CRA Notebook

References

The reading list behind this notebook. The texts I read, the platforms I rely on, the documents I keep checking back against.

Two principles for what is on this page. First, binding text comes first — the regulations that have the force of law. Everything below them is supplementary. Second, every document carries a Last verified date — the day I last confirmed it is still the active version. This is a working bibliography, not a snapshot. When the version moves, the date moves.

On revisions to this page. Reference entries are revised silently as URLs, versions, and metadata change. The errata page logs only corrections to commentary about CRA content — not maintenance of the bibliography itself.

EU regulations — binding text

These are the documents whose text the site cites verbatim. Every binding claim on this site traces to one of these.

Cyber Resilience Act and supplements

Regulation (EU) 2024/2847 — Cyber Resilience Act

European Parliament & Council · Adopted 23 Oct 2024 · OJ L published 20 Nov 2024 · Entry into force 10 Dec 2024 · Last verified 2026-04-29

The base regulation. Defines the scope, manufacturer obligations, conformity assessment routes, market surveillance, and the reporting framework. Fully applicable from 11 December 2027; Article 14 reporting obligations apply from 11 September 2026.

Commission Delegated Regulation (EU) 2026/881 — supplementing CRA Article 14(9) on grounds for delaying SRP dissemination

European Commission · Adopted 11 Dec 2025 · OJ L published 20 Apr 2026 · In force 10 May 2026 · Last verified 2026-04-29

Specifies the grounds on which CSIRTs and ENISA may delay disseminating vulnerability notifications submitted via the Single Reporting Platform. Three categories of conditions: nature of the information (Art 3, four sub-conditions), CSIRT confidentiality (Art 4), SRP outage (Art 5).

Commission Implementing Regulation (EU) 2025/2392 — technical descriptions of important and critical product categories

European Commission · Adopted 28 Nov 2025 · OJ L published 1 Dec 2025 · Entry into force 21 Dec 2025 · Last verified 2026-04-29

Pursuant to Article 7(4) CRA. Provides binding technical descriptions for the 28 product categories listed in Annex III (Important, Class I and II) and Annex IV (Critical) of the CRA. Resolves the classification ambiguity manufacturers previously faced when reading the Annexes' general descriptions. First major piece of CRA secondary legislation. Recitals 3–5 govern when an embedded component does or does not pull the host product into the category — the boundary rule the site's Article 7 commentary depends on.

Closely related EU regulations

Directive (EU) 2022/2555 — NIS2

European Parliament & Council · In force since 16 Jan 2023 · National transposition due 17 Oct 2024 · Last verified 2026-04-29

The CSIRT designation regime that the CRA reporting cascade rests on. CRA Article 14(7) routes notifications via the CSIRT designated as coordinator under NIS2. The Cooperation Group established under NIS2 Article 14 is referenced in CRA Article 13(25).

Regulation (EU) 2024/1689 — AI Act

European Parliament & Council · OJ L published 12 Jul 2024 · Phased application from 2 Feb 2025 · Last verified 2026-04-29

Cross-applicability for products with digital elements that are also AI systems. CRA Annex III Class II overlaps with AI Act Annex VI/VII conformity assessment in some cases; routing decisions need both regulations read together.

Regulation (EU) 2016/679 — GDPR

European Parliament & Council · In force since 25 May 2018 · Last verified 2026-04-29

Personal-data overlap and breach-notification interplay. CRA Article 14 incident reporting and GDPR Article 33 breach notification can be triggered by the same event, with different regulators, different deadlines, and different content requirements.

Regulation (EU) 2023/1230 — Machinery Regulation

European Parliament & Council · OJ L published 29 Jun 2023 · Application 20 Jan 2027 · Last verified 2026-04-29

CRA Recital 53: cross-compliance for products that are both machinery and products with digital elements. Cybersecurity essential requirements under the CRA may help demonstrate compliance with the machinery essential requirements that also cover cybersecurity risks (Annex III sections 1.1.9, 1.2.1).

Directive 2014/53/EU — Radio Equipment Directive (RED) and Delegated Act (EU) 2022/30 (RED-DA)

European Parliament & Council; European Commission · RED in force since 13 Jun 2014; RED-DA Article 3(3)(d–f) applicable 1 Aug 2025 · Last verified 2026-04-29

RED-DA covers cybersecurity essential requirements for radio products. The CRA progressively supersedes RED-DA for non-radio cybersecurity aspects; transition handling matters for products placed on the market under RED-DA before CRA full application.

Commission Implementing Regulation (EU) 2024/482 — EUCC scheme

European Commission · OJ L published 31 Jan 2024 · Application 27 Feb 2025 · Last verified 2026-04-29

EU Common Criteria-based cybersecurity certification scheme. CRA Annex IV Critical-class products may be required to use EUCC at the “substantial” assurance level once delegated acts under CRA Article 8 are adopted.

European Commission documents — non-binding

Authoritative but not legally binding. Useful for clarifying scope and intent; they do not displace the regulation text.

FAQs on the Cyber Resilience Act, v1.2

Commission services (DG CNECT) · v1.0: 3 Dec 2025 · v1.1: 17 Dec 2025 · v1.2: 16 Jan 2026 (current) · Last verified 2026-04-29

Living document. The Commission states explicitly that the FAQs are not authoritative and do not extend rights or obligations. Useful for surfacing how the Commission services currently read recurring questions on scope, definitions, and transitions.

Draft Commission Guidance on the application of the CRA — Communication Ares(2026)2319816

European Commission, DG CNECT · Published for feedback 3 March 2026 · Consultation closed 31 March 2026 · Final version pending · Last verified 2026-04-29

First Commission guidance issued under Article 26 CRA. Approximately 70 pages, 232 paragraphs, structured around 9 thematic areas: scope/applicability (incl. the RDPS three-part test and source-code/data-connection edge cases), the FOSS placed-on-market boundary, support periods, substantial modification (4-factor test, 17 worked examples), CRA-vs-other-EU-law interplay, reporting obligations, microenterprise/SME considerations. Heavily relied on for the site's Guidance section, which marks each interpretation as draft. Non-binding; the final version may differ from the draft after review of stakeholder feedback.

Standardisation Request M/606 — harmonised standards in support of the CRA

European Commission to CEN, CENELEC, ETSI · Issued March 2025 (C(2025)618) · Accepted by the ESOs 3 April 2025 · Last verified 2026-04-29

The Commission's request to CEN, CENELEC, and ETSI for 41 harmonised standards (15 horizontal + 26 vertical) giving presumption of conformity with CRA Annex I. Underpins the prEN 40000-1-x series. Vertical standards target Annex III Class I/II and Annex IV products, using the EN 304 6xx numbering scheme.

Harmonised standards and technical specifications

Draft European standards that, once adopted and cited in the OJ, give presumption of conformity with CRA Annex I. As of the Last verified date, the whole prEN 40000-1-x series remains in draft.

prEN 40000-1-1:2025 — Cybersecurity for products with digital elements: framework and vocabulary

CEN-CENELEC JTC 13 WG 9 · Public enquiry: 9 Oct 2025 → ~early Jan 2026 (12 weeks); comments resolution in progress · Last verified 2026-04-29

Part 1 of the harmonised standard series. Provides the vocabulary and the framework that the other parts build on. Currently in draft; not yet OJ-cited.

prEN 40000-1-2:2025 — Cybersecurity for products with digital elements: generic security requirements

CEN-CENELEC JTC 13 WG 9 · Public enquiry closed 8 Dec 2025; comments resolution in progress · Last verified 2026-04-29

Part 2 of the series. Generic security requirements mappable to CRA Annex I Part I (the 13 product-property essential requirements). Currently in draft.

prEN 40000-1-3:2025 — Cybersecurity for products with digital elements: vulnerability handling

CEN-CENELEC JTC 13 WG 9 · Public enquiry: 11 Dec 2025 → ~4 Mar 2026 (12 weeks); comments resolution in progress · Last verified 2026-04-29

Part 3 of the series. Vulnerability handling, mappable to CRA Annex I Part II. Decomposes vulnerability handling into 6 phases (PRE, RECEIVE, TRIAGE, REMEDIATE, COMMUNICATE, LEARN) and 25 requirement groups. The site's commentary on the PRE phase relies on this draft.

EN 18031 series (parts 1, 2, 3) — Common security requirements for radio equipment

CEN-CENELEC · Adopted 2024–2025 · Harmonised under RED-DA · Last verified 2026-04-29

Adopted harmonised standard for the RED-DA Article 3(3)(d–f) cybersecurity requirements. Mappable to CRA Annex I; manufacturers compliant with EN 18031 today have a head start on CRA conformity, with caveats on what is and is not covered.

EN IEC 62443-4-1 — Industrial communication networks: security for IACS, product development requirements

IEC / CENELEC · Published; revision in progress · Last verified 2026-04-29

Industrial automation and control systems product-development security baseline. Cited by industrial-product manufacturers as the supply-chain due-diligence reference for CRA Article 13(5)/(6). Not a CRA harmonised standard, but widely adopted in OT contexts.

ENISA

European Union Agency for Cybersecurity. Operates the Single Reporting Platform under CRA Article 16 and publishes periodic reports.

ENISA Single Reporting Platform (SRP)

ENISA · Platform in preparation · CRA Article 16 entry point · Scheduled to be operational by 11 Sep 2026 · Last verified 2026-04-29

Single entry point for Article 14 reporting (vulnerabilities and severe incidents). Manufacturers will file via electronic notification end-points routed to the CSIRT designated as coordinator. Implementation tendered under ENISA/2025/OP/0001 (4-year contract, closed Mar 2025); vendor not publicly disclosed. No registration mechanism or URL has been published as of April 2026; a testing period is expected before the 11 Sep 2026 operational date.

ENISA Threat Landscape (ETL) — annual report

ENISA · Annual; current edition ETL 2025 (v1.2 published 9 Jan 2026) · Last verified 2026-04-29

Sector-by-sector threat trend report. Informational input for risk-assessment baselines under CRA Article 13(2)/(3). Not a regulatory document, but useful for grounding the risk-assessment narrative in documented threat patterns.

Member-state documents

National-level guidance and standards bodies. Informational for cross-EU readers; can be authoritative within their issuing jurisdiction.

BSI Technical Report 03183 (TR-03183) — parts 1, 2, 3, H

BSI (German Federal Office for Information Security) · Germany · Living document · Part 1 v0.10.0, Part 2 v2.1.0, Part 3 v1.0.0 (Aug 2025), Part H v1.0.0 community draft (Mar 2026) · Last verified 2026-04-29

German national guidance on cybersecurity for products with digital elements. TR-03183 has four parts: Part 1 (general requirements), Part 2 (SBOM), Part 3 (vulnerability reports and notifications), Part H (CRA conformity via an ISO/IEC 27001 ISMS / Module H). Mappable to CRA Article 13. Treated as informational outside Germany.

NEN-EN 40000-1-x:2025 Ontwerp (Dutch national publication of the European drafts)

NEN (Royal Netherlands Standardisation Institute) · Netherlands · Published Oct 2025 (parts 1, 2) and Dec 2025 (part 3) · Last verified 2026-04-29

Dutch national publication of the prEN 40000-1-x drafts for national-level commentary. Content is identical (IDT) to the prEN drafts. Useful when the prEN PDFs are difficult to access; the NEN drafts are a parallel route to the same text.

Cross-reference and industry frameworks

Frameworks and formats not specific to the CRA, but referenced by manufacturers when designing CRA compliance programmes.

NIST Cybersecurity Framework 2.0; NIST SP 800-53

NIST (US National Institute of Standards and Technology) · CSF 2.0 published 26 Feb 2024 · SP 800-53 Rev. 5 (current) · Last verified 2026-04-29

US framework. Some manufacturers cross-walk NIST CSF / SP 800-53 controls to CRA essential requirements as a way to leverage existing programmes. Not a CRA conformity route.

ISO/IEC 27001:2022 — Information security management systems

ISO/IEC · Published 25 Oct 2022 · Transition from ISO 27001:2013 ended 31 Oct 2025 · Last verified 2026-04-29

Management system reference. Informational; ISO 27001 certification is not a CRA conformity route. Manufacturers with mature ISMS programmes already satisfy parts of Annex I Part II vulnerability handling, but the CRA scope is broader. Note: BSI TR-03183-H provides a path to demonstrating CRA conformity through an ISO 27001-compliant ISMS.

CSAF (Common Security Advisory Framework) 2.0

OASIS Open · Standard ratified 2022 · Last verified 2026-04-29

Machine-readable format for security advisories. Relevant to Article 14 reporting workflow design. Some Commission documents suggest CSAF will be among the formats specified by implementing acts under Article 13(24).

SBOM formats: SPDX 3.0, CycloneDX 1.6

Linux Foundation (SPDX) · OWASP / Ecma TC54 (CycloneDX) · SPDX 3.0 published 2024 · CycloneDX 1.6 published 2024 · Last verified 2026-04-29

SBOM formats potentially specified by Commission implementing acts under CRA Article 13(24). Both are operational standards in industry; no Commission act has yet bound either as the CRA-specified format.

How this list is maintained

Each entry carries a Last verified date — the day I last confirmed the document is the active version, the URL still resolves, and the version number (where applicable) has not moved. When something changes (a new prEN draft, a Commission FAQ version bump, an OJ corrigendum), the entry's annotation and date are updated.

This page is a living working bibliography, not a snapshot. Suggestions for additions, especially for documents I should be tracking but am not, are welcome.