Article 64

Administrative Fines for CRA Non-Compliance

Article 64 sets out the administrative fine regime for CRA violations. It creates a graduated penalty structure calibrated to the seriousness of the infringement: the most severe fines apply to products that fail the essential cybersecurity requirements or lack vulnerability handling processes; lower tiers apply to other obligation breaches; and a separate tier covers the provision of incorrect or misleading information to authorities. Member state market surveillance authorities apply these fines, subject to national procedural law.

Effective: December 2027
Applies to: Manufacturers placing non-compliant products on the EU market

Tier 1: Fines for Essential Requirements and Vulnerability Handling Violations

The most serious category of CRA violations attracts fines of up to €15,000,000 or 2.5% of total worldwide annual turnover in the preceding financial year, whichever is higher.

  • Products placed on the market that do not conform to the essential cybersecurity requirements in Annex I (security properties, documentation, and reporting obligations)
  • Manufacturers who fail to meet the vulnerability handling requirements in Part II of Annex I (vulnerability disclosure, SBOM, CVD policies, coordinated disclosure)

For SMEs and microenterprises, regulators are expected to apply the percentage cap, since the absolute figure may be disproportionate. The dual cap (higher of absolute or percentage) ensures large multinationals cannot rely on low absolute thresholds relative to their scale.

CRA reference: Article 64(1)

Tier 2: Fines for Other Manufacturer, Importer, and Distributor Obligations

A mid-tier fine of up to €10,000,000 or 2% of total worldwide annual turnover applies to violations of a broad set of other CRA obligations, including:

  • Failure to register products or maintain an SBOM as required
  • Non-compliance with conformity assessment procedures (Module A, third-party assessment for Annex III products)
  • Placing CE marking without completing the required assessment
  • Failure to draw up or maintain a proper EU Declaration of Conformity or technical documentation
  • Non-compliance with importer obligations (Article 19) or distributor obligations (Article 20)
  • Failure of authorised representatives to carry out their mandated functions
  • Non-compliance with corrective action orders from market surveillance authorities

This tier captures procedural and documentation violations that, while serious, do not necessarily mean the product itself is insecure.

CRA reference: Article 64(2)

Tier 3: Fines for Incorrect or Misleading Information

The lowest fine tier of up to €5,000,000 or 1% of total worldwide annual turnover applies to the provision of incorrect, incomplete, or misleading information to notified bodies, market surveillance authorities, or the Commission in response to requests for information.

This tier reflects the importance of maintaining information integrity in the CRA's enforcement framework. Market surveillance relies on accurate technical documentation and responsive cooperation from economic operators. Deliberate misrepresentation or systematic failure to provide accurate information undermines the entire enforcement architecture.

Note that this tier addresses informational obligations — a manufacturer who provides false information in a Declaration of Conformity or to a notified body during assessment may also face Tier 1 or Tier 2 fines for the underlying substantive violation.

CRA reference: Article 64(3)

Factors in Setting Fine Levels

Article 64 does not prescribe fixed fines — it sets maximum caps. Market surveillance authorities and, where relevant, data protection or competition-adjacent enforcement bodies, apply national procedural law when determining the appropriate fine within the cap. Key factors typically include:

  • Severity of the security risk: A vulnerability in safety-critical infrastructure attracts heavier fines than one in low-risk consumer software
  • Duration of the infringement: Ongoing failures are treated more seriously than isolated incidents
  • Degree of cooperation: Manufacturers who proactively report and remediate are treated more favourably
  • History of compliance: Prior violations or systemic non-compliance are aggravating factors
  • Size of the manufacturer: The dual cap structure (absolute or percentage) inherently scales penalties to company size
  • Nature of affected products: Annex III Class II or Annex IV products in critical infrastructure contexts attract higher scrutiny

The CRA recitals emphasise that fines should be effective, proportionate, and dissuasive.

CRA reference: Article 64(4)

Interaction with Other EU Regulatory Penalties

The CRA fine regime coexists with other EU regulatory fine frameworks. Key interactions:

GDPR: Where a cybersecurity incident also constitutes a personal data breach, GDPR Article 83 fines (up to €20M or 4% of global turnover) may apply in addition to CRA fines. Regulators are expected to coordinate to avoid double-counting the same conduct, but they operate under different legal bases.

NIS2 Directive: Essential entities and important entities under NIS2 face separate fines under that regime for security failures. A CRA-non-compliant product deployed in an NIS2-regulated entity may trigger enforcement actions under both frameworks.

Product liability: The new EU Product Liability Directive (2024/2853) creates civil liability for damage caused by defective digital products. CRA non-compliance is not directly relevant to product liability, but evidence of regulatory violations may be relevant in liability proceedings.

CRA reference: Article 64, Recitals

Application to SMEs and Microenterprises

The CRA includes specific provisions requiring that fines imposed on SMEs and microenterprises be proportionate to their size, nature, and resources. Article 64 must be read alongside these proportionality requirements.

  • National authorities are expected to take a graduated approach, reserving maximum fines for large manufacturers with significant resources
  • First-time, minor procedural violations by SMEs are unlikely to attract fines near the maximum
  • The SME support structures under Article 25 (including technical assistance from ENISA and member states) are relevant context — a manufacturer who sought assistance and acted in good faith is in a different position from one who ignored compliance requirements

SMEs should not assume they are exempt from fines — the percentage cap applies equally and can still represent a material sum for growing companies.

CRA reference: Article 64, Article 25

CVD Portal helps you comply with Article 64 automatically.

Public submission portal, 48-hour acknowledgment tracking, Article 14 deadline alerts, and CSAF advisory generation. Free for Article 14 compliance — for all manufacturers placing products with digital elements on the EU market.


Frequently asked

Can a manufacturer face fines from multiple EU member states for the same violation?

CRA enforcement is primarily conducted by the member state where the violation occurs or where the product was placed on the market. The CRA's market surveillance framework includes coordination mechanisms to avoid duplication, but a manufacturer active across multiple EU markets could face separate proceedings in multiple jurisdictions for the same product failure. The Commission can intervene where member states diverge significantly in their enforcement approach.

Are the CRA fine limits per product, per violation, or per company?

Article 64 sets company-level caps based on global annual turnover. A manufacturer with multiple non-compliant product lines could face fines for each distinct violation, but the caps apply to the company as a whole. In practice, enforcement actions typically address systemic failures rather than individual product lines in isolation.

When can a market surveillance authority impose a fine without a prior corrective action order?

Article 64 fines can be imposed for non-compliance with the CRA's substantive requirements without necessarily requiring a prior corrective action order. However, in practice, market surveillance authorities typically issue a corrective action order first, giving the manufacturer an opportunity to remediate. Fines are more commonly used where: the manufacturer refuses to comply with a corrective action order; the violation is deliberate or negligent; or the risk to users is imminent and serious.

Does the fine regime apply to open source software maintainers?

Open source software developed outside a commercial context is largely out of scope of the CRA under Article 3's commercial activity threshold. Open source maintainers who publish software as a hobby or without commercial intent are not subject to the Article 64 fine regime. However, companies that commercialise, distribute for a fee, or provide support contracts for open source software remain subject to the CRA and its penalties.

How does the CRA fine regime compare to GDPR fines?

GDPR fines can reach €20M or 4% of global annual turnover — higher absolute caps than the CRA's maximum tier of €15M or 2.5%. However, GDPR fines apply to data processors and controllers for privacy violations; CRA fines target product manufacturers for cybersecurity compliance failures. For a manufacturer whose insecure product causes a data breach, both regimes may apply, and regulators are expected to coordinate but not necessarily consolidate.

Need a CVD policy that satisfies Article 64?

Download a free CRA-compliant template and deploy it in minutes.
