What are the Cyber Resilience Act penalties?

Alexis Hirschhorn· CEO, Acuna16 July 2026

Direct answer

Breaches of the essential requirements or manufacturer obligations carry fines of up to EUR 15 million or 2.5 % of total worldwide annual turnover, whichever is higher. Lower ceilings apply to other infringements and to supplying incorrect information. Open-source software stewards are exempt from administrative fines under Article 64.

Key Facts

  • Top tier: EUR 15 million or 2.5 % of total worldwide annual turnover — breaches of essential requirements (Annex I) or obligations under Articles 13 and 14 (including reporting duties) (Art. 64).
  • Mid tier: EUR 10 million or 2 % — other obligations not covered by the top tier.
  • Lower tier: EUR 5 million or 1 % — incorrect, incomplete or misleading information supplied to authorities.
  • "Total worldwide annual turnover" can include parent group revenue.
  • Enforcement by national market surveillance authorities (Regulation (EU) 2019/1020).
  • Open-source software stewards are exempt from administrative fines (Art. 64(10)).
  • Micro and small enterprises are exempt from fines for missing the 24-hour early warning deadline; all other obligations remain.

The CRA sets a tiered penalty structure (Art. 64), with the ceiling determined by turnover or a fixed cap, whichever is higher: | Infringement | Fine ceiling | |---|---| | Breach of essential requirements (Annex I) or obligations under Articles 13 and 14 | EUR 15 million or 2.5 % of total worldwide annual turnover | | Breach of other obligations | EUR 10 million or 2 % of total worldwide annual turnover | | Supplying incorrect, incomplete or misleading information | EUR 5 million or 1 % of total worldwide annual turnover | The "total worldwide annual turnover" basis means that a subsidiary's fine can be calculated on the parent group's revenue, not only the entity that placed the non-compliant product on the market. Enforcement is carried out by national market surveillance authorities under Regulation (EU) 2019/1020. They can order corrective measures, restrict or prohibit a product, require a recall, and impose fines. The Commission can also request corrective action directly on products that present a serious risk. Two carve-outs apply: open-source software stewards are explicitly exempt from administrative fines under Article 64(10); and micro and small enterprises are exempt from fines for missing the 24-hour early warning deadline, though all substantive obligations -- including the 72-hour notification and the final report -- continue to apply to them.

What's next

See how Acuna handles this