Article 71 Regulation (EU) 2024/2847 · Chapter VIII 法規 (EU) 2024/2847 · 第八章
Entry into force and application 生效與適用
The dates that decide everything. CRA enters into force 10 Dec 2024, full application 11 Dec 2027 — but Article 14 (incident reporting) starts earlier on 11 Sep 2026, and Chapter IV (notification of conformity assessment bodies) on 11 Jun 2026. 決定一切的日期。CRA 於 2024 年 12 月 10 日生效、2027 年 12 月 11 日全面適用,但第 14 條(事件通報)提前到 2026 年 9 月 11 日、第四章(合規評鑑機構通報)於 2026 年 6 月 11 日就先開始。
Block 1 · Official text 區塊 1 · 官方條文
What the Regulation actually says 條文實際怎麼寫
From Regulation (EU) 2024/2847, OJ L 2024/2847 (20 Nov 2024). Translation unofficial; refer to EUR-Lex for binding text.節錄自《法規 (EU) 2024/2847》,OJ L 2024/2847(2024 年 11 月 20 日)。中文為非官方翻譯;強制適用條文請見 EUR-Lex。
1. This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
2. This Regulation shall apply from 11 December 2027. However, Article 14 shall apply from 11 September 2026 and Chapter IV (Articles 35 to 51) shall apply from 11 June 2026.
This Regulation shall be binding in its entirety and directly applicable in all Member States.
1. 本法規應於其於歐盟官方公報發布日後第二十日生效。
2. 本法規應自 2027 年 12 月 11 日適用。但第 14 條應自 2026 年 9 月 11 日適用,第四章(第 35 至 51 條)應自 2026 年 6 月 11 日適用。
本法規應於所有會員國內具完整強制適用力且直接適用。
Block 2 · Plain language 區塊 2 · 白話解讀
Four dates that decide the entire CRA programme calendar 決定整個 CRA 計畫行事曆的四個日期
Article 71 looks like a standard end-of-regulation provision. In fact it is the article that fragments CRA into four staggered application windows. Treating CRA as a single "applies from December 2027" event is the most common — and most expensive — APAC planning mistake.
10 December 2024 — entry into force. Article 71(1) — the regulation enters into force on the twentieth day following its publication in the Official Journal. Published 20 Nov 2024, EIF on 10 Dec 2024. Entry into force is not the same as application. From this date, the legal text exists, the obligations are scheduled, but most operative duties are not yet enforceable. This date matters mainly for delegated and implementing acts the Commission can start adopting.
11 June 2026 — Chapter IV applies. Article 71(2) — Chapter IV (Articles 35 to 51, the notified body framework) applies from 11 Jun 2026. This is the date when notifying authorities can be designated, notified bodies can apply for notification under CRA, and the NANDO database starts populating with CRA-notified bodies. Without this earlier date, no NB would be notified by 11 Dec 2027 and the entire Class II conformity assessment infrastructure would be empty on day one of full application.
11 September 2026 — Articles 14 and 15 apply. Article 71(2) second sub-clause — manufacturer reporting obligations under Article 14 (severe incidents, actively exploited vulnerabilities) and Article 15 (voluntary reporting) apply from 11 Sep 2026. ENISA's single reporting platform must be operational by then. From this date, every manufacturer placing PwDE on the EU market is on the 24-hour early warning clock for actively exploited vulnerabilities — even if the rest of CRA is not yet enforceable for them.
11 December 2027 — full application of CRA. Article 71(2) opening clause — "this Regulation shall apply from 11 December 2027". From this date, every PwDE placed on the EU market must be CRA-conformant: full Article 13 manufacturer obligations, Article 7 important product classification, Annex I essential cybersecurity requirements, CE marking under Article 30. This is the date manufacturers, importers, distributors, and notified bodies have circled in red.
The dates are not negotiable. Each date is set in primary EU legislation. Changing a date requires an amending regulation through ordinary legislative procedure — Council, Parliament, trilogue. APAC manufacturers waiting for "a delay" will be disappointed. Historical precedent — MDR was delayed once by COVID; that required emergency action. CRA has no comparable disruption argument, and the Commission has signalled the dates will hold.
第 71 條看起來像法規末段的標準條文。實際上、這條把 CRA 分成四個交錯的適用窗口。把 CRA 當作單一的「2027 年 12 月起適用」事件、是 APAC 最常見也最昂貴的規劃錯誤。
2024 年 12 月 10 日,生效。第 71(1) 條:本法規於歐盟公報公布後第二十日生效。2024 年 11 月 20 日公布、12 月 10 日生效。生效不等於適用。自該日起、法律文本存在、義務有時程、但多數操作義務尚未可執行。這個日期主要影響執委會可開始通過的授權行為與實施行為。
2026 年 6 月 11 日,第四章適用。第 71(2) 條:第四章(第 35 到 51 條、指定機構框架)自 2026 年 6 月 11 日適用。這是通報機關可被指派、指定機構可依 CRA 申請通報、NANDO 資料庫開始填入 CRA 通報的指定機構的日期。沒有這個較早的日期、2027 年 12 月 11 日就不會有 NB 被通報、整個 Class II 合規評鑑基礎設施會在全面適用第一天空無一物。
2026 年 9 月 11 日:第 14 條跟第 15 條適用。第 71(2) 條第二款:製造商依第 14 條(嚴重事件、主動受利用弱點)跟第 15 條(自願通報)的通報義務、自 2026 年 9 月 11 日適用。ENISA 單一通報平台必須在那之前可運作。自該日起、每一個把具數位元素產品投入 EU 市場的製造商、都在主動受利用弱點 24 小時早期警報的時鐘上,即使 CRA 其他條文還沒對他們可執行。
2027 年 12 月 11 日,CRA 全面適用。第 71(2) 條開頭,「本法規自 2027 年 12 月 11 日適用」。自該日起、每一個投入 EU 市場的具數位元素產品都必須符合 CRA:完整第 13 條製造商義務、第 7 條重要產品分類、附件一基本網路安全要求、第 30 條 CE 標示。這是製造商、進口商、經銷商、指定機構行事曆上紅圈圈起來的日期。
日期不可協商。每個日期都寫在歐盟初級立法裡。改日期需要透過普通立法程序的修正法規,理事會、議會、三方對話。等「延期」的 APAC 製造商會失望。歷史先例,MDR 因 COVID 延期一次、那需要緊急行動。CRA 沒有可比的中斷理由、執委會也已表態日期會維持。
Block 3 · APAC perspective 區塊 3 · APAC 觀點
Mapping the four dates onto APAC product calendars 把四個日期對應到 APAC 產品行事曆
For APAC manufacturers, the four-date timeline collides with annual product launch cycles in awkward ways. Most Taiwan ICT vendors run a Q3-launch cadence (Computex teases in June, mass production from August, channel fill from September, holiday demand October–December). Japan IIoT vendors run a Q1 / Q3 dual cadence aligned with fiscal-year structures. Korean device makers run a Q1 / Q2 cadence aligned with global handset cycles.
對 APAC 製造商、四個日期的時程跟年度產品發表週期撞得不太對。多數台灣 ICT 廠商 Q3 發表(六月 Computex 預告、八月起量產、九月通路鋪貨、十至十二月旺季)。日本 IIoT 廠商 Q1 / Q3 雙週期、跟會計年度對齊。韓國裝置製造商 Q1 / Q2 週期、跟全球手機週期對齊。
The 11 Dec 2027 cutover lands in the middle of the 2027 holiday quarter. Products placed on the EU market on 10 Dec 2027 are subject to the pre-CRA regime. Products placed on 11 Dec 2027 are subject to full CRA. There is no transitional period for products that miss the cutover. APAC manufacturers planning Q4 2027 launches should commit to either being CRA-ready by August 2027 (safe margin) or holding new launches into 2028 (the next clean window). Splitting the difference creates regulatory ambiguity that customs and market surveillance will resolve against the manufacturer.
2027 年 12 月 11 日切換落在 2027 旺季的中間。2027 年 12 月 10 日投入 EU 市場的產品適用 CRA 前的制度。12 月 11 日投入的適用完整 CRA。錯過切換點的產品沒有過渡期。規劃 2027 年 Q4 發表的 APAC 製造商、應該承諾要嘛 2027 年 8 月前 CRA 就緒(安全邊際)、要嘛把新發表延到 2028(下個乾淨窗口)。中間分割會創造法規模糊、海關跟市場監督會以對製造商不利的方式解讀。
The four dates create different APAC readiness windows. Each date triggers different work, with different lead times.
四個日期創造不同的 APAC 就緒窗口。每個日期觸發不同的工作、需要不同前置時間。
| CRA milestoneCRA 里程碑 | APAC readiness workAPAC 就緒工作 | Lead time前置時間 |
|---|---|---|
| 11 Jun 2026 — Chapter IV applies2026 年 6 月 11 日,第四章適用 | For APAC TIC bodies (DEKRA Onward Security, TÜV Rheinland Taiwan, etc.) — submit NB notification application. Accreditation and notification take 6–12 months.對 APAC TIC 機構(德凱安華、TÜV Rheinland Taiwan 等),提交 NB 通報申請。認證跟通報需 6 到 12 個月。 | Apply by Q4 2025 to be NANDO-listed early 2026.2025 年 Q4 申請、2026 年初進入 NANDO 名單。 |
| 11 Sep 2026 — Articles 14 / 15 apply2026 年 9 月 11 日:第 14 / 15 條適用 | Manufacturer-side: 24/7 PSIRT capability (own or contracted). Practice ENISA SRP filing in advance. AR established with reporting routing pre-agreed.製造商端:24/7 PSIRT 能力(自有或外包)。事先演練 ENISA SRP 通報。AR 設立並預先協議通報路由。 | PSIRT contracts signed Q1 2026; tabletop exercise Q2 2026; AR mandate finalised by July 2026.PSIRT 合約 2026 年 Q1 簽訂;2026 年 Q2 桌上演練;AR 授權書 2026 年 7 月前定案。 |
| 11 Dec 2027 — full application2027 年 12 月 11 日,全面適用 | Annex I conformity, technical documentation, EU DoC, CE marking, support period commitment, CVD policy. For Class II — completed Module B+C or H assessment by NB.附件一合規、技術文件、EU DoC、CE 標示、支援期間承諾、CVD 政策。Class II:NB 完成 Module B+C 或 H 評鑑。 | Class I conformity work starts H1 2027 latest. Class II NB engagement starts H2 2026 to allow 12+ months for assessment.Class I 合規工作最晚 2027 年 H1 開始。Class II NB engagement 2026 年 H2 開始、留 12 個月以上做評鑑。 |
| Pre-hEN transitional reality調和標準公布前的過渡現實 | Many CRA hENs may not be cited in OJ by 11 Dec 2027. Manufacturers using draft hENs must follow Module B+C or H even for Class I, or wait for hEN OJ citation.很多 CRA 調和標準在 2027 年 12 月 11 日前可能還沒在歐盟公報引用。使用草案調和標準的製造商即使是 Class I 也要走 Module B+C 或 H、或等調和標準歐盟公報引用。 | Track CEN-CENELEC and ETSI publication progress monthly through 2026–2027.2026 至 2027 年每月追蹤 CEN-CENELEC 跟 ETSI 公布進度。 |
For Taiwan, Japan, and Korea, the regulatory clock interacts with domestic schemes in ways that need active coordination. Taiwan's BSMI CNS 16190 / CNS 18031 mandatory cybersecurity testing for connected products begins 1 Jan 2028 — three weeks after CRA full application. Japan's JC-STAR (METI/IPA) is voluntary but ramping up through 2025–2026. Korea's K-ISMS / KISA evaluation is established. None of these substitute for CRA, and CRA does not satisfy any of them. APAC manufacturers face stacked compliance regimes for the same product, often with overlapping but not identical scope.
對台日韓、法規時鐘跟國內機制的互動需要主動協調。台灣 BSMI CNS 16190 / CNS 18031 對連網產品的強制網路安全測試自 2028 年 1 月 1 日開始,CRA 全面適用後三週。日本 JC-STAR(METI / IPA)是自願性、2025-2026 年加速。韓國 K-ISMS / KISA 評鑑已成熟。這些都不能替代 CRA、CRA 也無法滿足任何一個。APAC 製造商就同一產品面對堆疊的合規制度、範圍重疊但不相同。
A pragmatic planning principle: budget CRA conformity as a separate line item, on top of any domestic scheme cost. Do not assume domestic certification accelerates the EU side beyond the engineering work that is genuinely shared (test data, threat models, vulnerability handling processes). The conformity routes are separate.
務實規劃原則:CRA 合規當作獨立預算項、疊在任何國內機制成本之上。不要假設國內認證在真正可共用的工程工作(測試數據、威脅模型、弱點處理流程)以外、會加速 EU 端。合規路徑是分開的。
Block 4 · Cross-regulation map 區塊 4 · 跨法規對照
CRA timeline against the wider EU regulatory cluster CRA 時程跟更廣 EU 法規群的對照
CRA does not enter into force in isolation. The years 2024–2027 see multiple EU cybersecurity, AI, machinery, and product safety regimes coming online. Knowing the parallel calendars matters because APAC manufacturers often face several at once. CRA 不是孤立生效。2024 到 2027 年、多個 EU 網路安全、AI、機械、產品安全制度同時上線。知道平行行事曆很重要、因為 APAC 製造商常常同時面對好幾個。
RED Delegated Act 2022/30 — 1 August 2025 cybersecurity essential requirementsRED 授權行為 2022/30:2025 年 8 月 1 日網路安全基本要求
RED Article 3(3)(d), (e), (f) cybersecurity essential requirements for radio equipment apply from 1 Aug 2025. This date is before CRA full application. APAC ICT exporters with radio products (Wi-Fi, Bluetooth, cellular) face RED-DA cybersecurity requirements 28 months earlier than CRA. The RED-DA is harmonised by EN 18031 series. RED-DA conformity work is a partial down-payment on later CRA conformity, but the regimes are legally distinct.
RED 第 3(3)(d)、(e)、(f) 條對無線電設備的網路安全基本要求、自 2025 年 8 月 1 日適用。這個日期早於 CRA 全面適用。具無線電產品(Wi-Fi、Bluetooth、行動通訊)的 APAC ICT 出口商、面對 RED-DA 網路安全要求比 CRA 早 28 個月。RED-DA 由 EN 18031 系列調和。RED-DA 合規工作是後續 CRA 合規的部分頭期款、但兩個制度法律上分開。
NIS2 Directive — 17 October 2024 transposition deadlineNIS2 指令,2024 年 10 月 17 日轉化期限
NIS2 Member State transposition deadline was 17 Oct 2024. The directive imposes cybersecurity duties and incident reporting on essential and important entities. Most APAC ICT manufacturers selling B2B / industrial products into EU end up indirectly affected — their EU customers are NIS2 entities and demand SBOMs, secure configuration, vulnerability handling commitments to support customer-side NIS2 compliance.
NIS2 會員國轉化期限為 2024 年 10 月 17 日。該指令對 essential 跟 important entities 課網路安全義務跟事件通報。多數賣 B2B / 工業產品進 EU 的 APAC ICT 製造商會被間接影響,EU 客戶是 NIS2 實體、要求 SBOM、安全配置、弱點處理承諾、以支援客戶端 NIS2 合規。
EU AI Act — tiered application 2025–2027EU AI Act,分階段適用 2025-2027
AI Act applies in tiers: prohibited practices from 2 Feb 2025, general-purpose AI from 2 Aug 2025, full application 2 Aug 2026 (with high-risk AI systems specific provisions from 2 Aug 2027). For APAC manufacturers building AI-bundled PwDE (smart cameras with object recognition, AI-powered industrial sensors), the AI Act application track precedes CRA full application by ~16 months.
AI Act 分階段適用:禁止行為自 2025 年 2 月 2 日、通用型 AI 自 2025 年 8 月 2 日、全面適用 2026 年 8 月 2 日(高風險 AI 系統特定條款自 2027 年 8 月 2 日)。對打造 AI 搭配具數位元素產品的 APAC 製造商(具物件辨識的智慧攝影機、AI 工業感測器)、AI Act 適用軌道比 CRA 全面適用早約 16 個月。
Machinery Regulation 2023/1230 — 20 January 2027 application機械法規 2023/1230:2027 年 1 月 20 日適用
The Machinery Regulation applies from 20 Jan 2027 — about 11 months before CRA full application. The Machinery Regulation introduces digital safety provisions and connectivity-related risks. APAC machine builders selling connected machinery to EU face Machinery Regulation in early 2027 and then CRA in late 2027. The two regimes overlap on connected machinery — most APAC industrial automation suppliers will need to map both.
機械法規自 2027 年 1 月 20 日適用,比 CRA 全面適用早約 11 個月。機械法規引入數位安全條款跟連網相關風險。賣連網機械到 EU 的 APAC 機械製造商、2027 年初面對機械法規、年底面對 CRA。兩個制度在連網機械上重疊,多數 APAC 工業自動化供應商需要同時對應。
DORA Reg 2022/2554 — 17 January 2025 application; GPSR Reg 2023/988 — 13 December 2024 applicationDORA 法規 2022/2554:2025 年 1 月 17 日適用;GPSR 法規 2023/988:2024 年 12 月 13 日適用
DORA applies from 17 Jan 2025 — well before CRA. APAC manufacturers selling PwDE into EU financial-sector customers face DORA-driven downstream pressure earlier than CRA itself. GPSR (General Product Safety Regulation) applies from 13 Dec 2024 — also well before CRA. GPSR is the residual safety net for risks CRA does not cover. Connected consumer products may face GPSR-side market surveillance from late 2024 even though full CRA arrives only at the end of 2027.
DORA 自 2025 年 1 月 17 日適用,遠早於 CRA。賣具數位元素產品進 EU 金融部門客戶的 APAC 製造商、比 CRA 本身更早面對 DORA 驅動的下游壓力。GPSR(一般產品安全法規)自 2024 年 12 月 13 日適用,也遠早於 CRA。GPSR 是 CRA 沒涵蓋風險的剩餘安全網。連網消費產品可能從 2024 年底開始面對 GPSR 端市場監督、即使完整 CRA 要到 2027 年底才到位。