CRA Notebook · CRA reading notes
Working note — actively evolving, may be revised. See /errata for the change log.

Article 5 · Regulation (EU) 2024/2847 · Chapter I

Procurement or use of products with digital elements

CRA does not prevent Member States from imposing additional requirements on the procurement or use of PwDE (products with digital elements) for security purposes, provided those requirements comply with EU law.

Paragraphs · 2 · Applies from · 11 Dec 2027 · Primary audience · Member States, procurement bodies · Last reviewed · 2026-04-26 · Status · Working

Block 1 · Official text

What the Regulation actually says

Source. From Regulation (EU) 2024/2847, OJ L 2024/2847 (20 Nov 2024). Refer to EUR-Lex for the binding text.

1. This Regulation shall not prevent Member States from imposing additional requirements on products with digital elements for the protection of essential national interests, provided that those requirements are consistent with the obligations laid down in international agreements concluded by the Union and they do not impede the making available on the market of products with digital elements that comply with this Regulation.

2. This Regulation shall not prevent Member States from imposing additional cybersecurity requirements on products with digital elements procured or used for specific purposes, including products with digital elements procured or used for national security or defence purposes. Such requirements should be consistent with the Member States' obligations laid down in Union law. Member States shall ensure that, when those requirements are imposed in the context of public procurement, the obligations of this Regulation referred to in Article 64 are taken into consideration.

Block 2 · Plain language

When Member States can stack national requirements on top of CRA

Article 5 is the carve-out from the Article 4 free-movement rule. It says Member States retain the right to impose, on grounds of national security or defence procurement, additional cybersecurity requirements beyond what CRA mandates. APAC manufacturers selling into EU defence supply chains, critical infrastructure procurement, or government IT need to map this carefully.

  1. The carve-out is grounded in Treaty competence. Article 5 reflects Article 346 TFEU — Member States retain national security and defence-related sovereignty. CRA is a single-market harmonisation regulation; it cannot override national security carve-outs that are protected by primary EU law. Even if the Commission wanted to extend CRA into defence, it could not do so without Treaty-level change.

  2. The threshold is "national security" — broader than military. National security includes defence procurement, intelligence services, critical infrastructure protected as national security assets, and certain border / customs systems. Different Member States define the boundary differently. Germany's BSI has additional cybersecurity requirements for critical infrastructure (KRITIS); France's ANSSI has its own framework. The Member State decision to invoke Article 5 is not centrally reviewed.

  3. Stacking is allowed only on the carved-out subject matter. A Member State cannot use Article 5 to add general consumer-product cybersecurity requirements; that would breach Article 4 free movement. Article 5 only protects additional requirements specifically tied to national security / defence procurement. The product itself remains CRA-compliant; the additional requirements are layered on top for the specific procurement.

  4. This article does not bar Member States from using public procurement to drive cybersecurity standards. A Member State can specify in a public tender that bidders must meet cybersecurity standards beyond CRA — for example, a specific EUCC certification level, or a national-scheme equivalent. This is a procurement-level requirement, not a market-access requirement. Article 5 lets the Member State do this for security-sensitive procurement; ordinary public procurement using CRA-compliant products faces only CRA requirements.

Block 3 · APAC perspective

Article 5 and APAC vendors targeting the EU public sector

For most APAC manufacturers selling consumer or commercial PwDE, Article 5 is irrelevant — they will never sell into EU defence procurement. For a smaller but high-value subset — APAC industrial control vendors selling to EU utilities, APAC firewall vendors competing for German federal contracts, APAC IoT platforms seeking French smart-city tenders — Article 5 is the article that decides whether a CRA-compliant product is enough or whether the Member State will demand more.

A pre-bid checklist for APAC vendors targeting EU public sector procurement:

Member State | National-security cybersecurity layer | Implication for APAC bid
Germany | BSI IT-Grundschutz, KRITIS regulation, BSIG. CC certification (BSI is a CC scheme owner) often required. | CRA + EUCC certification frequently insufficient for KRITIS / federal procurement; a national BSI evaluation is often layered on top.
France | ANSSI CSPN / Visa de sécurité, RGS. Strong preference for French / EU-based suppliers in defence-adjacent procurement. | Non-EU vendors face a structural disadvantage in security-sensitive procurement; Article 346 TFEU lets France discriminate.
Netherlands | NCSC-NL guidance, Wbni, Aanwijzingen voor de Rijksdienst. Comparatively open to non-EU vendors with an EU presence. | Better odds for APAC vendors with a strong EU subsidiary; CRA + EUCC often sufficient for non-defence sensitive procurement.
Italy / Spain | National schemes exist but are less frequently invoked under Article 5; sectoral regulators (energy, transport, banking) often add requirements via NIS2 transposition instead. | Mid-difficulty for APAC bids; map sectoral regulator requirements alongside CRA conformity.

An important pattern: Article 5 carve-outs are used sparingly for general public procurement and aggressively for sensitive procurement. APAC vendors should expect that EU defence, intelligence, and critical infrastructure tenders will demand CRA-plus, often via national CC certification or national-scheme equivalents.

A second pattern worth flagging for Korean and Japanese vendors: domestic schemes (K-ISMS, JC-STAR) do not currently confer a presumption of compliance with EU national-security layered requirements. K-ISMS is recognised in Korea; not in Germany. JC-STAR is recognised in Japan; not in France. APAC vendors with a multi-region go-to-market (GTM) plan should not bundle domestic certification effort with EU defence-procurement preparation — these are separate compliance tracks with separate cost lines.

Block 4 · Cross-regulation map

Article 5 in the EU national-security carve-out family

National-security carve-outs appear in nearly every EU harmonisation regulation. The pattern is consistent — single-market harmonisation does not override Member State sovereignty over national security.

TFEU Article 346 — the Treaty foundation

Article 346 TFEU lets Member States protect essential national security interests connected to the production of or trade in arms, munitions and war material. CRA Article 5 is one specific implementation of this broader Treaty competence. Court of Justice of the EU case law has narrowed the scope (e.g., Case C-414/97 Commission v Spain) — "national security" must be invoked specifically and proportionately, not as a blanket exception.

NIS2 Directive 2022/2555 Article 2(9) — same carve-out logic

NIS2 Article 2(9) carves out activities exclusively in the area of national security, public security, or defence from NIS2 obligations. The structure mirrors CRA Article 5 — Member States may impose additional cybersecurity duties on essential / important entities for national security reasons. APAC vendors selling to NIS2 essential entities in defence / intelligence sectors face this stacked layer.

EU AI Act 2024/1689 Article 2(3) — military / national security carve-out

AI Act Article 2(3) explicitly excludes AI systems placed on the market or used exclusively for military, defence, or national security purposes. The carve-out is broader than CRA Article 5 — the AI Act does not apply at all to military AI, whereas CRA still applies to commercial PwDE that may also be used by defence (Article 5 only lets Member States add requirements). For products bundling AI under PwDE in defence-procurement contexts, the AI side may be entirely carved out of the AI Act while the cybersecurity side remains CRA plus the Member State layer.

EU defence procurement Directive 2009/81/EC

2009/81/EC governs defence and security procurement, with specific rules on supplier selection, technical specifications, and confidentiality. Member States procuring under this directive can specify cybersecurity requirements that are not derived from CRA. APAC vendors bidding under 2009/81/EC procurement face the most layered compliance environment in EU public procurement.

EU Foreign Subsidies Regulation 2022/2560 — separate but overlapping concern

2022/2560 lets the Commission investigate whether non-EU public funding distorts the EU single market. APAC vendors with home-government R&D support or industrial-policy linkage face FSR review for large EU public procurement bids — separate from the Article 5 cybersecurity layer, but operationally relevant. Major Taiwanese, Japanese and Korean industrial vendors should expect FSR notifications above the €250M / €4M thresholds.