Glossary — the 51 defined terms. 術語表,51 個定義用語。
Article 3 of the CRA defines fifty-one terms. The table below pairs each term with a one-line description and the downstream articles it activates — the rest of the regulation that turns on this definition being read correctly. CRA 第 3 條定義了 51 個用語。下表為每個用語配上一句描述和它所啟動的下游條文 — 法規其他部分依賴這個定義被正確讀取才能成立。
Source: Regulation (EU) 2024/2847, Article 3. Translations are unofficial.
來源:Regulation (EU) 2024/2847 第 3 條。翻譯為非官方版本。
| № | Term & description用語與說明 | 中文中文 | Activates in觸發對應條文 |
|---|---|---|---|
| (1) | product with digital elements
Software or hardware product, plus components placed on the market separately, plus its remote data processing solutions.
軟體或硬體產品,加上單獨投入市場的元件,加上其遠端資料處理解決方案。
|
具數位元素產品(PwDE) 具數位元素產品(PwDE) | Art 2 · Art 13 · Annex III · Annex IV |
| (2) | remote data processing
Cloud-side data processing necessary for the product to function; placed under manufacturer responsibility.
產品功能必需的雲端側資料處理;歸製造商責任範圍。
|
遠端資料處理 遠端資料處理 | Art 3(1) · Annex I |
| (3) | cybersecurity
As defined in Reg (EU) 2019/881 Art 2(1) — protection from cyber threats.
依 Reg (EU) 2019/881 Art 2(1) — 對網路威脅的防護。
|
網路安全(cybersecurity) 網路安全(cybersecurity) | Annex I |
| (4) | software
The part of an electronic information system that consists of computer code.
電子資訊系統中由電腦程式碼構成的部分。
|
軟體 軟體 | Art 3(1) · Annex I |
| (5) | hardware
A physical electronic information system, or parts thereof, capable of processing/storing/transmitting digital data.
能處理/儲存/傳輸數位資料的實體電子資訊系統或其部分。
|
硬體 硬體 | Art 3(1) · Annex I |
| (6) | component
Software or hardware intended for integration into an electronic information system.
預定整合進電子資訊系統的軟體或硬體。
|
元件 元件 | Art 3(1) · Art 13 SBOM |
| (7) | electronic information system
A system, including electrical/electronic equipment, capable of processing/storing/transmitting digital data.
能處理/儲存/傳輸數位資料的系統(含電氣/電子設備)。
|
電子資訊系統 電子資訊系統 | Art 3(1) · Art 3(4) · Art 3(5) |
| (8) | logical connection
A virtual representation of a data connection implemented through a software interface.
透過軟體介面實作的資料連線的虛擬表徵。
|
邏輯連線 邏輯連線 | Annex III (network-related categories) |
| (9) | physical connection
A connection implemented using physical means (electrical, optical, mechanical, wires, radio waves).
以物理方式(電氣、光學、機械、線材、無線電波)實作的連線。
|
實體連線 實體連線 | Annex I |
| (10) | indirect connection
Connection to a device or network that occurs as part of a larger directly-connectable system.
作為較大可直連系統的一部分而對裝置/網路產生的連線。
|
間接連線 間接連線 | Art 2 scope assessment |
| (11) | end-point
Any device that is connected to a network and serves as an entry point to that network.
任何連接至網路並作為該網路入口點的裝置。
|
端點(end-point) 端點(end-point) | Annex III |
| (12) | economic operator
Manufacturer, authorised representative, importer, distributor, or other person with CRA obligations.
製造商、authorised representative、進口商、通路,或其他承擔 CRA 義務的人。
|
經濟經營者 經濟經營者 | Art 13 · Art 18 · Art 19 · Art 20 · Art 23 |
| (13) | manufacturer
Person who develops or manufactures (or has made) PwDE and markets it under its own name or trademark.
自行開發或製造(或委託他人製造)具數位元素產品,並以自身名稱或商標投入市場的人。
|
製造商 製造商 | Art 13 · Art 14 · Art 21 · Art 32 |
| (14) | open-source software steward
Legal person (not a manufacturer) that systematically supports specific FOSS PwDE intended for commercial activities.
非製造商的法人,系統性支援特定 FOSS PwDE 的開發以供商業活動。
|
開源軟體保管者(暫譯,open-source software steward) 開源軟體保管者(暫譯,open-source software steward) | Art 24 · Art 52(3) |
| (15) | authorised representative
EU-established person with written mandate from a manufacturer to act on its behalf for specified tasks.
設立於歐盟、受製造商書面授權代表處理特定任務的自然人或法人。
|
授權代表(authorised representative) 授權代表(authorised representative) | Art 13(15)–(18) · Art 18 |
| (16) | importer
EU-established person who places on the market a PwDE that bears the name/trademark of a non-EU person.
設立於歐盟、將標示非歐盟人士名稱/商標的 PwDE 投入市場的人。
|
進口商 進口商 | Art 19 |
| (17) | distributor
Person in the supply chain, other than manufacturer or importer, who makes a PwDE available on the market.
供應鏈中製造商或進口商以外、將 PwDE 提供於市場的人。
|
經銷商 通路 | Art 20 |
| (18) | consumer
Natural person acting outside their trade, business, craft, or profession.
在交易、商業、工藝或專業以外活動的自然人。
|
消費者 消費者 | Art 13(19) user instructions · Annex II |
| (19) | microenterprises, small enterprises, medium-sized enterprises
As defined in Annex to Recommendation 2003/361/EC.
依 Recommendation 2003/361/EC 附件的定義。
|
微型/小型/中型企業 微型/小型/中型企業 | Art 33(5) · Art 64(5) |
| (20) | support period
Period during which the manufacturer must handle vulnerabilities effectively per Annex I.
製造商有義務依附件一有效處理弱點之期間。
|
支援期間 支援期間 | Art 13(8) · Art 13(9)–(13) |
| (21) | placing on the market
First making available of a PwDE on the Union market.
PwDE 在聯盟市場的首次提供。
|
投入市場(placing on the market) 投入市場(placing on the market) | Art 2(1) · Art 13(1) |
| (22) | making available on the market
Any supply of a PwDE for distribution or use on the Union market in the course of commercial activity.
在商業活動中,為配銷或使用而於聯盟市場供應 PwDE 的任何行為。
|
提供於市場(making available on the market) 提供於市場(making available on the market) | Art 2(1) · Art 19 · Art 20 |
| (23) | intended purpose
Use for which a PwDE is intended by the manufacturer, including specific context, conditions, and applicable users.
製造商所預期的 PwDE 用途(含具體情境、條件、適用使用者)。
|
預期用途(intended purpose) 預期用途(intended purpose) | Art 3(30) substantial modification trigger · Annex I |
| (24) | reasonably foreseeable use
Use that is not necessarily the intended purpose, but may result from reasonably foreseeable human behaviour or technical interactions.
非預期用途、但可能因合理可預見的人類行為或技術互動而產生的使用。
|
合理可預見之使用 合理可預見的使用 | Annex I |
| (25) | reasonably foreseeable misuse
Use of a PwDE in a way not intended, but resulting from reasonably foreseeable human behaviour or technical interaction.
非預期、但由合理可預見的人類行為或技術互動導致的使用。
|
合理可預見之誤用 合理可預見的誤用 | Annex I |
| (26) | notifying authority
Authority designated by a Member State responsible for assessment and notification of conformity assessment bodies.
會員國指定、負責評鑑與通知 conformity assessment 機構的主管機關。
|
通知主管機關(notifying authority) 通知主管機關(notifying authority) | Art 35–47 (NB designation chapter) |
| (27) | conformity assessment
Process of demonstrating whether the essential cybersecurity requirements of Annex I have been fulfilled.
證明附件一基本網路安全要求是否已被滿足的程序。
|
合規性評鑑(conformity assessment) 合規性評鑑(conformity assessment) | Art 32 · Annex VIII |
| (28) | conformity assessment body
Body that performs conformity assessment activities including testing, certification, inspection.
執行 conformity assessment 活動(測試、認證、檢驗)的機構。
|
合規性評鑑機構(conformity assessment body) 合規性評鑑機構(conformity assessment body) | Art 35–47 |
| (29) | notified body
Conformity assessment body notified in accordance with the CRA.
依 CRA 通知的 conformity assessment body。
|
指定機構(notified body) 指定機構(notified body) | Art 32(2)–(3) · Art 38 |
| (30) | substantial modification
A change after placing on the market that affects Annex I compliance OR modifies the intended purpose.
投入市場後的變更,影響附件一合規性,或變更預期用途。
|
實質修改(substantial modification) 實質修改(substantial modification) | Art 21 · Art 32 · Art 13(1) |
| (31) | CE marking
Marking by which the manufacturer indicates the PwDE conforms with Annex I and other applicable Union legislation.
製造商藉以表明 PwDE 符合附件一及其他適用聯盟法規的標示。
|
CE 標示 CE 標示 | Art 28 · Art 29 · Art 30 |
| (32) | Union harmonisation legislation
Union legislation listed in Annex I to Reg (EU) 2019/1020 plus other Union legislation harmonising marketing conditions.
Reg (EU) 2019/1020 附件一所列聯盟立法,及其他調和市場條件的聯盟立法。
|
聯盟調和立法 聯盟調和立法 | Art 29(1) · Art 31 |
| (33) | market surveillance authority
As defined in Reg (EU) 2019/1020 Art 3(4).
依 Reg (EU) 2019/1020 Art 3(4) 之定義。
|
市場監督機關 市場監督機關 | Art 52 · Art 54 · Art 64 |
| (34) | international standard
As defined in Reg (EU) No 1025/2012 Art 2(1)(a).
依 Reg (EU) No 1025/2012 Art 2(1)(a) 之定義。
|
國際標準 國際標準 | Art 27 |
| (35) | European standard
As defined in Reg (EU) No 1025/2012 Art 2(1)(b).
依 Reg (EU) No 1025/2012 Art 2(1)(b) 之定義。
|
歐洲標準 歐洲標準 | Art 27 |
| (36) | harmonised standard
As defined in Reg (EU) No 1025/2012 Art 2(1)(c). When cited in OJEU under CRA, gives presumption of conformity. As of Apr 2026, no hEN cited under CRA.
依 Reg (EU) No 1025/2012 Art 2(1)(c) 之定義。一旦於 OJEU 公告引用、即提供合規推定。截至 2026 年 4 月、CRA 尚無任何 hEN 公告引用。
|
調和標準(harmonised standard) 調和標準(harmonised standard) | Art 27 · Art 32 |
| (37) | cybersecurity risk
Potential for loss or disruption from an incident; combination of magnitude and likelihood.
事件導致損失或中斷的潛勢;嚴重度與可能性的組合。
|
網路安全風險 網路安全風險 | Annex I · Art 13(2) |
| (38) | significant cybersecurity risk
A cybersecurity risk where (a) the technical characteristics make an incident likely AND (b) such an incident could cause severe negative impact.
兩個條件並存:(a) 技術特性使事件發生機率高,且 (b) 該事件可能導致嚴重負面影響(含重大物質或非物質損失)。
|
重大網路安全風險 重大網路安全風險 | Art 14 reporting threshold |
| (39) | software bill of materials
Formal record of details and supply chain relationships of components included in the software elements of a PwDE.
PwDE 軟體元件的細節與供應鏈關係的正式紀錄。
|
軟體物料清單(SBOM) 軟體物料清單(SBOM) | Annex I Part II(1) · Art 13(25) |
| (40) | vulnerability
A weakness, susceptibility, or flaw of a PwDE that can be exploited by a cyber threat.
PwDE 可被網路威脅利用的弱點、易受性或缺陷。
|
弱點(vulnerability) 弱點(vulnerability) | Art 13(8)–(13) · Annex I Part II |
| (41) | exploitable vulnerability
A vulnerability that can be effectively used by an adversary under practical operational conditions.
在實際操作條件下可被對手有效利用的弱點。
|
可利用之弱點 可利用的弱點 | Art 13(10) |
| (42) | actively exploited vulnerability
Vulnerability with reliable evidence that a malicious actor has exploited it without permission.
有可靠證據顯示惡意行為者已未經許可利用的弱點。
|
主動受利用之弱點(actively exploited vulnerability) 主動受利用的弱點(actively exploited vulnerability) | Art 14(1) — 24-hour reporting trigger |
| (43) | incident
As defined in Directive (EU) 2022/2555 Art 6(6) — NIS2 definition.
依 Directive (EU) 2022/2555 Art 6(6) — NIS2 定義。
|
事件(incident) 事件(incident) | Art 14 |
| (44) | incident having an impact on the security of the product with digital elements
Incident that negatively affects the ability of a PwDE to protect availability/authenticity/integrity/confidentiality.
負面影響 PwDE 保護可用性/真實性/完整性/機密性能力的事件。
|
影響 PwDE 安全之事件 影響 PwDE 安全的事件 | Art 14(1) — 24-hour reporting |
| (45) | near miss
As defined in Directive (EU) 2022/2555 Art 6(5).
依 Directive (EU) 2022/2555 Art 6(5) 之定義。
|
險失(near miss) 險失(near miss) | NIS2 reference (not a CRA reporting trigger) |
| (46) | cyber threat
As defined in Reg (EU) 2019/881 Art 2(8).
依 Reg (EU) 2019/881 Art 2(8) 之定義。
|
網路威脅(cyber threat) 網路威脅(cyber threat) | Annex I · Art 13(2) |
| (47) | personal data
As defined in Reg (EU) 2016/679 Art 4(1) — GDPR definition.
依 Reg (EU) 2016/679 Art 4(1) — GDPR 定義。
|
個人資料 個人資料 | Annex I (where data protection overlaps) |
| (48) | free and open-source software
Software with openly shared source code, available under a free and open-source licence permitting full freedoms.
原始碼公開共享、以允許完整自由的 FOSS 授權方式提供的軟體。
|
自由與開源軟體(FOSS) 自由與開源軟體(FOSS) | Recital 18 · Art 24 |
| (49) | recall
As defined in Reg (EU) 2019/1020 Art 3(22).
依 Reg (EU) 2019/1020 Art 3(22) 之定義。
|
召回 召回 | Art 53 · Art 54 |
| (50) | withdrawal
As defined in Reg (EU) 2019/1020 Art 3(23).
依 Reg (EU) 2019/1020 Art 3(23) 之定義。
|
撤回 撤回 | Art 53 · Art 54 |
| (51) | CSIRT designated as coordinator
CSIRT designated as coordinator pursuant to Directive (EU) 2022/2555 Art 12(1).
依 Directive (EU) 2022/2555 Art 12(1) 指定為協調者的 CSIRT。
|
指定為協調者之 CSIRT 指定為協調者的 CSIRT | Art 14 · Art 52(4) |
How to read the “Activates in” column. A definition that activates in “Art 13 · Art 21 · Art 32” means: when those three articles are applied, this definition is the one being relied on. Mis-reading the definition propagates to those articles. Cross-references to other Union legislation (Reg 765/2008, Reg 2019/881, Reg 2019/1020, Reg 2016/679 GDPR, Directive 2022/2555 NIS2, Reg 1025/2012) are noted where the CRA imports the term wholesale.
如何讀「觸發對應條文」欄。一個定義啟動於「Art 13 · Art 21 · Art 32」表示:這三條被適用時,依據的就是這個定義。讀錯定義會傳播到那些條文。對其他聯盟法規(Reg 765/2008、Reg 2019/881、Reg 2019/1020、Reg 2016/679 GDPR、Directive 2022/2555 NIS2、Reg 1025/2012)的交叉引用,在 CRA 整段引入用語的地方有標註。
For deeper context on why definitions matter structurally — and which five definitions APAC manufacturers most often misread — see the Article 3 commentary.
關於為何這些定義在結構上重要,以及 APAC 製造商最常讀錯的 5 個定義,請見 第 3 條 commentary。
The six phases of vulnerability handling — prEN 40000-1-3. 弱點處理的六個階段,prEN 40000-1-3。
These six phase identifiers are not CRA-defined terms — they are the structural skeleton of the harmonised standard prEN 40000-1-3 (under draft by CEN-CENELEC JTC 13 WG 9), the standard against which Article 13(8) "vulnerability handling" will be assessed. Once the standard is published as an EN under the OJEU, conformance with these phases gives presumption of conformity for the relevant Annex I Part II essential requirements. Reading them in order is the cleanest mental model for what Article 13(8) actually requires. 這六個階段識別碼不是 CRA 法定用語,它們是調和標準 prEN 40000-1-3(CEN-CENELEC JTC 13 WG 9 起草中)的結構骨架,第 13(8) 條「弱點處理」會用這份標準來評鑑。一旦標準以 EN 形式在 OJEU 公告,符合這六個階段就可推定符合 Annex I Part II 的相關必要要求。依序讀過這六個階段,是我目前找到對「第 13(8) 條到底要你做什麼」最乾淨的心智模型。
| № | Phase & description階段與說明 | 中文中文 | Activates in觸發對應條文 |
|---|---|---|---|
| [PRE] | Preparation
Establishing the policies, processes, and capabilities for vulnerability intake and disclosure that all subsequent phases depend on. Ten requirements (PRE-1 to PRE-10) — vulnerability handling policy, CVD policy, operational security, secure communication, product identification, software bill of materials (SBOM), hardware bill of materials (HBOM), test and review planning, distribution mechanisms.
建立後續所有階段所依賴的弱點接收與揭露政策、流程與能力。10 個 requirement(PRE-1 到 PRE-10):弱點處理政策、CVD 政策、營運安全、安全通訊、產品識別、軟體物料清單(SBOM)、硬體物料清單(HBOM)、測試與審查規劃、散發機制。
|
準備 準備 | prEN 40000-1-3 §5.3 · CRA Art 13(8) · Annex I Part II(1)–(2) |
| [RCP] | Receipt
Receiving and monitoring vulnerability reports from internal and external sources. Seven requirements (RCP-1 to RCP-7) — capability to receive reports (security.txt or equivalent), continuous monitoring of CVE feeds and upstream advisories, mapping new disclosures to potentially impacted software and hardware components via the SBOM/HBOM, coordinator involvement, regular tests and reviews.
接收並監測來自內外部來源的弱點通報。7 個 requirement(RCP-1 到 RCP-7):通報接收能力(security.txt 或同等機制)、CVE feed 與上游公告的持續監測、透過 SBOM/HBOM 把新揭露的弱點對應到可能受影響的軟硬體元件、協調者參與、定期測試與審查。
|
接收 接收 | prEN 40000-1-3 §5.4 · CRA Annex I Part II(5) |
| [VRF] | Verification
Triage. Assessing the validity, reproducibility, applicability, and severity of reported vulnerabilities. Two requirements (VRF-1 initial assessment, VRF-2 risk assessment). Output is a tracked, verified vulnerability report with severity rating — the input to remediation, and to Article 14 SRP notification if the threshold is met.
分流。評估通報弱點的有效性、可重現性、適用性與嚴重度。2 個 requirement(VRF-1 初步評估、VRF-2 風險評估)。產出:一份追蹤過、驗證過、含嚴重度評估的弱點報告,這是修復階段的輸入、達門檻時也是 Article 14 SRP 通報的輸入。
|
驗證 驗證 | prEN 40000-1-3 §5.5 · CRA Annex I Part II(1) · Art 14(1) |
| [RMD] | Remediation
Decision, development, and testing of fixes or mitigations. Three requirements (RMD-1 decision, RMD-2 development, RMD-3 test). RMD-3 covers both effectiveness and compatibility — a fix that breaks integrations is a fix that gets rejected. Output: a tested remediation, ready to ship.
修補或緩解措施的決策、開發、測試。3 個 requirement(RMD-1 決策、RMD-2 開發、RMD-3 測試)。RMD-3 同時涵蓋有效性與相容性,會打壞客戶整合的修補就是會被退回的修補。產出:測試過、可以出貨的修補。
|
修復 修復 | prEN 40000-1-3 §5.6 · CRA Annex I Part II(2) |
| [RLS] | Release
Distributing the security update and publishing the advisory. Two requirements (RLS-1 update distribution, RLS-2 release information). RLS-1 demands secure distribution channels, integrity verification, automatic updates for consumer products. RLS-2-RQ-03-RE requires a machine-readable advisory format — the standard explicitly references CSAF 2.0 (ISO/IEC 20153:2025). RLS-2-RC-01 expects publication into the EU Vulnerability Database (EUVD).
散發安全更新並發佈公告。2 個 requirement(RLS-1 更新散發、RLS-2 發佈資訊)。RLS-1 要求安全散發通道、完整性驗證、消費性產品自動更新。RLS-2-RQ-03-RE 要求機讀格式公告,標準明確引用 CSAF 2.0(ISO/IEC 20153:2025)。RLS-2-RC-01 期待公告進入歐盟弱點資料庫(EUVD)。
|
發佈 發佈 | prEN 40000-1-3 §5.7 · CRA Annex I Part II(7)–(8) · Art 14(8) |
| [PRA] | Post-release
Monitoring effectiveness and feeding lessons back into Preparation. One requirement (PRA-1). After the patch is shipped, you watch adoption rates, capture lessons learned, and use them to sharpen the next round of policies, detection, and triage. This is the loop that makes vulnerability handling a process, not a project.
監測有效性並把教訓回饋到準備階段。1 個 requirement(PRA-1)。修補出去後,你監控採用率、整理教訓、用來銳化下一輪的政策、偵測、分流。這是讓弱點處理變成「流程」、而不是「專案」的回饋迴圈。
|
發佈後 發佈後 | prEN 40000-1-3 §5.8 |
Why these phase identifiers are worth memorising. A notified body or market surveillance authority assessing your Article 13(8) compliance will navigate by these identifiers. "Show me your PRE-7 evidence" means "show me your SBOM". "Show me your RLS-2-RQ-03-RE artefact" means "show me your CSAF advisory". Building your evidence binder along these six phases turns audit into recognition rather than surprise.
為什麼這些階段識別碼值得記下來。公告機構或市場監督機關在評鑑你的 Article 13(8) 符合性時,會用這些識別碼來尋路。「Show me your PRE-7 evidence」意思是「拿你的 SBOM 出來」。「Show me your RLS-2-RQ-03-RE artefact」意思是「拿你的 CSAF 公告出來」。沿著這六個階段建立你的證據夾,稽核就會變成「展示」、不是「驚訝」。
For the full unpacking of how these six phases map to specific deliverables — and which of them must be done by September 2026 vs which can wait for December 2027 — see the September 2026 commentary and the Article 13 plain-language section.
這六個階段如何對應到具體可交付物,以及哪些必須在 2026 年 9 月前做完、哪些可以等到 2027 年 12 月,完整拆解請見 九月評論跟第 13 條白話解讀。