What are the Cyber Resilience Act penalties?
Direct answer
Breaches of the essential requirements or manufacturer obligations carry fines of up to EUR 15 million or 2.5 % of total worldwide annual turnover, whichever is higher. Lower ceilings apply to other infringements and to supplying incorrect information. Open-source software stewards are exempt from administrative fines under Article 64.
Key Facts
- Top tier: EUR 15 million or 2.5 % of total worldwide annual turnover — breaches of essential requirements (Annex I) or obligations under Articles 13 and 14 (including reporting duties) (Art. 64).
- Mid tier: EUR 10 million or 2 % — other obligations not covered by the top tier.
- Lower tier: EUR 5 million or 1 % — incorrect, incomplete or misleading information supplied to authorities.
- "Total worldwide annual turnover" can include parent group revenue.
- Enforcement by national market surveillance authorities (Regulation (EU) 2019/1020).
- Open-source software stewards are exempt from administrative fines (Art. 64(10)).
- Micro and small enterprises are exempt from fines for missing the 24-hour early warning deadline; all other obligations remain.
The CRA sets a tiered penalty structure (Art. 64), with the ceiling determined by turnover or a fixed cap, whichever is higher: | Infringement | Fine ceiling | |---|---| | Breach of essential requirements (Annex I) or obligations under Articles 13 and 14 | EUR 15 million or 2.5 % of total worldwide annual turnover | | Breach of other obligations | EUR 10 million or 2 % of total worldwide annual turnover | | Supplying incorrect, incomplete or misleading information | EUR 5 million or 1 % of total worldwide annual turnover | The "total worldwide annual turnover" basis means that a subsidiary's fine can be calculated on the parent group's revenue, not only the entity that placed the non-compliant product on the market. Enforcement is carried out by national market surveillance authorities under Regulation (EU) 2019/1020. They can order corrective measures, restrict or prohibit a product, require a recall, and impose fines. The Commission can also request corrective action directly on products that present a serious risk. Two carve-outs apply: open-source software stewards are explicitly exempt from administrative fines under Article 64(10); and micro and small enterprises are exempt from fines for missing the 24-hour early warning deadline, though all substantive obligations -- including the 72-hour notification and the final report -- continue to apply to them.
Regulatory References