EU CRA 網路韌性法合規輔導

The EU CRA will officially come into force in December 2024, but there is a phased transition period: obligations for notified bodies (after 21 months, September 2026), vulnerability reporting obligations (after 21 months), and full enforcement (after 36 months, December 2027). Taiwanese exporters should immediately start assessing product applicability to avoid being banned from entering the EU market after December 2027.

SBOM (Software Bill of Materials) is a list of all components that make up a software (open-source libraries, third-party components, self-developed code). CRA requires SBOM because many software vulnerabilities originate from open-source components (such as Log4j), and SBOM allows manufacturers to quickly identify affected products and patch them in a timely manner.

Class I critical PDE listed in CRA Annex III include: identity management software, browsers, password managers, VPNs, network monitoring tools, operating systems, routers, firewalls, industrial IoT devices, etc. Class II includes: HSM (Hardware Security Module), smart cards, industrial automation control systems, etc. Products not listed in Annex III are considered general PDE and can be self-assessed.

Taiwanese exporters have three pathways: 1. EU Authorized Representative (designate a representative within the EU to be responsible for CRA compliance obligations); 2. Conformity with European harmonized standards (adopt harmonized standards such as ETSI EN 18031, presumed to comply with CRA requirements); 3. Third-party certification (mandatory for Class II, conducted by an EU-approved notified body).

The maximum penalty for CRA non-compliance is 2.5% of global annual turnover or 15 million Euros (whichever is higher). A more severe consequence is the prohibition of products from being sold in the EU market, which for Taiwanese exporters relying on the European market, the loss far exceeds the fine amount.

For manufacturers of industrial automation control systems, IEC 62443 is the most direct standard corresponding to the security requirements of CRA Annex I. Obtaining IEC 62443 certification can serve as an important basis for CRA conformity, significantly simplifying the CRA compliance process. Jishui Research provides integrated guidance for CRA plus IEC 62443.

Winners Consulting is one of the few firms in Taiwan with integrated advisory capabilities for EU CRA, EU AI Act, and IEC 62443. We assist Taiwanese exporters in entering the European market via the most effective path, integrating four EU regulations (CRA + EU AI Act + IEC 62443 + ISO 26262).

No. Software above the OS layer is subject to CRA as long as it has network connectivity. CRA's triggering condition is 'network connectivity,' not 'hardware interface.' The EU's official FAQ explicitly lists mobile apps and computer games as default-category PDE examples—both are pure OS-layer-above software with no relation to firmware. Desktop applications (with network connectivity), mobile apps, and browser extensions all fall under CRA. The only exemption is pure SaaS (all software logic in the cloud, no downloadable device-side components).

Yes. Pure SaaS is exempt under CRA Article 2(5)(h), but the exemption condition is 'no downloadable device-side components.' If the SaaS includes a downloadable mobile app, desktop client (.exe/.dmg), or browser extension, that device-side component triggers CRA default category or Class I/II requirements. The SaaS core (cloud portion) remains exempt, but the device-side component must comply. Winners Consulting helps clarify which components require compliance and plans the minimum-scope compliance pathway.