The first time I sat down with Regulation (EU) 2024/2847 and read it cover to cover, the thing that surprised me wasn’t the scope. The scope I expected. Anyone who tracks European cybersecurity policy could see the CRA coming five years out. What surprised me was the weight distribution. Most regulations are evenly loaded — a hundred articles, each carrying its own piece of the legal cargo. The CRA is not built that way.
Article 13 carries most of it.
Twenty-five paragraphs. Every one of them imposes an obligation on the manufacturer or anchors a Commission power that creates one. No other article in the CRA comes close. Article 14 has ten paragraphs. Article 19 — importer obligations — has eight. Article 20 — distributors — six. Article 32, the conformity assessment routing engine, six. The Annex I essential requirements, which feel weighty when you read them, fit on a page and a half: thirteen sub-points in Part I, eight numbered points in Part II. Article 13 is structurally a different kind of object. It is the load-bearing wall of the building.
I want to explain why I think this matters, and why anyone whose job touches CRA compliance — manufacturer, importer, notified body, in-house counsel — should treat Article 13 differently from the rest of the regulation.
§ 01 What “load-bearing” actually means
Architecture has a useful concept here. In a load-bearing wall structure, certain walls hold up everything else; remove them and the building collapses. Other walls are partition walls — they divide rooms but support nothing. You can knock them down with a sledgehammer and the roof stays where it is.
Most regulatory articles are partition walls. They define a procedure, a deadline, an exception. They matter, but they refer outward — to other articles, to annexes, to delegated acts. Read in isolation, they feel incomplete, because they are. They’re part of a larger structure.
Article 13 is different. Article 13 doesn’t refer outward. Other articles refer to it. When Article 14 talks about the manufacturer’s reporting obligations, it sits on top of Article 13’s definition of what the manufacturer is and what the manufacturer must already be doing. When Article 19 specifies importer obligations, those obligations are derivative — the importer’s job is to verify the manufacturer’s compliance with specific paragraphs of Article 13 (Article 19(2)(c) and (d) name Article 13(15), (16), (19), and (20) explicitly). When Article 27 talks about presumption of conformity, the conformity that gets presumed is conformity with Annex I — and Annex I is the substance that Article 13(1) makes mandatory. The whole regulation pivots on this one article.
If you remove Article 13 from the CRA, the CRA does not exist. You have a regulation about market surveillance of nothing in particular.
§ 02 The 25 paragraphs, grouped
I read Article 13 the way one reads a building’s structural drawings — not paragraph by paragraph, but in load groups. Six of them.
Group 1: design-time obligations (paragraphs 1, 2, 3). The “before you build the product” rules. Annex I Part I conformity by design (¶1). Cybersecurity risk assessment (¶2), and what that risk assessment must analyse (¶3). They’re structurally first because nothing else can land if the product wasn’t designed for it. You can’t patch security in.
Group 2: supply-chain due diligence (paragraphs 5, 6). Due diligence on third-party components, including open-source components (¶5). Where the manufacturer finds a vulnerability in an integrated component, an obligation to report it back to whoever maintains that component and remediate (¶6). The vulnerability of any included component becomes the manufacturer’s vulnerability. This is the group that should keep APAC contract manufacturers up at night, because a lot of what they ship is integration work.
Group 3: documentation as evidence (paragraphs 4, 7, 13). The risk assessment goes into the technical documentation required by Article 31 and Annex VII (¶4). Relevant cybersecurity aspects, including vulnerabilities, must be systematically documented and the risk assessment updated as needed (¶7). Technical documentation and the EU declaration of conformity must be kept available to market surveillance authorities for at least ten years after the product is placed on the market or for the support period, whichever is longer (¶13). Paperwork-shaped on the surface, but the documents are themselves audit objects.
Group 4: post-market vulnerability handling (paragraphs 8, 9, 10, 11, 21). The support period: the manufacturer determines it from the expected use time of the product, and it must be at least five years unless the product is expected to be in use for less than that (¶8). Each security update issued during the support period must remain available for at least ten years after issue, or for the remainder of the support period, whichever is longer (¶9). For substantially modified software, conformity may be demonstrated for the latest version only, provided users of earlier versions can upgrade to it free of charge (¶10). Where the manufacturer keeps public archives of historical versions, users must be clearly informed about the risks of using unsupported software (¶11). Where non-compliance is identified, immediate corrective action, withdrawal, or recall (¶21). This is the group that turns CRA from a one-time certification cost into a perpetual operational cost — and the group that most companies haven’t budgeted for.
Group 5: conformity, CE marking, identification, user-facing artefacts (paragraphs 12, 14, 15, 16, 17, 18, 19, 20). The artefacts you ship with the product. Technical documentation drawn up before market, conformity assessment carried out, EU declaration of conformity, CE marking (¶12). Procedures for series production to remain in conformity (¶14). Type, batch, or serial number for product identification (¶15). Manufacturer name and contact details on the product (¶16). A single point of contact for users to report vulnerabilities (¶17). Information and instructions to the user per Annex II, kept available for ten years or the support period (¶18). End date of the support period clearly specified at time of purchase (¶19). EU declaration of conformity, or simplified DoC per Annex VI, accompanying the product (¶20). It looks like a paperwork group, but every artefact in it is something a market surveillance authority can ask to see.
Group 6: authority interaction and Commission powers (paragraphs 22, 23, 24, 25). On reasoned request from a market surveillance authority, all information and documentation needed to demonstrate conformity, in a language the authority can easily understand (¶22). On cessation of operations, advance notification to authorities and users (¶23). The Commission may, by implementing acts, specify the format and elements of the SBOM referred to in Annex I Part II (¶24). ADCO, the administrative cooperation group of market surveillance authorities set up under the CRA, may decide to conduct a Union-wide dependency assessment, in which case market surveillance authorities can request manufacturers to submit SBOMs (¶25). Most APAC manufacturers underweight this group because it doesn’t show up in conformity assessment artefacts — but it’s where post-market enforcement and Commission rule-making actually bite.
Six groups. Twenty-five paragraphs. One article. Read individually, the paragraphs feel like a checklist. Read as six functional groups, they feel like a coherent operating model — and that’s the right way to read them.
§ 03 The asymmetry that makes Article 13 dangerous
Here is the part that surprised me, and the reason I think Article 13 deserves separate treatment from the rest of the regulation.
Most CRA articles fail in bounded ways. Miss Article 14’s 24-hour early-warning deadline? You’ve breached Article 14. Miss the CE marking rules in Article 30? You’ve breached Article 30. The penalty under Article 64 attaches to the specific failed obligation, the failure is enumerable, and the remediation is bounded.
Article 13 doesn’t work that way. Article 13 fails structurally.
If you missed Group 1 — you didn’t do a risk assessment, your product wasn’t designed against Annex I Part I — every downstream obligation is also breached, because every downstream obligation assumes a product designed against Annex I. Your Article 14 vulnerability and incident reports refer to a product that doesn’t have a documented security baseline. Your Article 27 presumption of conformity presumes nothing. Your Annex VII technical file describes a product whose risk model was never written. The whole stack collapses.
This is what “load-bearing” means in compliance terms. A failure in Article 13 is not a single fine — it’s an unwinding of every claim you’ve made under every other article. Article 64(2) recognises this implicitly: breaches of Article 13 attract the highest penalty tier (up to €15 million or 2.5% of total worldwide annual turnover for the preceding financial year, whichever is higher), the same tier as breaches of the Annex I essential requirements and of Article 14. The legislator put Article 13 in the maximum bracket because the legislator understood the structural role.
§ 03b The Article 18 carve-out: what an authorised representative cannot shield
For APAC manufacturers placing products on the EU market, the standard route is appointing an EU-established authorised representative (AR) under Article 18. The AR carries the legal mandate. The AR keeps the EU declaration of conformity available to market surveillance authorities. The AR cooperates with authorities on corrective action.
What the AR cannot carry is most of Article 13. Article 18(2) is explicit: “The obligations laid down in Article 13(1) to (11), Article 13(12), first subparagraph, and Article 13(14) shall not form part of the authorised representative’s mandate.” Read that list carefully. ¶1-3 (design-time). ¶4-7 (documentation and supply chain). ¶8-11 (vulnerability handling and support period). ¶12 first subparagraph (the technical documentation drawing-up itself). ¶14 (series production conformity). All of it sits with the manufacturer, structurally and contractually. The AR cannot stand in for any of it.
This is not a paperwork detail. It means the operational obligations — risk assessment, SBOM, vulnerability handling, support period commitment, series production controls — remain with an entity that may have no establishment, no employees, and no operational presence inside the EU. The AR is a legal contact point. It is not an organisational substitute. A manufacturer in Taipei or Shenzhen who reads Article 13 as something the AR will handle has misread Article 18.
The practical implication: Article 13 has to be implemented in-house, by people who understand the product. The AR mandate is a wrapper around that implementation, not a replacement for it.
§ 03c Why APAC manufacturers feel this differently
I want to be specific about why this matters more in APAC than in, say, Frankfurt or Helsinki, because the regulation reads identically everywhere but lands differently.
European manufacturers — particularly in regulated sectors like automotive or industrial automation — have decades of experience operating under harmonised conformity regulations: the Machinery Directive, the EMC Directive, the Radio Equipment Directive. They have institutional muscle for risk assessment, technical documentation, market surveillance correspondence. Article 13 reads to them as a familiar pattern with new content.
For most APAC hardware OEMs and ODMs, especially those whose European business has gone through brand-customer importers, Article 13 reads as an entirely new operating model. The Group 1 design-time obligations don’t map onto any existing internal process. The Group 4 post-market obligations don’t map onto any existing budget category. The Group 5 user-facing artefacts and Group 6 authority-cooperation obligations require organisational reach into customer relationships and regulatory communications that contract manufacturers historically didn’t have.
The CRA doesn’t care about this. The CRA applies identically. But the operational gap that has to be closed across the APAC manufacturing belt is genuinely larger than the gap in Stuttgart or Eindhoven. That gap is what Article 13 measures, and Article 13 is the one place in the regulation that measures it.
§ 04 The reading strategy I’d recommend
If you have time to read one article of the CRA closely — and most operators don’t have time to read all seventy-one — read Article 13. Not because the others don’t matter, but because the others are conditional on Article 13 being right.
Read it in groups, not in paragraph order. Map each group to an internal owner — Group 1 is engineering, Group 2 is procurement and SBOM, Group 3 is the documentation function (technical writing, regulatory affairs, audit), Group 4 is product security and incident response, Group 5 is regulatory affairs and customer support, Group 6 is regulatory affairs and legal. The mapping won’t be clean in any company below 200 people, and that’s where the gap analysis becomes visible — these obligations don’t have homes yet.
Treat Group 4 as the budget item. Most companies will discover, while reading the paragraphs that mandate vulnerability handling throughout a manufacturer-declared support period of at least five years — with each issued security update remaining available for at least ten years — that they have never priced support into their P&L. The first time someone calculates the carrying cost of supporting a product line at SBOM-level visibility for the support period plus the ten-year update-availability tail, the reaction tends to be physical.
And finally — read Article 13 alongside Article 64. The penalty reference makes the structural role visible. €15 million or 2.5% of worldwide annual turnover, whichever is higher, is not a parking ticket. It’s a number designed to be larger than the cost of compliance, which is the only way it works as deterrence.
§ 05 What this implies for the rest of the project
Most of this site is built around Article-by-article reading, and most of the articles will get a single editorial. Article 13 is the exception. The full editorial sits at /act/article/13, and over the coming weeks I expect to write follow-up commentary on specific paragraphs — particularly paragraph 8 (support period determination), paragraph 24 (SBOM format implementing acts) and paragraph 25 (ADCO Union-wide dependency assessment), and the Group 4 vulnerability handling cluster.
If you only have an hour to spend on the CRA this month, spend it on Article 13. Everything else is downstream.