Artifact GuideEU

Cyber Resilience Act penalties and fines

Article 64 sets EU-level administrative fine ceilings, while Member States lay down and implement the national penalty rules.

Use this page to separate the CRA fine caps from corrective market-surveillance measures, reporting duties, and narrow derogations.

Back to main artifactReview sources
Author
Sorena AI
Published
Mar 4, 2026
Updated
May 25, 2026
Sections
6

Structured answer sets in this page tree.

Primary sources
2

Cited legal and guidance references.

Publication metadata
Sorena AI
Published Mar 4, 2026
Updated May 25, 2026
Overview

The Cyber Resilience Act does not leave penalty exposure entirely to national law. Article 64 requires Member States to create effective, proportionate, and dissuasive penalty rules, but it also fixes the main administrative fine ceilings for specific CRA infringements. The ceiling depends on the breached obligation, and for undertakings the turnover percentage is compared with the fixed euro amount.

Section 1

Article 64 fine ceilings

Article 64 sets maximum administrative fine levels rather than automatic fine amounts. For undertakings, each tier uses the higher of the fixed euro ceiling or the stated percentage of total worldwide annual turnover for the preceding financial year.

The highest tier is tied to the core product-security and manufacturer/reporting duties. The middle tier covers several other economic-operator, conformity-assessment, notified-body, and authority-access obligations. A separate tier covers misleading or incomplete responses to official requests.

  • Up to EUR 15,000,000 or 2.5% of worldwide annual turnover for non-compliance with Annex I essential cybersecurity requirements and Articles 13 and 14.
  • Up to EUR 10,000,000 or 2% of worldwide annual turnover for non-compliance with Articles 18 to 23, Article 28, Article 30(1) to (4), Article 31(1) to (4), Article 32(1) to (3), Article 33(5), and Articles 39, 41, 47, 49, and 53.
  • Up to EUR 5,000,000 or 1% of worldwide annual turnover for supplying incorrect, incomplete, or misleading information to notified bodies or market-surveillance authorities in reply to a request.
Section 2

Obligations behind the highest tier

The EUR 15,000,000 or 2.5% ceiling is not a generic cybersecurity penalty. It is linked to Annex I and to Articles 13 and 14, so it reaches product design, vulnerability handling, manufacturer documentation, support-period decisions, user information, and incident or vulnerability reporting.

For a product team, the highest-risk evidence gaps are usually the ones that make it hard to show how the product met Annex I at market placement, how vulnerabilities were handled during the support period, and how Article 14 notifications were assessed and submitted.

  • Annex I: essential cybersecurity requirements for product properties and vulnerability handling.
  • Article 13: manufacturer obligations, including cybersecurity risk assessment, documentation, support-period logic, vulnerability processes, technical documentation, EU declaration of conformity, CE marking, and user information.
  • Article 14: reporting of actively exploited vulnerabilities and severe incidents having an impact on product security.
Section 3

Member State penalty rules and fine amounts

Member States must lay down the penalty rules and make sure they are implemented. That means national law still determines the institutional and procedural setup, including whether courts or other national bodies impose the fines.

Article 64 does not set an automatic amount for a given defect. Authorities must consider all relevant circumstances in the specific case, including the nature, gravity, duration, and consequences of the infringement, previous similar administrative fines against the same operator, and the operator's size and market share.

  • Public authorities and public bodies are handled by national rules on whether and to what extent administrative fines can be imposed on them.
  • Where several market-surveillance authorities are involved, earlier similar fines must be considered and applied fines are communicated through the Union market-surveillance information system.
  • Microenterprises, small and medium-sized enterprises, and start-ups are expressly relevant to proportionality when the amount is set.
Section 4

Market-surveillance consequences beyond fines

CRA enforcement is not limited to money penalties. Market-surveillance authorities can evaluate products with digital elements where there is sufficient reason to consider that the product, including its vulnerability handling, presents a significant cybersecurity risk.

If the authority finds non-compliance, it can require corrective action, withdrawal, or recall. If adequate corrective action is not taken, it can prohibit, restrict, withdraw, or recall the product from the national market. Article 64 also allows administrative fines to be imposed in addition to corrective or restrictive measures for the same infringement.

  • Article 53 access requests can cover data needed to assess design, development, production, and vulnerability handling, including related internal documentation.
  • Article 54 procedures can lead to corrective action, withdrawal, recall, or provisional restrictions for products presenting a significant cybersecurity risk.
  • Article 58 formal non-compliance covers issues such as missing or incorrect CE marking, missing or incorrect EU declaration of conformity, missing notified-body identification where required, and unavailable or incomplete technical documentation.
Section 5

Narrow derogations and what not to assume

Article 64 includes narrow derogations. The corrected CRA text excludes Article 64 administrative fines for microenterprise and small-enterprise manufacturers only for failure to meet the 24-hour early-warning deadline in Article 14(2)(a) or Article 14(4)(a). It also excludes Article 64 administrative fines for infringements by open-source software stewards.

Those derogations should not be read as a general exclusion from CRA supervision. Market-surveillance authorities remain responsible for CRA market surveillance, including supervision of open-source software steward obligations and corrective action where those obligations are not met.

  • Do not treat the micro or small enterprise derogation as a blanket exemption from Article 14 or other CRA duties.
  • Do not treat the steward derogation as permission to ignore Article 24 obligations or market-surveillance corrective action.
  • Do not invent national fine schedules before the relevant Member State has implemented and published its penalty rules.
Section 6

Evidence to prepare before an authority asks

The CRA source text does not say that keeping evidence prevents a fine. It does, however, make documentation, cooperation, authority access, and case-specific circumstances central to enforcement.

The useful preparation is therefore concrete: keep records that connect the product, the breached or satisfied obligation, the support-period and vulnerability-handling process, the authority request, and any corrective action taken.

  • Annex I traceability: cybersecurity risk assessment, essential-requirement mapping, test evidence, and vulnerability-handling records.
  • Article 13 records: technical documentation, EU declaration of conformity history, CE-marking basis, support-period rationale, user information, contact point, and update availability records.
  • Article 14 records: awareness timestamps, vulnerability or incident classification, notification submissions, user communications, remediation decisions, and follow-up actions.
  • Authority-response records: copies of requests, supplied information, internal documentation reviewed, translations if needed, and checks that responses were complete and not misleading.
Recommended next step

Check CRA penalty exposure against product and reporting evidence

Use Research Copilot to review which CRA obligations are implicated by a product issue, authority request, vulnerability report, or incident timeline, with citations back to the source text.

Research workflow
Open Research Copilot

Ask cited questions about Article 64, market-surveillance measures, and the records needed for a specific CRA issue.

Explore next step
Talk to Sorena
Discuss CRA enforcement readiness

Review product-security, vulnerability-handling, reporting, and authority-response evidence for products with digital elements.

Explore next step
Primary sources

References and citations

Cyber Resilience Act corrigendum of 2 July 2025
eur-lex.europa.eu
Referenced sections
  • Supports the corrected reading of the Article 64(10) derogations for microenterprise and small-enterprise manufacturers and open-source software stewards.
"Article 64(10)"
Regulation (EU) 2024/2847, Cyber Resilience Act
data.europa.eu
Referenced sections
  • Supports the Article 64 fine ceilings, Member State penalty-rule requirement, fine-setting factors, market-surveillance measures, authority access to documentation, and representative-action context.
"effective, proportionate and dissuasive"
Related guides

Explore more topics

CRA Applicability Test for Products With Digital Elements
Check whether the EU Cyber Resilience Act applies to a hardware, software, firmware, open-source, or connected product before conformity planning.
CRA Article 14 Reporting Obligations for Vulnerabilities and Incidents
Article 14 guide to CRA reports for actively exploited vulnerabilities and severe product-security incidents, including deadlines, CSIRT routing, users, and evidence.
CRA Blue Guide Concepts FAQ | Placing on the Market, Making Available, Distance Sales
CRA FAQ explaining Blue Guide market-access concepts for products with digital elements: placing on the market, making available, imports, CE marking, operator roles, online sales, stock, and testing exceptions.
CRA CE Marking FAQ | Conformity Assessment, EU Declaration, Evidence
Practical CRA CE marking answers for products with digital elements: conformity assessment, EU declaration, technical documentation, standards, software placement, and launch evidence.
CRA Component Due Diligence FAQ | Third-Party Software, FOSS, SBOMs
Cyber Resilience Act FAQ on manufacturer due diligence for integrated components, third-party software, FOSS dependencies, SBOMs, vulnerability handling, and evidence records.
CRA Conformity Assessment and CE Marking
How to choose a Cyber Resilience Act conformity route, prepare technical documentation, issue the EU declaration of conformity, and affix CE marking.
CRA Conformity Assessment Routes FAQ | Module A, Module B+C, Module H, Important and Critical Products
Cyber Resilience Act FAQ on when manufacturers can use module A, when module B+C or module H is required, and how important and critical products affect the route.
CRA Cybersecurity Risk Assessment FAQ | Article 13, Annex I, Updates
CRA FAQ on Article 13 cybersecurity risk assessments, Annex I applicability, intended purpose, foreseeable use, technical documentation, and update evidence.
CRA deadlines and compliance calendar | EU Cyber Resilience Act
Track the Cyber Resilience Act entry into force, staged application dates, Article 14 reporting deadlines, transitional rules, and review dates.
CRA Declaration of Conformity FAQ | Annex V, Simplified Declaration, CE Marking
FAQ on the Cyber Resilience Act EU Declaration of Conformity: Annex V contents, simplified Annex VI wording, CE marking link, technical documentation, retention, updates, and operator duties.
CRA Economic Operators FAQ | Manufacturers, Importers, Distributors, Authorised Representatives
CRA FAQ on economic-operator roles: manufacturers, importers, distributors, authorised representatives, substantial modification, traceability, and evidence controls.
CRA Essential Cybersecurity Requirements FAQ | Annex I Part I and Part II
CRA FAQ on Annex I product cybersecurity requirements, vulnerability handling, secure-by-default design, risk assessment, documentation, lifecycle duties, and user information.
CRA Essential Cybersecurity Requirements in Annex I
A grounded guide to the Cyber Resilience Act Annex I requirements for product security, vulnerability handling, secure-by-design controls, documentation, and evidence.
CRA Hardware and Software Boundaries FAQ | Product Scope, Components, RDPS
FAQ on Cyber Resilience Act hardware and software boundaries: combined products, standalone software, source code, components, remote data processing, SaaS and market-placement changes.
CRA Harmonised Standards FAQ | Presumption of Conformity, Common Specifications
Cyber Resilience Act FAQ on how harmonised standards, common specifications, certification schemes, and OJ publication affect CRA conformity evidence.
CRA Important and Critical Products FAQ | Annex III, Annex IV, Conformity Assessment
FAQ on CRA important and critical products, Annex III and Annex IV classification, core functionality, and conformity assessment consequences.
CRA Integrated Components and Dependencies FAQ | Third-Party Software and SBOM Evidence
Cyber Resilience Act FAQ on integrated components, third-party software, remote data processing, SBOM-style evidence, upstream fixes, FOSS dependencies, and manufacturer responsibility.
CRA Interplay With EU Product Laws FAQ | RED, Machinery, Data Act
Grounded CRA FAQ on overlap with the Radio Equipment Directive, Machinery Regulation, GPSR, Data Act, exclusions, declarations, documentation, and existing certificates.
CRA Known Exploitable Vulnerabilities at Launch FAQ
FAQ for Cyber Resilience Act launch decisions: known exploitable vulnerabilities, CVEs, component flaws, secure-by-default settings, release gates, Article 14 reporting, and evidence.
CRA Legacy Products FAQ | Pre-11 December 2027 Products
Cyber Resilience Act FAQ on products placed on the market before 11 December 2027, Article 14 reporting, substantial modification, distributor stock, spare parts, and records.
CRA Manufacturer Obligations FAQ | Article 13, Annex I, CE Marking
FAQ for Cyber Resilience Act manufacturers covering Article 13 duties, risk assessment, Annex I, vulnerability handling, support periods, documentation, conformity assessment, reporting, CE marking, and evidence controls.
CRA Market Surveillance and Enforcement FAQ | Authorities, Corrective Action, Safeguards
Cyber Resilience Act FAQ on market-surveillance authorities, investigations, corrective action, withdrawal, recall, safeguards, sweeps, documentation access, and penalties.
CRA Module B+C FAQ | EU-Type Examination, Conformity to Type, Notified Bodies
CRA Module B+C FAQ explaining EU-type examination, conformity to type, notified-body evidence, production control, CE marking, declarations, and certificate changes.
CRA Module H FAQ | Full Quality Assurance, Notified Body Surveillance, CE Marking
CRA Module H FAQ explaining the full-quality-assurance route, notified-body assessment, quality-system scope, technical documentation, CE marking, declarations, and records.
CRA Notified Bodies FAQ | Scope, Modules B+C and H, Certificates
Practical CRA FAQ on when notified bodies are needed, how CRA bodies are designated, what their notified scope means, and how Module B+C and Module H assessments work.
CRA Open-Source Software FAQ | FOSS Scope, Stewards, Manufacturers
Cyber Resilience Act FAQ for free and open-source software: commercial activity, steward duties, manufacturer due diligence, vulnerability handling, public documentation, and user obligations.
CRA Over-the-Air Updates FAQ
Cyber Resilience Act FAQ on OTA updates, automatic security updates, secure update distribution, support-period evidence, and offline update paths.
CRA penalties and fines FAQ | Article 64 fine caps
FAQ on EU Cyber Resilience Act Article 64 penalties: maximum fine tiers, turnover caps, national enforcement, economic operators, reporting duties, and open-source steward carve-outs.
CRA Product Families FAQ | Variants, Shared Assessments, Family Reuse, Conformity Scope
CRA FAQ on product families, variant grouping, shared technical documentation, conformity evidence, and when cybersecurity-relevant differences need separate assessment.
CRA Products with Digital Elements Scope | EU Cyber Resilience Act
Apply the EU Cyber Resilience Act scope test for software, hardware, remote data processing, components, open-source software, exclusions, and economic-operator roles.
CRA Products With Digital Elements Scope FAQ
EU Cyber Resilience Act FAQ on products with digital elements, software, firmware, remote data processing, components, exclusions, market placement, and CRA operator boundaries.
CRA Remote Data Processing Solutions FAQ | Product Scope, Cloud and Backend Boundaries
FAQ on how the EU Cyber Resilience Act treats remote data processing solutions, manufacturer-controlled backends, third-party cloud services, SaaS, risk assessment, documentation, and user information.
CRA Reporting Obligations FAQ | Article 14, CSIRTs, ENISA, User Notices
Cyber Resilience Act FAQ on Article 14 reporting for actively exploited vulnerabilities and severe incidents, including timing, CSIRT routing, ENISA access, user notices, and evidence.
CRA Requirements | Annex I, Manufacturer Duties and CE Evidence
Map Cyber Resilience Act requirements from Annex I to manufacturer duties, vulnerability handling, user information, technical documentation, declaration of conformity, and CE marking evidence.
CRA SBOM and Vulnerability Management Template
Build a CRA-ready SBOM and vulnerability handling record with component inventory, triage, remediation, disclosure, reporting, update, and technical documentation fields.
CRA Secure-by-Default FAQ | Default Configuration and Annex I Controls
Cyber Resilience Act FAQ on secure-by-default configuration, automatic security updates, attack surface reduction, authentication, data minimisation, user information, and tailor-made products.
CRA Security Updates vs Functionality Updates FAQ
Cyber Resilience Act FAQ on classifying security updates, functionality updates, support-period duties, automatic updates, user notices, and substantial-modification review.
CRA Substantial Modification FAQ | Updates, Repairs, Manufacturer Duties
Cyber Resilience Act FAQ on when software updates, repairs, spare parts, and post-market changes become substantial modifications and trigger CRA manufacturer, evidence, and conformity duties.
CRA Support Period FAQ | Expected Product Lifetime, Security Updates, User Information
Practical CRA FAQ on how manufacturers determine support periods, disclose support end dates, keep security updates available, and document support-period evidence.
CRA Tailor-Made Products FAQ | Bespoke Products, Market Placement, Evidence
FAQ on when a bespoke product may be treated as tailor-made under the EU Cyber Resilience Act, what the carve-out changes, and what manufacturers still need to document.
CRA Technical Documentation FAQ | Annex VII Evidence and Technical File
CRA FAQ explaining Annex VII technical documentation, risk assessment evidence, conformity assessment files, vulnerability handling records, product families, RDPS, language, and authority access.
CRA Transition Period FAQ | Entry Into Force, Application Dates, Reporting, Legacy Products
CRA FAQ on the transition period covering entry into force, 2026 reporting, 2027 application, legacy products, stock, customs timing, and software versions.
CRA Update Availability and Software Archives FAQ
FAQ on CRA security-update availability, support-period notices, optional public software archives, historical versions, and Article 13(10) software-version limits.
CRA User Information and Transparency FAQ | Annex II Instructions
Practical CRA FAQ on Annex II user instructions, support-period disclosure, vulnerability contacts, update notices, importer and distributor information.
CRA vs RED Cybersecurity Delegated Act
Compare the EU Cyber Resilience Act with the RED cybersecurity delegated act for connected and radio equipment, including scope, timing, evidence, and transition treatment.
CRA vs UK PSTI Act | Cyber Resilience Act Comparison
Compare grounded EU Cyber Resilience Act duties with UK PSTI planning points, with UK legal details clearly marked for separate source review.
CRA Vulnerability Handling and Disclosure | Article 14 Reporting and Security Updates
How EU Cyber Resilience Act manufacturers should run vulnerability intake, remediation, coordinated disclosure, Article 14 reporting, secure updates, and evidence records.
CRA Vulnerability Handling FAQ | Support Periods, Components, Reporting
Practical CRA FAQ on vulnerability handling: SBOMs, remediation, coordinated disclosure, component issues, security updates, support periods, Article 14 reporting, and user notices.
Cyber Resilience Act Module A FAQ | Internal Production Control
FAQ on when CRA Module A internal production control is available, when it is blocked, and what documentation, testing, standards, and evidence it still requires.
EU CRA Compliance Program for Manufacturers and Economic Operators
Build a Cyber Resilience Act compliance program around product scope, Annex I security requirements, conformity assessment, technical documentation, vulnerability reporting, and market surveillance.
EU Cyber Resilience Act Checklist for Product Security and CE Marking
A CRA checklist for products with digital elements: scope, Annex I security controls, vulnerability handling, Article 14 reporting, technical documentation, conformity assessment, CE marking, and support-period evidence.
EU Cyber Resilience Act Core Functionality FAQ | CRA Product Classification
CRA FAQ on core functionality, product boundaries, remote data processing, integrated components, ancillary functions, and software changes that affect product classification.
EU Cyber Resilience Act FAQ
Direct CRA FAQ answers on scope, economic-operator roles, essential requirements, vulnerability reporting, conformity assessment, CE marking, support periods, and market surveillance.
EU Cyber Resilience Act Repairs and Spare Parts FAQ
CRA FAQ for repairs, spare parts, legacy products, security updates, substantial modification, and responsibility after product changes.
EU Cyber Resilience Act Technical Documentation and Audit File
Build an audit-ready CRA technical file around Article 31 and Annex VII: product scope, risk assessment, vulnerability handling, conformity evidence, testing, and retention.