CRA Penalties in Practice: What Market Surveillance Actually Looks Like

Understanding CRA enforcement mechanisms, penalty structures, and what to expect from market surveillance. A practical guide to avoiding enforcement action.

CRA Evidence Team Published December 25, 2025 Updated April 15, 2026

The CRA includes penalty provisions that can reach €15 million or 2.5% of global turnover. But what does enforcement actually look like? How do market surveillance authorities operate? And what triggers the highest penalties?

This guide explains CRA enforcement mechanisms and how to stay on the right side of regulators.

Summary

  • Maximum penalties: €15M or 2.5% global turnover for breaches of the Annex I essential requirements or of the manufacturer and reporting obligations in Articles 13 and 14
  • Market surveillance authorities conduct inspections, request documentation, test products
  • Graduated response: correction opportunities before penalties (usually)
  • Worst outcomes: product withdrawal, recall, import bans
  • Best defense: documented compliance decisions and responsive cooperation

[Figure: CRA penalty escalation ladder, from warning to market ban]

What Are the CRA Penalty Tiers?

Three Penalty Tiers

The CRA establishes maximum administrative fines based on violation severity:

CRA PENALTY TIERS

TIER 1: Essential Requirements and Manufacturer Obligations (Article 64(2))
-------------------------------------------------------------
Maximum: EUR 15,000,000 or 2.5% of worldwide annual turnover
         (whichever is higher)

Violations include:
- Non-compliance with Annex I essential requirements
- Placing non-conforming products on the market
- Missing or invalid conformity assessment
- Breaches of the manufacturer obligations in Article 13
- Breaches of the Article 14 reporting obligations for actively
  exploited vulnerabilities and severe incidents

TIER 2: Other Obligation Violations (Article 64(3))
-------------------------------------------------------------
Maximum: EUR 10,000,000 or 2% of worldwide annual turnover
         (whichever is higher)

Violations include (any obligation not caught by Tier 1 or Tier 3):
- Documentation deficiencies outside the Article 13 duties
- Missing or incorrect CE marking
- Importer, distributor and authorised-representative obligation failures
- Notification duties other than the Article 14 reporting obligations

TIER 3: Information Violations (Article 64(4))
-------------------------------------------------------------
Maximum: EUR 5,000,000 or 1% of worldwide annual turnover
         (whichever is higher)

Violations include:
- Supplying incorrect, incomplete or misleading information to a
  notified body or market surveillance authority in reply to a request
- Failing to provide requested information
- Obstruction of market surveillance activities

Note that a false or misleading answer to an authority is a Tier 3 infringement in its own right; it does not replace, but is added to, whatever tier the underlying non-compliance falls into.
Warning: Maximum penalties reach €15 million or 2.5% of global annual turnover — whichever is HIGHER. For large companies, the turnover-based calculation can far exceed the fixed cap.

How Penalties Are Calculated

Article 64(5) requires authorities to take all relevant circumstances into account and names three explicitly: the nature, gravity, duration and consequences of the infringement; whether the same or another MSA has already fined the operator for a similar infringement; and the operator's size and market share. The remaining rows below are the aggravating and mitigating circumstances that product and data regulators routinely weigh in practice; they are not spelled out in the CRA text.

Factor                                   Impact on Penalty
Nature, gravity, duration, consequences  More serious = higher
Size and market share                    Smaller operator = lower
Prior fines for a similar infringement   Repeat offenses = higher
Intentional vs negligent                 Intent = higher
Actions to mitigate damage               Mitigation = lower
Financial benefits gained                Profit from non-compliance = higher
Cooperation with authorities             Good cooperation = lower
Other aggravating/mitigating factors     Case-specific

Penalty Examples (Illustrative)

EXAMPLE SCENARIOS (Illustrative, not precedent)

Scenario A: Documentation Gap
-------------------------------------------------------------
Violation: Technical file incomplete (missing risk assessment)
Circumstances: First offense, promptly corrected, cooperative
Likely outcome: Warning or low fine
Estimated range: EUR 0 - EUR 50,000

Scenario B: Missing Conformity Assessment
-------------------------------------------------------------
Violation: Important product (Class II) sold without the required notified-body assessment
Circumstances: Knew requirement, proceeded anyway
Likely outcome: Significant fine + product withdrawal
Estimated range: EUR 100,000 - EUR 1,000,000+

Scenario C: Known Vulnerability Unpatched
-------------------------------------------------------------
Violation: Critical vulnerability known, not addressed for 6 months
Circumstances: Customer harm resulted, poor cooperation
Likely outcome: Major fine + potential recall
Estimated range: EUR 500,000 - EUR 5,000,000+

Scenario D: Systematic Non-Compliance
-------------------------------------------------------------
Violation: Multiple products, no conformity assessment, false DoC
Circumstances: Large company, ongoing, evidence of intent
Likely outcome: Maximum penalties + market ban
Estimated range: Up to EUR 15,000,000 or 2.5% turnover

Market Surveillance: How It Works

Who Enforces CRA?

Market surveillance authorities (MSAs) in each member state enforce the CRA. Depending on the member state these are:

  • National cybersecurity authorities (for example BSI in Germany)
  • Consumer protection agencies
  • Industrial/product safety authorities
  • Sectoral regulators

Coordination: The Union Product Compliance Network, set up under the Market Surveillance Regulation (EU) 2019/1020, coordinates cross-border enforcement.

Surveillance Methods

MARKET SURVEILLANCE ACTIVITIES

PROACTIVE SURVEILLANCE:
+-- Market monitoring (online and physical)
+-- Random product sampling
+-- Complaint-driven investigations
+-- Sector-focused campaigns
\-- Cross-border information sharing

REACTIVE SURVEILLANCE:
+-- Incident reports from users
+-- Vulnerability disclosures
+-- Competitor complaints
+-- Whistleblower information
\-- RAPEX/Safety Gate alerts

DOCUMENTATION REQUESTS:
+-- EU Declaration of Conformity
+-- Technical file (or relevant parts)
+-- SBOM
+-- Test reports
+-- Conformity assessment evidence
\-- Vulnerability handling records

Typical Enforcement Sequence

ENFORCEMENT ESCALATION LADDER

1. INFORMATION REQUEST
   +-- Authority requests documentation
   +-- Manufacturer provides within deadline
   \-- If satisfactory -> Case closed

2. COMPLIANCE ASSESSMENT
   +-- Authority reviews documentation
   +-- May conduct product testing
   +-- Identifies deficiencies (if any)
   \-- If compliant -> Case closed

3. CORRECTIVE ACTION REQUEST
   +-- Authority identifies non-compliance
   +-- Requests corrective measures
   +-- Sets deadline for correction
   \-- Manufacturer implements corrections

4. FORMAL WARNING
   +-- Corrections inadequate or delayed
   +-- Formal notice of violation
   +-- Final opportunity to correct
   \-- Penalty warning issued

5. ADMINISTRATIVE MEASURES
   +-- Product withdrawal order
   +-- Import/sale prohibition
   +-- Public warnings issued
   \-- Administrative fine imposed

6. ESCALATED ENFORCEMENT
   +-- Product recall ordered
   +-- Maximum fines applied
   +-- Criminal referral (if applicable)
   \-- EU-wide market ban

What Authorities Actually Do

Documentation Review:

  • Request technical file (or summary)
  • Verify DoC accuracy
  • Check SBOM availability
  • Review vulnerability handling evidence

Product Testing:

  • Purchase products from market
  • Laboratory testing against requirements
  • Penetration testing (for cybersecurity)
  • Vulnerability scanning

On-Site Inspection:

  • Visit manufacturing facilities
  • Review quality systems
  • Interview responsible persons
  • Examine records

Beyond Fines: Other Consequences

Product Withdrawal

What it means: Remove product from market (stop sales).

When ordered: Product presents risk or non-compliance that can be corrected.

Your obligations:

  • Stop sales immediately
  • Notify distributors
  • Implement corrections
  • Seek re-approval before resuming sales

Product Recall

What it means: Retrieve products already sold to customers.

When ordered: Product presents serious risk even in user hands.

Your obligations:

  • Contact all known customers
  • Provide return/replacement instructions
  • Cover recall costs
  • Report to authorities on progress

Import Prohibition

What it means: Product cannot enter EU market.

When applied: Non-compliant products intercepted at border or systemic issues with manufacturer.

Consequences:

  • Products held at customs
  • May be destroyed or returned
  • Affects all future shipments

Public Naming

What it means: Authority publishes details of non-compliance.

Why it matters:

  • Reputational damage
  • Customer trust impact
  • Competitor advantage
  • Procurement disqualification

EU-Wide Measures

For serious or widespread issues, EU-wide action:

  • Safety Gate (RAPEX) notification
  • Coordinated market surveillance
  • Union-wide market ban

What Triggers Enforcement

High-Priority Triggers

Authorities prioritize cases involving:

Trigger Why High Priority
Safety incidents Actual harm occurred
Actively exploited vulnerabilities Immediate risk
Systematic fraud (false DoC) Intentional deception
Critical infrastructure products High-impact sector
Large-scale non-compliance Many units affected
Repeat offenders Pattern of disregard

Common Enforcement Triggers

Based on enforcement experience from similar regulations:

  1. Competitor complaints - Business rivals report suspected non-compliance
  2. Customer incidents - Users report security breaches or harms
  3. Random sampling - Authority purchases and tests products
  4. Import inspection - Customs flags documentation issues
  5. Vulnerability disclosure - Security researchers report unpatched issues
  6. Whistleblowers - Employees report internal non-compliance

Lower-Priority Situations

Authorities have limited resources. Lower priority for:

  • Minor documentation formatting issues
  • First-time, quickly corrected issues
  • Low-risk products with good track record
  • Cooperative manufacturers actively improving

How to Avoid Enforcement Action

Tip: The best defense is documented compliance decisions. Even if your approach isn't perfect, showing a good-faith effort with documented rationale significantly reduces penalty risk.

Prevention Strategy

ENFORCEMENT PREVENTION CHECKLIST

DOCUMENTATION:
[ ] Technical file complete and accessible
[ ] DoC accurate and signed
[ ] SBOM current and available
[ ] Risk assessment documented
[ ] Test reports retained

CONFORMITY:
[ ] Correct assessment route selected
[ ] Assessment actually completed (not just declared)
[ ] CE marking properly applied
[ ] Product identification traceable

VULNERABILITY HANDLING:
[ ] Security contact published
[ ] CVD policy in place
[ ] Response capability demonstrated
[ ] Updates delivered when needed

COOPERATION POSTURE:
[ ] Respond promptly to authority requests
[ ] Provide complete information
[ ] Don't hide problems
[ ] Document good-faith efforts

If Enforcement Begins

Important: Never provide false information to market surveillance authorities. Supplying incorrect, incomplete or misleading information in reply to a request is its own fineable infringement (Article 64(4), up to €5M or 1% of turnover), it can be fined alongside the penalty for the underlying non-compliance, and it forfeits the cooperation credit that otherwise keeps fines at the low end of the range.

Do:

  • Respond within deadlines
  • Provide complete documentation
  • Acknowledge issues honestly
  • Propose corrective actions
  • Document your cooperation
  • Seek legal advice early

Don't:

  • Ignore requests (makes everything worse)
  • Provide false information (a separate Article 64(4) infringement on top of the original problem)
  • Delay without explanation
  • Blame others without evidence
  • Destroy documents

Cooperation Benefits

Demonstrated cooperation significantly affects outcomes:

Behavior Likely Impact
Prompt, complete responses Lower penalties
Proactive self-reporting Potentially no fine
Quick corrective action Case may close early
Good-faith effort documented Mitigating factor
Obstruction or delay Aggravating factor
False information Maximum penalties

SME Considerations

Proportionality

CRA penalties must be "effective, proportionate and dissuasive." For SMEs:

  • The €15M / 2.5% figures are caps, not starting points; the cap is the higher of the two, so it is not reduced for a small company
  • Proportionality is built into the calculation: Article 64(5) expressly lists the operator's size and market share among the factors authorities must weigh
  • First-time minor violations often get warnings

SME Reporting Exemption

Info: Microenterprises and small enterprises cannot be fined for missing the 24-hour early-warning deadline under Article 14 (Article 64(10)). This does NOT mean they can skip reporting: the early warning, the 72-hour notification and the later reports are still owed, and only the fine for the 24-hour deadline is excluded.

Under Article 64(10) no administrative fine may be imposed on a microenterprise or small enterprise for failing to meet the 24-hour early-warning deadline in Article 14(2)(a) or Article 14(4)(a). But:

  • The report is still owed, through the single reporting platform
  • The 72-hour notification and the subsequent reports are not covered by the exemption
  • Medium-sized enterprises get no exemption at all
  • Other penalties still apply
  • Not a free pass for systematic failures

Resource Reality

MSAs understand SME resource constraints:

  • More likely to offer guidance first
  • May allow longer correction periods
  • Focus on substantive compliance over perfection

But fundamental violations (no conformity assessment, false declarations) are treated seriously regardless of size.

Cross-Border Enforcement

Single Market Principle

Non-compliance finding in one member state affects entire EU market:

  • Product may be prohibited across EU
  • Information shared via EU systems
  • Coordinated enforcement possible

Practical Implications

If German authority finds non-compliance:

  • Information shared with other MSAs
  • Products in Spain, France, etc. affected
  • Must correct across all markets

Choosing Battles Carefully

Some manufacturers try to "authority shop" (engage with friendlier MSAs). This rarely works:

  • Authorities coordinate
  • Serious issues get escalated
  • Reputation with all MSAs matters

What Good Compliance Looks Like to Authorities

Authorities recognize genuine compliance efforts:

MARKS OF GENUINE COMPLIANCE

Documentation:
✓ Technical file exists and is current
✓ Clear decision rationale documented
✓ Updates tracked and versioned
✓ Accessible within 48 hours of request

Process:
✓ Vulnerability handling actually works
✓ Updates actually delivered
✓ Customers actually notified
✓ Issues actually fixed (not just documented)

Attitude:
✓ Takes security seriously (not just compliance)
✓ Responds constructively to reports
✓ Cooperates with investigations
✓ Learns from issues

Enforcement Readiness Checklist

ENFORCEMENT READINESS CHECKLIST

DOCUMENTATION READY:
[ ] Technical file complete
[ ] DoC signed and dated
[ ] SBOM available
[ ] Test reports accessible
[ ] Risk assessment documented
[ ] Conformity assessment evidence

RESPONSE CAPABILITY:
[ ] Authority contact point designated
[ ] Response process defined
[ ] Legal counsel identified
[ ] Documentation retrieval tested
[ ] Response timeline understood (typically 10-30 days)

ISSUE TRACKING:
[ ] Known vulnerabilities documented
[ ] Remediation status tracked
[ ] Customer notification records
[ ] Incident history maintained

INTERNAL AWARENESS:
[ ] Staff know not to ignore authority contact
[ ] Escalation path to compliance/legal
[ ] No one authorized to provide false information
[ ] Document retention enforced

POST-INCIDENT:
[ ] Root cause analysis process
[ ] Corrective action tracking
[ ] Regulator communication log
[ ] Lessons learned documented
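The issue-tracking items above (known vulnerabilities documented, remediation status tracked) and the 24-hour / 72-hour reporting deadlines discussed under SME Considerations are easiest to keep honest with a script that runs over the vulnerability ledger before an authority does. The following is an added example written for this article; it is not code from the page, from CRA Evidence or from any regulator. The VulnRecord schema, the sample ledger and the 90-day internal remediation threshold are assumptions made for the illustration, and the 24-hour early-warning and 72-hour notification windows are applied only to actively exploited vulnerabilities, measured from the moment the manufacturer became aware.

```python
"""Vulnerability-ledger self-check against the Article 14 reporting windows.

Added example for this article; not code from the page, CRA Evidence or any
regulator. Assumptions: the VulnRecord schema, the sample ledger and
MAX_UNPATCHED_DAYS are invented for the illustration; the 24h early-warning
and 72h notification windows are applied only to actively exploited
vulnerabilities and are measured from the moment the manufacturer became aware.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

EARLY_WARNING_WINDOW = timedelta(hours=24)   # Article 14 early warning
NOTIFICATION_WINDOW = timedelta(hours=72)    # Article 14 vulnerability notification
MAX_UNPATCHED_DAYS = 90  # hypothetical internal policy threshold, not a CRA figure


@dataclass
class VulnRecord:
    vuln_id: str
    product: str
    aware_at: datetime                 # when the manufacturer became aware (UTC)
    actively_exploited: bool
    early_warning_sent_at: Optional[datetime] = None
    notification_sent_at: Optional[datetime] = None
    fixed_at: Optional[datetime] = None


def utc_ts(iso: str) -> datetime:
    """Parse 'YYYY-MM-DDTHH:MM' as a UTC timestamp (sample-data helper)."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def reporting_deadlines(aware_at: datetime) -> Tuple[datetime, datetime]:
    """Early-warning and notification deadlines for one awareness timestamp."""
    if aware_at.tzinfo is None:
        # A naive timestamp silently shifts every deadline by the local UTC offset.
        raise ValueError("aware_at must be timezone-aware")
    return aware_at + EARLY_WARNING_WINDOW, aware_at + NOTIFICATION_WINDOW


def check_window(sent_at: Optional[datetime], deadline: datetime,
                 now: datetime, name: str) -> Optional[str]:
    """Finding if the report went out late, or is still unsent past its deadline."""
    if sent_at is None:
        if now > deadline:
            return f"{name}_OVERDUE:{(now - deadline).total_seconds() / 3600:.0f}h"
        return None
    if sent_at > deadline:
        return f"{name}_LATE:{(sent_at - deadline).total_seconds() / 3600:.0f}h"
    return None


def assess(rec: VulnRecord, now: datetime) -> List[str]:
    """Findings for one ledger entry: reporting-window breaches and remediation age."""
    findings: List[str] = []
    if rec.actively_exploited:
        ew_deadline, notif_deadline = reporting_deadlines(rec.aware_at)
        for finding in (
            check_window(rec.early_warning_sent_at, ew_deadline, now, "EARLY_WARNING"),
            check_window(rec.notification_sent_at, notif_deadline, now, "NOTIFICATION"),
        ):
            if finding:
                findings.append(finding)
    if rec.fixed_at is None:
        # Scenario C on this page: a known vulnerability left open for months.
        open_days = (now - rec.aware_at).days
        if open_days > MAX_UNPATCHED_DAYS:
            findings.append(f"UNPATCHED:{open_days}d")
    return findings


def ledger_report(records: List[VulnRecord], now: datetime) -> Dict[str, List[str]]:
    """Map vuln_id -> findings, omitting entries with nothing to flag."""
    report: Dict[str, List[str]] = {}
    for rec in records:
        findings = assess(rec, now)
        if findings:
            report[rec.vuln_id] = findings
    return report


# Constructed sample ledger; identifiers and products are fictional.
SAMPLE_LEDGER = [
    VulnRecord("VULN-2026-001", "gateway-fw", utc_ts("2026-10-01T08:00"), True,
               early_warning_sent_at=utc_ts("2026-10-01T20:00"),
               notification_sent_at=utc_ts("2026-10-05T09:00")),
    VulnRecord("VULN-2026-002", "gateway-fw", utc_ts("2026-04-01T00:00"), False),
    VulnRecord("VULN-2026-003", "sensor-hub", utc_ts("2026-11-14T10:00"), True),
    VulnRecord("VULN-2026-004", "sensor-hub", utc_ts("2026-06-01T00:00"), False,
               fixed_at=utc_ts("2026-06-20T00:00")),
]
NOW = utc_ts("2026-11-15T12:00")

if __name__ == "__main__":
    for vuln_id, findings in ledger_report(SAMPLE_LEDGER, NOW).items():
        print(vuln_id, ", ".join(findings))
```

Run against the sample ledger at the assumed "now", the report flags the first entry for a notification sent 25 hours past its 72-hour window, the second for sitting unpatched for 228 days, and the third for an early warning that is already two hours overdue; the fixed entry produces nothing. Keeping the awareness timestamp timezone-aware is deliberate: an off-by-offset error on a 24-hour window is exactly the kind of gap an authority reconstructing a timeline will notice.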

Frequently Asked Questions

What is the maximum fine under the CRA?

Article 64(2) sets the maximum at €15 million or 2.5% of worldwide annual turnover, whichever is higher. For large companies, the turnover calculation can far exceed the fixed cap. The €15 million ceiling only applies where 2.5% of turnover falls below it.

Which authority enforces the CRA in each EU member state?

The CRA does not designate a single EU-wide enforcer. Each member state designates its own market surveillance authority. Germany's BSI, France's ANSSI, Italy's ACN, and Poland's CERT Polska are the national bodies expected to take leading roles. The Union Product Compliance Network coordinates cross-border enforcement when issues span multiple markets.

What triggers a CRA market surveillance investigation?

Common triggers include competitor complaints, customer-reported security incidents, random product sampling by authorities, import inspection flags, and publicly disclosed unpatched vulnerabilities. Authorities also run proactive sector campaigns targeting high-risk product categories.

Can a company be fined before the December 2027 deadline?

Products placed on the market after December 11, 2027 must comply fully. But the vulnerability reporting obligation under Article 14 takes effect September 11, 2026. Authorities can enforce that obligation from that date. A company that ignores a confirmed actively exploited vulnerability after September 2026 is already exposed.

Do CRA fines apply per product or per company?

Fines are assessed per violation, not per unit sold. A single non-compliant product line constitutes one violation, but the penalty calculation considers the scale of non-compliance, the number of units in circulation, and any financial benefit gained. Systematic non-compliance across multiple product lines would typically be treated as separate violations.

How does the CRA penalty framework compare to GDPR?

The maximums are similar: GDPR tops out at €20 million or 4% of global turnover, CRA at €15 million or 2.5%. Both use a tiered structure based on violation severity. The key difference is enforcement target: GDPR focuses on data processors and controllers, CRA targets product manufacturers, importers, and distributors. CRA enforcement sits with product safety authorities, not data protection regulators.

Next Steps

Managing CRA compliance across multiple products? CRA Evidence tracks your technical file evidence, vulnerability handling records, and conformity assessment status. Your documentation is ready when an authority requests it.

Once you understand the penalty structure, confirm your timeline with the CRA implementation timeline. Build your evidence package with the technical file guide before the first enforcement deadline arrives.


This article is for informational purposes only and does not constitute legal advice. For specific compliance guidance, consult with qualified legal counsel.
