Timeline Regulation (EU) 2024/2847 · Article 69 (staggered application)
What applies when
The CRA does not apply in one big bang. Article 69 staggers application across several dates between 2024 and 2028. This page lays them all out, with what triggers each date and what it means for manufacturers, importers, and software stewards.
CRA timeline
Dates in chronological order
Source: Regulation (EU) 2024/2847 Article 69 (staggered application); Commission Implementing Regulation (EU) 2025/2392; Commission Delegated Regulation (EU) 2025/1535; ENISA SRP operational timeline; M/606 standardisation work programme.
CRA adopted by Council
The Council of the EU formally adopted Regulation (EU) 2024/2847 after the European Parliament approved the text on 12 March 2024. Adoption triggered the publication timeline.
Published in Official Journal
OJ L 2024/2847. The 20-day clock to entry into force started here.
CRA entered into force
The Regulation entered into force 20 days after OJ publication. This does not yet impose operational obligations — those stage in over the following three years.
Delegated Regulation 2025/1535 adopted
Commission Delegated Regulation (EU) 2025/1535 excludes certain products falling under Regulation (EU) 168/2013 (L-category vehicles) from the CRA's scope.
Implementing Regulation 2025/2392 published
The technical descriptions of Important (Annex III) and Critical (Annex IV) product categories — the binding reference for product classification. 19 Class I + 4 Class II + 3 Critical categories specified.
Delegated Regulation 2026/881 adopted (delay-grounds for SRP dissemination)
Commission Delegated Regulation (EU) 2026/881, the Article 14(9) act, specifies the cybersecurity-related grounds on which a CSIRT receiving a manufacturer's notification may delay its dissemination to other CSIRTs via the SRP. Three categories of grounds: nature of the notified information (sensitivity outweighing dissemination benefit, or risk of being weaponised within 72h), the receiving CSIRT cannot ensure confidentiality, or the SRP itself is compromised. This is the act that operationalises the Article 16(2) "exceptional circumstances" trigger.
You are here
26 April 2026
CRA in force, no operational obligations applying yet. Article 14 reporting begins in 4 months and 16 days (11 Sep 2026). Chapter IV — Notified Body notifications — opens 1 month and 16 days from now (11 Jun 2026). Full application 1 year, 7 months, 15 days away.
Chapter IV applies · Notified Body notifications open
Member States can begin notifying cybersecurity-competent bodies as CRA Notified Bodies. For Class II and Critical products, this is the critical precondition for conformity assessment availability from 11 Dec 2027.
Article 14 applies · SRP reporting obligations begin
The near-term deadline. From this date, every manufacturer must report actively exploited vulnerabilities (24h/72h/14d) and severe incidents (24h/72h/1 month) via ENISA's Single Reporting Platform. This obligation applies to all products currently on the EU market, not only new products. The SRP should be operational by this date with a testing period before.
M/606 Work Programme target
Target adoption date for the first batch of harmonised standards under standardisation request M/606, including prEN 40000-1-1/-1-2/-1-3 horizontal standards and the EN IEC 62443-5-XX vertical profiles. No hEN cited in OJEU at this date would mean no presumption of conformity available, pushing manufacturers onto self-justified risk assessment.
CRA full application
The big one. All CRA obligations apply to products placed on the EU market from this date. CE marking based on Annex I conformity is mandatory. Technical documentation per Annex VII. EU Declaration of Conformity per Article 28. Support period declared. No conformity, no placing on market.
Legacy EU type-examination certificate cut-off
EU type-examination certificates and approval decisions for cybersecurity issued before 11 Dec 2027 remain valid until this date, unless they expire earlier. After this, only CRA-conformant certificates apply.
Substantial modification rule
Products placed on the EU market before 11 Dec 2027 are covered by the CRA only from the date they undergo a substantial modification. In practice, a major software update that changes the product's risk profile or adds new features can trigger full CRA conformity — whether the original product was CRA-compliant or not.
Member State activity
Notified Bodies, sandboxes, standardisation
As of 26 April 2026
What's actually moving on the ground
This block tracks publicly visible Member State and EU-level activity that determines whether the headline timeline above will land on schedule. Where data is genuinely absent or unverified, the card says so — there is no upside to guessing.
Notified Body designations
Pending: Member State notifications under Chapter IV are scheduled to open 11 Jun 2026. NANDO query for "Regulation (EU) 2024/2847" returned no entries — consistent with the legal window not yet being open. France's ANSSI has launched a call for expressions of interest (Jul 2025) and reports approximately 30 vendor inquiries with around ten French NBs anticipated. No DAkkS, COFRAC, ENAC, or RvA pre-announcements of specific intended designations have been located.
CRA-ADCO inaugurated
Tracked: CRA Administrative Cooperation Group (ADCO) under Article 52(15) held its inaugural meeting on 19 Mar 2026 in Athens, hosted by ENISA. Anna Schwendicke (BSI, Germany) elected Chair; Xenia Kyriakidou (Cyprus NCCA) elected Vice-Chair. ADCO is the formal channel for Article 33(2) sandbox notifications, market surveillance coordination, and Member State-level enforcement consistency. Operational for ~5 weeks as of this update.
CRA regulatory sandboxes
Unverified: Article 33(2) authorises Member States to establish CRA regulatory sandboxes via ADCO notification. No CRA-specific sandbox has been publicly notified to ADCO as of 26 Apr 2026. Closest concrete development is Finland's government proposal of 27 Nov 2025 — Traficom would be empowered to set up sandboxes at its discretion, target effective date 1 Jun 2026 (enabling provisions, no specific sandbox yet). With ADCO only constituted 19 Mar 2026, sandbox-mediated SME compliance routes are unlikely before late 2026.
M/606 standardisation work
Tracked: M/606 Work Programme V1 dated 2 Apr 2025 (Commission Implementing Decision C(2025)618 of 3 Feb 2025; accepted by ESOs 3 Apr 2025). 41 items total: 15 horizontal + 26 vertical. Six verified verticals — VPN, NMS, SIEM, Network Interfaces, Routers/Modems/Switches, Firewalls/IDS/IPS — under CLC/TC 65X WG3 + ETSI CYBER-EUSR with adoption deadline 30 Oct 2026. No V2 of the Work Programme has been published.
prEN 40000 horizontal series
Tracked: All three parts have completed CEN public enquiry. prEN 40000-1-1 (Vocabulary) at CEN stage 40.20→40.60 (DIS ballot opened 9 Oct 2025); German DIN EN 40000-1-1:2026-03 published. prEN 40000-1-2 (Principles of cyber resilience): public enquiry closed 8 Dec 2025, stage 40.60 reached 1 Jan 2026. prEN 40000-1-3 (Vulnerability handling): public enquiry closed 9 Feb 2026, stage 40.60 reached 5 Mar 2026. A fourth part prEN 40000-1-4 (Generic security requirements) targets public enquiry mid-2026.
EN 304 series vertical drafts
Pending: Latest mature drafts on ETSI Open Area: EN 304 617 / 618 / 620 / 626 at V0.1.0 (23 Dec 2025); 304 619 V0.0.12 (11 Dec 2025); 304 623 V0.0.12 (19 Dec 2025); 304 627 V0.0.11 (24 Nov 2025); 304 636 V0.0.9 (15 Dec 2025). 304 631 (smart-home assistants) and 304 632 (smart-home security) remain PWI. None published as full EN; none cited in OJEU. ETSI cover-page disclaimer states drafts "expected to undergo significant changes before final publication in H2 2026".
Article 8(1) delegated act for EUCC mandate
Unverified: No Article 8(1) delegated act mandating EUCC certification has been adopted, drafted publicly, or opened for Have-Your-Say consultation as of 26 Apr 2026. The Commission's tracker lists one EUCC-related delegated act for Q4 2026 — but it is the Article 27(9) presumption-of-conformity act, specifying that EUCC certification confers presumption of CRA conformity, not the Article 8(1) mandatory-certification act. ENISA preparatory analysis on EUCC implementation has been published.
Commission Article 26 guidance
Pending: Draft Commission guidance published 3 Mar 2026 as Commission Communication Ares(2026)2319816 via Have-Your-Say initiative ref. 16959. Feedback period ran 3-31 Mar 2026 (now closed). Coverage: placing-on-market scope, FOSS criteria with 16 examples, OSS Steward scope, RDPS, substantial modification, conformity-assessment routing, support periods, interaction with other EU legislation. No final adopted version has been published in OJEU or as a Commission Notice as of 26 Apr 2026.
ENISA Single Reporting Platform
Tracked: ENISA confirms SRP operational by 11 Sep 2026. Procurement verified: tender ENISA/2025/OP/0001, max budget €11M over 4 years, status Completed. Awarded to consortium led by Uni Systems with Wavestone and Luxembourg's NC3 (announcement 22 Dec 2025; not corroborated on a primary ENISA award URL). Article 16(2) delegated act on CSIRT withholding/delaying dissemination adopted 11 Dec 2025 as C(2025)8407. No API specifications, OpenAPI / JSON schemas, or pilot timetable published as of 26 Apr 2026.
Implementing Reg (EU) 2025/2392
Tracked: Commission Implementing Regulation (EU) 2025/2392 of 28 Nov 2025 on the technical description of categories of important and critical products with digital elements (Annexes III & IV). Published OJ L on 1 Dec 2025; entered into force 21 Dec 2025. Adopted under Article 7(4) by the Commission (not ENISA, as sometimes referenced). This is the binding technical description manufacturers use to determine whether their product falls into Annex III or Annex IV categories.
Working with the timeline
Three dates that deserve calendar entries
11 September 2026 — the operational deadline
If you sell products with digital elements into the EU, your PSIRT, SBOM inventory, and ENISA SRP registration need to exist by August 2026 so that you have a month to pressure-test. Missing the 24-hour early warning on your first real incident is a regulatory exposure event, not an operational hiccup.
October 2026 — watch the harmonised standards
This is softer than the other two but just as consequential. If the M/606 work programme delivers on schedule and the first hENs get OJEU citation in late 2026, your life is dramatically easier — you get presumption of conformity by aligning with standards. If it slips, you are building your Annex I conformity claim on self-justified risk assessment, which is harder to defend under market surveillance scrutiny.
11 December 2027 — the CE marking deadline
Everything that touches product conformity (Annex I requirements, technical documentation, conformity assessment route, EU Declaration of Conformity, CE marking) must be in place before you can ship. Work backwards: notified body audits (for Class II + Critical) typically take 4–6 months. If you need a notified body, start conversations in H2 2026, not H2 2027.