CRA enforcement

CRA Penalties

Last updated · 8 Jun 2026

The EU Cyber Resilience Act sets three tiers of financial penalties. The highest reaches €15 million or 2.5% of worldwide annual turnover - whichever is higher. This page explains what triggers each tier, who enforces the rules, and what carve-outs exist for smaller companies and open-source stewards. (Art. 64, Regulation (EU) 2024/2847)

TL;DR

  • Tier 1 - €15M / 2.5%: breaching the essential requirements (Annex I) or manufacturer obligations (Arts. 13-14). Highest penalty, whichever figure is larger.
  • Tier 2 - €10M / 2%: breaching other CRA obligations (importers, distributors, notified bodies).
  • Tier 3 - €5M / 1%: supplying incorrect, incomplete or misleading information to authorities.
  • Carve-outs: micro and small enterprises not fined for missing the 24h early-warning deadline. Open-source stewards not fined.
  • Enforcement: national market surveillance authorities, with powers to order corrective action, withdrawal and recall.

The three fine tiers

Tier 1 - Highest

€15M

or 2.5% of worldwide annual turnover

Whichever is higher

Triggered by breaching the essential requirements (Annex I) or the manufacturer obligations in Arts. 13-14 (risk assessment, technical documentation, CE marking, incident reporting).

Tier 2 - Mid

€10M

or 2% of worldwide annual turnover

Whichever is higher

Other CRA obligations not covered by Tier 1 - including duties on importers, distributors and notified bodies.

Tier 3 - Lowest

€5M

or 1% of worldwide annual turnover

Whichever is higher

Providing incorrect, incomplete or misleading information to national authorities or notified bodies in the course of conformity assessment or market surveillance.

In each tier the fixed euro amount and the turnover percentage both apply; the authority applies whichever produces the higher figure. (Art. 64, Reg. (EU) 2024/2847)

What triggers each tier

Tier 1: Essential requirements and manufacturer obligations

The highest tier applies when a manufacturer breaches Annex I essential requirements or the manufacturer obligations set out in Arts. 13-14 (Arts. 13-14, Annex I). In practice this means:

  • Placing a product on the market that does not meet the security by design or secure by default requirements.
  • Failing to maintain or provide an SBOM.
  • Not handling vulnerabilities - failing to monitor, remediate or provide free security updates across the support period.
  • Failing to publish a coordinated vulnerability disclosure policy or provide a security contact point.
  • Failing to report an actively exploited vulnerability or severe incident via ENISA's Single Reporting Platform within the required windows (after 11 Sep 2026).
  • Failing to conduct a cybersecurity risk assessment (Art. 13), draw up technical documentation (Annex VII), or affix a CE mark where required.

Tier 2: Other CRA obligations

This tier covers obligations across the supply chain that are not the core essential requirements (Art. 64). For example:

  • An importer placing a product on the EU market without verifying that the manufacturer has met the essential requirements or that a CE mark is present.
  • A distributor making a non-conforming product available without taking corrective action when they know or should know it is non-compliant.
  • Notified bodies failing to meet their obligations under the CRA.

Tier 3: Incorrect information

Supplying incorrect, incomplete or misleading information to a national market surveillance authority or a notified body - whether in a conformity assessment, market surveillance investigation or post-market monitoring response. (Art. 64)

Who enforces the CRA - market surveillance authorities

Enforcement is by national market surveillance authorities (MSAs) in each EU member state. The same bodies that enforce product safety and CE-marking rules will take on CRA enforcement. They have broad investigative and corrective powers. (Source: European Commission)

Inspect and investigate

MSAs can request technical documentation, test products, access premises and gather evidence. They coordinate through ENISA and EU-wide surveillance mechanisms.

Order corrective action

Where a product does not meet CRA requirements, an MSA can order the manufacturer (or importer/distributor) to bring it into conformity within a specified period.

Withdraw or restrict

If corrective action is not taken, MSAs can order products to be withdrawn from the market or their availability restricted - preventing further sales.

Recall

For serious cybersecurity risks, MSAs can require products already sold to consumers or businesses to be recalled. This is a last-resort measure, but it is available to them.

Penalties are proportionate, not automatic

Art. 64 requires authorities to take into account proportionality when setting fines. Factors include the nature, gravity and duration of the infringement, the number of consumers affected, whether the infringement was intentional or negligent, and the size and financial resources of the undertaking. The maximum figures are ceilings, not default starting points. (Art. 64)

Carve-outs: small enterprises and open-source stewards

The CRA includes two explicit carve-outs from fines (Art. 64).

Micro and small enterprises

Micro and small enterprises (as defined in EU SME rules) may not be fined for missing the 24-hour early-warning deadline for reporting actively exploited vulnerabilities or severe incidents. They must still report; only the fine for missing the 24-hour window specifically is excluded.

All other CRA obligations, including the essential requirements, still apply to small enterprises. There is no blanket SME exemption.

Open-source software stewards

Open-source software stewards - organisations that systematically support open-source software used in commercial products - are not subject to fines under the CRA. They have tailored, lighter obligations under Art. 24 (a cybersecurity policy, cooperation with authorities, facilitating vulnerability disclosure).

Individual developers who publish open-source in a genuinely non-commercial capacity are generally outside scope entirely.

No broader SME exemption

Some EU product regulations give micro and small enterprises blanket exemptions or very long grace periods. The CRA does not. Small companies must still meet the essential requirements and affix a CE mark by 11 December 2027. Only the 24-hour reporting penalty is carved out. Build to the requirements early.

How to reduce your penalty risk

The fastest way to reduce CRA penalty risk is to start early on the requirements that take the most time to build. A few practical steps:

  • Confirm you are in scope. The scope checker will tell you whether your product is a product with digital elements and, if so, which tier it sits in.
  • Identify your product tier. The product classes page maps the Annex III / IV categories with their conformity routes. Important Class II and Critical products need a notified body - start identifying one now.
  • Build your SBOM before the reporting deadline. The SBOM is your vulnerability-response backbone. Having it in place before 11 September 2026 means you can respond to the reporting obligations accurately. (See the SBOM guide.)
  • Stand up your CVD policy and contact point. This is one of the fastest wins: publish a security.txt file, open a monitored inbox, and write a short CVD policy. (See the CVD guide.)
  • Prepare your 24h/72h/14-day reporting playbook before 11 September 2026. When an actively exploited vulnerability hits, you need a practiced process - not a scramble. (See the CVD and reporting guide.)
  • Start your technical documentation (Annex VII). This must be kept for 10 years. Building it alongside product development is far easier than reconstructing it later.
  • Work through the compliance checklist. The checklist maps every major CRA obligation with a status tracker.

By the numbers

CRA penalties at a glance

€15M / 2.5%

Maximum fine for breaching essential requirements - whichever is higher.

€10M / 2%

Maximum fine for other CRA obligations (importers, distributors).

€5M / 1%

Maximum fine for providing incorrect or misleading information.

10 yrs

How long technical documentation must be kept and available to authorities.

Art. 64, Regulation (EU) 2024/2847. Fines are whichever of the fixed maximum or the turnover percentage produces the higher figure. Penalties must be effective, proportionate and dissuasive.

FAQ

What are the maximum CRA fines?
Three tiers apply. The highest is €15 million or 2.5% of worldwide annual turnover (whichever is higher) for breaching the essential requirements in Annex I or the manufacturer obligations in Arts. 13-14. Other CRA obligations carry up to €10 million / 2%. Providing incorrect or misleading information to authorities carries up to €5 million / 1%.
Who enforces the CRA?
National market surveillance authorities (MSAs) in each EU member state. They can inspect products, order corrective action, require withdrawal or recall, and impose fines. They coordinate through EU-level mechanisms including ENISA and the Commission.
Are small companies protected from CRA fines?
Micro and small enterprises are not fined for missing the 24-hour early-warning reporting deadline. For other obligations, general penalty principles apply - authorities must consider proportionality, including the size of the undertaking and ability to pay. However, there is no blanket exemption from CRA fines for small businesses: only the 24-hour reporting deadline has an explicit carve-out.
Are open-source developers subject to CRA fines?
Open-source software stewards - organisations that systematically support open-source software used in commercial products - are not subject to fines under the CRA. Individual developers who publish open-source in a non-commercial capacity are generally outside scope entirely.
Can authorities recall or withdraw products?
Yes. In addition to fines, market surveillance authorities can order manufacturers or other economic operators to bring products into conformity, withdraw them from the market, or recall them. These orders can be issued regardless of whether a fine is also imposed.
What triggers the highest fine tier?
Breaching the essential requirements of Annex I (security by design, secure by default, SBOM, vulnerability handling, CVD policy, free security updates, etc.) or failing to meet the manufacturer obligations in Arts. 13 (risk assessment, technical documentation, CE marking) and 14 (incident reporting). These are the core of the CRA.
How can I reduce the risk of CRA fines?
Complete the scope checker to confirm you are in scope and identify your product tier. Build to the essential requirements early - especially the SBOM, CVD policy and reporting readiness ahead of the 11 September 2026 deadline. Keep technical documentation current for 10 years. Work from the compliance checklist.


This is guidance, not legal advice

This page explains CRA penalties to help you understand the enforcement framework. It is not legal advice. Fine calculations depend on specific facts and national authority discretion. For advice specific to your situation, consult the official sources we link or a qualified legal adviser.

Sources

  1. Regulation (EU) 2024/2847, Art. 64 - penalties (EUR-Lex). Retrieved 8 Jun 2026.
  2. European Commission - CRA legislative summary. Retrieved 8 Jun 2026.
  3. European Commission - Cyber Resilience Act policy page. Retrieved 8 Jun 2026.