Working note: this essay is part of an active series; content may iterate before settling. Last reviewed 3 May 2026.
CRA Notebook
18 min read · Working note
Compliance as Capability — Reading the CRA from APAC
Part 4 of 4

Compliance, from cost to capability

Once the capability is in place, compliance is not only an entry ticket — it's bargaining leverage. The 2026 to 2027 window is when the position consolidates. This essay walks through how SBOM, signed updates, and an auditable support-period commitment turn from cost into capability.

Part 1 framed the map. Part 2 worked the priority order. Part 3 named the three capabilities worth building. This essay closes the series.

The thread that ties the four together: the CRA is not only a compliance burden — it’s also a window during which industry positions get redrawn. Manufacturers who build capability earlier in this window land in a different position on the EU market post-2027.

That isn’t optimistic framing; it’s what surfaces when the 22 principles from Part 2 and the three capabilities from Part 3 are placed back into the market context. This essay opens four layers of that context: the EU-market entry ticket, the ODM bargaining position, the industry restructuring window, and the cognitive shift from cost centre to operational capability.

§ 01 Entry-ticket layer: how CRA compliance binds to EU market access

Start with the baseline.

CRA Article 64(2) sets administrative fines of up to EUR 15 million or 2.5% of total worldwide annual turnover for the preceding financial year, whichever is higher, for non-compliance with the essential cybersecurity requirements in Annex I or the obligations in Articles 13 and 14. For APAC manufacturers, though, the fine isn’t the most consequential exposure; market access is.

The CRA is wired into the broader EU market-surveillance architecture. Articles 54 through 58 give market surveillance authorities the power to require corrective action from manufacturers, restrict or prohibit a product’s availability on the EU market, order recalls or withdrawals, and notify peer Member States. In other words, non-compliance under the CRA isn’t a Member State-specific fine — the consequence runs across the entire EU single market.

For many APAC manufacturers, the EU is a meaningful market — especially in networking equipment, IP cameras, IoT edge devices, and embedded systems, which are the largest ODM categories. The impact of losing EU market access doesn’t sit at the “added cost” level; it sits closer to “specific product lines facing market continuation questions.”

This reframing matters for CRA prioritisation: the CRA is not a Compliance department to-do — it’s a company-level market strategy question.

The timeline reality: how much time sits between now and December 2027

Stacking the key dates together:

Anchor — Article 71(2) verbatim: “This Regulation shall apply from 11 December 2027. However, Article 14 shall apply from 11 September 2026 and Chapter IV (Articles 35 to 51) shall apply from 11 June 2026.” — Article 71(2), Regulation (EU) 2024/2847.

Counting from May 2026, that’s about 19 months to full application. Bringing the four Tier 1 principles to a “defensible to an external auditor” level takes 9 to 12 months; designing contract interfaces with brand customers adds another 3 to 6 months; threat modelling, release gates, and support-period planning need to thread through the same window as Tier 2 work.

The window isn’t as short as it might feel, but it isn’t as long as it might feel either. The premise is that work starts now, rather than waiting until the first half of 2027 and then sprinting.

§ 02 Bargaining-position layer: the ODM’s place in the compliance chain gets redefined

This is the layer most worth thinking through carefully for APAC ODMs.

The CRA’s regulated party is the manufacturer: the entity that develops or manufactures the product, or has it designed, developed or manufactured, and markets it under its own name or trademark. The definition turns on whose name the product carries when it is placed on the EU market, not on who designed or built it, so in an ODM model that manufacturer is the brand customer, not the ODM itself (an ODM that also ships under its own brand in the EU is the manufacturer for those units). On the surface, the ODM’s statutory obligations look smaller, the responsibility lighter, the risk lower.

That surface read, though, misses the operating reality. To complete CRA compliance, the brand customer needs most of what sits on the ODM’s side:

Anchor — the ingredient ladder: For the brand customer to sign CRA-anchored commitments to its EU customers, the brand customer first needs the ODM to deliver the ingredients those commitments depend on: SBOM, vulnerability information, secure-update release capability, support-period commitment. The ODM’s CRA readiness directly shapes the brand customer’s path to market. This distillation isn’t in the regulation, but it’s the operational reality that follows from Article 13 and Article 14 read together.

In practice, the brand customer cannot sign those commitments toward its EU customers until the ODM has delivered the inputs, so the ODM’s CRA readiness sits directly on the brand customer’s critical path to market.

This shift inverts the ODM’s traditional position. ODMs have historically been the passive party on compliance: the brand customer asked for tests and certifications, the ODM accommodated. Under the CRA, the ODM becomes an active supplier of compliance ingredients. Whether you can deliver an SBOM, whether you can carry a multi-year support commitment, whether you can get vulnerability information to the brand customer fast enough for it to meet the 24-hour early-warning clock in Article 14 (the manufacturer’s deadline for notifying an actively exploited vulnerability or a severe incident), all of it directly shapes whether you can land the order.

ODMs that move earlier shift from “interchangeable contract manufacturer” to “key node on the compliance chain.” Among ODMs that move later, compliance capability becomes one more dimension on which they get evaluated — if an ODM can’t deliver an SBOM, the brand customer’s whole product line can stall on EU market entry.

MRSM: still a concept, but with particular strategic relevance for the ODM model

ENISA Playbook Chapter 5 introduces the Machine-Readable Security Manifest (MRSM) concept. It’s currently an illustrative example, not a standard, and not a regulatory requirement. But for ODM-to-brand-customer compliance evidence exchange, the concept is worth watching early.

The reasoning is direct: under the CRA, what an ODM hands to the brand customer isn’t a PDF report — it’s a package of machine-readable, verifiable, downstream-passable evidence: SBOMs, dependency-scan results, signing records, build provenance, support-period status, known-vulnerability disposition. If those move as PDFs, the brand customer has to spend headcount digesting, translating, and integrating them into its own compliance documentation, which scales poorly. As machine-readable artifacts, they can be ingested directly into the customer’s toolchain.

MRSM as drafted integrates existing ecosystems — primarily OSCAL, CycloneDX CDXA, OWASP ASVS, and OpenSSF Security Insights (with ENISA Playbook Section 5.3 also listing TC54 and OpenSSF Scorecard among others) — and proposes a layered architecture: a Control Layer (mapping to security objectives), an Implementation Layer (technical controls), and an Assessment and Verification Layer (verification results). This layering fits the ODM/brand-customer evidence exchange particularly well, because it can move across organisational boundaries without losing fidelity.

A useful posture: there’s no need to adopt MRSM today (it’s still at concept stage), but the underlying artifacts — SBOMs, vulnerability scan results, build provenance — are worth producing in machine-readable form starting now. When MRSM or a similar integration framework matures, the underlying data is already in place; the work becomes upper-layer format conversion.
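The consumer side of that exchange, as an added example that is not code from the regulation, the ENISA Playbook, or any vendor: a brand-customer ingest step that checks an ODM evidence bundle before anything in it is trusted. The bundle layout, the field names, the placeholder purls and vulnerability id, and the HMAC-SHA256 tag standing in for a detached signature are all assumptions made for this example; a real deployment would verify an asymmetric signature over the same canonical bytes.

```python
"""Brand-customer-side ingest of an ODM evidence bundle.

Added example, not code from the regulation, the ENISA Playbook, or any
vendor. Assumed (hypothetical) bundle layout: a CycloneDX-style SBOM, a
VEX-style list of known-vulnerability dispositions, a support-period end
date, build provenance, and an HMAC-SHA256 tag over the canonical JSON using
a key the two parties exchanged out of band. The HMAC stands in for a real
signature so the script runs on the standard library alone.
"""
import hashlib
import hmac
import json
from datetime import date

SHARED_KEY = b"constructed-demo-key"  # constructed; production would use asymmetric signing

# Constructed sample bundle; purls and the vulnerability id are placeholders.
BUNDLE = {
    "sbom": {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "components": [
            {"bom-ref": "pkg:generic/busybox@1.36.1", "name": "busybox",
             "version": "1.36.1", "purl": "pkg:generic/busybox@1.36.1"},
            {"bom-ref": "pkg:generic/openssl@3.0.13", "name": "openssl",
             "version": "3.0.13", "purl": "pkg:generic/openssl@3.0.13"},
        ],
    },
    "vulnerabilities": [
        {"id": "PLACEHOLDER-0001",  # constructed, not a real advisory
         "affects": ["pkg:generic/openssl@3.0.13"],
         "state": "not_affected", "justification": "code_not_reachable"},
    ],
    "support_period_end": "2031-12-31",
    "build_provenance": {"builder": "ci.odm.example", "source_digest": "sha256:" + "0" * 64},
}

# Constructed negative case: the disposition references a purl the SBOM never listed.
DANGLING_VEX_BUNDLE = json.loads(json.dumps(BUNDLE))
DANGLING_VEX_BUNDLE["vulnerabilities"][0]["affects"] = ["pkg:generic/zlib@1.3"]

VEX_STATES = {"affected", "not_affected", "fixed", "under_investigation"}


def canonical(obj) -> bytes:
    """Deterministic serialisation so both sides hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def bundle_digest(bundle) -> str:
    """Content digest the brand customer records in its own compliance file."""
    return hashlib.sha256(canonical(bundle)).hexdigest()


def sign_bundle(bundle, key: bytes) -> str:
    """ODM side: tag the canonical bundle (stand-in for a detached signature)."""
    return hmac.new(key, canonical(bundle), hashlib.sha256).hexdigest()


def verify_bundle(bundle, tag: str, key: bytes) -> bool:
    """Brand-customer side: constant-time check before any content is trusted."""
    return hmac.compare_digest(sign_bundle(bundle, key), tag)


def check_bundle(bundle, required_until: str) -> list:
    """Structural and policy checks; returns a list of findings (empty means accept)."""
    findings = []
    for key in ("sbom", "vulnerabilities", "support_period_end", "build_provenance"):
        if key not in bundle:
            findings.append(f"missing section: {key}")
    if findings:
        return findings  # nothing else is meaningful without all sections

    sbom = bundle["sbom"]
    if sbom.get("bomFormat") != "CycloneDX":
        findings.append("sbom: not CycloneDX")
    purls = set()
    for c in sbom.get("components", []):
        if not c.get("purl") or not c.get("version"):
            findings.append(f"sbom: component {c.get('name')!r} lacks purl/version")
        else:
            purls.add(c["purl"])

    # Every disposition must use a known state, justify "not_affected",
    # and point at a component that actually appears in the SBOM.
    for v in bundle["vulnerabilities"]:
        if v.get("state") not in VEX_STATES:
            findings.append(f"vex {v.get('id')}: unknown state {v.get('state')!r}")
        if v.get("state") == "not_affected" and not v.get("justification"):
            findings.append(f"vex {v.get('id')}: not_affected without justification")
        for ref in v.get("affects", []):
            if ref not in purls:
                findings.append(f"vex {v.get('id')}: affects {ref} which is not in the SBOM")

    end = date.fromisoformat(bundle["support_period_end"])
    if end < date.fromisoformat(required_until):
        findings.append(f"support period ends {end}, before required {required_until}")

    prov = bundle["build_provenance"]
    if not prov.get("builder") or not str(prov.get("source_digest", "")).startswith("sha256:"):
        findings.append("provenance: builder or source digest missing")
    return findings


def ingest(bundle, tag: str, key: bytes, required_until: str) -> dict:
    """Pipeline entry point: reject on a bad tag first, then apply policy checks."""
    if not verify_bundle(bundle, tag, key):
        return {"accepted": False, "findings": ["integrity tag does not verify"]}
    findings = check_bundle(bundle, required_until)
    return {"accepted": not findings, "findings": findings, "digest": bundle_digest(bundle)}


if __name__ == "__main__":
    tag = sign_bundle(BUNDLE, SHARED_KEY)
    print(json.dumps(ingest(BUNDLE, tag, SHARED_KEY, "2030-12-31"), indent=2))
```

The ordering is the point: integrity is checked over the canonical bytes before any field is read, and the policy checks then reject the cases a PDF hand-off would let through unnoticed, such as a disposition that names a component the SBOM never declared or a support period shorter than what the brand customer has promised downstream.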

§ 03 Industry-restructuring layer: 2026 prepare, 2027 apply, 2028 the gap becomes visible

Stretch the timeline further out, and the CRA looks like a capability-stratification event for the industry.

Over the past decade, APAC manufacturers have competed on the EU market primarily through cost, flexibility, and lead time. Cybersecurity capability has been a plus, not a precondition. Post-CRA, cybersecurity capability moves from plus to entry condition. Once everyone is past the entry, the maturity of cybersecurity capability becomes the new competitive baseline.

This shift won’t materialise as a single event in December 2027. It surfaces gradually through 2028 and 2029.

A subset of Taiwanese manufacturers is already positioning along this direction — some ODMs joined FIRST (Forum of Incident Response and Security Teams) during 2024 and 2025, set up external PSIRT channels, started publishing security advisories, and built CVD policies. The short-term return on these moves is hard to see; the medium-term effect shows up on customers’ supplier evaluation lists; the long-term effect compounds into a visible capability gap.

A question worth sitting with: if a “supplier CRA compliance maturity” column appears on EU procurement evaluation tables in 2028, where does your company sit? If that column hasn’t appeared yet, when does it appear?

A practical estimate: the column likely starts showing up from mid-2027 onward. The reasoning: full CRA application is 11 December 2027, brand customers need to align all their suppliers before that date, and procurement evaluation tables typically run six months to a year ahead of the regulatory date itself. Which puts the question at mid-2027, around the time you’d want to be ready to answer it.

§ 04 Cognitive-shift layer: moving the CRA from cost centre to operational capability

The final layer is an organisational positioning question.

In many APAC manufacturers right now, CRA planning sits inside Compliance or Quality Assurance, framed as “another regulatory burden.” The budget posture follows from that framing — necessary cost, minimised where possible, deferred where possible.

That positioning is worth recalibrating.

The capabilities the CRA requires building — SBOM workflow, vulnerability handling SOP, PSIRT interface, support-period commitments, secure-update infrastructure — are each a product capability in their own right, not just a compliance artifact. Once they are operational, treating them as product features to invest in, versus treating them as compliance cost to absorb, generates very different levels of internal support and resource allocation. The first frame can pull from R&D budget; the second only competes inside the Compliance budget. The first becomes a market sales pitch; the second remains a cost centre.

A practical move on this: shift CRA core capability building from the Compliance function to the operations layer — owned directly by the CTO/COO, with Compliance and QA as supporting functions rather than owners. That’s the organisational shape that lets cross-functional coordination across R&D, PM, QA, and Sales actually take place.

§ 05 Closing the series

Across the four essays — from “map, not ticket” through which four of the twenty-two principles to run first, through three capabilities worth building, through compliance moving from cost to capability — the throughline tries to address one question: how can an APAC SME manufacturer, under the CRA, turn this compliance challenge into an upgrade in industry position?

The answer condenses into three lines:

  1. See the starting point clearly: the existing national-law training doesn’t map to the CRA’s regulated-party structure; surfacing that gap explicitly is the precondition for sizing the investment correctly
  2. Focus the priority: don’t run all 22 principles in parallel — start with the four Tier 1 starters, follow with Tier 2 contract interfaces, let Tier 3 wait for resources
  3. Reposition organisationally: CRA capability is product capability, not compliance cost; ownership belongs at the operations layer, not the Compliance layer

The ENISA Playbook is a good engineering map, but it doesn’t make the strategic decisions for you. Picking the principles that matter most for your situation, designing the compliance interface with brand customers, and turning built capability into market differentiation — these are pieces of work each company has to do for itself.

What this series offers is a thinking frame, not an SOP. If only one line carries forward, this is the line: the CRA is not only a compliance threshold — it’s also a window for APAC manufacturers to think again about their place in the global supply chain. Manufacturers that move earlier find themselves in a different position when the post-2027 EU market shapes up.

The clock is now running.

Source note Verified verbatim against OJ L 2024/2847: Article 13 and Article 14 obligations referenced; Article 35(2) Member State NB capacity timing (11 December 2026); Articles 54-58 market surveillance enforcement powers; Article 64(2) penalty bracket (EUR 15M or 2.5% worldwide annual turnover, whichever is higher); Article 71(2) verbatim three key dates (11 June 2026 / 11 September 2026 / 11 December 2027). Verified against ENISA Security by Design and Default Playbook v0.4 (19 March 2026): Chapter 5 MRSM concept; Section 5.3 listing of OSCAL, CycloneDX CDXA, OWASP ASVS, OpenSSF Security Insights, TC54, OpenSSF Scorecard; Section 5 layered architecture (Control Layer, Implementation Layer, Assessment and Verification Layer). The four-layer framing (entry ticket / bargaining position / industry restructuring / cognitive shift), the “ingredient ladder” metaphor, and the “2028 procurement-evaluation column” question are my distillation, not labels appearing in the regulation or the Playbook.
