CRA Notebook: CRA reading notes
Working note, actively evolving and subject to revision. See /errata for the change log.

Article 64 · Regulation (EU) 2024/2847 · Chapter VII (Confidentiality and penalties)

Penalties for non-compliance

The article that puts financial weight on every other obligation in the Regulation. Three penalty tiers, €15M / 2.5%, €10M / 2% and €5M / 1%, and the way the legislator allocated articles to those tiers is itself a signal about which obligations matter most.

Paragraphs · 10 · Applies from · 11 Dec 2027 · Primary audience · All economic operators · Last reviewed · 2026-04-26 · Status · Working

Block 1 · Official text

What the Regulation actually says

Source. Text of Regulation (EU) 2024/2847 as published in OJ L, 2024/2847, 20 November 2024. Refer to EUR-Lex for the binding text in all 24 official EU languages.

The three penalty tiers

64(2)

Non-compliance with the essential cybersecurity requirements set out in Annex I and the obligations set out in Articles 13 and 14 shall be subject to administrative fines of up to EUR 15 000 000 or, if the offender is an undertaking, up to 2,5 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.

64(3)

Non-compliance with any of the obligations set out in Articles 18 to 23, 28, 30(1) to (4), 31(1) to (4), 32(1) to (3), 33(5), 39, 41, 47, 49 and 53 shall be subject to administrative fines of up to EUR 10 000 000 or, if the offender is an undertaking, up to 2 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.

64(4)

The supply of incorrect, incomplete or misleading information to notified bodies and market surveillance authorities in reply to a request shall be subject to administrative fines of up to EUR 5 000 000 or, if the offender is an undertaking, up to 1 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.

64(5)

When deciding on the amount of the administrative fine in each individual case, all relevant circumstances of the specific situation shall be taken into account and due regard shall be given to the following:
(a) the nature, gravity and duration of the infringement and of its consequences;
(b) whether administrative fines have already been imposed by the same or other market surveillance authorities on the same economic operator for a similar infringement;
(c) the size, in particular with regard to microenterprises and small and medium-sized enterprises, including start-ups, and the market share of the economic operator committing the infringement.

Block 2 · Plain-language reading

What this clause is really doing

Three numbers, in descending order: €15M / 2.5%, €10M / 2%, €5M / 1%. Each is a maximum penalty cap. Each applies to a different cluster of obligations.

Three things to read carefully.

One: "whichever is higher" is the binding clause. For an APAC manufacturer with worldwide turnover of €1 billion, the Tier 1 maximum is €25M (2.5% × €1B), not €15M. The percentage overtakes the fixed euro figure once turnover crosses €600M for Tier 1 (15M / 0.025), €500M for Tier 2 (10M / 0.02) and €500M for Tier 3 (5M / 0.01). Below those thresholds the fixed figure is the operative maximum, and because the clause takes the higher of the two, that figure does not shrink for a smaller company: measured against turnover, a €15M ceiling is far heavier for a €50M operator (30% of turnover) than a €25M ceiling is for a €1B operator (2.5%). Large manufacturers feel the percentage; everyone else feels the fixed figure.

Two: Annex I, Article 13 and Article 14 are placed together at the top. The legislator's decision to bundle these three at the highest cap is the formal signal that none of them can stand without the others. Annex I is what the product must be; Article 13 is what the manufacturer must do to deliver it; Article 14 is what must be reported when something goes wrong. The three are inseparable.

Three: the cap is a ceiling, not a floor. Actual fines are decided by the Member State market surveillance authorities case by case under Art 64(5). A first-time, well-remediated, fully cooperative breach can attract a fine well below the nominal ceiling. A repeat, prolonged or wilfully concealed breach runs to the cap. Article 64 sets the bracket; the actual number sits inside the bracket. Two further points from the same article are easy to miss: administrative fines do not apply to open-source software stewards (Art 64(10)), and the timing is split, since Article 64 applies from 11 December 2027 while the Article 14 reporting obligations it backs apply from 11 September 2026.

Block 3 · APAC perspective

Reading Article 64 as a thermometer for legislative intent

The structural reading of three numbers

Read at headline level, Article 64 is just three numbers: €15M / 2.5%, €10M / 2%, €5M / 1%. Read structurally, the way the legislator allocated articles to those three tiers tells a more interesting story. The split is not random; it follows a structural-versus-procedural-versus-informational gradient. The legislator placed the structural backbone, Annex I plus Article 13 plus Article 14, in the highest tier. That placement is a signal about which obligations the legislator considers non-negotiable.

The three tiers, side by side

Tier · Cap · Articles caught
Tier 1 · €15M or 2.5% of worldwide annual turnover (whichever is higher) · Annex I, Article 13, Article 14
Tier 2 · €10M or 2% of worldwide annual turnover (whichever is higher) · Articles 18 to 23, 28, 30(1) to (4), 31(1) to (4), 32(1) to (3), 33(5), 39, 41, 47, 49, 53
Tier 3 · €5M or 1% of worldwide annual turnover (whichever is higher) · Incorrect, incomplete or misleading information supplied to notified bodies or market surveillance authorities

What the "higher of" clause does to mid-cap APAC manufacturers

For an APAC manufacturer with substantial worldwide revenue, the percentage figure is the binding constraint, not the headline euro cap; for everyone else it is the reverse. A manufacturer with €500M in worldwide annual turnover gets €12.5M from the Tier 1 percentage calculation, so the €15M fixed figure is the operative maximum, and a single penalty event at that level exceeds most companies' annual contingency budget. At €1B turnover the percentage gives €25M and overtakes the fixed figure. The structure therefore scales upward with the size of the violator but not downward: "whichever is higher" makes the fixed figure a floor on the maximum, so a €15M ceiling is 30% of turnover for a €50M operator and 3% for a €500M one. The only statutory relief for smaller operators is the proportionality assessment in Art 64(5), which names microenterprises, SMEs and start-ups explicitly. Mid-cap manufacturers, the bracket most APAC industrial OEMs sit in, are squarely in the range where the fixed figure binds and Art 64(5) discretion decides the outcome.

Why the legislator placed those three at the top

Annex I, Article 13, and Article 14 are placed together in the highest tier. Annex I is the set of essential cybersecurity requirements that the product itself must meet. Article 13 is the operational obligation on manufacturers to actually deliver those requirements: the design-time obligations, the supply-chain due diligence, the post-market vulnerability handling, the technical documentation, the support period commitments. Article 14 is the post-market reporting cycle: actively exploited vulnerabilities and severe incidents to ENISA and the CSIRT designated as coordinator on the 24h / 72h cadence, with final reports at 14 days for vulnerabilities or one month for severe incidents. The three articles cover what the product must be, what the manufacturer must do to deliver and maintain it, and what the manufacturer must report when something goes wrong. That the legislator chose to apply the same maximum penalty bracket across all three is the formal signal that, in the legislator's view, none of the three can stand without the others.

A frequently overlooked nuance: the cap is a ceiling, not a floor

Article 64 sets maxima. Actual fines are determined by Member State market surveillance authorities under the discretion in Art 64(5), which lists the factors: nature, gravity and duration of the infringement and its consequences; whether the same operator has been previously fined for a similar infringement; the operator's size and market share, with explicit attention to microenterprises, small and medium-sized enterprises and start-ups. A first-time, well-remediated, fully cooperative breach by a mid-cap manufacturer can attract a fine well below the nominal ceiling. A repeat, prolonged or wilfully concealed breach can run to the cap. The point is that Article 64 sets the bracket; the actual number sits inside the bracket and is shaped by how the operator behaves before and during the enforcement process. What Article 64 does not cover, and what often costs more than the fine itself, is the reputational and commercial consequence of being a named subject of a Member State market surveillance enforcement decision. That cost has no statutory ceiling.

Block 4 · Cross-regulation map

Article 64 in the context of EU penalty regimes

Article 64 sits in a family of EU penalty regimes that all use the same "€X or Y% of worldwide turnover, whichever is higher" structure. The cards below show the closest peers and where the CRA fits.

GDPR · (EU) 2016/679

Data protection penalties

Article 83: two-tier structure. €20M / 4% (highest) for breaches of Articles 5, 6, 7, 9, 12 to 22 and 44 to 49, among others; €10M / 2% (second) for breaches of Articles 8, 11, 25 to 39, 42 and 43. The CRA Tier 1 cap (€15M / 2.5%) sits between GDPR's two tiers, so CRA exposure is comparable to GDPR exposure for a mid-cap manufacturer.

NIS2 · (EU) 2022/2555

NIS2 essential entity penalties

Article 34: essential entities face up to €10M / 2% of worldwide turnover; important entities up to €7M / 1.4%. The CRA Tier 2 cap (€10M / 2%) matches NIS2 essential entity exposure exactly. A company that is both a NIS2 essential entity and a CRA manufacturer faces parallel enforcement under both regimes.

AI Act · (EU) 2024/1689

AI Act penalties

Article 99: three-tier structure. €35M / 7% for Article 5 prohibited practices; €15M / 3% for non-compliance with the other obligations on providers, deployers and the remaining operators; €7.5M / 1% for incorrect information. CRA Tier 1 (€15M / 2.5%) is structurally similar to the AI Act's middle tier. A product with digital elements that is also a high-risk AI system faces both regimes simultaneously; CRA Article 12 sets the bridge, treating a product that meets the CRA essential requirements as also meeting the cybersecurity requirements of AI Act Article 15.

DSA · (EU) 2022/2065

Digital Services Act

Article 52: up to 6% of annual worldwide turnover for non-compliance, up to 1% for supplying incorrect, incomplete or misleading information, failing to reply or failing to submit to an inspection. The DSA has no fixed-euro alternative; only the percentage applies. The CRA's "€X or Y%, whichever is higher" structure is the more common pattern among post-2020 EU regulations than the DSA's pure-percentage approach.