EU Cyber Resilience Act penalties and fines FAQ

Both. Article 64 requires Member States to lay down penalty rules and take the measures needed to implement them. Those penalties must be effective, proportionate, and dissuasive.

At the same time, Article 64 sets the main administrative-fine ceilings. Member States therefore design the national enforcement system, but they do so within the CRA's EU-level maximum fine structure.

The highest cap applies to non-compliance with the essential cybersecurity requirements in Annex I and with manufacturer obligations in Articles 13 and 14.

The maximum is up to EUR 15,000,000 or, for an undertaking, up to 2.5% of total worldwide annual turnover for the preceding financial year, whichever is higher.

Article 64(3) covers a wide set of CRA obligations beyond the manufacturer core: authorised representatives, importers, distributors, simplified technical documentation for micro and small enterprises, EU declarations of conformity, CE marking, notified bodies, notification obligations, and market-surveillance cooperation.

The maximum is up to EUR 10,000,000 or, for an undertaking, up to 2% of total worldwide annual turnover for the preceding financial year, whichever is higher.

Supplying incorrect, incomplete, or misleading information to a notified body or market-surveillance authority in reply to a request has its own Article 64 tier.

The maximum is up to EUR 5,000,000 or, for an undertaking, up to 1% of total worldwide annual turnover for the preceding financial year, whichever is higher.

No. For undertakings, the CRA ceiling is the fixed euro amount or the stated percentage of total worldwide annual turnover for the preceding financial year, whichever is higher.

That means the percentage can raise the applicable maximum above the euro figure for a large undertaking.

No. Article 64 sets maximum ceilings, not automatic fine amounts.

For each case, the authority must consider all relevant circumstances, including the nature, gravity, duration, and consequences of the infringement; whether the same or another market-surveillance authority already fined the same economic operator for a similar infringement; and the operator's size and market share, including whether it is a microenterprise, SME, or start-up.

The CRA does not create a single EU one-stop-shop for penalties. Market-surveillance authorities can apply administrative fines under their national systems.

However, Article 64 requires earlier fines by the same or other market-surveillance authorities for a similar infringement to be considered. Authorities that apply fines must communicate that through the EU market-surveillance information and communication system. Recital 120 also stresses proportionality where several Member States act against the same economic operator for the same type of infringement.

Manufacturers face the highest exposure because Article 64(2) covers Annex I and Articles 13 and 14. Other economic operators can also be exposed where the breached provision applies to them.

Article 64(3) expressly covers obligations in Articles 18 to 23, which include authorised representatives, importers, distributors, and cases where importers or distributors become subject to manufacturer obligations. It also covers specified notified-body and market-surveillance provisions.

Yes. Article 64(9) says administrative fines may be imposed, depending on the circumstances of the case, in addition to corrective or restrictive measures for the same infringement.

That means fine exposure should be assessed separately from product restrictions, withdrawals, recalls, and other market-surveillance outcomes.

Article 14 reporting obligations are in the highest Article 64(2) tier. Manufacturers must notify actively exploited vulnerabilities and severe incidents through the single reporting platform, with an early warning within 24 hours after becoming aware, a follow-up notification within 72 hours, and later final reporting.

For severe incidents, the final report is due within one month after the incident notification. For actively exploited vulnerabilities, the final report is due no later than 14 days after a corrective or mitigating measure is available.

No. The carve-out is narrow.

After the 2 July 2025 corrigendum, Article 64(10)(a) derogates from paragraphs 2 to 9 only for manufacturers that qualify as microenterprises or small enterprises, and only for failure to meet the 24-hour early-warning deadline in Article 14(2)(a) or Article 14(4)(a). It is not a general exemption from CRA obligations, not an SME-wide exemption, and not a shield for other reporting failures.

Article 64(10)(b), as corrected by the 2 July 2025 corrigendum, excludes open-source software stewards from the administrative fines referred to in Article 64(2) to (9) for infringements of the CRA.

That does not put stewards outside supervision. Article 24 gives stewards documented cybersecurity-policy, cooperation, and limited reporting duties. Article 52(3) makes market-surveillance authorities responsible for steward obligations and lets them require appropriate corrective action.

Recital 120 says Member States should not impose other kinds of penalties with a pecuniary character on the entities covered by those Article 64 carve-outs.

For micro and small manufacturers, that recital statement is tied to the 24-hour early-warning deadline failure. For open-source software stewards, it is tied to their exclusion from Article 64 administrative fines, while corrective action under Article 52(3) can still apply.

That is left to national law. Article 64(7) says each Member State must lay down rules on whether, and to what extent, administrative fines may be imposed on public authorities and public bodies established in that Member State.

For persons that are not undertakings, Recital 121 says authorities should consider the general income level in the Member State and the person's economic situation when setting a fine.

The answer depends on each Member State's legal system. Article 64(8) allows fines to be imposed by competent national courts or by other bodies according to national competences, provided the application of the rules has equivalent effect.

For compliance planning, this means Article 64 gives the ceiling and required effect, while the enforcement body, procedure, appeal path, and national penalty mechanics must be checked Member State by Member State.

Penalty exposure follows the CRA obligations that are already applicable. The Regulation generally applies from 11 December 2027.

Article 14 reporting obligations apply earlier, from 11 September 2026, and Chapter IV on notified bodies applies from 11 June 2026. Article 69(3) also says Article 14 applies to in-scope products placed on the market before 11 December 2027.

Only at recital level. Recital 122 says Member States should examine, taking national circumstances into account, whether penalty revenues or their financial equivalent can support cybersecurity policies and increase cybersecurity in the Union.

The recital gives examples such as more qualified cybersecurity professionals, capacity building for microenterprises and SMEs, and public awareness of cyber threats. It does not create a fixed revenue allocation rule.