Article 6 · Regulation (EU) 2024/2847 · Chapter I
Requirements for products with digital elements
Two sentences. But these two sentences turn every requirement in Annex I into a market-access gate, and decide whether an APAC-made product can legally be placed on the EU market at all.
Block 1 · Official text
What the Regulation actually says
Source. Consolidated text of Regulation (EU) 2024/2847 as published in OJ L 2024/2847, 20 November 2024. Any translation is unofficial; refer to EUR-Lex for the binding text in all 24 EU languages.
The complete text of Article 6, points (a) and (b)
Products with digital elements shall be made available on the market only where:
(a) they meet the essential cybersecurity requirements set out in Part I of Annex I, provided that they are properly installed, maintained, used for their intended purpose or under conditions which can reasonably be foreseen, and, where applicable, the necessary security updates have been installed; and
(b) the processes put in place by the manufacturer comply with the essential cybersecurity requirements set out in Part II of Annex I.
What Annex I Part I contains (13 items)
Part I (1) — overarching: products shall be designed, developed and produced to ensure an appropriate level of cybersecurity based on the risks.
Part I (2)(a)–(m) — thirteen product-property requirements, each of which applies "where applicable", based on the risk assessment: no known exploitable vulnerabilities, secure-by-default, security updates, access control, confidentiality, integrity, data minimisation, availability, attack-surface minimisation, resilience to DoS, monitoring of internal activity, secure data deletion, and limitation of incident impact.
What Annex I Part II contains (8 items)
Part II — eight process requirements covering the vulnerability handling lifecycle: identify and document components (including SBOM), address and remediate vulnerabilities without delay, perform regular testing and review, publicly disclose information about fixed vulnerabilities, have a coordinated vulnerability disclosure (CVD) policy, facilitate information sharing via a single point of contact, distribute updates securely, and provide updates free of charge.
Block 2 · Plain language
Why these two sentences are the engine
Most of the CRA is prescriptive — Article 13 lists what manufacturers must do, Article 14 spells out the 24-hour reporting clock, Article 32 lays out the Module A / B+C / H conformity routes. Article 6 does none of that. It says one thing: a product with digital elements can be made available on the EU market only if it meets Annex I. Everything else in the Regulation presupposes this sentence.
Split the Article in two. Point (a) is about the product: the hardware and software must have certain properties. Annex I Part I lists thirteen of them — no known exploitable vulnerabilities, secure by default, protected from unauthorised access, preserves data integrity, and so on. Point (b) is about the manufacturer: you must run a vulnerability-handling process. Annex I Part II lists eight process rules — keep an SBOM, patch promptly, test regularly, disclose vulnerabilities, distribute updates for free. The product could be perfectly built yet still non-compliant if the manufacturer has no vulnerability policy.
One phrase in point (a) is routinely misread: "properly installed, maintained, used for their intended purpose or under conditions which can reasonably be foreseen." This is not a loophole that lets manufacturers off the hook when users behave badly. It is the standard EU product-safety reasonableness test, the same test used in the Machinery Directive and the Radio Equipment Directive. "Reasonably foreseeable misuse" is in scope. A router that fails hard when a user plugs it into the wrong port is a design problem. A router that ships with default admin credentials and gets compromised is the manufacturer's problem, not the user's, because leaving the default credentials in place is reasonably foreseeable misuse.
Point (a) also includes "where applicable, the necessary security updates have been installed". This anchors the support-period concept — the manufacturer is not only responsible at the moment of placing on the market, but throughout the support period declared under Article 13(8). If you declare a 5-year support period and a critical vulnerability surfaces in year 3, you are still under Article 6 pressure.
Block 3 · APAC perspective
What Article 6 means for APAC makers
The most common APAC exporter reaction to Article 6 is: "we already have CE marking, what's new?" CE is not the new part. CE marking has existed for thirty years and has never required cybersecurity testing for most product-with-digital-element categories. What Article 6 changes is the content behind the CE mark. From 11 December 2027, affixing the CE mark to a connected product without meeting Annex I Parts I and II is not a marking error; it is a placing-on-the-market violation, triggering Article 64 fines of up to €15 million or 2.5% of global turnover.
Taiwan's ICT export machine is particularly exposed. The volume profile — high SKU count, short product lifecycles, thin margins, heavy ODM/OEM reliance on third-party components — collides badly with Annex I Part I (2)(a) "no known exploitable vulnerabilities". In practice this means every shipped product needs a defensible vulnerability-scan trail going back to the components. "My upstream supplier handles that" is not an Article 6 defence.
Two APAC-specific planning points that Article 6 forces onto the roadmap:
Annex I Part I 2(a)–(m) applicability calls. Each of the thirteen sub-items is written as "where applicable, based on the risk assessment". This is the single biggest interpretive battlefield. Skip a requirement too easily and a market surveillance authority can argue the risk assessment was inadequate. Cover everything conservatively and the conformity cost balloons. APAC makers without in-house regulatory teams typically under-invest here and then discover, during post-market audit, that Part I (2)(h) DoS resilience or (2)(k) monitoring was marked non-applicable without supporting evidence.
Processes exist, but not as Part II demands them. Most Tier-1 APAC ODMs already run some form of vulnerability management — ISO 27001, SOC 2, internal PSIRT. Article 6(b) does not reject any of those. It requires that whatever you run produces the artefacts Annex I Part II calls for: a maintained SBOM, documented CVD policy with a named contact, evidence that updates are distributed securely and free of charge, public disclosure of fixed vulnerabilities. Factory-floor PSIRT practices that work fine for B2B sales into Japan or Korea often do not leave the paper trail Part II requires.
Block 4 · Cross-regulation map
Where Article 6 meets other regimes
Article 6 does not operate in a vacuum. But the things it touches sit on three different legal layers — and conflating them is a common APAC compliance error. The map below is split by layer.
Layer 1 · Peer-level EU laws (Regulation-to-Regulation)
Other EU statutes with binding force comparable to the CRA. Obligations interact, sometimes supersede, sometimes run in parallel.
| Instrument | Relationship to CRA Article 6 | Status |
|---|---|---|
| RED Delegated Act 2022/30: cybersecurity for radio equipment (access control, personal data, fraud prevention) | CRA Article 6 + Annex I absorbs and extends the RED DA obligations. The RED DA is repealed on 11 Dec 2027 (the same date the CRA becomes fully applicable). | Succession confirmed. Certificate transition until 11 Jun 2028. |
| AI Act (EU) 2024/1689 Article 15: accuracy, robustness and cybersecurity for high-risk AI systems | CRA Article 6 compliance presumes AI Act Article 15 cybersecurity compliance for high-risk AI systems within CRA scope. The conformity assessment route is governed by AI Act Article 43, with a carve-back for Important/Critical products under CRA Article 12. | Bridge mechanism established in Article 12. |
| NIS2 Directive (EU) 2022/2555: sectoral cybersecurity obligations on essential and important entities (operators, not product makers) | Orthogonal, not overlapping. NIS2 obliges operators who use products; CRA Article 6 obliges those who place products on the market. A single company may be both: a Taiwan cloud service provider with connected hardware offerings lives under both. | Different regulated population. |
| GPSR (EU) 2023/988: General Product Safety Regulation | Where the CRA applies, GPSR cybersecurity-related safety provisions defer to the CRA (lex specialis). Residual GPSR duties around physical safety, marking and traceability still apply where the product is also a consumer product. | Lex specialis resolved in CRA Article 2. |
Layer 2 · Candidate harmonised standards (presumption of conformity once cited in the OJ)
European harmonised standards drafted to support the CRA. Once cited in the EU Official Journal under CRA Article 27, applying them gives the manufacturer presumption of conformity with the relevant essential requirements. Until cited, they are working-level references — not yet a legal pathway.
| Standard | Relationship to CRA Article 6 | Status |
|---|---|---|
| EN 18031-1/-2/-3: consumer IoT / gateway / childcare devices | Drafted under the RED DA mandate. Widely expected to be the first hEN citation for CRA Annex I coverage in consumer-IoT verticals, but citation in the Official Journal for the CRA is not yet confirmed. | Draft. hEN citation pending. |
Layer 3 · Voluntary international technical standards (engineering reference, not a CRA legal route)
Voluntary international standards. They are not laws, not hENs as currently published, and applying them does not by itself give CRA presumption of conformity. They remain useful as engineering baselines and may inform future CRA hEN drafting — but they do not substitute for the CRA conformity assessment route.
| Standard | Relationship to CRA Article 6 | Status |
|---|---|---|
| ETSI EN 303 645: cyber security for consumer Internet of Things, baseline requirements | Used by Singapore CLS, UK PSTI and India TEC ITSAR as the baseline consumer-IoT test. Covers roughly 8 of the 13 items in CRA Annex I Part I 2(a)–(m). Engineering overlap, not legal presumption: APAC labs familiar with EN 303 645 have a partial but not complete path to Annex I coverage. | Engineering reference. Not a CRA presumption-of-conformity route. |
| IEC 62443-4-1 / -4-2: product development / component technical security requirements for industrial automation | IEC 62443-4-1 maps well onto Annex I Part II process requirements; 62443-4-2 maps onto Part I product-property requirements. IEC 62443-4-1 is under revision as EN IEC 62443-4-1 prAA:2026. Citation of any 62443 standard as harmonised for the CRA is a moving target, not a confirmed fact today. | Engineering reference. hEN citation uncertain. |