CRA Notebook (reading notes)
Working note: actively evolving and may be revised. See /errata for the change log.

Article 53 · Regulation (EU) 2024/2847 · Chapter V

Access to data and documentation

Market surveillance authorities may, on a reasoned request, require the relevant economic operator to make available all data and documentation needed to assess conformity with the Annex I essential cybersecurity requirements, including design, development, production, vulnerability-handling and internal cybersecurity test records. The article does not use the words "source code"; in practice source code falls within that scope only where the authority can show it is necessary for the assessment.

Paragraphs · 1 · Applies from · 11 Dec 2027 · Primary audience · Market surveillance authorities, manufacturers · Last reviewed · 2026-04-26 · Status · Working

Block 1 · Official text

What the Regulation actually says

Source. From Regulation (EU) 2024/2847, OJ L, 2024/2847 (20 Nov 2024). Quoted from the English version of the Regulation; refer to EUR-Lex for the binding text.

Where necessary to assess the conformity of products with digital elements and the processes put in place by their manufacturers with the essential cybersecurity requirements set out in Annex I, the relevant economic operator shall, following a reasoned request by a market surveillance authority, make available to that authority, in a language which can be easily understood by it, all data and documentation, in paper or electronic form, necessary for that purpose. That data and documentation shall include all relevant information about the design, development, production and the vulnerability handling of products with digital elements, including the documentation of internal cybersecurity tests carried out by the manufacturer or, where carried out under the responsibility or on behalf of the manufacturer, by other parties.

Block 2 · Plain language

When market surveillance can ask for source code, and what they can ask

Article 53 is the article that lets market surveillance authorities reach into a manufacturer's technical file. It is a single paragraph (Block 1 above) and it does not mention source code. The power it grants is broad in subject matter (design, development, production, vulnerability handling, internal test records) but gated by two conditions: the request must be reasoned, and the material must be necessary to assess conformity with Annex I. APAC manufacturers used to keeping source code confidential need to understand how far that scope reaches and which safeguards actually exist in the text.

  1. The default scope is the technical file and the records behind it, not source code. A reasoned Article 53 request is the everyday tool: when an inspector wants to verify a CE marking, they ask for the technical documentation (Annex VII), the EU declaration of conformity (Annex V), the harmonised standard application records and, because Article 53 names them, the documentation of internal cybersecurity tests and of vulnerability handling. The mirror-image duty on the operator side sits in Article 13 (manufacturers) and Article 18(3)(b) (authorised representatives).

  2. Source code access is a derived power, not a named one. Article 53 speaks of "all data and documentation ... necessary for that purpose" and of "all relevant information about the design, development, production and the vulnerability handling". Source code is design and development information, so it is within scope, but only when the authority can reason why documentation and test records are not enough. The horizontal market surveillance regulation, Regulation (EU) 2019/1020, which CRA Article 52(1) makes applicable to products with digital elements, is explicit on the same point in Article 14(4)(a): authorities may require "access to embedded software in so far as such access is necessary for the purpose of assessing the product's compliance". Contrast the AI Act, whose Article 74(13) grants source code access only once testing based on the data and documentation provided has been exhausted or proved insufficient; the CRA has no such express exhaustion test, only "where necessary" and "reasoned request".

  3. Confidentiality is the manufacturer's lever, but it comes from outside Article 53. Article 53 contains no confidentiality clause. The duty on the authority is Regulation (EU) 2019/1020 Article 17, which requires market surveillance authorities to respect the principles of confidentiality and of professional and commercial secrecy, plus national administrative law. On that basis a manufacturer can ask for confidentiality undertakings, technical safeguards (encrypted transfer, on-site review rather than an off-site copy) and limits on how long source code is retained. The authority is not obliged to accept any particular safeguard, which is why APAC manufacturers should have a pre-prepared response procedure for source-code requests, including the exact safeguards they will ask for and a fallback if the authority insists on a copy.

  4. Authorised representatives carry the access duty in practice. For non-EU manufacturers, Article 53 requests typically reach the AR first; Article 18(3)(b) obliges the AR, further to a reasoned request from a market surveillance authority, to provide all the information and documentation necessary to demonstrate conformity. If the AR cannot (because it has no technical access), it has to escalate to the manufacturer. This is one of several reasons APAC manufacturers should not pick a mailbox AR: when an Article 53 request arrives, the AR's technical capability matters.

  5. The article feeds the enforcement procedures that follow it. Article 53 is the information-gathering step; Article 54 is the national procedure for products presenting a significant cybersecurity risk, Article 58 covers formal non-compliance, and Article 64 sets administrative fines, including a tier for supplying incorrect, incomplete or misleading information to market surveillance authorities in reply to a request. A manufacturer who refuses or stonewalls a reasoned Article 53 request therefore risks both the product-level measures (withdrawal, recall, restriction of free movement) and a fine.

Block 3 · APAC perspective

Source code requests and APAC IP-protection reality

For APAC manufacturers, source code is among the most sensitive IP. Taiwanese IC design firms (MediaTek, Realtek), Korean device makers (Samsung, LG) and Japanese IIoT vendors all treat source code as a core competitive asset. A market surveillance request for source code, if mishandled, can be a high-stakes incident.

A pre-prepared response framework that APAC manufacturers should have in place before the CRA applies in full (11 December 2027):

Article 53 request type · APAC default response · Required safeguards

Technical file (Annex VII) request
  Default response: comply within a reasonable timeframe (typically 14 to 30 days); provide via a secure channel.
  Safeguards: confidentiality undertaking from the authority, anchored in Regulation (EU) 2019/1020 Article 17; information not to be shared with third parties beyond the legitimate enforcement need.

EU DoC (Annex V), harmonised standard records
  Default response: routine; already prepared for filing and should be ready within days.
  Safeguards: standard NDA-like protection.

Vulnerability handling records (Article 14 reports, internal CVD)
  Default response: comply, but coordinate timing; some records may relate to an ongoing coordinated disclosure, so align any delay with the dissemination-delay rules for the single reporting platform in Article 16.
  Safeguards: CVD timing protection; unpublished vulnerability details not to be disclosed to third parties.

Source code access
  Default response: require the reasoning, require a specific scope (which module, for what verification purpose), and propose on-site inspection rather than an off-site copy where possible.
  Safeguards: commercial-secrecy handling under Regulation (EU) 2019/1020 Article 17 (Article 53 itself has no confidentiality clause); on-site only where the authority agrees; encrypted transfer if off-site; time-limited access; designated authority personnel only.

SBOM (Annex I Part II, point 1), supply chain records
  Default response: comply; Article 23 identification records (who supplied to you, whom you supplied) should already be retrievable.
  Safeguards: standard confidentiality; pricing and commercial terms may be redacted, technical components may not.

An important pattern from market surveillance practice under other EU regimes (RED, EMC, MDR): authorities use documentation-access powers sparingly in routine inspections and intensively when there are grounds for suspicion (a vulnerability disclosure, a customer complaint, a competitor tip). No CRA-specific figures exist yet, since the Regulation does not apply until 11 December 2027. As a planning assumption rather than a published figure, this note's working estimate is one to three routine technical file requests per year per active SKU, with source code requests only when there is specific cause.

A defensive insight for APAC ICT exporters: a high-quality, well-organised technical file reduces the probability of source-code requests. Article 53 reaches only material that is necessary to assess conformity, and the request must be reasoned; when inspectors can verify conformity from the technical documentation and the internal test records, the necessity argument for escalating to source code is hard to make (the AI Act writes this exhaustion logic expressly into Article 74(13); the CRA leaves it implicit in "where necessary"). Investing in technical file quality is therefore investing in source-code privacy.

Block 4 · Cross-regulation map

Article 53 in EU market surveillance powers

Article 53 is one of several information-access powers in EU product regulation. The pattern is consistent: market surveillance authorities can demand documentation and, where necessary, access to the software itself; the confidentiality duty sits on the authority rather than limiting the scope of the request; and an express source-code clause with its own preconditions exists only in the AI Act.

Reg 2019/1020 Article 14 · horizontal market surveillance powers

Regulation (EU) 2019/1020 Article 14 grants market surveillance authorities the horizontal powers: require documents, technical specifications, data and information, including under Article 14(4)(a) "access to embedded software in so far as such access is necessary" for assessing compliance; take samples; enter premises; restrict products. CRA Article 52(1) makes that Regulation apply to products with digital elements, and Article 53 adds the cybersecurity-specific subject matter (design, development, production, vulnerability handling, internal test documentation). The two work together: 2019/1020 is the general toolkit; Article 53 says what the toolkit may be pointed at for Annex I verification.

RED 2014/53/EU Articles 39 to 43 · radio equipment market surveillance

The Radio Equipment Directive has no article of its own on information access. Article 39 applies the horizontal market surveillance framework (originally Regulation (EC) No 765/2008, now read as Regulation (EU) 2019/1020) to radio equipment; Articles 40 to 43 are the national procedure for equipment presenting a risk, the Union safeguard procedure (Article 41), compliant equipment that presents a risk, and formal non-compliance. Source-code access under RED is therefore the same 2019/1020 Article 14(4)(a) "embedded software" power, and it is rarely exercised in practice. APAC radio equipment manufacturers familiar with RED inspection routines can map them directly onto CRA Article 53 for cybersecurity inspections; the procedural ladder in CRA Articles 54 to 58 mirrors RED Articles 40 to 43.

Medical Devices Regulation 2017/745 Articles 93 to 95 · heavier MDR powers

MDR market surveillance powers sit in Article 93 (market surveillance activities), not Article 95, which is the procedure for devices presenting an unacceptable risk to health and safety. Article 93 lets competent authorities require the documentation and information needed for their checks, obtain samples of or access to devices free of charge where justified, and enter the premises of economic operators; the checking regime (documentary review plus physical and laboratory checks on samples) is substantially heavier than routine CRA inspection. MDR contains no device-specific source-code clause; as for CRA products, access to embedded software flows from Regulation (EU) 2019/1020 Article 14(4)(a), and the MDR is among the legislation listed in that Regulation's Annex I. Connected medical devices covered by the MDR are excluded from the CRA (Article 2(2)) and face the MDR regime instead.

EU AI Act 2024/1689 Article 74 · AI system surveillance

AI Act Article 74 applies Regulation (EU) 2019/1020 to high-risk AI systems and then goes further than CRA Article 53 in two ways. Article 74(12) gives market surveillance authorities full access to the documentation and to the training, validation and testing data sets used to develop the system. Article 74(13) grants access to the source code of a high-risk AI system on a reasoned request, but only when both conditions are met: access is necessary to assess conformity with the Chapter III, Section 2 requirements, and testing or auditing procedures based on the data and documentation provided have been exhausted or proved insufficient. The AI Act also carries an express confidentiality article (Article 78) that names source code among the protected trade secrets. For a product with digital elements that embeds a high-risk AI system, both CRA Article 53 (product source code) and AI Act Article 74 (data, model and, under its stricter gate, AI source code) can be invoked, potentially by the same authority, and the AI Act's two-step gate is a useful benchmark for what a "reasoned" CRA request should look like.

EU Trade Secrets Directive 2016/943 · confidentiality protection floor

Directive (EU) 2016/943 defines what counts as a trade secret (Article 2(1): information that is secret, has commercial value because it is secret, and is subject to reasonable steps to keep it secret) and harmonises the civil remedies against its unlawful acquisition, use or disclosure. It does not restrict the authority's right to demand the code: Article 1(2) expressly leaves untouched Union and national rules that require trade secret holders to disclose information, including trade secrets, to administrative or judicial authorities for the performance of their duties. Its value to a manufacturer facing an Article 53 request is different. Production source code will normally satisfy the Directive's definition, and that is the hook for asking the authority to apply the commercial-secrecy duty in Regulation (EU) 2019/1020 Article 17 with concrete handling safeguards. APAC manufacturers can cite the Directive when negotiating those safeguards, but should not expect it to operate as a ground for refusal.
