CRA Notebook
№ 006 · Last reviewed 26 Apr 2026 · 11 min read · Draft, non-binding · Standing

Legacy products designed before 2027: no redesign, but a present-day risk assessment is non-negotiable. Do they have to be rebuilt? No, but do not celebrate too early.

Products designed before 11 December 2027 do not have to be re-engineered. They do have to demonstrate, today and through a documented risk assessment, that they meet the essential requirements on the basis of their intended purpose. The Commission allows product-family grouping; it does not accept a reconstruction of historical design records as a substitute for that assessment.

A Taipei industrial-controller manufacturer ships a product line that was designed in 2023, hardened in 2024 and certified to IEC 62443-4-2 in 2025. The 2027 deadline arrives. Do they have to redesign the controller from scratch to meet the CRA?

No. The CRA does not impose a redesign obligation on legacy products. It does impose something else, and that something else is what most APAC manufacturers underestimate. Section 2.6 of the Draft Guidance answers the legacy question with a sentence that is easy to misread: compliance does not necessarily require redesign. The word doing the work is "necessarily".

The legacy doctrine
Draft Guidance § 2.6, paragraph 30: where a product is manufactured in accordance with a type or model designed and developed before the date of application of the CRA, compliance with the Regulation does not necessarily require that the product be redesigned. The manufacturer is still required to carry out a cybersecurity risk assessment under Article 13(2) to determine whether the product, on the basis of its intended purpose and reasonably foreseeable use, meets the essential cybersecurity requirements set out in Part I of Annex I.

Test 1: A risk assessment is non-negotiable.

Whether or not you redesign, you have to do the risk assessment. Article 13(2) applies to the product as it is being placed on the market, not to the product as it was designed. The Commission is explicit on this in paragraph 32: where the manufacturer cannot demonstrate how the risk assessment was taken into account during design and development, Article 13(2) is read as requiring the manufacturer to perform the assessment now and to demonstrate, on the basis of that assessment, that the product incorporates adequate security measures.

Note what just happened. The CRA is forward-looking by design, but for legacy products the obligation is read in the present tense: assess the product as it now exists, against the threats as they now exist, against the essential requirements as written. Whether a historical record exists is beside the point. What matters is whether you can produce a credible risk assessment today.

Test 2: If the existing measures already meet the requirements, you may rely on them.

Paragraph 31 of the Draft Guidance is the relief clause. If the risk assessment shows that the product already incorporates appropriate and effective security measures addressing the relevant risks, the manufacturer may rely on those existing measures to demonstrate compliance. The CRA imposes no obligation to introduce new security features or to redesign the product where that is not necessary to address the identified risks.

This sentence carries more weight than it looks. The test is not "was the product designed against the CRA"; the test is "does the product meet the essential requirements". The route taken to get there does not matter. A controller hardened to IEC 62443-4-2 in 2024 may already meet much of Annex I Part I without its designers ever having heard of the CRA.

Test 3: CE marking, the Declaration of Conformity and conformity assessment still apply.

Paragraph 32 makes the procedural obligations explicit. Whether or not the product was redesigned, the manufacturer must still, before placing it on the market, ensure that the applicable conformity assessment procedure has been carried out, that the EU Declaration of Conformity has been drawn up, and that the CE marking has been affixed. These obligations are independent of whether the design needed modification. The legacy doctrine forgives redesign, not conformity.

There is a useful concession for legacy products in paragraph 35. For products subject to Article 32(1) (the default category) where the risk assessment shows that existing measures are appropriate, the obligation to provide evidence as part of the conformity assessment procedure should not be understood as requiring the manufacturer to supply test results covering the original design and development phases. You do not have to retroactively reconstruct testing from 2023. The relief is on the historical test record, not on evidence as such: where the present-day assessment needs test results to show that an existing measure actually works, those tests still have to be run now.

Test 4: Vulnerability handling and Article 13(18) user information are not optional.

Paragraph 36 names the obligations that do not bend for legacy products: evidence of compliance with the vulnerability handling processes in Annex I Part II; keeping the risk assessment updated under Article 13(3); and providing information and instructions to users under Article 13(18). The Annex I Part II vulnerability handling regime (SBOM, coordinated vulnerability disclosure, the patching pipeline, the hookup to the ENISA single reporting platform) applies in full to legacy products. There is no grandfathering of the post-market obligations.

The legacy doctrine forgives the architecture you shipped. It does not forgive the SBOM you did not produce.

Product family grouping: a way to amortise the assessment cost.

Paragraph 35 closes with a useful pointer: where tests are necessary, manufacturers are not expected to provide evidence for every product variant. They may group tests across product families, with reference to Section 7.4 of the Draft Guidance on the re-use of risk assessments and conformity documentation for product families. This is the cost-recovery clause: one risk assessment can cover a family of related variants, provided the risks they share are genuinely the same.

For an APAC controller manufacturer with twenty SKUs differing only in I/O count, communication protocol, or housing, this is the path: one family-level risk assessment, family-level testing, family-level technical documentation. The marginal cost of adding a 21st SKU to the family is a delta document, not a new conformity assessment. One caveat for the threat modeller: I/O count and housing rarely change the attack surface, but a variant that adds or swaps a network protocol stack does, so the family assessment has to carry an explicit threat-model delta for that variant, not just a documentation delta.

APAC implications: three patterns from the legacy floor.

Pattern 1: Mistaking IEC 62443 evidence for CRA evidence. A Taiwan industrial OEM holds IEC 62443-4-2 SL-2 certification on a product line and assumes this satisfies the CRA. It does not. IEC 62443 is built on a different threat model, and the CRA essential requirements in Annex I Part I do not map one-to-one onto it. The mapping is mostly favourable, but you have to do the gap analysis. Treat the 62443 evidence as input to the CRA risk assessment, not as a substitute for it. As a rule of thumb the result is around 80% reuse with a 20% gap to close: manageable, but not zero.

Pattern 2: The historical reconstruction fantasy. A Korean OEM tries to reconstruct what the design intent was in 2022 in order to demonstrate compliance with the 2027 essential requirements. This is wasted effort. The Commission says it explicitly: where the manufacturer cannot demonstrate how the risk assessment was taken into account during design, the obligation is to perform the assessment now, against the product as it is. Do not spend three months reconstructing what your former engineers were thinking. Do the present-day assessment instead.

Pattern 3: The product family that is not one. A Taipei manufacturer with three product lines that share "some" common code tries to group them as a product family. The Notified Body pushes back (for default-category products assessed under Article 32(1) internal control, the pushback comes later, from the market surveillance authority that asks for the technical file). Family grouping requires the products to share genuinely the same risk profile: the same intended purpose, the same threat model, the same security architecture. Three different industrial domains (factory automation, building HVAC, fleet telematics) do not form a family even with shared code. The manufacturer ends up with three separate risk assessments. Being honest up front about what is and is not a family saves assessment cycles.

What to do tomorrow: inventory legacy SKUs, group, assess, document.

Step 1: list every product SKU that was designed before 11 December 2027 and will still be placed on the market after that date. That is your legacy inventory. Units already placed on the market before that date fall under the Regulation only if they are subsequently substantially modified (Article 69(2)), so the inventory is about what you keep shipping, not what is already in the field. Step 2: group SKUs by genuine risk-profile equivalence. The grouping is contestable, so document the criteria. Step 3: for each group, do one present-day risk assessment against Annex I Part I. Step 4: for each gap, decide between (a) showing that existing measures are sufficient and (b) targeted modification, not full redesign.

Step 5, the one most APAC manufacturers underestimate: the post-market machinery. SBOM, vulnerability handling, a CVD process, the Article 14 reporting hookup. None of this is forgiven by the legacy doctrine. Watch the calendar as well: under Article 71(2) the Article 14 reporting obligations apply from 11 September 2026, fifteen months before the main application date, so the reporting channel has to work before the legacy question for the product itself even arises. If you do not have a working PSIRT today, that is the hard work for legacy products, not the redesign you do not need to do.

Source and authority status. This article reads § 2.6 of the Commission's draft guidance on the application of the CRA, document Ares(2026)2319816, dated 3 March 2026. The guidance is a draft, published under Article 26(1) of the CRA. The feedback period closed on 31 March 2026; the final guidance had not yet been adopted at the time of writing. The guidance is not legally enforceable: only the Court of Justice of the EU can authoritatively interpret the CRA. This commentary reflects how an APAC manufacturer with legacy product lines might apply the draft today; it is not legal advice.