Read the EULA of any consumer IoT product shipped today. Somewhere in the dense legal text you’ll find a clause: “User assumes all risks arising from the use of the product in unsecured network environments.” Or: “User is responsible for maintaining the security of credentials.” Or: “User accepts that no software is free of vulnerabilities and waives claims arising therefrom.”
All of these clauses, under the CRA, are dead on arrival. Section 7.1 of the Draft Guidance closes the door on risk transfer to the user via documentation, terms of service, or any other contractual instrument. Cybersecurity risk stays with the manufacturer. The product, when placed on the market, must meet the essential requirements — not the user’s waivers.
The regulatory threshold
Risk is not measured against your appetite. It’s measured against a fixed bar.
In organisational risk management, residual risk is evaluated against the organisation’s own acceptance criteria — its risk appetite, business priorities, cost trade-offs. The CRA breaks this pattern. Paragraph 141 of the Draft Guidance is explicit: under the CRA, residual cybersecurity risk is assessed against a regulatory threshold. The product placed on the market needs to ensure an appropriate level of cybersecurity based on the risks, in light of its intended purpose and reasonably foreseeable use. The threshold is fixed in the regulation. Your risk appetite is irrelevant to whether you cross it.
The implication is structural: a manufacturer cannot say “we accept this residual risk because addressing it would erode our margin”. The Commission rules out this argument explicitly in paragraph 142: internal risk tolerance and commercial considerations are not relevant. They might be relevant to whether you ship the product at all. They’re not relevant to whether the product, once shipped, meets the essential requirements.
The four product-level moves
What the Commission says manufacturers can do.
Paragraph 144 of the Draft Guidance gives the manufacturer four moves when a risk is identified. None of them is “document and accept”:
| Move | What it looks like | When the manufacturer reaches for it |
|---|---|---|
| Reduce attack surface | Disable unused services; close ports; remove unneeded interfaces | When the risk comes from exposure that isn’t serving the intended purpose |
| Implement technical safeguards | Authentication, encryption, integrity verification, monitoring | When the risk has known controls that are state-of-the-art |
| Limit or adapt functionality | Default-disable risky features; require user activation; restrict to trusted environments | When the risk comes from features whose value doesn’t justify their threat exposure for all users |
| Define intended purpose more precisely | Narrow the documented use cases; explicitly exclude environments the product wasn’t designed for | When the risk only exists in environments outside the realistic intended use |
All four are moves on the product. None is a move on the user. The fourth one is the closest the regulation comes to allowing scope-shrinking, and even then the manufacturer is restating their own product’s intended purpose — not asking the user to take on risk.
Where information to users still helps
There’s a narrow lane for legitimate user-side information.
Paragraph 146 carves out a small space where information and instructions to users have legitimate use. They support secure deployment and operation. They can inform users of residual risks that are inherent and unavoidable. Where the manufacturer has chosen to restrict the intended purpose to trusted environments, user information communicates that boundary.
But the next sentence in the same paragraph forecloses misuse: such information cannot be used to compensate for shortcomings in product design, or to justify leaving cybersecurity risks unaddressed where those risks are incompatible with the essential requirements. So you can tell the user “run this device on a network behind your home router’s NAT, not exposed to the open internet” — that’s legitimate operating-environment information. You cannot tell the user “the device’s default credentials are admin/admin, please change them after installation” — that’s a design defect masquerading as a user instruction.
User documentation can describe the safe operating envelope. It cannot patch a hole inside it.
When the only solution is to change the product
Or not to ship.
Paragraph 147 of the Draft Guidance is the sentence APAC product managers don’t want to hear: where the cybersecurity risk assessment identifies risks that cannot be adequately addressed through appropriate measures, compliance with the CRA may require changes to the product’s design, functionality or intended purpose. Considerations relating solely to cost or commercial feasibility do not constitute sufficient grounds for leaving such risks untreated where this would prevent the product from meeting the essential requirements.
The implication: the regulation contemplates a class of products that should not be placed on the market. If the risks can’t be addressed at the product level, and they can’t be transferred to the user, and they can’t be hidden behind “intended purpose” restrictions, then the only remaining options are to change the product’s design until it can meet the requirements — or not to place it on the market at all. There is no fourth door.
APAC implications
Three patterns where the non-transfer rule bites.
Pattern 1: Default credentials. Many APAC consumer IoT products still ship with default credentials and rely on the user to change them. The CRA essential requirements (Annex I Part I, point 2(d)) require products to be delivered with a secure-by-default configuration, including by enforcing change of default credentials at first use. Telling the user to change the password is not compliance — the product itself must enforce it. A 2027 audit will not accept “but the user manual told them to”.
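What “the product itself must enforce it” looks like in code, as an added example that is not from the page or from any vendor’s firmware: a minimal Python model of a device control plane that refuses every operational request while the factory default credential is still in place, and only accepts a change that actually retires it. The factory default admin/admin, the 12-character minimum, and the class and method names are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Constructed factory default for this example; a real product has its own.
FACTORY_DEFAULT_USER = "admin"
FACTORY_DEFAULT_PASSWORD = "admin"
MIN_PASSWORD_LEN = 12  # assumed policy value, not a figure from the guidance


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the stored verifier is never the raw password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class DeviceControlPlane:
    """Models a device that enforces a credential change at first use.

    While the factory default is still set, the only request served is
    change_password; everything else is refused by the product itself,
    so no user manual has to ask the user to remember to do it."""

    def __init__(self) -> None:
        self._user = FACTORY_DEFAULT_USER
        self._salt = os.urandom(16)
        self._verifier = _derive(FACTORY_DEFAULT_PASSWORD, self._salt)
        self.default_active = True  # cleared only by a successful change

    def _authenticate(self, user: str, password: str) -> bool:
        candidate = _derive(password, self._salt)
        return user == self._user and hmac.compare_digest(candidate, self._verifier)

    def change_password(self, user: str, old: str, new: str) -> str:
        if not self._authenticate(user, old):
            return "denied: bad credentials"
        if len(new) < MIN_PASSWORD_LEN or new == FACTORY_DEFAULT_PASSWORD:
            return "denied: new password rejected by policy"
        self._salt = os.urandom(16)
        self._verifier = _derive(new, self._salt)
        self.default_active = False
        return "ok: default credential retired"

    def request(self, user: str, password: str, action: str) -> str:
        """Any operational request (start a stream, open the API, ...)."""
        if not self._authenticate(user, password):
            return "denied: bad credentials"
        if self.default_active:
            # The enforcement point required by Annex I: the product refuses
            # to operate until the default credential has been replaced.
            return "denied: change the default credential before use"
        return f"ok: {action} performed"
```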
Pattern 2: The “use only on trusted networks” bypass. A Taiwan smart-camera vendor identifies a vulnerability in their RTSP stream handling. Fixing it requires re-engineering. Their workaround: add a sentence to the user manual saying “deploy this device only on private, trusted networks”. Paragraph 146 explicitly disallows this. The vulnerability is a design shortcoming; user instructions cannot patch it. The fix is the engineering, not the manual update.
Pattern 3: The cost-benefit argument that doesn’t fly. A Korean appliance OEM’s engineering team flags a residual risk in the OTA update mechanism: the device accepts updates signed by any of three legacy keys, two of which use a deprecated signature scheme. Fixing it requires firmware re-engineering and a key rotation across millions of installed devices. The cost is €800,000. The product team argues: residual risk is small, cost is large, accept it. Paragraph 142 says cost considerations are not relevant to whether essential requirements are met. If the residual risk crosses the regulatory threshold, the cost is irrelevant. The fix happens, or the product line stops shipping to the EU.
What to do tomorrow
Audit your EULA. Audit your default settings. Audit your “use only on” clauses.
Pull every consumer-facing document for every product: EULA, terms of service, privacy policy, user manual, packaging text. Look for: clauses that allocate cybersecurity risk to the user; clauses that disclaim liability for security incidents; instructions that ask the user to perform a security configuration step; warnings about “trusted environments” or “recommended network setup”. Each of these is potentially a non-compliant risk transfer. The legitimate use is informing the user of inherent residual risk; the illegitimate use is patching design holes.
For each finding, ask: is the underlying issue a design defect, or genuinely an environmental boundary? If it’s a defect, the fix is in engineering, not in the manual. If it’s a genuine boundary — the device is industrial-grade and not designed for residential networks — then the user instruction is legitimate, but the technical documentation needs to clearly state the bounded intended purpose. The line between the two is not always clear; that’s why the audit needs to be conscious, not automatic.