
How much can my company be fined under CRA?

CRA carries penalties of up to €15M or 2.5% of global turnover. This page breaks down every fine tier by article, explains who is at risk, and shows live enforcement examples.

The Cyber Resilience Act (CRA) establishes mandatory cybersecurity requirements for connected products and software, with enforcement beginning January 1, 2027. Maximum fines reach €15 million or 2.5% of global turnover for serious violations.

Regulation: Regulation (EU) 2024/2847 — Cyber Resilience Act
Entry into force: January 1, 2025
Enforcement begins: January 1, 2027
Maximum fine: €15 million or 2.5% of global turnover
Scope: All products with digital elements sold in the EU (hardware, software, IoT, cloud)

Common Questions

What products are covered by the CRA?
The CRA applies to any product with digital elements sold in the EU: IoT devices (smart home, industrial IoT), mobile apps, cloud services, network devices (routers, firewalls), embedded software, connected vehicles, and security software.
What are the core CRA requirements?
Manufacturers must: implement security by design and by default, provide security updates for a defined period, report actively exploited vulnerabilities to ENISA and affected parties, maintain technical documentation, conduct conformity assessment, and affix the CE mark.
How long must CRA security updates be provided?
The duration depends on the product type: longer-lifecycle products (e.g., industrial IoT) require extended support; shorter-lifecycle products (e.g., mobile apps) require a minimum of 5 years or the expected product lifetime, whichever is shorter. High-risk products require longer support periods.
What is a "security vulnerability" requiring disclosure under the CRA?
The CRA defines a vulnerability as a weakness that can be exploited to compromise confidentiality, integrity, or availability. "Actively exploited" vulnerabilities are those with known public exploits or confirmed attacks. These must be disclosed within 90 days of discovery.
Can small manufacturers get relief from CRA compliance?
The CRA applies equally to all manufacturers. However, ENISA provides guidance tailored to different organization sizes, and some member states may offer technical assistance for SMEs. No blanket exemptions exist.
When do CRA penalties begin?
Penalties are enforceable from January 1, 2027. The 24-month transition period (Jan 2025–Dec 2026) is a grace period for manufacturers to implement compliance controls and conduct conformity assessments.

Maximum fine: €15M or 2.5% of global turnover — whichever is higher

Source: Regulation (EU) 2024/2847

How CRA penalties work

The Cyber Resilience Act (Article 64) creates a two-tier penalty structure for manufacturers of products with digital elements. The upper tier — up to €15M or 2.5% of global annual turnover — applies to violations of essential cybersecurity requirements. The lower tier — €10M or 2% — covers procedural violations such as technical documentation failures or non-cooperation with market surveillance authorities.

Fine tiers by article

Art. 64(2): Violations of the essential cybersecurity requirements (Annex I), including SBOM and vulnerability-handling obligations

Fine: €15,000,000 or 2.5% of global turnover

Applies to:

  • Products placed on the market without meeting the Annex I essential cybersecurity requirements
  • Failure to provide security updates for the product's support lifetime
  • Failure to report actively exploited vulnerabilities to ENISA within 24 hours
  • No Software Bill of Materials (SBOM) provided

Source: EUR-Lex — Art. 64(2)

Art. 64(3): Procedural violations: technical documentation, CE marking, conformity assessment failures

Fine: €10,000,000 or 2% of global turnover

Applies to:

  • Failure to maintain or provide technical documentation (Art. 31)
  • Incorrect or fraudulent CE marking
  • Failure to conduct the required conformity assessment
  • Non-cooperation with market surveillance authorities

Source: EUR-Lex — Art. 64(3)

Stacked exposure with other EU regulations

CRA fines can stack with AI Act fines for AI-integrated products, and with GDPR where cybersecurity failures result in a personal data breach. For example, a connected device manufacturer facing a CRA violation for missing security updates could also face GDPR fines if user data is compromised.


Frequently asked questions

What is the maximum Cyber Resilience Act fine?

The maximum CRA fine is €15,000,000 or 2.5% of global annual turnover — whichever is higher — for violations of essential cybersecurity requirements under Annex I of the Regulation.

When do CRA penalties apply?

CRA vulnerability and incident reporting obligations apply from 11 September 2026. All other CRA obligations, including essential cybersecurity requirements, apply from 11 December 2027.

Does the CRA apply to open-source software?

Open-source software developed or distributed in a commercial context is in scope. Software developed entirely without commercial intent and provided free of charge is generally outside the CRA's scope, subject to Article 16 conditions.


For informational purposes only. This is not legal advice — consult qualified legal counsel for advice specific to your situation.
