CRA fines explained: what you actually risk, article by article

€15 million headlines are marketing. Here is the actual penalty structure of the Cyber Resilience Act, how market surveillance really escalates, and what gets small vendors in trouble first.

Updated 2026-07-03

The three penalty tiers

  • Up to €15M or 2.5% of global annual turnover (whichever is higher): breaching the essential requirements (Annex I) or the core manufacturer obligations (Art. 13/14) — shipping known-vulnerable products, no vulnerability handling, missed reporting.
  • Up to €10M or 2% of global annual turnover (whichever is higher): breaching most other obligations — CE marking, technical documentation, conformity assessment procedures, importer and distributor duties.
  • Up to €5M or 1% of global annual turnover (whichever is higher): supplying incorrect, incomplete or misleading information to notified bodies or market surveillance authorities.

How enforcement actually escalates

Fines are the end of the road, not the beginning. Market surveillance authorities (one per Member State) typically move through: request for information → corrective-action order with a deadline → restriction or ban on making the product available, forced withdrawal or recall → and fines when cooperation fails or the breach is serious. For a small vendor, the existential step is not the fine — it's the withdrawal order that kills EU revenue overnight, and public naming that kills trust.

Member States set the exact fine amounts and procedures nationally (like GDPR), so enforcement culture will vary — Germany's market surveillance apparatus and complaint-friendly ecosystem make it the market to take most seriously first.

What gets small vendors in trouble first (predicted, with reasons)

  • Missed Art. 14 reports: the 24-hour clock on actively exploited vulnerabilities is objective and checkable — a missed deadline attached to a real incident is the easiest violation for an authority to establish. Applies from 11 September 2026, before everything else.
  • No SBOM / no vulnerability handling process: the first document requests in any investigation. Absence is undeniable and instantly proves an Annex I Part II breach.
  • Signed EU Declarations of Conformity that don't survive scrutiny: self-assessment is a right, but a false declaration is its own infringement tier.
  • Abandoned products still on sale: EOL versions sold without support-period disclosure or updates — the pattern authorities can find from their desk by reading app-store listings.

The honest read for a small software maker

Nobody expects Brussels to open with seven-figure fines against indie developers in December 2027 — regulators prioritize remediation, and enforcement resources are finite. The realistic risks are: being ordered off the EU market until you comply (revenue zero, timeline yours to fix), procurement doors closing (enterprise buyers now ask for CRA evidence contractually), and being the unlucky example after a real incident. All three are cheaper to prevent than to survive: the prevention is a checklist, most of it automatable.

Where do you stand today? Run the free Risk Check — verdict, class and prioritized gaps in 3 minutes.


Educational guidance on Regulation (EU) 2024/2847 — not legal advice.