CRA Notebook
Working note: actively evolving, may be revised. See /errata for the change log.

Role 1 · A reading for manufacturers

If your name is on the product, this is your CRA.

The CRA's centre of gravity sits on the manufacturer. Of all the roles defined in the regulation, this one carries the most paragraphs, the tightest timing constraints, and the most sustained obligations after the product ships. The reading below is the one I would hand to a manufacturer who has not opened the regulation yet.

CRA definition · Article 3(13)
Anchor provisions · Articles 13, 14, 28, 31, 32 and Annex I Part II
Applies from · 11 Dec 2027 (Article 14 reporting from 11 Sept 2026)
Status · Working

Block 1 · The threshold question

Three doors into the manufacturer club: make it, label it, or substantially modify it.

The CRA defines manufacturer in Article 3(13): anyone who develops or manufactures products with digital elements, or has them designed, developed or manufactured, and markets them under their own name or trademark, whether for payment, monetisation or free of charge. The first half is intuitive. The second half, own name or trademark, is the one APAC OEM/ODM operations sometimes underestimate.

If you make the product and market it under your own name, you are a manufacturer. That is the obvious door.

If you are an EU importer or distributor and put your label on someone else's product, Article 21 turns you into the manufacturer of that product. That is the door no one applies through; it activates by behaviour. Most APAC ODM relationships do not live cleanly on either side of this line. The reading of Article 21 in Block 4 below is where the real cost decisions get made.

If you make a substantial modification to a product already on the market, you are re-cast as the manufacturer of the modified product: for the part of the product the modification affects, or for the whole product if the modification affects its cybersecurity as a whole. Two pathways apply depending on who you are: Article 21 if you are an EU importer or distributor; Article 22 if you are anyone else, a system integrator, value-added reseller or third-party customiser. Article 3(30) defines substantial modification; broadly, a post-market change that affects compliance with Annex I Part I or changes the intended purpose the product was assessed for. A security update that fixes a vulnerability is not meant to be one. APAC system integrators and value-added resellers should read Article 22 before bundling.

Block 2 · Anchor articles

The six provisions that define your obligations.

The CRA has 71 articles. As a manufacturer you should read all of them eventually. But five articles and one annex define what you must do, when, and to what evidence standard. The rest is context for these six.

Article 13

Manufacturer obligations

The 25-paragraph backbone. Design and development in line with Annex I Part I, a documented cybersecurity risk assessment, SBOM and due diligence on third-party components, a support period of at least five years unless the product is expected to be in use for less, vulnerability handling for that whole period, a single point of contact for users and reporters, the EU DoC, the technical documentation, and the retention of both for 10 years or the support period, whichever is longer. Every other manufacturer obligation in the regulation is anchored here.

Article 14

Reporting obligations

Two parallel tracks with the same opening cadence: an early warning within 24 hours and a fuller notification within 72 hours of becoming aware, for an actively exploited vulnerability and for a severe incident having an impact on the security of the product. The final reports differ. For a vulnerability it is due no later than 14 days after a corrective or mitigating measure is available, so that clock does not start at awareness. For a severe incident it is due within one month after the 72-hour notification. Reports go through the single reporting platform (Article 16) to the CSIRT designated as coordinator and to ENISA, on a schedule that is not negotiable. The clock starts when you become aware, not when you are sure. And under the transitional provisions (Article 69) this duty applies from 11 September 2026 to products already on the market, not only to products placed after full applicability.
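As an added example (my own code, not from the Regulation, ENISA or any vendor tooling): a small deadline tracker that encodes the Article 14 cadence described above. It makes explicit the two details teams tend to get wrong, that the vulnerability final report is keyed to fix availability rather than awareness, and that the incident final report is one calendar month after the notification, not 30 days. Class and function names (ReportingClock, clock_from_iso, month_after) are my own; the timeline in the usage block is constructed.

```python
"""Article 14 reporting-deadline tracker (added example, not CRA or vendor code).

Cadence modelled:
  actively exploited vulnerability: early warning 24h and notification 72h
      after awareness; final report 14 days after a corrective or
      mitigating measure is available (unknown until a fix exists).
  severe incident: early warning 24h and notification 72h after awareness;
      final report one calendar month after the notification is submitted.
All timestamps are timezone-aware UTC; the clock starts at awareness.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc


def add_calendar_month(moment: datetime) -> datetime:
    """'One month' is a calendar month, not 30 days. Clamp to the last day
    of the target month (31 Jan -> 28/29 Feb)."""
    year = moment.year + moment.month // 12
    month = moment.month % 12 + 1
    day = min(moment.day, calendar.monthrange(year, month)[1])
    return moment.replace(year=year, month=month, day=day)


def month_after(iso: str) -> str:
    """ISO-string convenience wrapper around add_calendar_month."""
    return add_calendar_month(datetime.fromisoformat(iso)).isoformat()


@dataclass(frozen=True)
class ReportingClock:
    kind: str                                        # "vulnerability" or "incident"
    aware_at: datetime                               # moment of awareness (UTC)
    fix_available_at: Optional[datetime] = None      # vulnerability track only
    notification_sent_at: Optional[datetime] = None  # when the 72h report went out

    def __post_init__(self) -> None:
        if self.kind not in ("vulnerability", "incident"):
            raise ValueError("kind must be 'vulnerability' or 'incident'")
        for t in (self.aware_at, self.fix_available_at, self.notification_sent_at):
            if t is not None and t.tzinfo is None:
                raise ValueError("timestamps must be timezone-aware")

    def early_warning_due(self) -> datetime:
        return self.aware_at + timedelta(hours=24)

    def notification_due(self) -> datetime:
        return self.aware_at + timedelta(hours=72)

    def final_report_due(self) -> Optional[datetime]:
        if self.kind == "incident":
            # One calendar month after the notification actually went out;
            # if it has not gone out yet, assume the latest permitted moment.
            sent = self.notification_sent_at or self.notification_due()
            return add_calendar_month(sent)
        if self.fix_available_at is None:
            return None  # cannot be scheduled until a fix or mitigation exists
        return self.fix_available_at + timedelta(days=14)

    def schedule(self) -> dict[str, Optional[datetime]]:
        return {
            "early_warning": self.early_warning_due(),
            "notification": self.notification_due(),
            "final_report": self.final_report_due(),
        }

    def schedule_iso(self) -> dict[str, Optional[str]]:
        return {k: (v.isoformat() if v else None) for k, v in self.schedule().items()}

    def overdue(self, now: datetime) -> list[str]:
        """Deadlines already missed at `now`; an unschedulable final report is skipped."""
        return [name for name, due in self.schedule().items()
                if due is not None and now > due]

    def overdue_iso(self, now_iso: str) -> list[str]:
        return self.overdue(datetime.fromisoformat(now_iso))


def clock_from_iso(kind: str, aware: str, fix: Optional[str] = None,
                   sent: Optional[str] = None) -> ReportingClock:
    """Build a clock from ISO-8601 strings with an explicit UTC offset."""
    parse = lambda s: datetime.fromisoformat(s) if s else None
    return ReportingClock(kind, parse(aware), parse(fix), parse(sent))


if __name__ == "__main__":
    # Constructed timeline: aware on 15 Sept 2026 10:00 UTC, no fix yet.
    vuln = clock_from_iso("vulnerability", "2026-09-15T10:00:00+00:00")
    for name, due in vuln.schedule_iso().items():
        print(f"{name:14} {due}")            # final_report prints None
    print(vuln.overdue_iso("2026-09-17T00:00:00+00:00"))  # ['early_warning']
```

The final report for the vulnerability track stays None until fix_available_at is set, which is the honest answer: a ticketing system that computes "awareness + 14 days" for that report is encoding the wrong trigger.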

Article 13(8) + Annex I Part II

Vulnerability handling

The CVD policy you must publish. The patch you must distribute, without delay and free of charge, through a secure update channel. The contact address you must keep open for vulnerability reports. Annex I Part II (eight points) is the substance; Article 13(8) is the hook that binds you to it for the whole support period. Note the article number: in the adopted text Article 15 is voluntary reporting, not vulnerability handling.

Article 28

EU declaration of conformity

The statement signed under your name that the product meets every applicable Union harmonisation act. Annex V lists the eight items it must contain; Annex VI is the simplified form, which must say where the full declaration can be obtained. A product that falls under RED, the Machinery Regulation and the LVD as well as the CRA gets one single DoC covering all of them (Article 28(3)). It is kept with the technical documentation for the same 10-year-or-support-period term.

Article 31

Technical documentation

Annex VII contents. Drawn up before the product is placed on the market and continuously updated during the support period, not a snapshot. Kept at the disposal of market surveillance authorities for at least 10 years after placing on the market or for the support period, whichever is longer (Article 13(13)). The biggest operational difference from existing RED/EMC technical files: your CRA file moves with the product.

Article 32

Conformity assessment routing

The decision tree; the modules themselves are in Annex VIII. Not in Annex III → your choice of Module A (internal control), B+C or H. Annex III Class I → Module A only if you apply harmonised standards, common specifications or a European cybersecurity certification scheme that cover the requirements; otherwise B+C or H, which means a notified body. Annex III Class II → B+C or H, notified body mandatory. Annex IV Critical → a European cybersecurity certificate at assurance level 'substantial' or higher (EUCC is the obvious candidate) once the Commission mandates one by delegated act; until then B+C or H. The single most cost-determining choice you make.

Block 3 · The timing

When obligations turn on.

The CRA does not switch on all at once. Entry into force and three staggered application dates (Article 71) structure the manufacturer's preparation window.

Date · What turns on · What you should be doing

10 Dec 2024 · Entry into force
What turns on: the Regulation is legally binding (published in the OJ on 20 Nov 2024, in force on the twentieth day after). No manufacturer obligations active yet.
What you should be doing: read the text. Map your portfolio against Annex III/IV. Decide which products are in scope.

11 June 2026 · Chapter IV applies
What turns on: Articles 35 to 51, notification of conformity assessment bodies. Member States can start designating CRA notified bodies; none can exist before this date.
What you should be doing: if your routing is B+C or H, open the notified body conversation as soon as bodies are designated. Capacity is a schedule risk, not only a cost line.

11 Sept 2026 · Reporting on
What turns on: Article 14 obligations active. The 24h / 72h cadence starts running, with final reports 14 days after a corrective measure is available (vulnerabilities) or one month after the notification (severe incidents). This applies to products already on the market, not only new ones (Article 69). Article 13, including the Annex I Part II vulnerability-handling duties, is still in transition.
What you should be doing: have a CVD policy. Have a contact channel. Have a 24h-capable incident triage process with a defined "awareness" trigger. Know your coordinator CSIRT and have access to the single reporting platform.

11 Dec 2027 · Full applicability
What turns on: Articles 13, 28, 31 and 32 all active. Conformity assessment required. CE marking required. EU DoC required. Products placed on the market before this date are caught only if substantially modified afterwards (Article 69).
What you should be doing: have completed conformity assessment. Have a signed DoC. Have the technical documentation. Have the NB engaged (if Class I without an applicable hEN, Class II, or Critical).

Block 4 · APAC perspective

What APAC manufacturers consistently get wrong.

1 · "We are an ODM, the brand handles compliance."

Sometimes true. Often not. Manufacturer status under Article 3(13), and the Article 21 inheritance for importers and distributors, turn on whose name or trademark goes on the product, not on what the contract says. If your private-label SKU goes out with the importer's brand on the box, the importer inherits the manufacturer obligations under Article 21, and that risk is well understood. If it goes out with no brand, or the brand is applied at retail by a distributor, the responsibility chain gets messy: a product with no manufacturer name and contact on it fails the Article 13 marking duties no matter who else is in the chain, and the distributor who labels it becomes the manufacturer. Read Article 21 alongside your shipping documents and your labelling artwork.

2 · "Our RED file already covers cybersecurity."

RED Delegated Regulation (EU) 2022/30 covers cybersecurity for radio equipment, and only through three essential requirements: network protection, privacy and fraud protection (RED Article 3(3)(d), (e) and (f)). The CRA covers all products with digital elements, radio or not, and Annex I has thirteen Part I requirements and eight Part II requirements, plus the process obligations of Article 13. Your RED file is a subset, not a substitute. The Article 31 technical file is materially larger, and it keeps growing through the support period.

3 · "We can self-assess everything."

Article 32 routes a product to Module A (internal control, i.e. self-assessment) in two cases: (a) it is not listed in Annex III at all, or (b) it is an Annex III Class I product and you apply harmonised standards, common specifications or a European cybersecurity certification scheme that cover the requirements. At the time of writing (early 2026) no CRA harmonised standard has been cited in the OJEU, so check whether a common specification or a certification scheme covering the Annex I requirements exists before assuming (b) is open; if none does, Annex III Class I products go the same way as Class II, Module B+C or H, which means a notified body. Notified bodies can only be designated once Chapter IV applies on 11 June 2026. APAC manufacturers planning their 2027 budgets on a self-assessment assumption need to revisit that assumption, and the timeline that goes with it.

4 · "We can sign the DoC after the product ships."

Article 13(20) and Article 28 tie the DoC to the conformity assessment: once the assessment has demonstrated compliance with the applicable essential cybersecurity requirements, you draw up the declaration and affix the CE marking. The assessment must therefore be complete before the product is placed on the market, and the DoC signed after the assessment but before the product is first made available on the EU market, which in practice means before the first shipment leaves your facility for the EU. A backdated DoC is a falsified conformity document and a market-surveillance and penalties matter (Article 64), not a paperwork inconvenience.

Block 5 · Continue reading

Where to go next.