CRA Insights

Cyber Resilience Act

CRA Penalties & Fines: what Article 64 actually provides for

CRA Penalties & Fines: what Article 64 actually provides for

Last updated: 2026-07-18

The Cyber Resilience Act (Regulation (EU) 2024/2847) does not merely demand cyber-secure products with digital elements – it backs its obligations with a tiered penalty framework. That framework sits in Article 64 and defines maximum amounts for infringements. Understanding the order of magnitude of possible fines helps you weigh the cost of CRA compliance in commercial terms. This article frames the rules in technical-organisational terms; it is not legal advice.

The core principle: „up to" and „whichever is higher"

Article 64 works with three penalty tiers. Each tier states both an absolute euro amount and a percentage of the total worldwide annual turnover of the preceding financial year. A fine may be imposed of up to the higher of the two figures. For high-revenue groups the percentage therefore acts as the ceiling; for smaller firms the fixed euro amount does. These are maxima – the actual amount is set by the competent authorities on a proportionate, case-by-case basis.

The reference base matters: the percentage is measured against a company's total worldwide turnover, not against revenue from the product concerned. In group structures this can amount to substantial sums. At the same time the Regulation requires penalties to be effective, proportionate and dissuasive – the maxima are therefore not automatic but the upper frame within which the authority weighs the nature and gravity of the infringement, its duration, willingness to cooperate and any previous infringements.

The three penalty tiers at a glance

Maximum (whichever is higher)For what (simplified)
up to €15,000,000 or 2.5% of worldwide annual turnoverInfringement of the essential requirements in Annex I and of the manufacturer obligations in Articles 13 and 14 (incl. vulnerability handling and reporting duties).
up to €10,000,000 or 2% of worldwide annual turnoverInfringement of other obligations – for example the duties of importers and distributors and conformity-related duties.
up to €5,000,000 or 1% of worldwide annual turnoverSupplying incorrect, incomplete or misleading information to notified bodies or market surveillance authorities.

Key point: The most serious infringements – against the product's own security requirements and against vulnerability handling and reporting – sit in the top tier. If you want to establish whether and how your product is affected at all, start with the applicability assessment.

Why this is not the GDPR

A common misconception is to transfer the figures familiar from the General Data Protection Regulation (up to €20m or 4% of group turnover) straight onto the CRA. That is wrong. The CRA has its own, lower ceiling: the top tier is €15m or 2.5%, not €20m or 4%. The percentage refers, as under the GDPR, to worldwide annual turnover, but the rates are markedly lower. Both regimes can apply side by side where a situation touches both product security and personal data – they do not replace one another.

Who enforces? The market surveillance authorities

Enforcement of the CRA rests with the Member States' market surveillance authorities. They monitor products with digital elements on the market, can request conformity evidence, technical documentation and information, order corrective measures up to withdrawal or recall, and impose fines. In Germany the concrete allocation of authority is a matter of national implementation. The practical consequence for companies: providing reliable, complete and correct information to these authorities is itself an obligation subject to penalties – the third tier (up to €5m / 1%) targets precisely incorrect or misleading statements.

Two important carve-outs

Microenterprises and small enterprises

A relief applies to microenterprises and small enterprises: they cannot be fined for missing solely the 24-hour early warning (Art. 14(2)(a) / (4)(a)). The carve-out is narrow: it applies only to that early warning – not to the 72-hour notification and not to the final report; missing those remains subject to a fine even for microenterprises and small enterprises. This reflects the limited resources of small providers without removing the reporting and security obligation itself.

Open-source software stewards

The CRA recognises a distinct, lighter-touch role for open-source software stewards (Article 24). These are legal persons that systematically support the development of free and open-source software for commercial purposes without themselves being manufacturers. A regime with reduced obligations applies to them – and crucially, they are not subject to the administrative fines of Article 64. Individual, non-commercial open-source contributors fall outside the scope in any case. The underlying idea: someone who supports free software in a fostering role, without placing it on the market as a product in their own name, should not carry the full liability and penalty weight of a manufacturer.

Not just fines: the actual enforcement toolkit

The fines in Article 64 are only one part of the enforcement picture. Market surveillance authorities can additionally order a non-conforming product to be withdrawn from the market or recalled, restrict or prohibit its further distribution, and compel corrective measures. For most providers the threatened distribution halt or recall is the weightier commercial risk compared with the fine itself – it hits revenue directly and can entail reputational damage. The penalty tiers should therefore not be read in isolation but as part of this overall toolkit.

What does this mean for your preparation?

The penalty tiers reveal where the Regulation places its greatest weight: on the essential security requirements and on vulnerability handling and reporting. These are precisely the areas that need the longest organisational lead time. Because the obligations enter into application in a staggered manner and the penalties only bite once the respective obligation applies, it is worth looking at the CRA deadlines and timeline. Investing in conformity processes today reduces not only the fine risk but above all the risk of an ordered market withdrawal – which usually weighs more heavily in business terms than the fine itself.

  • Essential requirements (Annex I) and vulnerability handling/reporting (Art. 13/14) are the costliest infringements – start here.
  • Information to authorities must be correct and complete – that too is penalised.
  • Micro/small enterprises: no fine only for a missed 24-hour early warning (Art. 14(2)(a) / (4)(a)) – the 72-hour notification and final report remain subject to fines, the obligation remains.
  • Open-source stewards: no administrative fines.

For an overview of the Regulation as a whole, see our introduction to the Cyber Resilience Act.

Frequently asked questions

How high can CRA fines go at most?+
Under Article 64, up to €15,000,000 or 2.5% of the total worldwide annual turnover of the preceding financial year – whichever is higher. This is the top of three tiers and applies to infringements of the essential requirements (Annex I) and of Articles 13 and 14. It is a maximum, not a standard amount.
Are CRA fines as high as under the GDPR?+
No. The top CRA tier is up to €15m or 2.5% of worldwide annual turnover, and thus lower than the GDPR ceiling of €20m or 4%. Both regimes can apply side by side, but they do not replace one another.
Are there exemptions for small companies?+
Partly. Microenterprises and small enterprises cannot be fined for missing the 24-hour early warning (Art. 14(2)(a) / (4)(a)). The carve-out applies only to that early warning, however – not to the 72-hour notification and not to the final report; missing those remains subject to a fine even for these size classes. The reporting and security obligations themselves remain in place in any case.
Can open-source stewards be fined?+
No. Open-source software stewards within the meaning of Article 24 are not subject to the administrative fines of Article 64. They carry a regime with reduced obligations. Individual, non-commercial open-source contributors fall outside the Regulation's scope in any case.
Who imposes the fines and when do they apply?+
The Member States' market surveillance authorities enforce the Regulation and can impose fines. Because the CRA obligations enter into application in a staggered manner, the respective penalties only bite once the relevant obligation applies. A look at the CRA timeline helps place the relevant date.

Sources

This content provides general technical and organizational information on the Cyber Resilience Act (Regulation (EU) 2024/2847) and does not constitute legal advice (no legal services within the meaning of the German RDG).