Search every question across CRA sub-FAQs

Either can be involved.

Article 64(8) says Member States may structure the system so fines are imposed by competent national courts or by other bodies, as long as the national system has equivalent effect.

They can also be exposed.

Article 64(3) covers many obligations that apply beyond the manufacturer, including importer, distributor, authorised-representative, and notified-body obligations. The real question is not the actor's label but which CRA obligation that actor has breached.

Yes.

Article 64(9) expressly says administrative fines may be imposed in addition to other corrective or restrictive measures for the same infringement. In practice, that means a product can face recall, withdrawal, restrictions, or other corrective action as well as a fine.

It follows the CRA's staggered application dates.

The CRA generally applies from 11 December 2027. However, Article 14 applies earlier, from 11 September 2026, and Chapter IV on notified bodies applies from 11 June 2026. Penalty exposure follows the obligations that are already applicable.

No.

Beyond fines, the CRA also allows corrective and restrictive market-surveillance measures and applies the EU representative-actions regime to qualifying consumer cases.

No.

For the main CRA fine tiers, the Regulation sets the ceiling as the fixed euro amount or, if the offender is an undertaking, the stated percentage of total worldwide annual turnover for the preceding financial year, whichever is higher. So the percentage is not a softer optional substitute; it can raise the applicable maximum above the fixed euro cap.

The fixed euro ceiling applies, but the authority should also take account of that person's situation.

Recital 121 says that where administrative fines are imposed on a person that is not an undertaking, the competent authority should consider the general level of income in the Member State and the economic situation of that person when setting the amount.

No.

It is limited to failure to meet the 24-hour deadline for the early warning notification in Article 14(2)(a) or Article 14(4)(a). It does not create a general immunity for microenterprise or small-enterprise manufacturers from other Article 14 duties, from other CRA obligations, or from the separate fine tier for supplying incorrect, incomplete, or misleading information.

Yes, potentially.

The CRA itself requires Member States to lay down effective, proportionate, and dissuasive penalty rules, while fixing the main administrative-fine ceilings. The Blue Guide explains more generally for Union product law that national penalties may include criminal sanctions for serious infringements. So the CRA does not prevent Member States from adding criminal-law consequences in their national enforcement systems where national law provides for them.

Yes, at recital level.

Recital 122 says Member States should examine, taking national circumstances into account, the possibility of using revenues from CRA penalties, or their financial equivalent, to support cybersecurity policies and raise the level of cybersecurity in the Union, including through skills, SME capacity building, and public awareness.

Not expressly in the regulation text.

The CRA itself requires manufacturers to document and assess the conformity of the relevant product with digital elements. The more specific idea that similar variants, models, or configurations can in some cases be handled together as a product family is explained in the Commission's March 2026 draft guidance.

Where the variants are similar in the ways that matter for cybersecurity.

The draft guidance says reuse is possible where products in the same family share the same architecture, security-relevant design, and intended purpose, and are exposed to the same cybersecurity risks. In that case, the manufacturer may rely on a single cybersecurity risk assessment, a single set of technical documentation, and a single conformity assessment, as long as all variants are adequately covered.

The decisive test is whether the differences between the variants are relevant to cybersecurity.

The guidance makes clear that commercial similarity alone is not enough. The question is whether the differences affect cybersecurity properties, exposure to threats, or the way the essential cybersecurity requirements are implemented.

Differences that do not affect cybersecurity properties usually do not require separate risk assessments or separate conformity assessments.

The draft guidance gives examples such as:

- physical housing

- colour

- form factor

- memory size

- other characteristics that are not security-relevant

Differences that change the cybersecurity profile usually do.

The draft guidance gives examples such as different communication interfaces, software stacks, update mechanisms, or remote connectivity. Those differences can affect threat exposure or the implementation of the essential requirements, so they must be reflected in the risk assessment and, where necessary, in the conformity assessment and technical documentation.

Yes, where the variants are based on the same design and share the same risk profile.

The March 2026 draft guidance says manufacturers are not expected to provide test evidence for every variant in that situation. It gives that clarification especially for products designed before the CRA applies, but the logic is tied to the shared design and shared risk profile rather than to a purely commercial grouping.

No.

Even where documentation is reused across a family, the CRA still requires product identification and traceability. Annex VII requires information enabling unique identification, Annex V requires the declaration's object to identify the product, and Annex VIII requires the declaration to identify the relevant product or product model. The Commission FAQ also says technical documentation must reflect redesigns, changes, and how versions can be identified.

No.

Where a new variant introduces new cybersecurity risks or changes how the essential cybersecurity requirements are implemented, the existing risk assessment and conformity documentation must be updated. The CRA itself also requires the technical documentation to be kept up to date.

Yes, but the RDPS still needs to be declared in each affected product's technical documentation.

The March 2026 draft guidance says documentation concerning the same RDPS can be reused across product conformity assessments, but each product's documentation must still indicate that the product has RDPS or relies on relevant third-party cloud solutions and must describe them.

No.

The family concept is about reusing assessment and documentation where that is justified. Product-law concepts like placing on the market still apply to each individual product. The CRA and the Blue Guide both treat placing on the market and compliance timing at the level of the individual product, not just the type or family.