CRA penalties and fines: what non-compliance actually costs

The Cyber Resilience Act fine tiers, the market-surveillance powers behind them, and why the real cost of non-compliance is losing EU market access mid-deal rather than the fine itself.


CRA non-compliance carries administrative fines in three tiers, up to 15 million EUR or 2.5% of global annual turnover, whichever is higher, for essential-requirement violations, with lower tiers of 10 million EUR or 2% and 5 million EUR or 1% for other breaches. But the sharper instrument is market surveillance: authorities can block sales, order withdrawals, and force recalls, which for a device company usually costs more than any fine.

This post is not an argument for panic. It is a map of what enforcement looks like under Regulation (EU) 2024/2847, so you can be on the right side of it, because for a connected-product company the CRA is less a legal risk to fear and more a market-access requirement to meet. The companies that treat it that way get something out of it: proof of conformity is fast becoming what EU buyers ask for in procurement. The full picture of who and what is covered is on our Cyber Resilience Act framework page.

What are the maximum fines under the CRA?

The regulation sets three ceilings, and in each case the operative number is whichever is higher, the fixed amount or the turnover percentage.

ViolationMaximum fine
Non-compliance with the essential cybersecurity requirements (Annex I) or the core manufacturer obligationsUp to 15 million EUR or 2.5% of global annual turnover, whichever is higher
Breach of other obligations under the regulationUp to 10 million EUR or 2% of global annual turnover, whichever is higher
Supplying incorrect, incomplete, or misleading information to notified bodies or market surveillance authoritiesUp to 5 million EUR or 1% of global annual turnover, whichever is higher

Two things are worth reading out of that table. First, the top tier attaches to the substance, the essential requirements like secure-by-design development, vulnerability handling, and security updates, not to paperwork slips. Second, the third tier exists on its own: misleading an authority is a separately fineable act, so the answer to a gap is never to paper over it in a submission.

Who enforces the CRA, and how?

Enforcement is national. Each member state designates market surveillance authorities that check products on their market, and sets penalty levels within the EU-wide maxima above. The reporting side runs through national CSIRTs and ENISA. In practice that means enforcement will be triggered the way product-regulation enforcement usually is: a complaint, an incident, a missed report after 11 September 2026, or a documentation request you cannot answer. The CRA timeline covers when each obligation, and therefore each exposure, switches on.

What can market surveillance authorities do besides fine you?

This is the part that matters most for a device company. Authorities can require a manufacturer to bring a product into conformity, restrict or prohibit it being made available on the market, and order the withdrawal or recall of units already in the channel or in the field. Set the numbers side by side: a fine is a one-time hit that member states are expected to keep proportionate, while a sales prohibition stops your EU revenue for as long as it stands, and a recall adds logistics, replacement, and customer-relationship costs on top. If you sell through distributors or OEM partners, a compliance question can freeze the whole channel while it is resolved.

What does non-compliance actually cost in a deal?

Usually the deal. Before any authority acts, your buyer's procurement process will: EU customers are already writing CRA conformity into requirements, and "we cannot show a conformity assessment or answer the SBOM question" reads as "pick the other vendor". The real cost of non-compliance is losing EU market access mid-deal, quietly, without a fine ever being issued. Which is also the good news: CRA readiness is a selling asset. A manufacturer that can hand over its technical documentation, show its vulnerability reporting process under Article 14, and point to CE marking clears the security review faster than one that cannot.

How do I stay on the right side of enforcement?

The obligations that create the top-tier exposure are the same eight capabilities every CRA-ready team needs anyway: inventory, SBOM, vulnerability monitoring, coordinated disclosure, a working update path to fielded devices, the 24-hour reporting process, the right conformity assessment, and complete technical documentation. Our CRA compliance checklist works through them in order. If you are also weighing the CRA against organisational rules like NIS2, CRA vs NIS2 explains which regime attaches where, and why the CRA is the one checked at the point of sale.

Frequently asked questions

What are the maximum fines under the Cyber Resilience Act? Three tiers. Up to 15 million EUR or 2.5% of global annual turnover, whichever is higher, for violations of the essential cybersecurity requirements. Up to 10 million EUR or 2% for breaches of other obligations under the regulation. Up to 5 million EUR or 1% for supplying incorrect, incomplete, or misleading information to authorities.

Who enforces the CRA? National market surveillance authorities in each member state, with ENISA and national CSIRTs handling the reporting side. Member states set the actual fine levels within the EU-wide maxima, so enforcement practice will vary by country while the ceilings stay the same everywhere.

Can non-compliant products be pulled from the EU market? Yes. Market surveillance authorities can require corrective action, restrict or prohibit a product being made available on the market, and order withdrawal or recall of products already sold. For most device companies these market-access powers matter more commercially than the fines.

When do CRA penalties start applying? Penalties follow the obligations. The reporting obligations apply from 11 September 2026 and the full essential requirements from 11 December 2027, so exposure starts when the obligation you would be breaching is in effect.

Are startups and small companies fined at the same level? The maxima are the same because there is no company-size exemption from the CRA, but fines are set by member states and are expected to be proportionate to the severity of the breach and the size of the company. The turnover-based percentages exist precisely so penalties scale with the business.

Last reviewed: July 7, 2026.

Where Scadable fits

Scadable is the compliance engine that keeps you on the right side of all of this by default: it identifies what is actively exploited across your fleet, fixes it, files the report inside the 24-hour window, and keeps the technical documentation and conformity evidence current, so a surveillance request or a buyer's security review is something you answer, not something you scramble for. Run the free two minute CRA readiness check to see which obligations apply to your product, or book a walkthrough.