obligation. Implementation depends on national administrative capacity. Quality varies between Member States.「於適當情形」,軟性會員國義務。實施依國家行政能力。會員國間品質差異。 |
| Dedicated communication channel專屬溝通管道 §1(b) | Microenterprises & small enterprises微型與小企業 | "Where appropriate" — same softness. In practice may be a hotline, dedicated email, or SME-focused information page on the market surveillance authority website.「於適當情形」,同樣軟性。實務上可能為熱線、專屬電郵、或市場監督機關網站上之中小企業導向資訊頁。 |
| Testing & conformity-assessment support測試與符合性評鑑支援 §1(c) | Microenterprises & small enterprises微型與小企業 | May involve European Cybersecurity Competence Centre (ECCC). Subject to ECCC programme priorities and funding.可能涉及歐洲網路安全能力中心(ECCC)。視 ECCC 計畫優先順序與資金而定。 |
| Cyber resilience regulatory sandbox網路韌性法規沙盒 §2 | All enterprises; SMEs and start-ups have facilitated access所有企業;中小企業與初創有便利的存取 | Member State must establish ("may, where appropriate"). As of early 2026, no CRA-specific sandbox is verified as established. Distinct from AI Act Article 57 sandbox.會員國須建立(「得,於適當情形」)。截至 2026 年初,無經驗證的 CRA 特定沙盒已建立。與 AI Act 第 57 條沙盒不同。 |
| Commission guidance執委會指引 §3 | Microenterprises, small & medium enterprises微型、小、中型企業 | Per Article 26 — Commission obligation. The CRA FAQ is one element of this. Detailed guidance on FOSS, support periods, substantial modification, etc., is being developed.依第 26 條,執委會義務。CRA FAQ 為此一要素。關於 FOSS、支援期間、實質修改等的詳細指引發展中。 |
| Financial-support visibility金融支援可見度 §4 | Microenterprises & small enterprises微型與小企業 | Commission obligation. Limited to existing EU programmes — Digital Europe Programme, Horizon Europe, EU4Health, etc. No new dedicated CRA financial instrument.執委會義務。限於既有 EU 計畫,Digital Europe Programme、Horizon Europe、EU4Health 等。無新設專屬 CRA 金融工具。 |
| Simplified Annex VII form簡化附件七表式 §5 | Microenterprises & small enterprises only — medium excluded僅微型與小企業,中型排除 | Requires Commission implementing act. As of early 2026, the implementing act has not been adopted. Once adopted, NBs must accept the simplified form.需執委會執行法案。截至 2026 年初尚未採納。採納後,NB 須接受簡化表式。 |
Two interlocking observations on §5 worth holding. First, the simplified form is narrower in beneficiary scope than the rest of Article 33 — micro and small only, no medium. This means a 100-staff EU SME with €15 million turnover qualifies as "medium" under Recommendation 2003/361/EC and is shut out of the simplified form benefit, while still entitled to fee proportionality and Commission guidance. Second, the simplified form is gated on a Commission implementing act not yet adopted as of early 2026. Until that act lands, even fully eligible micro and small enterprises must produce full Annex VII technical files.
關於 §5 兩個互相扣連的觀察值得記下來。第一,簡化表式的受益範圍比第 33 條其餘部分窄,只有微型跟小型,沒有中型。這代表一家有 100 名員工、€1,500 萬營業額的歐盟 SME,依 Recommendation 2003/361/EC 資格屬於「中型」,會被排除在簡化表式的好處之外,但仍然享有費用比例性跟執委會指引。第二,簡化表式被一份還沒採納的執委會 implementing act 卡住,截至 2026 年初還沒採納。在這個法案實施之前,就算是完全合格的微型跟小企業也必須產出完整附件七技術檔案。
A separate but related provision sits in Article 32(6): conformity assessment fees set by notified bodies must be proportionate to SME interests and needs, and reduced where appropriate. This benefits all sizes of SME (micro, small, and medium) — broader scope than §5 — but the operational impact depends on individual NB pricing policy. Negotiating fee proportionality requires the SME to actively raise the issue with the chosen NB; it does not happen automatically.
第 32(6) 條另有一個獨立但相關的條款:指定機構所定的 conformity assessment 費用必須對 SME 的利益與需求成比例、適當時要降低。這對各規模的 SME(微型、小、中)都有好處,範圍比 §5 廣,但實際運作的影響要看個別 NB 的定價政策而定。協商費用比例性需要 SME 主動向所選 NB 提出,不會自動發生。
Block 3 · APAC perspective 區塊 3 · APAC 觀點
Why most APAC manufacturers won't qualify — and what to do anyway 為什麼多數 APAC 製造商沒資格,以及無論如何該做的事
Article 33's SME provisions are designed to protect EU-based startups and small manufacturers. APAC manufacturers selling into the EU rarely meet the eligibility criteria, and confusion about how the SME test applies costs time. Three structural realities to internalise.
第 33 條的 SME 條款設計來保護歐盟設立的新創跟小型製造商。出貨歐盟的 APAC 製造商很少符合資格條件,但對 SME 測試怎麼適用的困惑會耗掉時間。三個結構性現實值得抓住:
Linked-enterprise rule eliminates most APAC SME claims. Recital 5 of the CRA explicitly invokes Article 6 of Recommendation 2003/361/EC's annex on partner and linked enterprises. When an APAC parent (say, a Taiwan ODM with 800 staff and €120 million turnover) sets up an EU sales subsidiary with 5 staff and €1 million turnover, the subsidiary cannot claim "small enterprise" status because the parent's headcount and financials must be aggregated under the linked-enterprise rule. The 100% parent-controlled relationship triggers full aggregation. Result: the subsidiary inherits the parent's "large enterprise" classification.
關係企業規則排除掉多數 APAC SME 主張。CRA Recital 5 明確援引 Recommendation 2003/361/EC 附件第 6 條關於合夥企業跟關係企業的規定。APAC 母公司(例如有 800 名員工、€120M 營業額的台灣 ODM)在歐盟設一家 5 名員工、€1M 營業額的銷售子公司時,這個子公司沒辦法主張「小企業」地位,因為依關係企業規則,母公司的員工數跟財務數必須彙總計算。母公司 100% 控制這個關係會觸發完整彙總。結果:子公司繼承母公司的「大型企業」分類。
Genuinely small APAC start-ups can claim — but only if they are the manufacturer. A 12-person Taiwanese hardware start-up with €1.8 million turnover, no parent and no linked entities, qualifies as a microenterprise. If that start-up directly places a CRA-scoped product on the EU market (perhaps via Amazon EU or a small reseller), it can use the simplified Annex VII form once the implementing act lands. But if the same start-up is OEM-supplying a larger brand and the larger brand is the entity placing the product on the EU market, the larger brand is the manufacturer under CRA Article 3 point 13 and the start-up's SME status is irrelevant — the larger brand's status governs.
真正小型的 APAC 新創可以主張,但只有在它自己就是製造商時。一家 12 人、€1.8M 營業額、沒有母公司、沒有關係企業的台灣硬體新創,符合微型企業資格。如果這家新創直接把 CRA 範圍內產品投入歐盟市場(例如透過 Amazon EU 或小型經銷商),它可以在 implementing act 實施後使用簡化附件七表式。但如果同一家新創 OEM 供應給某個大型品牌、而大型品牌是把產品投入歐盟市場的實體,依 CRA 第 3(13) 條那個大型品牌就是製造商,新創的 SME 地位無關,由大型品牌的地位主導。
The sandbox is the most realistically accessible benefit for APAC presence. Article 33(2) cyber resilience regulatory sandboxes, when established, are open to all enterprises — and Member States must facilitate SME / start-up access. As of early 2026, no Member State has publicly notified ADCO of a CRA-specific sandbox. The first ones to appear are likely to be in Member States with strong existing fintech/AI sandbox infrastructure (Lithuania, Estonia, France, the Netherlands). APAC manufacturers planning EU market entry could engage directly with sandboxes in these countries — sandbox access is not gated by entity nationality, only by whether the product activity has a clear placement-on-market pathway in that Member State.
沙盒是 APAC 實際上最容易取用的權利。第 33(2) 條的網路韌性法規沙盒一旦建立,對所有企業都開放,會員國必須協助 SME / 新創存取。截至 2026 年初,沒有任何會員國公開向 ADCO 通報過 CRA 特定的沙盒。第一批出現的可能會在已經有強大金融科技 / AI 沙盒基礎建設的會員國(立陶宛、愛沙尼亞、法國、荷蘭)。規劃進入歐盟市場的 APAC 製造商可以直接參與這些國家的沙盒,沙盒存取不以實體國籍為門檻,只看這個產品的活動在該會員國是否有明確的投入市場路徑。
A practical conclusion. Most APAC ODMs and OEMs should plan their CRA programmes assuming none of Article 33's SME-specific entitlements applies. The SME-aware fee proportionality of Article 32(6) may yield modest pricing flexibility through negotiation. Sandbox engagement in receptive Member States is the genuinely useful unlock. Article 33's main value to APAC strategy is therefore not its eligibility benefits but its existence as a signal that the CRA's drafters anticipated proportionality concerns and built specific machinery to address them — machinery that some APAC subsidiaries with genuinely independent EU operations may eventually use.
實務結論:多數 APAC ODM 跟 OEM 規劃 CRA 計畫時,應該假設第 33 條的 SME 特定權利都不適用。第 32(6) 條的 SME 費用比例性,可以透過協商產生溫和的定價彈性。在接納性高的會員國參與沙盒,是真正有用的解鎖。第 33 條對 APAC 策略的主要價值不是它的資格利益,而是它作為訊號存在,CRA 起草者已經預期了比例性顧慮、並建立了具體機制因應,這些機制有些具備真正獨立歐盟營運的 APAC 子公司,最終可能會用得到。
Block 4 · Cross-regulation map 區塊 4 · 跨法規對照
SME-support patterns across EU digital regulations EU 數位法規中的 SME 支援模式
Recent EU digital regulations all include SME-friendly provisions, but the specific entitlements differ. The table below maps how Article 33's machinery compares to similar provisions in adjacent regulations.
近期 EU 數位法規都含 SME 友善條款,但具體權利不同。下表比較第 33 條機制與相鄰法規類似條款的差異。
AI Act (EU) 2024/1689
Artificial Intelligence
人工智慧
Article 57 AI regulatory sandboxes (free for SMEs); Article 62 priority access for SMEs and start-ups; Article 11 reduced technical-documentation form for SMEs (Annex IV simplified). AI Act sandbox is free for SMEs; CRA sandbox has no explicit cost provision. AI Act Article 11 simplified form is in force; CRA's Article 33(5) form awaits implementing act. Article 12(4) lets CRA-scoped manufacturers participate in AI Act sandboxes — bridging the two regimes.
第 57 條 AI 法規沙盒(SME 免費);第 62 條 SME 與初創優先存取;第 11 條 SME 簡化技術文件表式(附件四簡化)。 AI Act 沙盒對 SME 免費;CRA 沙盒無明確成本條款。AI Act 第 11 條簡化表式已生效;CRA 第 33(5) 條表式待執行法案。第 12(4) 條允 CRA 範圍製造商參與 AI Act 沙盒,橋接兩制度。
NIS2 Directive (EU) 2022/2555
Network and Information Security
網路與資訊安全
Article 21 size-based proportionality of cybersecurity measures; Article 31(3) ENISA & Member State capacity-building support to SMEs. NIS2 applies to entities (not products); CRA Article 33 applies to manufacturers. NIS2's proportionality is built into the substantive obligations themselves; CRA's proportionality is procedural (form, sandbox, fees).
第 21 條網路安全措施依規模的比例性;第 31(3) 條 ENISA 與會員國對 SME 的能力建構支援。 NIS2 適用於實體(非產品);CRA 第 33 條適用於製造商。NIS2 比例性內建於實質義務本身;CRA 比例性為程序性(表式、沙盒、費用)。
GDPR (EU) 2016/679
Data Protection
資料保護
Article 30(5) records-of-processing exemption for organisations < 250 staff (subject to risk conditions); Recital 13 SME-friendly framing. GDPR's only true SME exemption is the records exemption — narrowly conditional. Most GDPR obligations apply uniformly. CRA Article 33 has more concrete entitlements but is similarly limited in actual exemption power.
第 30(5) 條 < 250 員工組織之處理記錄豁免(受風險條件約束);Recital 13 SME 友善取態。 GDPR 唯一真正 SME 豁免為記錄豁免,狹窄條件性。多數 GDPR 義務一致適用。CRA 第 33 條有更具體權利但實際豁免力同樣有限。
Digital Services Act (EU) 2022/2065
Online intermediaries
線上中介
Article 19 small/micro intermediary exemption from certain Section 4 obligations; Article 25 transparency reporting reduced for non-VLOPs/VLOSEs. DSA carves out genuine substantive exemptions for small intermediaries — full obligations don't apply. CRA Article 33 is procedurally proportional but substantively obligations remain identical. Different model.
第 19 條小型 / 微型中介在某些第 4 節義務的豁免;第 25 條對非 VLOP / VLOSE 的透明度報告減輕。 DSA 為小型中介開出真正實質豁免,完整義務不適用。CRA 第 33 條為程序性比例但實質義務維持一致。不同模型。
EU Data Act (EU) 2023/2854
Data sharing & access
資料分享與存取
Article 14 data-holder obligations exclude SMEs unless they are linked enterprises with non-SME parents; Article 26 dispute settlement bodies free for SMEs. Data Act provides genuine SME exemption from data-holder obligations — substantive carve-out. CRA Article 33 does not exempt micro/small from substantive Annex I obligations; only the documentation form is simplified.
第 14 條資料持有人義務排除 SME(除非為非 SME 母公司的關係企業);第 26 條 SME 免費爭議解決機構。 資料法案對資料持有人義務提供真正 SME 豁免,實質切出。CRA 第 33 條不對微型 / 小型企業豁免實質附件一義務;僅文件表式簡化。