CRA Penalties in Practice: What Market Surveillance Actually Looks Like

Understanding CRA enforcement mechanisms, penalty structures, and what to expect from market surveillance. A practical guide to avoiding enforcement action.

By the CRA Evidence Team
December 25, 2025 (updated February 25, 2026, 12:00:00 AM UTC)
11 min read

The CRA includes penalty provisions that can reach €15 million or 2.5% of global turnover. But what does enforcement actually look like? How do market surveillance authorities operate? And what triggers the highest penalties?

This guide explains CRA enforcement mechanisms and how to stay on the right side of regulators.

Summary

  • Maximum penalties: €15M or 2.5% global turnover for essential requirements violations
  • Market surveillance authorities conduct inspections, request documentation, test products
  • Graduated response: correction opportunities before penalties (usually)
  • Worst outcomes: product withdrawal, recall, import bans
  • Best defense: documented compliance decisions and responsive cooperation

[Figure: CRA penalty escalation ladder, from Warning to Market Ban]

CRA Penalty Structure

Three Penalty Tiers

The CRA establishes maximum administrative fines based on violation severity:

CRA PENALTY TIERS

TIER 1: Essential Requirements Violations (Article 64(2))
─────────────────────────────────────────────────────────────
Maximum: €15,000,000 or 2.5% of worldwide annual turnover
         (whichever is higher)

Violations include:
- Non-compliance with Annex I essential requirements
- Placing non-conforming products on market
- Missing or invalid conformity assessment
- Providing false information to authorities

TIER 2: Other Obligation Violations (Article 64(3))
─────────────────────────────────────────────────────────────
Maximum: €10,000,000 or 2% of worldwide annual turnover
         (whichever is higher)

Violations include:
- Documentation deficiencies
- Missing or incorrect CE marking
- Importer/distributor obligation failures
- Notification requirement failures

TIER 3: Information Violations (Article 64(4))
─────────────────────────────────────────────────────────────
Maximum: €5,000,000 or 1% of worldwide annual turnover
         (whichever is higher)

Violations include:
- Providing incorrect/incomplete information to authorities
- Failing to provide information on request
- Obstruction of market surveillance activities

Warning: Maximum penalties reach €15 million or 2.5% of global annual turnover — whichever is HIGHER. For large companies, the turnover-based calculation can far exceed the fixed cap.

How Penalties Are Calculated

Authorities must consider (Article 64(5)):

Factor                                Impact on penalty
────────────────────────────────────  ────────────────────────────────────
Nature, gravity, duration             More serious = higher
Intentional vs negligent              Intent = higher
Actions to mitigate damage            Mitigation = lower
Previous violations                   Repeat offenses = higher
Financial benefits gained             Profit from non-compliance = higher
Cooperation with authorities          Good cooperation = lower
Other aggravating/mitigating factors  Case-specific

Penalty Examples (Illustrative)

EXAMPLE SCENARIOS (Illustrative, not precedent)

Scenario A: Documentation Gap
─────────────────────────────────────────────────────────────
Violation: Technical file incomplete (missing risk assessment)
Circumstances: First offense, promptly corrected, cooperative
Likely outcome: Warning or low fine
Estimated range: €0 - €50,000

Scenario B: Missing Conformity Assessment
─────────────────────────────────────────────────────────────
Violation: Important Class II product sold without notified body (NB) assessment
Circumstances: Knew requirement, proceeded anyway
Likely outcome: Significant fine + product withdrawal
Estimated range: €100,000 - €1,000,000+

Scenario C: Known Vulnerability Unpatched
─────────────────────────────────────────────────────────────
Violation: Critical vulnerability known, not addressed for 6 months
Circumstances: Customer harm resulted, poor cooperation
Likely outcome: Major fine + potential recall
Estimated range: €500,000 - €5,000,000+

Scenario D: Systematic Non-Compliance
─────────────────────────────────────────────────────────────
Violation: Multiple products, no conformity assessment, false DoC
Circumstances: Large company, ongoing, evidence of intent
Likely outcome: Maximum penalties + market ban
Estimated range: Up to €15,000,000 or 2.5% of turnover

Market Surveillance: How It Works

Who Enforces CRA?

Market surveillance authorities (MSAs) in each member state enforce the CRA. These are typically:

  • Consumer protection agencies
  • Industrial/product safety authorities
  • Sectoral regulators

Coordination: The EU Product Compliance Network coordinates cross-border enforcement.

Surveillance Methods

MARKET SURVEILLANCE ACTIVITIES

PROACTIVE SURVEILLANCE:
├── Market monitoring (online and physical)
├── Random product sampling
├── Complaint-driven investigations
├── Sector-focused campaigns
└── Cross-border information sharing

REACTIVE SURVEILLANCE:
├── Incident reports from users
├── Vulnerability disclosures
├── Competitor complaints
├── Whistleblower information
└── RAPEX/Safety Gate alerts

DOCUMENTATION REQUESTS:
├── EU Declaration of Conformity
├── Technical file (or relevant parts)
├── SBOM
├── Test reports
├── Conformity assessment evidence
└── Vulnerability handling records

Typical Enforcement Sequence

ENFORCEMENT ESCALATION LADDER

1. INFORMATION REQUEST
   ├── Authority requests documentation
   ├── Manufacturer provides within deadline
   └── If satisfactory → Case closed

2. COMPLIANCE ASSESSMENT
   ├── Authority reviews documentation
   ├── May conduct product testing
   ├── Identifies deficiencies (if any)
   └── If compliant → Case closed

3. CORRECTIVE ACTION REQUEST
   ├── Authority identifies non-compliance
   ├── Requests corrective measures
   ├── Sets deadline for correction
   └── Manufacturer implements corrections

4. FORMAL WARNING
   ├── Corrections inadequate or delayed
   ├── Formal notice of violation
   ├── Final opportunity to correct
   └── Penalty warning issued

5. ADMINISTRATIVE MEASURES
   ├── Product withdrawal order
   ├── Import/sale prohibition
   ├── Public warnings issued
   └── Administrative fine imposed

6. ESCALATED ENFORCEMENT
   ├── Product recall ordered
   ├── Maximum fines applied
   ├── Criminal referral (if applicable)
   └── EU-wide market ban

What Authorities Actually Do

Documentation Review:

  • Request technical file (or summary)
  • Verify DoC accuracy
  • Check SBOM availability
  • Review vulnerability handling evidence

Product Testing:

  • Purchase products from market
  • Laboratory testing against requirements
  • Penetration testing (for cybersecurity)
  • Vulnerability scanning

On-Site Inspection:

  • Visit manufacturing facilities
  • Review quality systems
  • Interview responsible persons
  • Examine records

Beyond Fines: Other Consequences

Product Withdrawal

What it means: Remove product from market (stop sales).

When ordered: Product presents risk or non-compliance that can be corrected.

Your obligations:

  • Stop sales immediately
  • Notify distributors
  • Implement corrections
  • Seek re-approval before resuming sales

Product Recall

What it means: Retrieve products already sold to customers.

When ordered: Product presents serious risk even in user hands.

Your obligations:

  • Contact all known customers
  • Provide return/replacement instructions
  • Cover recall costs
  • Report to authorities on progress

Import Prohibition

What it means: Product cannot enter EU market.

When applied: Non-compliant products intercepted at border or systemic issues with manufacturer.

Consequences:

  • Products held at customs
  • May be destroyed or returned
  • Affects all future shipments

Public Naming

What it means: Authority publishes details of non-compliance.

Why it matters:

  • Reputational damage
  • Customer trust impact
  • Competitor advantage
  • Procurement disqualification

EU-Wide Measures

For serious or widespread issues, EU-wide action:

  • Safety Gate (RAPEX) notification
  • Coordinated market surveillance
  • Union-wide market ban

What Triggers Enforcement

High-Priority Triggers

Authorities prioritize cases involving:

Trigger                              Why high priority
───────────────────────────────────  ───────────────────────
Safety incidents                     Actual harm occurred
Actively exploited vulnerabilities   Immediate risk
Systematic fraud (false DoC)         Intentional deception
Critical infrastructure products     High-impact sector
Large-scale non-compliance           Many units affected
Repeat offenders                     Pattern of disregard

Common Enforcement Triggers

Based on enforcement experience from similar regulations:

  1. Competitor complaints - Business rivals report suspected non-compliance
  2. Customer incidents - Users report security breaches or harms
  3. Random sampling - Authority purchases and tests products
  4. Import inspection - Customs flags documentation issues
  5. Vulnerability disclosure - Security researchers report unpatched issues
  6. Whistleblowers - Employees report internal non-compliance

Lower-Priority Situations

Authorities have limited resources. Lower priority for:

  • Minor documentation formatting issues
  • First-time, quickly corrected issues
  • Low-risk products with good track record
  • Cooperative manufacturers actively improving

How to Avoid Enforcement Action

Tip: The best defense is documented compliance decisions. Even if your approach isn't perfect, showing a good-faith effort with documented rationale significantly reduces penalty risk.

Prevention Strategy

ENFORCEMENT PREVENTION CHECKLIST

DOCUMENTATION:
[ ] Technical file complete and accessible
[ ] DoC accurate and signed
[ ] SBOM current and available
[ ] Risk assessment documented
[ ] Test reports retained

CONFORMITY:
[ ] Correct assessment route selected
[ ] Assessment actually completed (not just declared)
[ ] CE marking properly applied
[ ] Product identification traceable

VULNERABILITY HANDLING:
[ ] Security contact published
[ ] CVD policy in place
[ ] Response capability demonstrated
[ ] Updates delivered when needed

COOPERATION POSTURE:
[ ] Respond promptly to authority requests
[ ] Provide complete information
[ ] Don't hide problems
[ ] Document good-faith efforts

If Enforcement Begins

Important: Never provide false information to market surveillance authorities. What starts as a Tier 3 violation (€5M max) becomes a Tier 1 violation (€15M max) if you lie.

Do:

  • Respond within deadlines
  • Provide complete documentation
  • Acknowledge issues honestly
  • Propose corrective actions
  • Document your cooperation
  • Seek legal advice early

Don't:

  • Ignore requests (makes everything worse)
  • Provide false information (Tier 3 violation becomes Tier 1)
  • Delay without explanation
  • Blame others without evidence
  • Destroy documents

Cooperation Benefits

Demonstrated cooperation significantly affects outcomes:

Behavior                         Likely impact
───────────────────────────────  ───────────────────────
Prompt, complete responses       Lower penalties
Proactive self-reporting         Potentially no fine
Quick corrective action          Case may close early
Good-faith effort documented     Mitigating factor
Obstruction or delay             Aggravating factor
False information                Maximum penalties

SME Considerations

Proportionality

CRA penalties must be "effective, proportionate and dissuasive." For SMEs:

  • Percentage-of-turnover caps matter (€15M unlikely for small company)
  • Proportionality principle applies
  • First-time minor violations often get warnings

SME Reporting Exemption

Info: SMEs are exempt from fine-specific penalties for missing the 24h/72h ENISA reporting deadlines. However, this does NOT mean SMEs can skip reporting entirely — they must still report, just without timing-based fines.

SMEs are exempt from fine-specific penalties for missing 24h/72h ENISA reporting deadlines (Article 64(7)). But:

  • Still must report (just not fined for timing)
  • Other penalties still apply
  • Not a free pass for systematic failures

Resource Reality

MSAs understand SME resource constraints:

  • More likely to offer guidance first
  • May allow longer correction periods
  • Focus on substantive compliance over perfection

But fundamental violations (no conformity assessment, false declarations) are treated seriously regardless of size.

Cross-Border Enforcement

Single Market Principle

A non-compliance finding in one member state affects the entire EU market:

  • Product may be prohibited across EU
  • Information shared via EU systems
  • Coordinated enforcement possible

Practical Implications

If a German authority finds non-compliance:

  • Information shared with other MSAs
  • Products in Spain, France, etc. affected
  • Must correct across all markets

Choosing Battles Carefully

Some manufacturers try to "authority shop" (engage with friendlier MSAs). This rarely works:

  • Authorities coordinate
  • Serious issues get escalated
  • Reputation with all MSAs matters

What Good Compliance Looks Like to Authorities

Authorities recognize genuine compliance efforts:

MARKS OF GENUINE COMPLIANCE

Documentation:
 ✓ Technical file exists and is current
 ✓ Clear decision rationale documented
 ✓ Updates tracked and versioned
 ✓ Accessible within 48 hours of request

Process:
 ✓ Vulnerability handling actually works
 ✓ Updates actually delivered
 ✓ Customers actually notified
 ✓ Issues actually fixed (not just documented)

Attitude:
 ✓ Takes security seriously (not just compliance)
 ✓ Responds constructively to reports
 ✓ Cooperates with investigations
 ✓ Learns from issues

Enforcement Readiness Checklist

ENFORCEMENT READINESS CHECKLIST

DOCUMENTATION READY:
[ ] Technical file complete
[ ] DoC signed and dated
[ ] SBOM available
[ ] Test reports accessible
[ ] Risk assessment documented
[ ] Conformity assessment evidence

RESPONSE CAPABILITY:
[ ] Authority contact point designated
[ ] Response process defined
[ ] Legal counsel identified
[ ] Documentation retrieval tested
[ ] Response timeline understood (typically 10-30 days)

ISSUE TRACKING:
[ ] Known vulnerabilities documented
[ ] Remediation status tracked
[ ] Customer notification records
[ ] Incident history maintained

INTERNAL AWARENESS:
[ ] Staff know not to ignore authority contact
[ ] Escalation path to compliance/legal
[ ] No one authorized to provide false information
[ ] Document retention enforced

POST-INCIDENT:
[ ] Root cause analysis process
[ ] Corrective action tracking
[ ] Regulator communication log
[ ] Lessons learned documented

How CRA Evidence Helps

CRA Evidence supports enforcement readiness:

  • Documentation repository: Technical files accessible for authority requests
  • Audit trail: Compliance decisions documented with rationale
  • SBOM management: Current SBOMs available on demand
  • Vulnerability tracking: Response history documented
  • Export capability: Generate documentation packages for authorities

Be enforcement-ready at app.craevidence.com.

Compliance: Start your compliance journey with our implementation timeline.

Documentation: Build your evidence package with our technical file guide.

Reporting: Understand the 24-hour rule in our ENISA vulnerability reporting guide.

Costs: Plan your budget with our CRA compliance cost estimation guide.


This article is for informational purposes only and does not constitute legal advice. For specific compliance guidance, consult with qualified legal counsel.
