
CRA Penalties for Non-Compliance: Fines, Product Recalls, and Consequences

What happens if you fail to comply with the Cyber Resilience Act? Learn about CRA fines up to 15 million euros, product recalls, and the consequences manufacturers face.

December 3, 2025
4 min read
Think Ahead Team

The Cyber Resilience Act (CRA) is not a voluntary guideline – it is an EU regulation with far-reaching enforcement mechanisms. Manufacturers who fail to meet the requirements risk significant fines, product bans, and lasting reputational damage. This article explains the penalties for CRA non-compliance and why early action makes economic sense.

Fines: Up to 15 Million Euros or 2.5% of Revenue

The CRA provides a tiered penalty system based on the severity of the violation.

For breaches of the essential security requirements – the core obligations such as security by design, SBOM creation, vulnerability management, and secure default settings – fines of up to 15 million euros or 2.5 percent of global annual turnover can be imposed, whichever is higher. This ceiling targets companies that systematically disregard fundamental security requirements.

For violations of other CRA obligations – such as documentation requirements, reporting duties, or labeling obligations – fines can reach up to 10 million euros or 2 percent of annual turnover.

For misleading or incomplete information provided to market surveillance authorities, fines of up to 5 million euros or 1 percent of annual turnover may be imposed.

For comparison: these fine ranges are on par with the GDPR and significantly exceed the penalties under most existing product safety regulations. The EU is signaling that it takes product cybersecurity as seriously as data protection.

Product Recalls and Market Bans

Beyond fines, market surveillance authorities have the power to intervene directly in distribution. This includes ordering corrective measures within a specified timeframe, prohibiting the product from being made available on the market, ordering a recall of already sold devices, and requiring the destruction of non-compliant products.

A market ban often hits manufacturers harder than a fine. When a product can no longer be sold, not only do current revenues disappear, but existing contracts, maintenance income, and planned follow-up projects are also at risk. For manufacturers that depend on a single core product, a market ban can threaten the company's existence.

Market surveillance is carried out by national authorities. In Germany, this is likely to be the Federal Office for Information Security (BSI), which already has extensive experience monitoring IT security products.

Reporting Obligations and Their Consequences

From September 2026, manufacturers must report actively exploited vulnerabilities to ENISA (European Agency for Cybersecurity) within 24 hours. A detailed report with assessment and planned countermeasures must follow within 72 hours.

Failing to meet this reporting obligation is an independent violation that can be penalized regardless of the vulnerability itself. In other words, even if you patch the vulnerability quickly but miss the reporting deadline, you still face sanctions. Manufacturers therefore need a functioning process for vulnerability detection and reporting in place from September 2026 onwards.

Reputational Damage and Economic Impact

Beyond direct penalties, CRA non-compliance carries significant indirect consequences. Market surveillance authorities can make information about non-compliant products public. For B2B manufacturers, this can mean that customers – particularly large enterprises and public sector buyers – switch suppliers.

In many industries, CRA compliance is already becoming an established procurement criterion. Manufacturers of IoT devices, industrial components, and network equipment report that customers increasingly demand evidence of cybersecurity measures. Those who can demonstrate CRA compliance gain a competitive advantage; those who cannot, lose contracts – before authorities even intervene.

Who Is Liable: Manufacturers, Importers, and Distributors

The CRA distributes responsibility across the entire supply chain. Manufacturers bear primary responsibility for product conformity. Importers must ensure that only compliant products are brought into the EU. Distributors must verify that required markings and documents are present.

For manufacturers outside the EU selling directly on the EU market, the obligation to appoint an authorized representative in the EU applies. Without this representative, the product may not be made available on the EU market.

How to Avoid CRA Penalties

The most effective strategy against CRA penalties is obvious: begin compliance work early. The transition periods until December 2027 may seem generous, but implementing the requirements – particularly integrating security by design into existing development processes – takes time.

Start with an inventory: Which of your products fall under the CRA? Into which category (standard, important Class I/II, critical) do they fall? Which requirements do you already meet, and where are the gaps?

Kunnus helps manufacturers of digital products keep track of their CRA obligations and build compliance systematically, from SBOM management through vulnerability monitoring to complete technical documentation.

Take the first step: Our free CRA readiness assessment shows you in just a few minutes where you stand and what needs to happen next. Avoid unpleasant surprises when enforcement deadlines arrive.
