CRA Notebook
Working note — actively evolving, may be revised. See /errata for the change log.

Article 52 · Regulation (EU) 2024/2847 · Chapter VI

Market surveillance and control of products with digital elements

The article that turns CRA compliance from a one-off project into a continuously inspectable state. Member State market surveillance authorities receive Regulation (EU) 2019/1020 powers — document requests, on-site inspections, sample testing — operable on a 7-day clock without prior notice.

Paragraphs · 11
Applies from · 11 Dec 2027
Primary audience · Manufacturer
Last reviewed · 2026-04-26
Status · Working

Block 1 · Official text

What the Regulation actually says

Source. Consolidated text from Regulation (EU) 2024/2847 as published in OJ L 2024/2847, 20 November 2024. This reproduction is unofficial; refer to EUR-Lex for the binding text in all 24 EU languages. Paragraphs 7–11, covering follow-up procedures, joint investigations, multi-Member-State coordination, and Commission reporting, are reproduced in full at EUR-Lex.

Authority designation & cooperation

52(1)

Regulation (EU) 2019/1020 shall apply to products with digital elements that fall within the scope of this Regulation.

52(2)

Each Member State shall designate one or more market surveillance authorities for the purpose of ensuring the effective implementation of this Regulation. Member States may designate an existing or new authority to act as market surveillance authority for this Regulation.

52(3)

The market surveillance authorities designated under paragraph 2 of this Article shall also be responsible for carrying out market surveillance activities in relation to the obligations for open-source software stewards laid down in Article 24. Where a market surveillance authority finds that an open-source software steward does not comply with the obligations set out in that Article, it shall require the open-source software steward to ensure that all appropriate corrective actions are taken.

52(4)

Where relevant, the market surveillance authorities shall cooperate with the national cybersecurity certification authorities designated pursuant to Article 58 of Regulation (EU) 2019/881 and exchange information on a regular basis. With respect to the supervision of the implementation of the reporting obligations pursuant to Article 14 of this Regulation, the designated market surveillance authorities shall cooperate and exchange information on a regular basis with the CSIRTs designated as coordinators and ENISA.

52(5)

The market surveillance authorities may request a CSIRT designated as coordinator or ENISA to provide technical advice on matters related to the implementation and enforcement of this Regulation. When conducting an investigation under Article 54, market surveillance authorities may request the CSIRT designated as coordinator or ENISA to provide an analysis to support evaluations of compliance of products with digital elements.

52(6)

The market surveillance authorities shall, where relevant and in agreement with the data protection authorities, alert the latter on findings of relevance to data protection.

Block 2 · Plain-language reading

What this clause is really doing

Article 52 looks bureaucratic — it designates authorities and tells them to cooperate. The operational consequence is bigger than the wording suggests.

Three things to note.

One — Regulation (EU) 2019/1020 powers apply in full. That regulation gives market surveillance authorities the power to demand documents, run on-site inspections, take product samples, and order corrective action. Article 52 simply says: those powers apply to PwDE under the CRA. There is no carve-out, no “light-touch” version.

Two — open-source software stewards are explicitly in scope. Paragraph 3 names them directly. The same authorities that supervise commercial manufacturers also supervise FOSS stewards under Article 24 — though with corrective action only, not the full Article 64 penalty machinery.

Three — there is a multi-authority coordination layer. Market surveillance authorities cooperate with national cybersecurity certification authorities (under Reg 2019/881), with CSIRTs designated as coordinators, and with ENISA. For an APAC manufacturer, this means a single Article 14 incident report can become known to multiple EU authorities simultaneously, and a market surveillance investigation can pull in technical analysis from ENISA.

Block 3 · APAC perspective

When the phone rings about an Article 52 information request

A worked example: the Tuesday morning letter

Picture a Tuesday morning at a European importer of an APAC-built industrial PC. A registered letter arrives from the Bundesamt für Sicherheit in der Informationstechnik. It is an information request: provide the EU declaration of conformity, the Annex VII technical documentation, the SBOM current as of the most recent placing on the market, the coordinated vulnerability disclosure policy, and the vulnerability handling records for the past twelve months. Seven calendar days. The importer reads it once, picks up the phone, and dials Asia. From the APAC manufacturer’s end, this is the first concrete contact with Article 52. The text of the article describes an authority architecture; the phone call is what the architecture actually does.

What actually triggers the call

Article 52 grants market surveillance authorities the powers laid out in Regulation (EU) 2019/1020 — document requests, on-site inspections, sample testing, the lot. From the APAC manufacturer’s perspective the relevant question isn’t which power was used; it’s what made the authority pick up the file in the first place. The triggers cluster into five categories: spot-check sampling under a Member State’s annual market surveillance plan; a customer complaint, often from a procurement officer at a regulated buyer (hospital, utility, government department); an Article 14 incident report that the authority is following up on; a RAPEX-style cross-border alert from another Member State; and media coverage of a disclosed vulnerability. The first two and the last one are the volume drivers. The Article 14 trigger is the one that escalates fastest, because the authority is not starting from scratch — the manufacturer has already self-identified an incident.

What you have to find within 24 hours

The information request will list specific documents. The list is not surprising; everything on it is something Article 13 already required the manufacturer to maintain. The surprise is operational: the documents must be retrievable, current, and tied to a specific version of the product as placed on the market. The minimum set: the EU declaration of conformity for the version in scope; the Annex VII technical documentation including risk assessment, design and development records, and conformity assessment results; the SBOM corresponding to the placed-on-market version, with dependency information current at the time of that placement; the CVD policy as published; vulnerability handling records for the past twelve months including triage decisions and remediation timelines; the declared support period and the reasoning behind it; and proof of authorised representative or EU contact point under Article 13(15)–(18).

Failure mode 1 — documents exist but are out of date

The manufacturer can produce a 2025 SBOM for a product placed on the market in early 2026, after which two firmware updates were issued. The CRA requirement is that the SBOM track the version that is actually on the market. An out-of-date SBOM is, in practice, treated as no SBOM — the document does not match the artefact the authority is examining. This is the single most common failure mode, and it is structurally a continuous-monitoring failure: somebody had to update the SBOM at every release and didn’t.

Failure mode 2 — SBOM is fragmented or incomplete

An SBOM that lists only top-level dependencies; an SBOM that covers the OS layer but not the firmware components; an SBOM in a non-standard format that doesn’t round-trip into common tooling. The Annex I Part II requirement is for an SBOM “covering at the very least the top-level dependencies of the product” in a commonly used and machine-readable format — but in a market-surveillance context, the authority will probe whether the listed dependencies are sufficient to enable a meaningful vulnerability analysis. The SBOM is not a checkbox; it is the artefact the authority uses to verify that the manufacturer can actually reason about its supply chain. A thin SBOM signals a thin process.

Failure mode 3 — no authorised representative or EU contact point

Article 13(15)–(18) require manufacturers established outside the EU to designate an authorised representative or, where exempted, a clearly identified EU contact point. APAC manufacturers selling exclusively through European distributors sometimes assume the distributor handles this; the regulation does not. The market surveillance authority that cannot serve a request on a clear EU representative will escalate, and an escalation under Article 52 reaches Article 64 quickly — including the Tier-3 bracket for incomplete or missing information.

The continuous-update reading

All three failure modes share a structural cause: someone treated CRA compliance as a one-off project rather than a standing function. The most consequential of the three, by far, is the SBOM staying current with every release. Every firmware update, every component swap, every dependency upgrade has to flow into an updated SBOM that gets attached to the version actually on the market. The Article 13 obligations don’t freeze at placing on the market; they run in parallel with the product’s lifecycle. Article 52 is the article that makes that real. When the phone rings, the question the authority is asking is not “did you do compliance once?” It is “is your compliance current as of today?” The answer to that question is whatever the SBOM and the vulnerability handling records say it is. Both have to be live documents, updated as the product is updated, or the answer is no.
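Failure modes 1 and 2 and the continuous-update point above, as an added Python pre-flight check that is not part of this note and not CRA or BSI tooling: it takes a CycloneDX-style SBOM and the manufacturer’s own release manifest (both constructed here, with hypothetical product and component names) and reports whether the SBOM is bound to the placed-on-market version, was generated no earlier than that release, covers every shipped component including the firmware layer, and carries a purl per component so it round-trips into vulnerability tooling. The `regenerate_sbom` helper is the step a release pipeline would run on every version; its field layout follows the CycloneDX `metadata.component` / `components` shape but is an assumption for illustration, not a conformance claim.

```python
"""Pre-flight check for the two SBOM failure modes: stale version binding and
fragmented coverage. Added example; sample data is constructed, not real."""
from __future__ import annotations

import json
from datetime import date, datetime

# Constructed release record: what the build actually on the market contains
# (hypothetical product and component names).
RELEASE_MANIFEST = {
    "product_version": "2.1.0",
    "released_on": "2026-03-02",
    "shipped_components": [
        {"name": "u-boot", "version": "2024.01"},   # bootloader: firmware layer
        {"name": "linux", "version": "6.6.30"},     # kernel
        {"name": "openssl", "version": "3.0.13"},   # OS layer
        {"name": "busybox", "version": "1.36.1"},
    ],
}

# Constructed SBOM showing both failure modes: generated for the previous
# product version before this release (failure mode 1), omits the bootloader
# and lacks a purl on one component (failure mode 2).
STALE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2025-11-14T09:00:00Z",
        "component": {"name": "industrial-pc", "version": "2.0.3"},
    },
    "components": [
        {"name": "linux", "version": "6.6.30", "purl": "pkg:generic/linux@6.6.30"},
        {"name": "openssl", "version": "3.0.13", "purl": "pkg:generic/openssl@3.0.13"},
        {"name": "busybox", "version": "1.36.1"},
    ],
})


def check_sbom(sbom_json: str, manifest: dict) -> list[str]:
    """Return findings; an empty list means the SBOM is current and complete.

    1. currency: SBOM version equals the placed-on-market version and the SBOM
       was generated no earlier than the release date;
    2. coverage: every shipped component (firmware included) is listed at the
       shipped version;
    3. resolvability: every listed component carries a purl, so the document
       round-trips into vulnerability-matching tooling.
    """
    sbom = json.loads(sbom_json)
    findings: list[str] = []

    meta = sbom.get("metadata", {})
    declared = meta.get("component", {}).get("version")
    if declared != manifest["product_version"]:
        findings.append(f"version mismatch: SBOM describes {declared!r}, "
                        f"market version is {manifest['product_version']!r}")

    released = date.fromisoformat(manifest["released_on"])
    ts = meta.get("timestamp")
    if ts is None:
        findings.append("missing metadata.timestamp")
    else:
        generated = datetime.fromisoformat(ts.replace("Z", "+00:00")).date()
        if generated < released:
            findings.append(f"SBOM generated {generated} predates release {released}")

    listed = {(c.get("name"), c.get("version")): c for c in sbom.get("components", [])}
    for shipped in manifest["shipped_components"]:
        key = (shipped["name"], shipped["version"])
        if key not in listed:
            findings.append(f"shipped component not in SBOM: {key[0]}@{key[1]}")

    for (name, version), comp in listed.items():
        if not comp.get("purl"):
            findings.append(f"component without purl (not machine-resolvable): {name}@{version}")

    return findings


def regenerate_sbom(manifest: dict) -> str:
    """Emit an SBOM bound to the build in the manifest. This is the step that has
    to run on every release so the SBOM never lags the version on the market."""
    stamp = manifest["released_on"]
    return json.dumps({
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "metadata": {
            "timestamp": f"{stamp}T00:00:00Z",
            "component": {"name": "industrial-pc", "version": manifest["product_version"]},
        },
        "components": [
            {"name": c["name"], "version": c["version"],
             "purl": f"pkg:generic/{c['name']}@{c['version']}"}
            for c in manifest["shipped_components"]
        ],
    })


if __name__ == "__main__":
    for line in check_sbom(STALE_SBOM, RELEASE_MANIFEST) or ["SBOM current and complete"]:
        print(line)
    print("regenerated:", check_sbom(regenerate_sbom(RELEASE_MANIFEST), RELEASE_MANIFEST))
```

Run against the stale SBOM this reports four findings (stale version, generation date before release, missing bootloader, busybox without purl); run against the regenerated SBOM it reports none, which is the state the authority expects to find on a seven-day clock.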

The actual penalty exposure under Article 52 is not the headline-grabbing part. It is upstream of penalties. Article 52 is the article that makes “the state of your compliance” a thing that can be inspected at any time, on a seven-day clock, by an authority that does not need to ask permission. Most APAC manufacturers have not yet reorganised their compliance function around that fact. The ones that do, treat the SBOM and the vulnerability handling records as continuously updated artefacts — not as deliverables that close out a project.

Block 4 · Cross-regulation map

Where Article 52 connects to other EU regimes

Article 52 is a connector article. It plugs the CRA into pre-existing EU market surveillance and cybersecurity machinery, and it pulls APAC manufacturers into a multi-authority coordination web they may not have realised exists.

Reg (EU) 2019/1020 · Market surveillance & compliance

The horizontal market surveillance regulation. Article 52(1) imports it wholesale: information requests, on-site inspections, sample testing, corrective measures all apply to PwDE. There is no CRA-specific carve-out — the same powers used against any CE-marked product apply to CRA compliance.

Reg (EU) 2019/881 · EU Cybersecurity Act

Article 52(4) requires market surveillance authorities to cooperate with national cybersecurity certification authorities designated under Reg 2019/881 Article 58. EUCC certificates and their holders surface in this cooperation channel — a manufacturer with an EUCC certificate has a different surveillance posture from one without.

CRA Article 14 · Reporting obligations

Article 52(4) explicitly links to Article 14: market surveillance authorities cooperate with CSIRTs designated as coordinators and ENISA on Article 14 reports. An Article 14 incident report is therefore not a one-way submission — it becomes shared knowledge across multiple authorities, and can directly trigger an Article 52 information request.

CRA Article 64 · Penalties

Article 52 sits upstream of Article 64. Failure to respond adequately to a market surveillance request — incomplete documents, missing SBOMs, no EU contact point — escalates into the Tier-3 €5M / 1% turnover penalty bracket for “incomplete, incorrect or misleading information”. The Article 52 → 64 path is short and well-trodden.