EU Cyber Resilience Act FAQ Penalties and Fines

It does both.

Article 64 requires each Member State to lay down and enforce penalty rules, but the CRA itself also fixes the main administrative-fine categories and maximum ceilings. National law still determines the detailed enforcement setup, provided the penalties are effective, proportionate, and dissuasive.

No.

The CRA harmonises the main fine tiers and maximum caps, but not every procedural and institutional detail. Member States still decide how penalties are implemented in national law, who imposes them, and whether public bodies can be fined.

The highest fine tier applies to:

- non-compliance with the essential cybersecurity requirements in Annex I

- non-compliance with the obligations in Articles 13 and 14

The maximum is EUR 15,000,000 or, if the offender is an undertaking, 2.5% of total worldwide annual turnover for the preceding financial year, whichever is higher.

The middle tier covers a broad set of obligations for economic operators, conformity assessment, notified bodies, and authority access. Article 64(3) lists the relevant provisions directly, including Articles 18 to 23, Article 28, Article 30(1) to (4), Article 31(1) to (4), Article 32(1) to (3), Article 33(5), and Articles 39, 41, 47, 49 and 53.

The maximum is EUR 10,000,000 or, if the offender is an undertaking, 2% of total worldwide annual turnover for the preceding financial year, whichever is higher.

Supplying incorrect, incomplete, or misleading information in reply to a request from a notified body or a market-surveillance authority can lead to fines of up to EUR 5,000,000 or, if the offender is an undertaking, 1% of total worldwide annual turnover for the preceding financial year, whichever is higher.

No.

The CRA sets maximum ceilings, not automatic penalty amounts. The final amount in an individual case depends on the national system and the case-specific factors in Article 64(5).

Article 64(5) says authorities must take all relevant circumstances into account and give due regard at least to:

- the nature, gravity, duration, and consequences of the infringement

- whether similar fines have already been applied by the same or other market-surveillance authorities to the same operator

- the size and market share of the operator, including whether it is a microenterprise, SME, or start-up

Potentially yes, but not without limits.

Article 64(5)(b) requires authorities to take earlier fines by the same or other market-surveillance authorities into account, and Article 64(6) requires authorities that apply fines to communicate that through the Union information system. Recital 120 adds that cumulative fines across several Member States for the same type of infringement must still respect proportionality.

No.

The derogation is narrow. As corrected by the 2 July 2025 corrigendum, Article 64(10)(a) removes the Article 64(2) to (9) administrative-fine regime only for manufacturers that qualify as microenterprises or small enterprises, and only with regard to a failure to meet the 24-hour deadline in Article 14(2)(a) or Article 14(4)(a).

That is not a general exemption from CRA penalties or from other CRA obligations.

The CRA recital points the other way.

Recital 120 says that, given the Article 64 carve-out for microenterprises and small enterprises for that 24-hour reporting deadline failure, Member States should not impose other kinds of penalties with pecuniary character on those entities for that situation.

No, not under the Article 64 administrative-fine regime.

As corrected by the 2 July 2025 corrigendum, Article 64(10)(b) removes the administrative fines referred to in Article 64(2) to (9) for infringements of the CRA by open-source software stewards.

No.

Article 52(3) still makes market-surveillance authorities responsible for supervising steward obligations under Article 24 and for requiring corrective action where a steward does not comply. Recital 120 also says Member States should not replace the exempted administrative fines with other pecuniary penalties for stewards.

That depends on national law.

Article 64(7) says each Member State must decide whether, and to what extent, administrative fines may be imposed on public authorities and public bodies established in that Member State. Recital 121 points the same way.

Either can be involved.

Article 64(8) says Member States may structure the system so fines are imposed by competent national courts or by other bodies, as long as the national system has equivalent effect.

They can also be exposed.

Article 64(3) covers many obligations that apply beyond the manufacturer, including importer, distributor, authorised-representative, and notified-body obligations. The real question is not the actor's label but which CRA obligation that actor has breached.

Yes.

Article 64(9) expressly says administrative fines may be imposed in addition to other corrective or restrictive measures for the same infringement. In practice, that means a product can face recall, withdrawal, restrictions, or other corrective action as well as a fine.

It follows the CRA's staggered application dates.

The CRA generally applies from 11 December 2027. However, Article 14 applies earlier, from 11 September 2026, and Chapter IV on notified bodies applies from 11 June 2026. Penalty exposure follows the obligations that are already applicable.

No.

Beyond fines, the CRA also allows corrective and restrictive market-surveillance measures and applies the EU representative-actions regime to qualifying consumer cases.

No.

For the main CRA fine tiers, the Regulation sets the ceiling as the fixed euro amount or, if the offender is an undertaking, the stated percentage of total worldwide annual turnover for the preceding financial year, whichever is higher. So the percentage is not a softer optional substitute; it can raise the applicable maximum above the fixed euro cap.

The fixed euro ceiling applies, but the authority should also take account of that person's situation.

Recital 121 says that where administrative fines are imposed on a person that is not an undertaking, the competent authority should consider the general level of income in the Member State and the economic situation of that person when setting the amount.

No.

It is limited to failure to meet the 24-hour deadline for the early warning notification in Article 14(2)(a) or Article 14(4)(a). It does not create a general immunity for microenterprise or small-enterprise manufacturers from other Article 14 duties, from other CRA obligations, or from the separate fine tier for supplying incorrect, incomplete, or misleading information.

Yes, potentially.

The CRA itself requires Member States to lay down effective, proportionate, and dissuasive penalty rules, while fixing the main administrative-fine ceilings. The Blue Guide explains more generally for Union product law that national penalties may include criminal sanctions for serious infringements. So the CRA does not prevent Member States from adding criminal-law consequences in their national enforcement systems where national law provides for them.

Yes, at recital level.

Recital 122 says Member States should examine, taking national circumstances into account, the possibility of using revenues from CRA penalties, or their financial equivalent, to support cybersecurity policies and raise the level of cybersecurity in the Union, including through skills, SME capacity building, and public awareness.