CRA Notebook

Interactive tool · Role × Classification × SRP readiness

In CRA, your role?

The Act treats manufacturers, importers, distributors, and software component suppliers very differently. Your obligations depend entirely on which of these you are. Start here.

This tool reads the Act. It does not issue legal advice, grant certification, or recommend any conformity assessment body. Outputs are educational.

Step 1 · Select your role

In CRA, which role?

Seven categories from Regulation (EU) 2024/2847. Pick the one that best describes how you reach the EU market. If two seem to fit, pick the more upstream role — the Act resolves overlap in Articles 21–22.

Step 1 · Result


Your obligations under the CRA

Role is the first axis. Whether your product is "Important" (Annex III) or "Critical" (Annex IV) determines which conformity assessment route applies — with or without a notified body. That is Step 2 below.

Step 2 · Product classification

Is your product Important or Critical?

Under CRA Arts. 7–8 and Implementing Regulation (EU) 2025/2392, classification is driven by the core functionality test. Integrating a browser component into a news app does not make the app a "browser". It's the primary purpose that counts. Answer the questions below in order — the first "yes" decides your tier.

⓪ Scope check before we classify

Does your product include a cloud backend or remote data processing component?

CRA Article 3(2) defines a Remote Data Processing Solution (RDPS) as remote data processing the absence of which would prevent the product from performing one of its functions. If you ship a smart camera that needs your cloud server to detect motion, that cloud is part of the CRA-regulated product. The Commission Guidance (Feb 2026) gives detailed examples.

Answer step-by-step · Classification is ready when you reach a conclusion

Step 2 · Result

What this tier means for conformity assessment

Your combined picture (Role × Classification)

Classification gives you the route. Execution needs Annex VII (technical documentation), the SBOM disclosure decision, Article 14 readiness for the 11 Sep 2026 deadline, and the underlying PRE infrastructure that all of these run on top of. Step 3 lets you choose which question to dive into next.

Step 3 · Pick a question

What do you want to solve next?

Four operational questions follow from your classification. Each is a self-contained tool — pick the one that matches what you need now. You can always come back for the others.

B

Annex VII readiness

Annex VII · Technical documentation

Eight-point checklist of the technical file you need to maintain for Class I / Important / Critical products.

C

SBOM disclosure

Article 13(25) · Annex I Part II §1

Decision tree: who can request your SBOM, in what format, with how much detail. Includes operational guidance for PSIRT prep.

D

PRE readiness

prEN 40000-1-3 · PRE-1 → PRE-10

10-question self-assessment against the preparation phase of vulnerability handling. Score, item-by-item status, and one priority next step.

Step 3 · SRP Readiness (Article 14)

Can you report on time?

From 11 September 2026, Article 14 requires manufacturers to notify the ENISA Single Reporting Platform of actively exploited vulnerabilities within 24 hours (early warning), 72 hours (detailed), and 14 days (final). This deadline applies retroactively to all products already on the EU market (Article 69(3)). Six operational capabilities decide whether you can meet it.

The 11 Sep 2026 deadline is tier-agnostic. Even Default-tier manufacturers and software-component suppliers must have a reporting pathway ready.

Step 3 · Result

Per-domain breakdown

SRP readiness is necessary but not sufficient. Article 14 also requires (i) a CVD policy and contact point under Annex I Part II(5)–(6), (ii) coordinated vulnerability disclosure when a vulnerability is discovered in a third-party component (Article 14(4)), and (iii) user notification without undue delay (Article 14(8)). The full Annex I Part II picture — 8 requirements including SBOM, secure update distribution, free-of-charge patching — lives beyond what this stage assesses.

Why role comes first

Most "CRA compliance checkers" online rush from a one-off product category question straight to a list of recommended services. This one takes three steps instead — role first, then classification, then SRP readiness — because the three are sequential, not parallel. Role decides which articles apply; classification decides the conformity assessment route; SRP readiness is a near-term operational deadline that applies regardless of role or tier. Collapse them and the answer is usually wrong.

Role gets its own stage because getting role wrong means every downstream decision is wrong. Classification gets its own stage because the Important-Class II and Critical tiers change the conformity assessment route entirely. SRP readiness gets its own stage because 11 September 2026 is a hard deadline — and unlike the other requirements that only apply to future products, Article 14 reaches back to products already on the EU market.

Data sources: Regulation (EU) 2024/2847 (CRA) as published in OJ L 2024/2847, 20 Nov 2024. Product classification questions verified against Commission Implementing Regulation (EU) 2025/2392 Annex I (19 Class I + 4 Class II categories) and Annex II (3 Critical categories) — official EUR-Lex text, retrieved 24 April 2026. SRP readiness domains derived from CRA Article 14 (reporting obligations) cross-referenced with Annex I Part II (1)–(8) vulnerability handling requirements. Role definitions and category names are paraphrased for clarity; binding text at EUR-Lex.