CRA Penalties: What You Risk
The Cyber Resilience Act carries severe financial penalties and market restrictions for non-compliance. Understand the risks and how to avoid them.
Maximum Penalty: €15 million or 2.5% of global annual turnover (whichever is higher) for cybersecurity requirement violations.
CRA Penalty Structure
Fines are tiered by violation severity; in every tier the higher of the fixed euro amount and the turnover percentage applies.
Highest Tier: €15 million or 2.5% of global annual turnover (whichever is higher)
Violations That Trigger This Penalty:
- Breaching essential cybersecurity requirements (Annex I)
- Placing products on the market without a conformity assessment
- Using the CE marking without proper authorization
- Failing to ensure product cybersecurity throughout the product lifecycle
Real-World Examples:
- Selling IoT devices with known vulnerabilities
- Products without a security update capability
- Devices with default passwords that cannot be changed
Mid Tier: €10 million or 2% of global annual turnover (whichever is higher)
Violations That Trigger This Penalty:
- Inadequate technical documentation
- Failure to conduct proper risk assessments
- Insufficient vulnerability handling processes
- Missing or incomplete EU Declaration of Conformity
Real-World Examples:
- Incomplete Software Bill of Materials (SBOM)
- No coordinated vulnerability disclosure policy
- Missing security incident response procedures
Lower Tier: €5 million or 1% of global annual turnover (whichever is higher)
Violations That Trigger This Penalty:
- Providing false or misleading information
- Inadequate product labeling or marking
- Insufficient cooperation with authorities
- Missing or incorrect product identification
Real-World Examples:
- False claims about security certifications
- Incorrect CE marking placement
- Refusing to provide documentation to authorities
Beyond Fines: Other Enforcement Powers
Authorities have additional tools that can be more damaging than financial penalties.
Product Withdrawal
Authorities can order the immediate removal of non-compliant products from the EU market.
Market Prohibition
A prohibition on placing products on the EU market.
Recall Orders
Mandatory recall of products already distributed to customers.
Corrective Measures
Forced implementation of specific security measures.
Real-World Penalty Scenarios
See how CRA penalties could apply to common violation scenarios.
Smart Home Device Manufacturer
Violation: Ships products with default passwords and no update mechanism
Potential Fine: €15 million or 2.5% of global annual turnover
Additional Consequences:
- Product recall
- Market withdrawal
- Reputation damage
Prevention: Implement unique default credentials and automatic security updates.
Software Company
Violation: Fails to maintain proper vulnerability disclosure policy
Potential Fine: €10 million or 2% of global annual turnover
Additional Consequences:
- Forced policy implementation
- Ongoing monitoring
Prevention: Establish a clear coordinated vulnerability disclosure process.
Industrial Equipment Manufacturer
Violation: Provides incomplete technical documentation to authorities
Potential Fine: €5 million or 1% of global annual turnover
Additional Consequences:
- Documentation review
- Compliance audit
Prevention: Maintain comprehensive technical documentation from product design onward.
Total Cost of Non-Compliance
Penalties are just the beginning; calculate the full impact.
Special Provisions and Exemptions
Important exceptions and special cases in CRA enforcement.
Open Source Software Protection
Free and open-source software is exempt from fines under Article 64(10)(b), even when it falls within the CRA's scope because of commercial activity.
Note: This exemption only applies to monetary penalties, not other compliance obligations.
Penalty Calculation Method
Authorities always apply the higher of the fixed euro amount and the percentage of global annual turnover.
Note: For a company with €1B in revenue, 2.5% = €25M, which exceeds the €15M fixed amount, so the €25M figure applies.
How to Avoid These Penalties
Prevention is always better (and cheaper) than paying fines.
Official Source
Regulation (EU) 2024/2847 (Cyber Resilience Act), Chapter VII
Penalties and enforcement measures for violations of the cybersecurity requirements for products with digital elements.
View on EUR-Lex