CRA Notebook
Long-form essays · irregular cadence

Commentary, from APAC.

The CRA has seventy-one articles. Read the text slowly, in public, and try to say what it means when it lands in the APAC region.

10 essays · 7 standing · 3 working
Last reviewed 29 Apr 2026 · 11 min read · Standing

One door. Two clocks. A cascade that decides where you land.

Article 14 looks like a single reporting article on first read. It is actually one entry-point feeding two parallel clocks — vulnerability and severe incident — with different anchors and different final-report deadlines.

Last reviewed 28 Apr 2026 · 14 min read · Standing

Article 13 is the load-bearing wall of the CRA. Here’s why.

Most regulations distribute their weight across many articles. The CRA is not designed that way. One article carries most of it, and reading it that way changes how the rest of the regulation reads.

Last reviewed 27 Apr 2026 · 5 min read · Working

Article 21 — when an importer or distributor becomes the manufacturer.

Article 21 is short. It is also the article that quietly converts importers and distributors into manufacturers when certain conditions are met. APAC partners need to know when the conversion happens, and what changes the moment it does.

Last reviewed 27 Apr 2026 · 9 min read · Standing

You can still ship. You just have to tell on yourself.

11 September 2026 is the most-quoted date in the CRA universe and one of the most misunderstood. It is not the day Article 13 starts. It is the day Article 14 starts — the day reporting starts. Reporting and building are not the same thing, and confusing them is what separates a calm 2026 from a panicky one.

Last reviewed 27 Apr 2026 · 10 min read · Working

Why PRE eats more than its share.

prEN 40000-1-3 splits vulnerability handling into six phases. PRE looks like 1/6, the smallest. In an APAC manufacturer’s actual workflow, it eats far more.

Last reviewed 25 Apr 2026 · 16 min read · Standing

Article 2 is the question every other article presupposes.

Most articles tell you what to do. Article 2 tells you whether the rest of the regulation applies to you at all. Read it first, read it carefully, and read it twice.

Last reviewed 25 Apr 2026 · 17 min read · Standing

Article 22 is the hidden membership gate of the manufacturer club.

Article 22 looks like a one-paragraph rule about substantial modification. It is actually the door that, without anyone applying, can convert an integrator, an importer, or even a distributor into the manufacturer of a product they did not make.

Last reviewed 25 Apr 2026 · 18 min read · Standing

Article 3 is a budget sluice. Read it like one.

Article 3 lists definitions. It looks like a glossary. It is not. Each definition opens or closes a budget sluice that determines whether your team owns the work, which sub-team it falls to, and how much it costs.

Last reviewed 25 Apr 2026 · 14 min read · Working

Who is an “open-source steward”? The CRA’s new puzzle piece.

The CRA introduces “open-source software steward” as a new legal category. The boundaries of who counts and what they owe are still moving. Here is the current state and the questions that remain.

Last reviewed 25 Apr 2026 · 17 min read · Standing

An SBOM is a mirror of your supply chain, not a document about it.

Most discussion of SBOMs treats them as compliance artefacts — a thing you produce. The CRA reads them differently. SBOM is the mirror your supply chain looks into; what it shows is what you actually shipped, not what you told someone you shipped.

About this column

Each piece is read three times before publication: once for legal accuracy, once for plain-language clarity, once for whether it actually helps an APAC operator make a Monday-morning decision. If a piece does not pass the third read, it does not run.

Bilingual by default. Written from APAC. Free to read, permanently ad-free. No products behind the page, no lead forms, no service being sold. The text is the product.