
Last updated: 2026-07-18
The Cyber Resilience Act (Regulation (EU) 2024/2847) does not merely demand cyber-secure products with digital elements – it backs its obligations with a tiered penalty framework. That framework sits in Article 64 and defines maximum amounts for infringements. Understanding the order of magnitude of possible fines helps you weigh the cost of CRA compliance in commercial terms. This article frames the rules in technical-organisational terms; it is not legal advice.
The core principle: „up to" and „whichever is higher"
Article 64 works with three penalty tiers. Each tier states both an absolute euro amount and a percentage of the total worldwide annual turnover of the preceding financial year. A fine may be imposed of up to the higher of the two figures. For high-revenue groups the percentage therefore acts as the ceiling; for smaller firms the fixed euro amount does. These are maxima – the actual amount is set by the competent authorities on a proportionate, case-by-case basis.
The reference base matters: the percentage is measured against a company's total worldwide turnover, not against revenue from the product concerned. In group structures this can amount to substantial sums. At the same time the Regulation requires penalties to be effective, proportionate and dissuasive – the maxima are therefore not automatic but the upper frame within which the authority weighs the nature and gravity of the infringement, its duration, willingness to cooperate and any previous infringements.
The three penalty tiers at a glance
| Maximum (whichever is higher) | For what (simplified) |
|---|---|
| up to €15,000,000 or 2.5% of worldwide annual turnover | Infringement of the essential requirements in Annex I and of the manufacturer obligations in Articles 13 and 14 (incl. vulnerability handling and reporting duties). |
| up to €10,000,000 or 2% of worldwide annual turnover | Infringement of other obligations – for example the duties of importers and distributors and conformity-related duties. |
| up to €5,000,000 or 1% of worldwide annual turnover | Supplying incorrect, incomplete or misleading information to notified bodies or market surveillance authorities. |
Key point: The most serious infringements – against the product's own security requirements and against vulnerability handling and reporting – sit in the top tier. If you want to establish whether and how your product is affected at all, start with the applicability assessment.
Why this is not the GDPR
A common misconception is to transfer the figures familiar from the General Data Protection Regulation (up to €20m or 4% of group turnover) straight onto the CRA. That is wrong. The CRA has its own, lower ceiling: the top tier is €15m or 2.5%, not €20m or 4%. The percentage refers, as under the GDPR, to worldwide annual turnover, but the rates are markedly lower. Both regimes can apply side by side where a situation touches both product security and personal data – they do not replace one another.
Who enforces? The market surveillance authorities
Enforcement of the CRA rests with the Member States' market surveillance authorities. They monitor products with digital elements on the market, can request conformity evidence, technical documentation and information, order corrective measures up to withdrawal or recall, and impose fines. In Germany the concrete allocation of authority is a matter of national implementation. The practical consequence for companies: providing reliable, complete and correct information to these authorities is itself an obligation subject to penalties – the third tier (up to €5m / 1%) targets precisely incorrect or misleading statements.
Two important carve-outs
Microenterprises and small enterprises
A relief applies to microenterprises and small enterprises: they cannot be fined for missing solely the 24-hour early warning (Art. 14(2)(a) / (4)(a)). The carve-out is narrow: it applies only to that early warning – not to the 72-hour notification and not to the final report; missing those remains subject to a fine even for microenterprises and small enterprises. This reflects the limited resources of small providers without removing the reporting and security obligation itself.
Open-source software stewards
The CRA recognises a distinct, lighter-touch role for open-source software stewards (Article 24). These are legal persons that systematically support the development of free and open-source software for commercial purposes without themselves being manufacturers. A regime with reduced obligations applies to them – and crucially, they are not subject to the administrative fines of Article 64. Individual, non-commercial open-source contributors fall outside the scope in any case. The underlying idea: someone who supports free software in a fostering role, without placing it on the market as a product in their own name, should not carry the full liability and penalty weight of a manufacturer.
Not just fines: the actual enforcement toolkit
The fines in Article 64 are only one part of the enforcement picture. Market surveillance authorities can additionally order a non-conforming product to be withdrawn from the market or recalled, restrict or prohibit its further distribution, and compel corrective measures. For most providers the threatened distribution halt or recall is the weightier commercial risk compared with the fine itself – it hits revenue directly and can entail reputational damage. The penalty tiers should therefore not be read in isolation but as part of this overall toolkit.
What does this mean for your preparation?
The penalty tiers reveal where the Regulation places its greatest weight: on the essential security requirements and on vulnerability handling and reporting. These are precisely the areas that need the longest organisational lead time. Because the obligations enter into application in a staggered manner and the penalties only bite once the respective obligation applies, it is worth looking at the CRA deadlines and timeline. Investing in conformity processes today reduces not only the fine risk but above all the risk of an ordered market withdrawal – which usually weighs more heavily in business terms than the fine itself.
- Essential requirements (Annex I) and vulnerability handling/reporting (Art. 13/14) are the costliest infringements – start here.
- Information to authorities must be correct and complete – that too is penalised.
- Micro/small enterprises: no fine only for a missed 24-hour early warning (Art. 14(2)(a) / (4)(a)) – the 72-hour notification and final report remain subject to fines, the obligation remains.
- Open-source stewards: no administrative fines.
For an overview of the Regulation as a whole, see our introduction to the Cyber Resilience Act.
Frequently asked questions
How high can CRA fines go at most?+
Are CRA fines as high as under the GDPR?+
Are there exemptions for small companies?+
Can open-source stewards be fined?+
Who imposes the fines and when do they apply?+
Sources
This content provides general technical and organizational information on the Cyber Resilience Act (Regulation (EU) 2024/2847) and does not constitute legal advice (no legal services within the meaning of the German RDG).