Article 64

Penalties for CRA Non-Compliance

Article 64 establishes the penalty regime for CRA violations, one of the most demanding in EU product regulation. Administrative fines of up to €15 million or 2.5% of total worldwide annual turnover apply to the most serious violations: breaches of the Annex I essential requirements and of the manufacturer obligations in Articles 13 and 14. These are ceilings, not tariffs; member states lay down the detailed enforcement rules within them and notify those rules to the Commission. Understanding the penalty structure is essential for risk quantification and for deciding how much to invest in compliance.

Effective: 11 September 2026 for the Article 14 reporting obligations; 11 December 2027 for the remaining obligations, including the penalty provisions themselves
Applies to: All manufacturers, importers, and distributors of products with digital elements

Tier 1 Penalties: Annex I, Article 13, and Article 14 Violations

The most severe penalty tier under Article 64 applies to non-compliance with the essential cybersecurity requirements in Annex I, the manufacturer obligations in Article 13, and the reporting obligations in Article 14. Maximum penalties are:

€15,000,000 or 2.5% of total worldwide annual turnover of the preceding financial year, whichever is higher.

  • Products placed on the market with known exploitable vulnerabilities (Annex I Part I)
  • Failure to put in place and enforce a coordinated vulnerability disclosure (CVD) policy (Annex I Part II, applied through Article 13)
  • Failure to operate the vulnerability intake and handling process that the CVD policy and Annex I Part II commit the manufacturer to
  • Failure to file the 24-hour early warning or 72-hour notification that Article 14 requires for actively exploited vulnerabilities and severe incidents
  • Failure to provide the final report required by Article 14
  • Failure to provide security updates during the support period (Annex I Part II)
  • Products that do not meet the Annex I Part I security properties (for example secure-by-default configuration, access control, data protection, attack-surface reduction) at the time of market placement

These are the maximum penalties — actual fines imposed by national authorities will depend on the gravity and duration of the violation, the degree of negligence or intentionality, and mitigating factors such as the manufacturer's cooperation with authorities.

CRA reference: Article 64(2)

Tier 2 Penalties: Other CRA Obligations

The second penalty tier applies to violations of CRA obligations not covered by Tier 1. Maximum penalties are:

€10,000,000 or 2% of total worldwide annual turnover of the preceding financial year, whichever is higher.

  • Technical documentation requirements (Article 31 and Annex VII)
  • EU Declaration of Conformity requirements (Article 28)
  • CE marking requirements (Articles 29 and 30)
  • Conformity assessment procedure requirements (Article 32)
  • Authorised representative requirements (Article 18)
  • Importer and distributor obligations (Articles 19 and 20)
  • Obligations to identify upstream and downstream economic operators and to cooperate with market surveillance authorities on request
  • Any other obligation under the regulation that is not an Annex I, Article 13, or Article 14 obligation

While these penalties are lower than Tier 1, they are still substantial. A €10 million fine or 2% of global turnover is a material financial penalty for any company, including large multinational manufacturers.

CRA reference: Article 64(3)

Tier 3 Penalties: Misleading Authorities

The third penalty tier addresses the supply of incorrect, incomplete, or misleading information to notified bodies and market surveillance authorities in reply to a request. Maximum penalties are:

€5,000,000 or 1% of total worldwide annual turnover of the preceding financial year, whichever is higher.

  • Supplying false or misleading answers to a market surveillance authority's information request during an investigation
  • Supplying incomplete technical documentation, test results, or vulnerability handling records when an authority or notified body asks for them
  • Misrepresenting a product's conformity status or support period in reply to a request

Note that a false EU Declaration of Conformity, or a CE marking affixed without the required conformity assessment, is a breach of the underlying obligation (Articles 28 and 30) and is therefore fined under the higher Tier 2 ceiling, not this one. Although Tier 3 carries the lowest maximum, a knowingly false or misleading answer is deliberate misconduct rather than a compliance failure, and authorities can be expected to treat it as an aggravating factor when assessing the underlying infringement.

CRA reference: Article 64(4)

Factors in Penalty Calculation

Article 64 sets maximum penalties but leaves the calculation of individual fines to national authorities, subject to the requirement in Article 64(1) that penalties be effective, proportionate, and dissuasive. Article 64(5) names three factors that authorities must take into account; national enforcement frameworks may add others.

Factors named in the regulation:

Nature, gravity, duration, and consequences of the infringement: A product shipped with a known remotely exploitable vulnerability is more serious than a documentation defect, and a violation that persists after the manufacturer was warned is more serious than one remediated on discovery.

Prior fines for a similar infringement: Whether the same operator has already been fined for a similar infringement by the same or another market surveillance authority.

Size and market share: The size of the operator, with explicit regard for microenterprises, small and medium-sized enterprises, and start-ups, and its market share.

Factors that national frameworks and general enforcement practice are likely to add:

Intentionality: Deliberate non-compliance is penalised more severely than negligent compliance failures.

Cooperation: Manufacturers who self-report, cooperate with authorities, and remediate quickly may receive reduced penalties.

CRA reference: Article 64(1) and 64(5)

Non-Financial Enforcement Measures

In addition to administrative fines, the CRA's market surveillance chapter (Chapter V, which applies the general framework of Regulation (EU) 2019/1020) gives national authorities non-financial enforcement powers. These can include:

Market withdrawal orders: Requiring the manufacturer to withdraw non-compliant products from sale immediately

Product recall orders: Requiring the manufacturer to recall products already in users' hands, which can be enormously costly for large-scale consumer products

Prohibition on market placement: Preventing the manufacturer from placing the same or similar non-compliant products on the EU market until compliance is demonstrated

Mandatory corrective action: Ordering the manufacturer to implement specific technical or procedural changes within a defined timeframe

Non-financial measures can be more commercially damaging than the fine itself. A recall of a widely distributed consumer IoT device means logistics, customer service, and replacement units at the manufacturer's cost, and for a large deployment that alone can exceed the maximum fine.

CRA reference: Chapter V (market surveillance) and Regulation (EU) 2019/1020; Article 64 itself covers administrative fines only

CVD Portal helps you meet the obligations that Article 64 penalises.

Public submission portal, 48-hour acknowledgment tracking, Article 14 deadline alerts, and CSAF advisory generation. Free forever.

Start your free portal

Frequently asked

Are the Article 64 penalties per violation or per product?

The penalty amounts are expressed as maximum totals, not per-product figures. A single enforcement action might address multiple violations (for example, both CVD policy failures and missing technical documentation), with a single aggregated penalty up to the relevant maximum. However, separate enforcement actions for separate violations — for example, violations occurring in different time periods — could each attract separate penalties up to the maximum.

How do Article 64 penalties compare to GDPR penalties?

GDPR's maximum penalties are €20 million or 4% of global annual turnover for the most serious violations. CRA Tier 1 penalties (€15 million / 2.5%) are lower but of comparable magnitude. The key difference is that GDPR penalties focus on data protection failures, while CRA penalties focus on product security failures. Both frameworks can apply simultaneously where a security breach also involves personal data.

Can a single cybersecurity incident result in penalties under both the CRA and NIS2?

Yes. The CRA and NIS2 overlap in scope. If a manufacturer is also an essential or important entity under NIS2, an incident caused by a non-compliant product could attract penalties under both frameworks. Within the CRA, Article 64(5)(b) requires a market surveillance authority to take into account fines already imposed for a similar infringement by another market surveillance authority; across the CRA and NIS2, authorities are expected to coordinate to avoid double jeopardy for the same underlying conduct, but the legal frameworks do not prevent cumulative enforcement in principle.

Are there any defences that can reduce or eliminate a CRA penalty?

Article 32 does not specify formal defences, but proportionality requires authorities to consider mitigating circumstances. Practical mitigation factors include promptly self-reporting the violation, cooperating fully with the investigation, having taken reasonable steps to comply that nevertheless fell short, implementing rapid remediation, and no history of prior violations. Manufacturers who can demonstrate genuine good-faith efforts toward compliance will typically face lower penalties than those who ignored CRA obligations entirely.

Who actually imposes CRA penalties, the EU or national authorities?

Penalties are imposed by national market surveillance authorities in each EU member state. There is no central EU enforcement body with penalty authority under the CRA. The maximum amounts are set by the regulation itself; member states lay down the detailed rules on penalties and notify them to the Commission, whose role is to promote consistent enforcement, not to impose fines. In practice, enforcement intensity will vary across member states, at least initially, depending on national regulatory capacity and priorities.

Need a CVD policy that meets the CRA's Annex I requirement?

Download a free CRA-compliant template and deploy it in minutes.

Browse templates →