
CRA Penalties and Enforcement: What Non-Compliance Actually Costs

The CRA's fines reach €15 million or 2.5% of global turnover — but financial penalties are only part of the enforcement picture. Here is what market surveillance authorities can actually do.

CRAReady Team

The Numbers That Focus Attention

The Cyber Resilience Act backs its requirements with penalties on a par with the GDPR. There are three tiers, and which one applies depends on which obligation you breach.

Tier 1: breach of the Annex I essential requirements, or of the manufacturer obligations in Article 13 and the reporting obligations in Article 14. Maximum fine: €15,000,000 or 2.5% of total worldwide annual turnover for the preceding financial year, whichever is higher.

Tier 2: breach of most other CRA obligations. Maximum fine: €10,000,000 or 2% of total worldwide annual turnover, whichever is higher.

Tier 3: supplying incorrect, incomplete, or misleading information to notified bodies or market surveillance authorities in reply to a request. Maximum fine: €5,000,000 or 1% of total worldwide annual turnover, whichever is higher.

The "whichever is higher" construction applies to all three tiers and is deliberate: for a large company, the percentage-of-turnover figure can dwarf the flat cap, while the flat cap keeps the fine meaningful for a small one. And the top tier attaches to the essential requirements, the manufacturer obligations in Article 13, and the vulnerability- and incident-reporting duties in Article 14, which together make up the core of what the CRA is about.

Fines Are Not the Whole Story

Focusing only on the headline fines understates the risk. Market surveillance authorities in each member state have a broad toolkit under the CRA and the general market surveillance framework it builds on (Regulation (EU) 2019/1020). They can:

  • Order corrective action — require you to bring a non-compliant product into conformity within a set period
  • Restrict or prohibit the product being made available on their market
  • Order withdrawal — pull the product from the supply chain
  • Order a recall — retrieve products already in users' hands
  • Publish the non-compliance — issue a public warning naming the product and the manufacturer

For most businesses, a recall or a public non-compliance notice is more damaging than a fine. The reputational hit and the channel disruption — importers and distributors are obliged to stop handling non-compliant products — can freeze EU revenue faster than any penalty.

Proportionality and SMEs

The CRA requires penalties to be effective, proportionate, and dissuasive, and it directs authorities to take into account the size of the business — in particular SMEs and startups — and the nature, gravity, and duration of the infringement. This is genuine relief on the margin, but it is not an exemption: the obligations still apply, and the reduced-fine discretion does not extend to the withdrawal, recall, and restriction powers.

What Triggers Enforcement

Enforcement typically starts with one of:

  • A market surveillance authority's own product checks or market screening
  • A complaint or a report from a security researcher
  • A serious incident or a widely reported actively exploited vulnerability in your product
  • A request for the technical file that you cannot satisfy

That last point is worth emphasising: failing to produce a complete technical file on request is itself an infringement, regardless of whether the product is actually secure. The paperwork is not optional evidence — its absence is a violation.

Reducing Your Exposure

The most effective protection against CRA enforcement is boringly practical:

  1. Keep the technical file current and retrievable. It is your first and best defence in any investigation.
  2. Operate the Article 14 process for real. The reporting duty (early warning within 24 hours of becoming aware of an actively exploited vulnerability or a severe incident, a fuller notification within 72 hours, and a final report within 14 days) carries top-tier penalties, and it begins on 11 September 2026, earlier than the 11 December 2027 date on which the rest of the regulation applies.
  3. Document your decisions. Classification rationale, risk assessments, and patch-prioritisation reasoning all demonstrate diligence.
  4. Remediate without undue delay. Demonstrable, timely vulnerability handling is what separates a manageable finding from an escalation.

The manufacturers who get hurt by CRA enforcement will rarely be the ones who tried and fell slightly short. They will be the ones who could not produce evidence they had tried at all.
