CRA Notebook · CRA reading notes
Working note — actively evolving, may be revised. See /errata for change log.

Article 54 · Regulation (EU) 2024/2847 · Chapter V

Procedure at national level concerning products with digital elements presenting a significant cybersecurity risk

Procedure when a Member State market surveillance authority finds a PwDE non-compliant or risky: it requires corrective action, may restrict, prohibit or recall, and notifies the Commission and the other Member States.

Paragraphs · 7
Applies from · 11 Dec 2027
Primary audience · Market surveillance authorities · Manufacturers
Last reviewed · 2026-04-26
Status · Working

Block 1 · Official text

What the Regulation actually says

Source. From Regulation (EU) 2024/2847, OJ L 2024/2847 (20 Nov 2024). Any translation is unofficial; refer to EUR-Lex for the binding text.

1. Where the market surveillance authority of a Member State has sufficient reason to consider that a product with digital elements, including its vulnerability handling, presents a significant cybersecurity risk, it shall, without undue delay, carry out an evaluation of the product with digital elements concerned in respect of its compliance with all the requirements laid down in this Regulation. The relevant economic operators shall cooperate as necessary with the market surveillance authority.

If, in the course of that evaluation, the market surveillance authority finds that the product with digital elements does not comply with the requirements laid down in this Regulation, it shall, without undue delay, require the relevant economic operator to take all appropriate corrective action to bring the product with digital elements into compliance with those requirements, to withdraw it from the market, or to recall it within a reasonable period commensurate with the nature of the risk, as the market surveillance authority may prescribe.

The market surveillance authority shall inform the relevant notified body accordingly. Article 18 of Regulation (EU) 2019/1020 shall apply to the corrective actions.

2. When determining the significance of a cybersecurity risk referred to in paragraph 1 of this Article, market surveillance authorities shall take into consideration non-technical risk factors, in particular those established by the Cooperation Group as a result of Union-level coordinated security risk assessments of critical supply chains carried out in accordance with Article 22 of Directive (EU) 2022/2555. Where a market surveillance authority has sufficient reason to consider that a product with digital elements presents a significant cybersecurity risk in light of non-technical risk factors, it shall inform the relevant national authorities designated or established pursuant to Article 8 of Directive (EU) 2022/2555 and cooperate with those authorities as necessary.

3. Where the market surveillance authority considers that the non-compliance is not restricted to its national territory, it shall inform the Commission and the other Member States of the results of the evaluation and of the actions which it has required the economic operator to take.

4. The economic operator shall ensure that all appropriate corrective action is taken in respect of all the products with digital elements concerned that it has made available on the market throughout the Union.

5. Where the relevant economic operator does not take adequate corrective action within the period referred to in paragraph 1, second subparagraph, the market surveillance authority shall take all appropriate provisional measures to prohibit or restrict the product with digital elements being made available on its national market, to withdraw the product with digital elements from that market or to recall it. The market surveillance authority shall inform the Commission and the other Member States, without undue delay, of those measures.

6. The information referred to in paragraph 5 shall include all available details, in particular the data necessary for the identification of the non-compliant product with digital elements, the origin of the product with digital elements, the nature of the non-compliance alleged and the risk involved, the nature and duration of the national measures taken and the arguments put forward by the relevant economic operator. In particular, the market surveillance authorities shall indicate whether the non-compliance is due to either of the following:
  (a) failure of the product with digital elements or of the processes put in place by the manufacturer to comply with the essential cybersecurity requirements set out in Annex I;
  (b) shortcomings in the harmonised standards, common specifications or European cybersecurity certification schemes, as referred to in Article 27.

7. The market surveillance authorities of the Member States other than the market surveillance authority of the Member State initiating the procedure shall, without undue delay, inform the Commission and the other Member States of any measures adopted and of any additional information at their disposal relating to the non-compliance of the product with digital elements concerned, and, in the event of disagreement with the notified national measure, of their objections.

Block 2 · Plain language

When market surveillance escalates to formal enforcement — and the response window

Article 54 is the formal non-compliance escalation procedure. When a market surveillance authority has "sufficient reason to consider" that a PwDE presents a significant cybersecurity risk, the Article 54 procedure starts. It is the article that determines whether a CRA inspection becomes a recall, a market withdrawal, or a fine.

  1. The trigger threshold is "significant cybersecurity risk". Article 54(1) says the market surveillance authority must have "sufficient reason to consider that a product with digital elements, including its vulnerability handling, presents a significant cybersecurity risk". "Significant" is the operative word — minor non-conformity does not trigger Article 54. Major Annex I gaps, exploited vulnerabilities, evidence of widespread harm — these trigger.

  2. Manufacturer obligation to cooperate is explicit. Article 54(1) imposes a duty: "The relevant economic operators shall cooperate as necessary with the market surveillance authority". Refusing to cooperate is itself a non-compliance. APAC manufacturers under Article 54 review must engage — they cannot run silent. The AR (Article 18) is typically the operational interface.

  3. Corrective action timeline is set by authority. If the authority finds non-compliance, Article 54(2) says it shall require the relevant economic operator to take "all appropriate corrective action" within a "reasonable period prescribed by the authority". "Reasonable" is undefined — in practice ranges from days (urgent recall scenarios) to months (technical file remediation). The authority sets the clock; the manufacturer accommodates.

  4. Failure to remedy escalates to restriction or withdrawal. Article 54(4) — if the economic operator fails to take corrective action within the prescribed period, or the non-compliance persists, the market surveillance authority shall "take all appropriate provisional measures to prohibit or restrict the product's being made available on its national market, to withdraw the product from that market or to recall it". This is the EU's sharpest market-side weapon. Once invoked, the product is off the relevant Member State market until remediated — and other Member States are notified per Article 54(5).

  5. Cross-Member-State spread is automatic. Article 54(5) requires the Member State invoking restriction to inform the Commission and other Member States immediately. Article 55 then runs the EU-wide review — within months, what started as one Member State's action can become an EU-wide market restriction. APAC manufacturers should not assume "only Germany acted; we still have France" — Article 55 closes that loophole.

Block 3 · APAC perspective

Article 54 enforcement and APAC manufacturer crisis playbook

Article 54 enforcement is the worst-case scenario for an APAC CRA-impacted manufacturer. Once an Article 54 procedure starts, the operational clock favours the regulator, not the manufacturer. A pre-prepared playbook is essential.

Article 54 phase · APAC manufacturer action · Critical mistakes to avoid

Phase 1: Initial assessment notice
  Action: Engage AR + EU-side legal counsel within 24h. Map the exact regulatory basis cited. Request the reasoning in writing.
  Mistakes to avoid: (a) Treating the notice as a routine inspection. (b) Responding without legal review. (c) Failing to escalate to APAC HQ leadership.

Phase 2: Cooperation period (Article 54(1))
  Action: Cooperate fully on technical evidence; preserve confidentiality protections. Document all submissions.
  Mistakes to avoid: (a) Going silent. (b) Submitting source code without Article 53(5) trade-secret protections. (c) Inconsistent statements across submissions.

Phase 3: Corrective action (Article 54(2))
  Action: Negotiate the timeline. Propose phased remediation if reasonable. Deliver interim mitigations early.
  Mistakes to avoid: (a) Accepting an unrealistic deadline that you will miss. (b) Promising remediation you cannot deliver. (c) Delaying customer notification.

Phase 4: Risk of restriction (Article 54(4))
  Action: Engage at executive level. Consider a voluntary recall to preempt mandatory withdrawal. Coordinate communications with customers, distributors and the AR.
  Mistakes to avoid: (a) Treating it as a one-Member-State problem. (b) Customers or channel partners surprised by regulator action. (c) Misaligned public communication.

Phase 5: Cross-Member-State spread (Article 54(5) → Article 55)
  Action: Anticipate EU-wide market exit. Prepare for fines under Article 64 (up to €15M or 2.5% of global turnover). Coordinate the global response across regions.
  Mistakes to avoid: (a) Continuing to ship into other Member States. (b) Inconsistent post-incident statements. (c) Failing to align with the parent company's global crisis response.

A defensive insight from EU enforcement practice across regimes: Article 54-equivalent procedures are the regulator's last resort, not first response. Most non-compliance is resolved at Article 53 information request stage. APAC manufacturers who respond promptly and substantively at Article 53 stage rarely escalate to Article 54. The escalation typically happens because of (a) refusal to cooperate, (b) repeated non-compliance, or (c) discovery of severe Annex I gaps that cannot be quickly remediated.

A second defensive insight: APAC manufacturers should not pick the cheapest AR. When Article 54 hits, the AR is your operational interface with the regulator for weeks. A mailbox AR fails this test. The added cost of a real AR (€10–30K/year for an industrial PwDE manufacturer) is insurance against a six-figure Article 54 mismanagement.

Block 4 · Cross-regulation map

Article 54 in the EU enforcement architecture

Article 54 is one of multiple parallel enforcement procedures across EU product regulation. The structure — significant risk + cooperation + corrective action + restriction + cross-Member-State spread — repeats across regimes.

Reg 2019/1020 Article 16 — horizontal corrective action template

2019/1020 Article 16 is the horizontal procedure for non-compliance — applies across CRA, RED, EMC, LVD, GPSR, RoHS. Same structure: investigation → corrective action → restriction. CRA Article 54 is the CRA-tailored version, slightly more specific on cybersecurity risk thresholds. APAC manufacturers familiar with 2019/1020 procedures will recognise the structure immediately.

RED 2014/53/EU Article 40 — radio equipment non-compliance

RED Article 40 mirrors CRA Article 54 — radio equipment posing risk to health, safety, environment, or property triggers corrective action procedure. APAC radio equipment manufacturers have already lived through RED Article 40 enforcement; the playbook transfers directly to CRA Article 54 with cybersecurity-specific evidence requirements.

MDR 2017/745 Article 95 — medical device safeguard procedure

MDR Article 95 is the medical device equivalent — heavier penalties because medical device risks are direct to patient safety. CRA Article 54 has lower stakes per incident but broader scope. APAC medical device manufacturers familiar with MDR's field-safety-corrective-action workflow can adapt the same playbook for CRA Article 54.

EU AI Act 2024/1689 Article 79 — AI system risk procedure

AI Act Article 79 is the parallel procedure for AI systems presenting risk — same structure as CRA Article 54, applied to AI risk. For products bundling high-risk AI under PwDE, both procedures can run simultaneously. APAC manufacturers need a unified incident response that can satisfy both.

CRA Article 64 — penalty regime

Article 64 sets penalties for CRA non-compliance in three tiers:

  1. up to €15M or 2.5% of worldwide annual turnover for breaches of the essential requirements (Annex I) and Articles 13 and 14 (manufacturer obligations);

  2. up to €10M or 2% for breaches of specified articles, including 18–23, 28, 30(1)–(4), 31(1)–(4), 32(1)–(3), 33(5), 39, 41, 47, 49 and 53;

  3. up to €5M or 1% for supplying incorrect, incomplete or misleading information to notified bodies and market surveillance authorities.

Article 54 is the procedural pathway that culminates in Article 64 sanctions. APAC manufacturers should track the Article 54 → Article 64 connection — the procedural article and the penalty article work together.
