CRA Penalties Explained: The Three Fine Tiers, Who Can't Be Fined, and What Else Authorities Can Do

The Cyber Resilience Act sets three tiers of administrative fines in Article 64, with the highest reaching up to €15,000,000 or 2.5% of total worldwide annual turnover for the preceding financial year, whichever is higher. The fine tiers are fixed in the regulation text and are not in dispute. What is still developing - as of mid-2026 - is exactly how national market surveillance authorities will apply them in practice once enforcement begins.
This article is general guidance on the Cyber Resilience Act, not legal advice. Confirm specifics against Regulation (EU) 2024/2847.
Key points
- Three tiers. Article 64 fines are always "whichever is higher" - the euro ceiling or the turnover percentage.
- Tier 1 (highest): breaching Annex I essential requirements or Articles 13/14 obligations -> up to €15M or 2.5% of global annual turnover.
- Tier 2: most other obligations (importer/distributor duties, EU Declaration of Conformity, CE marking, technical documentation, conformity assessment) -> up to €10M or 2%.
- Tier 3: supplying incorrect, incomplete or misleading information to notified bodies or market surveillance authorities -> up to €5M or 1%.
- Fines are not the only tool. Authorities can also require corrective action, restrict or prohibit a product, order withdrawal, or order a recall.
- Two exemptions: micro and small enterprises cannot be fined for missing the 24-hour early-warning deadline. Open-source software stewards under Article 24 cannot be fined at all.
- Enforcement is phased. Reporting obligations (Article 14) switch on 11 September 2026. Full application - essential requirements, CE marking, conformity assessment - follows on 11 December 2027.
The three fine tiers in Article 64
Tier 1 - Essential requirements and core manufacturer duties
This is the highest tier. It applies when a manufacturer breaches:
- The essential cybersecurity requirements in Annex I (secure-by-design, vulnerability handling, and related technical obligations), or
- The obligations in Article 13 (general manufacturer duties throughout the product lifecycle), or
- The obligations in Article 14 (vulnerability and incident reporting).
The ceiling is up to €15,000,000 or 2.5% of total worldwide annual turnover for the preceding financial year, whichever is higher. For a company with €200M in global revenue, 2.5% of turnover is €5M, so the flat €15M figure is the operative ceiling; the turnover percentage only becomes the operative ceiling once global revenue exceeds €600M.
Tier 2 - Other economic operator and conformity obligations
Tier 2 covers a broad range of obligations that sit outside the core Annex I/Article 13-14 cluster. This includes:
- Importer and distributor duties (Articles 18-23)
- EU Declaration of Conformity requirements
- CE marking obligations
- Technical documentation requirements
- Conformity assessment obligations
- Notified body duties
The ceiling here is up to €10,000,000 or 2% of total worldwide annual turnover, again whichever is higher.
Tier 3 - Misleading or incomplete information
The lowest tier targets a specific behaviour: providing incorrect, incomplete, or misleading information to a notified body or a market surveillance authority. The ceiling is up to €5,000,000 or 1% of total worldwide annual turnover.
This tier matters because it applies independently of whether the underlying product is compliant. A company that is broadly compliant but gives an authority inaccurate documentation during an inspection can still face a Tier 3 fine.
Fines are not the only enforcement tool
It is easy to focus on the headline numbers, but financial penalties are only one part of the enforcement toolkit. National market surveillance authorities have a wider range of powers they can use alongside - or instead of - a fine.
Under the CRA, authorities can:
- Require corrective action - ordering the economic operator to bring the product into conformity within a set timeframe.
- Restrict or prohibit availability - preventing the product from being placed on or made available on the EU market until non-conformities are resolved.
- Order withdrawal - requiring the product to be removed from the market, stopping it from reaching new customers.
- Order a recall - requiring the manufacturer or importer to recover products already supplied to users.
For companies with large installed bases, the operational and reputational cost of a recall can significantly exceed any direct fine. Loss of EU market access is a separate consequence that sits entirely outside the fine tiers.
Market surveillance authorities are not required to issue a warning before imposing a fine or a product measure. The authority's response depends on the risk level, the nature of the breach, the operator's cooperation, and the national penalty rules each Member State sets. Cooperation and documented compliance evidence matter.
Who cannot be fined - the two exemptions
Micro and small enterprises: the 24-hour deadline carve-out
Manufacturers that qualify as microenterprises or small enterprises may not be fined for failures to meet the 24-hour early-warning reporting deadline. This is a targeted exemption - it covers only the 24-hour clock, not the 72-hour notification or the 14-day final report, and it does not exempt smaller companies from the reporting obligation itself. They still need to report; they just cannot be fined for missing that first 24-hour window.
Open-source software stewards: no fines at all
Open-source software stewards operating under Article 24 of the CRA cannot be subject to any administrative fines under Article 64. This is a complete carve-out, not a reduced ceiling. It reflects the CRA's recognition that foundations and platforms supporting open-source development on a non-commercial basis occupy a fundamentally different position from manufacturers placing products on the market.
This exemption does not extend to commercial companies that integrate open-source components into products they sell. Those companies remain fully in scope as manufacturers and face the full fine tiers.
What is settled vs. what is still developing
The penalty tiers themselves are fixed law - they are in the published text of Regulation (EU) 2024/2847 and are not subject to further negotiation.
What is still developing is how authorities will apply them in practice:
- Each Member State sets its own penalty rules within the Article 64 ceilings. The regulation requires those rules to be "effective, proportionate and dissuasive," but the precise national frameworks are still being established.
- An Administrative Cooperation Group (ADCO) of market surveillance authority representatives has been set up to promote consistent application across the EU, but harmonised enforcement guidance is not yet final.
- The first live enforcement window opens 11 September 2026, when Article 14 reporting obligations switch on via ENISA's Single Reporting Platform. How authorities will respond to early reporting failures - whether with corrective action, fines, or both - is not yet settled.
The European Commission and ENISA have indicated they will provide ongoing guidance to operators and Member States as the CRA rolls out, but that guidance is still in progress.
The enforcement timeline in brief
| Date | What switches on |
|---|---|
| 10 Dec 2024 | CRA entered into force |
| 11 Jun 2026 | Conformity assessment body notification rules apply |
| 11 Sep 2026 | Article 14 reporting obligations apply (24h / 72h / 14-day clock) |
| 11 Dec 2027 | Full application: essential requirements, CE marking, conformity assessment |
The practical implication: if your product is in scope, you are already in the enforcement window for reporting from September 2026 - even if the product was placed on the market before the CRA existed. The Tier 1 fine ceiling applies to Article 14 failures from that date.
