Blackfort TechnologyBlackfort Technology

CRA Penalties & Fines: what Article 64 actually provides for

Blackfort Technology · Cyber Resilience Act knowledge

Note: This article provides general technical and organizational information on the Cyber Resilience Act (Regulation (EU) 2024/2847) and is not legal advice. The applicable text of the Regulation always prevails; this article does not replace a binding assessment of your individual case. Blackfort Technology provides technical/organizational IT-security and compliance consulting, not legal services within the meaning of the German RDG.

The Cyber Resilience Act (Regulation (EU) 2024/2847) does not merely demand cyber-secure products with digital elements – it backs its obligations with a tiered penalty framework. That framework sits in Article 64 and defines maximum amounts for infringements. Understanding the order of magnitude of possible fines helps you weigh the cost of CRA compliance in commercial terms. This article frames the rules in technical-organisational terms; it is not legal advice.

The core principle: „up to" and „whichever is higher"

Article 64 works with three penalty tiers. Each tier states both an absolute euro amount and a percentage of the total worldwide annual turnover of the preceding financial year. A fine may be imposed of up to the higher of the two figures. For high-revenue groups the percentage therefore acts as the ceiling; for smaller firms the fixed euro amount does. These are maxima – the actual amount is set by the competent authorities on a proportionate, case-by-case basis.

The reference base matters: the percentage is measured against a company's total worldwide turnover, not against revenue from the product concerned. In group structures this can amount to substantial sums. At the same time the Regulation requires penalties to be effective, proportionate and dissuasive – the maxima are therefore not automatic but the upper frame within which the authority weighs the nature and gravity of the infringement, its duration, willingness to cooperate and any previous infringements.

The three penalty tiers at a glance

Maximum (whichever is higher)For what (simplified)
up to €15,000,000 or 2.5% of worldwide annual turnoverInfringement of the essential requirements in Annex I and of the manufacturer obligations in Articles 13 and 14 (incl. vulnerability handling and reporting duties).
up to €10,000,000 or 2% of worldwide annual turnoverInfringement of other obligations – for example the duties of importers and distributors and conformity-related duties.
up to €5,000,000 or 1% of worldwide annual turnoverSupplying incorrect, incomplete or misleading information to notified bodies or market surveillance authorities.

Key point: The most serious infringements – against the product's own security requirements and against vulnerability handling and reporting – sit in the top tier. If you want to establish whether and how your product is affected at all, start with the applicability assessment.

Why this is not the GDPR

A common misconception is to transfer the figures familiar from the General Data Protection Regulation (up to €20m or 4% of group turnover) straight onto the CRA. That is wrong. The CRA has its own, lower ceiling: the top tier is €15m or 2.5%, not €20m or 4%. The percentage refers, as under the GDPR, to worldwide annual turnover, but the rates are markedly lower. Both regimes can apply side by side where a situation touches both product security and personal data – they do not replace one another.

Who enforces? The market surveillance authorities

Enforcement of the CRA rests with the Member States' market surveillance authorities. They monitor products with digital elements on the market, can request conformity evidence, technical documentation and information, order corrective measures up to withdrawal or recall, and impose fines. In Germany the concrete allocation of authority is a matter of national implementation. The practical consequence for companies: providing reliable, complete and correct information to these authorities is itself an obligation subject to penalties – the third tier (up to €5m / 1%) targets precisely incorrect or misleading statements.

Two important carve-outs

Microenterprises and small enterprises

A relief applies to microenterprises and small enterprises: they cannot be fined for missing the reporting deadlines under Article 14. The substantive reporting and security obligation remains in place – but missing the tight deadlines (24 hours / 72 hours / final report) does not trigger a fine for firms of that size. This reflects the limited resources of small providers without removing the obligation itself.

Open-source software stewards

The CRA recognises a distinct, lighter-touch role for open-source software stewards (Article 24). These are legal persons that systematically support the development of free and open-source software for commercial purposes without themselves being manufacturers. A regime with reduced obligations applies to them – and crucially, they are not subject to the administrative fines of Article 64. Individual, non-commercial open-source contributors fall outside the scope in any case. The underlying idea: someone who supports free software in a fostering role, without placing it on the market as a product in their own name, should not carry the full liability and penalty weight of a manufacturer.

Not just fines: the actual enforcement toolkit

The fines in Article 64 are only one part of the enforcement picture. Market surveillance authorities can additionally order a non-conforming product to be withdrawn from the market or recalled, restrict or prohibit its further distribution, and compel corrective measures. For most providers the threatened distribution halt or recall is the weightier commercial risk compared with the fine itself – it hits revenue directly and can entail reputational damage. The penalty tiers should therefore not be read in isolation but as part of this overall toolkit.

What does this mean for your preparation?

The penalty tiers reveal where the Regulation places its greatest weight: on the essential security requirements and on vulnerability handling and reporting. These are precisely the areas that need the longest organisational lead time. Because the obligations enter into application in a staggered manner and the penalties only bite once the respective obligation applies, it is worth looking at the CRA deadlines and timeline. Investing in conformity processes today reduces not only the fine risk but above all the risk of an ordered market withdrawal – which usually weighs more heavily in business terms than the fine itself.

  • Essential requirements (Annex I) and vulnerability handling/reporting (Art. 13/14) are the costliest infringements – start here.
  • Information to authorities must be correct and complete – that too is penalised.
  • Micro/small enterprises: no fine for missed Art. 14 deadlines, the obligation remains.
  • Open-source stewards: no administrative fines.

For an overview of the Regulation as a whole, see our introduction to the Cyber Resilience Act.

Frequently asked questions

How high can CRA fines go at most?
Under Article 64, up to €15,000,000 or 2.5% of the total worldwide annual turnover of the preceding financial year – whichever is higher. This is the top of three tiers and applies to infringements of the essential requirements (Annex I) and of Articles 13 and 14. It is a maximum, not a standard amount.
Are CRA fines as high as under the GDPR?
No. The top CRA tier is up to €15m or 2.5% of worldwide annual turnover, and thus lower than the GDPR ceiling of €20m or 4%. Both regimes can apply side by side, but they do not replace one another.
Are there exemptions for small companies?
Yes. Microenterprises and small enterprises cannot be fined for missing the reporting deadlines under Article 14. However, the reporting and security obligations themselves remain in place; only the missed deadline is not subject to a fine for these size classes.
Can open-source stewards be fined?
No. Open-source software stewards within the meaning of Article 24 are not subject to the administrative fines of Article 64. They carry a regime with reduced obligations. Individual, non-commercial open-source contributors fall outside the Regulation's scope in any case.
Who imposes the fines and when do they apply?
The Member States' market surveillance authorities enforce the Regulation and can impose fines. Because the CRA obligations enter into application in a staggered manner, the respective penalties only bite once the relevant obligation applies. A look at the CRA timeline helps place the relevant date.

Let's talk about your CRA readiness

Unsure which CRA obligations – and thus which penalty tier – apply to your product? Blackfort Technology frames your applicability in technical-organisational terms and prioritises the measures with the greatest risk leverage. Start with the applicability assessment.

Request a first call Check eligibility
The content on this website provides general technical and organizational information on the Cyber Resilience Act (Regulation (EU) 2024/2847) and does not constitute legal advice. Blackfort Technology provides technical/organizational IT-security and compliance consulting, not legal services.