EuroComply

How much can my company be fined under CRA?

CRA carries penalties of up to €15M or 2.5% of global turnover. This page breaks down every fine tier by article, explains who is at risk, and shows live enforcement examples.

Maximum fine

€15M

or 2.5% of global turnover — whichever is higher

Source: Regulation (EU) 2024/2847

How CRA penalties work

The Cyber Resilience Act (Article 64) creates a two-tier penalty structure for manufacturers of products with digital elements. The upper tier — up to €15M or 2.5% of global annual turnover — applies to violations of essential cybersecurity requirements. The lower tier — €10M or 2% — covers procedural violations such as technical documentation failures or non-cooperation with market surveillance authorities.

Fine tiers by article

Art. 64(2)

Violations of the essential cybersecurity requirements (Annex I) and of the SBOM and vulnerability-handling obligations

€15,000,000

or 2.5% of global turnover

Applies to:

  • Products placed on market without meeting Annex I essential cybersecurity requirements
  • Failure to provide security updates for the product's support lifetime
  • Failure to report actively exploited vulnerabilities to ENISA within 24 hours
  • No Software Bill of Materials (SBOM) provided
EUR-Lex — Art. 64(2)

Art. 64(3)

Procedural violations: technical documentation, CE marking, conformity assessment failures

€10,000,000

or 2% of global turnover

Applies to:

  • Failure to maintain or provide technical documentation (Art. 31)
  • Incorrect or fraudulent CE marking
  • Failure to conduct required conformity assessment
  • Non-cooperation with market surveillance authorities
EUR-Lex — Art. 64(3)

Stacked exposure with other EU regulations

CRA fines can stack with AI Act fines for AI-integrated products, and with GDPR where cybersecurity failures result in a personal data breach. For example, a connected device manufacturer facing a CRA violation for missing security updates could also face GDPR fines if user data is compromised.


Frequently asked questions

What is the maximum Cyber Resilience Act fine?

The maximum CRA fine is €15,000,000 or 2.5% of global annual turnover — whichever is higher — for violations of essential cybersecurity requirements under Annex I of the Regulation.

When do CRA penalties apply?

CRA vulnerability and incident reporting obligations apply from 11 September 2026. All other CRA obligations, including essential cybersecurity requirements, apply from 11 December 2027.

Does the CRA apply to open-source software?

Open-source software developed or distributed in a commercial context is in scope. Software developed entirely without commercial intent and provided free of charge is generally outside the CRA's scope, subject to Article 16 conditions.

What is your stacked fine exposure across all EU regulations?

Calculate your combined risk across CRA, GDPR, NIS2, AI Act, DORA, and more — free, no signup.


For informational purposes only. This is not legal advice — consult qualified legal counsel for advice specific to your situation.
