What are the key CRA obligations for EU businesses?

Implement security by design. Provide security updates for product lifetime. Report actively exploited vulnerabilities. Maintain technical documentation. Conduct conformity assessment.

What is the maximum fine for CRA non-compliance?

The maximum fine under CRA is €15M or 2.5% of global turnover.

When does CRA apply or what is the enforcement deadline?

CRA deadline: December 11, 2027.

Which sectors does CRA affect?

CRA applies to: Software, IoT, Hardware, Connected Devices.

Cyber Resilience Act

The CRA establishes cybersecurity requirements for products with digital elements sold in the EU. Manufacturers must ensure security by design and provide vulnerability handling.

What does CRA require and when does it apply?

CRA applies to Software and IoT organisations across all EU member states. The key deadline is December 11, 2027. Non-compliance carries a maximum penalty of €15M or 2.5% of global turnover. Core obligations include implement security by design and provide security updates for product lifetime.

Implement security by design
Provide security updates for product lifetime
Report actively exploited vulnerabilities
Maintain technical documentation
Conduct conformity assessment

Deadline	December 11, 2027
Max fine	€15M or 2.5% of global turnover
Primary sectors	Software, IoT, Hardware

Source: Official Journal of the EU — Cyber Resilience ActReviewed: 2026-05-01

TL;DR

CRA: €15M or 2.5% of global turnover max fine

CRA applies to Software and IoT organisations in all EU member states. Key deadline: December 11, 2027.

Source: Official Journal of the European Union — Cyber Resilience Act

Deadline

December 11, 2027

Max Fine

€15M or 2.5% of global turnover

Sectors Affected

Software, IoT, Hardware

€15Mmaximum fine

The highest penalty for non-compliance with CRA in the EU.

EU Official Journal

How do I comply with CRA?

Implement security by design
Provide security updates for product lifetime
Report actively exploited vulnerabilities
Maintain technical documentation
Conduct conformity assessment

Does CRA apply to your business?

Find out in 2 minutes with our free regulation checker.

Check now — free

Related Regulations

AI Act

The EU AI Act classifies AI systems by risk level and imposes obligations on providers and deployers. High-risk systems face mandatory conformity assessments, documentation, and human oversight requirements.

GDPR

GDPR governs the processing of personal data of EU residents. It requires lawful basis for processing, data subject rights, breach notification, and accountability measures.

NIS2

NIS2 expands cybersecurity obligations to essential and important entities across critical sectors. It mandates risk management, incident reporting, and supply chain security.

Next step — classify

Classify your AI systems

Use the free regulation checker to find out exactly which CRA obligations apply to your business in 2 minutes.