CRA Reading Notes
Working note, actively evolving and subject to revision. See /errata for the change log.

Article 69 · Regulation (EU) 2024/2847 · Chapter VIII

Transitional provisions

The article that decides which products escape the CRA and which ones get caught early. The most common APAC reading, "ship before December 2027 and you're fine", is partly true and partly wrong. The wrong part sits in paragraph 3, which pulls the Article 14 reporting obligations forward to 11 September 2026 and applies them to legacy products too.

Paragraphs · 3 | Applies from · 11 Sep 2026 (paragraph 3) / 11 Dec 2027 (paragraph 2) | Primary audience · Manufacturer | Last reviewed · 2026-04-26 | Status · Working

Block 1 · Official text

What the Regulation actually says

Source. Text quoted from Regulation (EU) 2024/2847 as published in OJ L, 2024/2847, 20 November 2024. The binding text is the one published on EUR-Lex in all 24 official EU languages; the English quoted here is for reading convenience only.

Three paragraphs, three different timelines

69(1)

EU type-examination certificates and approval decisions issued in accordance with cybersecurity requirements applicable to products with digital elements under Union harmonisation legislation other than this Regulation shall remain valid until 11 June 2028, unless they expire before that date, or unless otherwise specified in other Union law, in which case they shall remain valid as referred to in such Union law.

69(2)

Products with digital elements placed on the market before 11 December 2027 shall be subject to the requirements of this Regulation only if, from that date, those products are subject to substantial modifications.

69(3)

By way of derogation from paragraph 2 of this Article, the obligations laid down in Article 14 shall apply to all products with digital elements within the scope of this Regulation that have been placed on the market before 11 December 2027.

Block 2 · Plain-language reading

What this clause is really doing

Article 69 has three paragraphs and three different timelines. Read them as a single rule and you will get the timeline wrong.

Three things to read carefully.

One: paragraph 2 is the "grandfather clause" people remember. Products placed on the EU market before 11 December 2027 are not subject to the substantive CRA obligations (design-time work, technical documentation, conformity assessment, CE marking) unless they are substantially modified on or after that date. A substantial modification carried out before 11 December 2027 does not trip the clause; the text only looks at modifications "from that date". This is the part of the popular reading that is genuinely true.

Two: paragraph 3 is the carve-out everyone misses. The Article 14 reporting obligations apply to all products in CRA scope from 11 September 2026, including products placed on the market before then. The grandfather clause does not cover Article 14. If a manufacturer has products on EU shelves from 2022, an actively exploited vulnerability or a severe incident affecting any of them after 11 September 2026 has to be notified through the single reporting platform, to the CSIRT designated as coordinator and to ENISA: an early warning within 24 hours of becoming aware, the vulnerability or incident notification within 72 hours, and a final report (no later than 14 days after a corrective or mitigating measure is available for vulnerabilities; within one month of the incident notification for severe incidents).

Three: paragraph 1 is a narrower technical transition for existing certificates. EU type-examination certificates and approval decisions issued for cybersecurity requirements under other Union harmonisation legislation (for instance certain certificates issued against the RED cybersecurity requirements) stay valid until 11 June 2028, unless they expire earlier or that other legislation says otherwise. This gives manufacturers and notified bodies a defined window to migrate such certificates into the CRA framework.

Block 3 · APAC perspective

The "ship before 11 December 2027" reading is partly true and partly wrong

The reading APAC manufacturers tend to settle on

The most common APAC reading of Article 69 is that anything placed on the EU market before 11 December 2027 is grandfathered out of the CRA. The reading is partly true. It is also partly wrong, and the part that is wrong sits in Article 69(3): the paragraph that pulls the Article 14 reporting obligations out of the grandfather clause and applies them to legacy products from 11 September 2026, fifteen months before the rest of the regulation becomes fully applicable.

Three timeline anchors that decide which rules apply

Date       | What activates                                  | Who it catches
-----------|-------------------------------------------------|---------------------------------------------------------------
2024-12-10 | CRA enters into force                           | Nobody yet; obligations are not yet applicable
2026-09-11 | Article 14 reporting obligations start applying | All in-scope products, including legacy products placed on the market before 2027-12-11
2027-12-11 | CRA becomes fully applicable                    | Products newly placed on the market from this date; legacy products only if substantially modified on or after this date

Three states a product can be in

State A: placed on the market before 11 December 2027 and never substantially modified on or after that date. Article 69(2) keeps these products outside the substantive obligations of the CRA: the Article 13 design-time obligations do not apply, conformity assessment under Article 32 is not required, and technical documentation under Article 31 is not demanded. The only carve-out is Article 14: from 11 September 2026 the manufacturer of these legacy products must report actively exploited vulnerabilities and severe incidents on the 24h / 72h cadence, with a final report (no later than 14 days after a corrective or mitigating measure is available for vulnerabilities, within one month of the incident notification for severe incidents), exactly as for a new product.

State B: placed on the market before 11 December 2027, but substantially modified on or after that date. The substantial modification flips the product from State A to State B. From the moment the modified product is made available, it is treated as newly placed on the market under the CRA and the full Article 13 obligations apply. Where the modifier is not the original manufacturer, the Article 21 manufacturer-by-modification regime engages and the modifier carries the manufacturer obligations for the modified product. The Article 69(2) protection is lost on this product prospectively, from the modification onward.

State C: placed on the market on or after 11 December 2027. Full CRA obligations apply from day one: design-time work, supply-chain due diligence, post-market vulnerability handling, technical documentation, the support period commitment, conformity assessment, CE marking and the EU declaration of conformity. This is the case the regulation is mainly designed for; State A and State B are the transitional cases.

The point most APAC manufacturers miss: Article 14 starts early, on legacy products too

Article 69(3) is the paragraph that breaks the comfortable reading of the transitional regime. The reporting obligations under Article 14 apply to all products in CRA scope from 11 September 2026, regardless of when those products were placed on the market. A manufacturer with a portfolio of products that have been on EU shelves since 2022 does not get to wait until December 2027 to start thinking about post-market vulnerability reporting. From September 2026, an actively exploited vulnerability in any of those products has to be notified through the single reporting platform, to the CSIRT designated as coordinator and to ENISA: an early warning within 24 hours of the manufacturer becoming aware of it, the vulnerability notification within 72 hours, and a final report no later than 14 days after a corrective or mitigating measure is available.

The operational implication is that a manufacturer cannot use the December 2027 date as the deadline for building incident response capability. The deadline for that specific capability is 11 September 2026, more than a year earlier, and it covers the entire installed base, not just newly designed products. Coordinated vulnerability disclosure processes, the interface to the single reporting platform, the internal escalation path from the product security team through regulatory affairs to the notification itself: all of these have to be live by September 2026 if the manufacturer has any in-scope product on the EU market by then. Two practical caveats. First, the trigger is narrower than "any vulnerability": Article 14 covers vulnerabilities the manufacturer becomes aware are being actively exploited, and severe incidents having an impact on the security of the product. Second, the 24-hour clock starts at awareness, so the intake side (the CVD mailbox, threat intelligence feeds, support escalations that surface exploitation in the field) is as much part of the capability as the reporting side; a legacy product with no monitored disclosure channel is a product on which the clock can start without anyone noticing.

A separate transitional rule: existing EU type-examination certificates

Article 69(1) addresses a narrower transition: EU type-examination certificates and approval decisions issued for cybersecurity requirements under other Union harmonisation legislation remain valid until 11 June 2028, unless they expire earlier or unless their parent legislation says otherwise. This matters for products that already hold a type-examination certificate touching cybersecurity issued under another act, for instance certain certificates issued against the RED cybersecurity requirements, whose validity could otherwise have been called into question by the CRA arriving. The carve-out gives manufacturers and notified bodies a defined window to transition such certificates into the CRA framework. Note that the window protects the certificate, not the product: a product newly placed on the market from 11 December 2027 still has to meet the CRA requirements regardless of what certificate it carries from another act.

Block 4 · Cross-regulation map

Where Article 69 connects to other articles in the regulation

Article 69 is a transitional carve-out. To know what Article 69 actually does to a specific product, you need to know which other articles it carves out from, and which ones it pulls forward.

CRA · Article 14

Reporting obligations (pulled forward)

Article 69(3) pulls the Article 14 reporting obligations forward to 11 September 2026 and applies them to legacy products too. This is the carve-out from the carve-out: the substantive obligations of the CRA wait until December 2027, but the reporting obligations do not.

CRA · Article 21

Substantial modification

Article 69(2) protects products placed on the market before 11 December 2027, but only until they are substantially modified on or after that date. The term "substantial modification" is defined in Article 3 (definitions); Article 21 is where manufacturer obligations attach to a party that substantially modifies a product it did not originally manufacture. Once that threshold is crossed, the grandfathering ends prospectively and State A flips to State B.

CRA · Article 71

Entry into force and application

Article 71 sets the master timeline: the CRA entered into force on 10 December 2024; the Regulation applies from 11 December 2027; Article 14 applies from 11 September 2026; and Chapter IV (Articles 35 to 51, notification of conformity assessment bodies) applies from 11 June 2026, so that notified bodies can be designated before the main obligations bite. Article 69 is the transitional carve-out from this master timeline for products placed on the market before 11 December 2027.

RED DA · (EU) 2022/30

Cybersecurity certificates from RED

Article 69(1) keeps EU type-examination certificates touching cybersecurity issued under other Union laws valid until 11 June 2028. For APAC radio equipment manufacturers, the most common such case is a certificate issued against the RED Article 3(3)(d), (e) and (f) cybersecurity requirements activated by Delegated Regulation (EU) 2022/30. After 11 June 2028 such a certificate no longer carries over; conformity has to be demonstrated under the CRA framework.