Non-compliance with the CRA carries fines of up to EUR 15 million or 2.5% of worldwide annual turnover for the preceding financial year, whichever is higher. That is the highest fine bracket under Article 64(2), which applies to non-compliance with the Annex I essential requirements and with the manufacturer obligations in Articles 13 and 14. The SBOM obligation sits in Annex I (Part II, point 1: a software bill of materials in a commonly used, machine-readable format covering at least the product's top-level dependencies). Two dates govern your timeline. Article 14 vulnerability and incident reporting becomes mandatory on 11 September 2026. Full application of the Regulation follows on 11 December 2027. Products placed on the EU market after that date that do not meet the essential requirements, including the SBOM, cannot carry CE marking and cannot legally be sold.
Summary
- 11 September 2026: Article 14 vulnerability and incident reporting to the coordinating CSIRT and ENISA becomes mandatory for manufacturers
- 11 December 2027: Full CRA enforcement begins, including the Annex I SBOM obligation
- Maximum fine: EUR 15 million or 2.5% of worldwide annual turnover (whichever is higher), Article 64(2)
- Retention: the technical documentation, which includes the SBOM, must be kept for at least 10 years after the product has been placed on the market or for the support period, whichever is longer (Article 13(13))
CRA SBOM compliance deadlines
The CRA has a phased enforcement timeline. Two dates directly affect SBOM compliance:
| Date | Milestone |
|---|---|
| 11 September 2026 | Article 14 reporting obligations take effect. Manufacturers must send an early warning for an actively exploited vulnerability or a severe incident within 24 hours of becoming aware of it. |
| 11 December 2027 | Full application. All products with digital elements placed on the market must meet the CRA requirements, including an SBOM that satisfies Annex I. |
Products placed on the EU market from 11 December 2027 that lack a compliant SBOM cannot carry CE marking and cannot legally be sold. For the broader phased timeline covering Notified Bodies, harmonised standards, and Article 14 reporting, see the CRA implementation timeline.
Article 14 reporting cadence
The "24 hours" figure is only the first step. Article 14 sets a tiered reporting cadence; each notification goes simultaneously to the CSIRT designated as coordinator and to ENISA, via the single reporting platform of Article 16.
| Step | Deadline | Article | Trigger |
|---|---|---|---|
| Early warning notification | Within 24 hours of becoming aware | Art. 14(2)(a) | Actively exploited vulnerability |
| Vulnerability notification | Within 72 hours of becoming aware | Art. 14(2)(b) | Actively exploited vulnerability |
| Final report | No later than 14 days after a corrective or mitigating measure is available | Art. 14(2)(c) | Actively exploited vulnerability |
| Early warning notification | Within 24 hours of becoming aware | Art. 14(4)(a) | Severe incident |
| Incident notification | Within 72 hours of becoming aware | Art. 14(4)(b) | Severe incident |
| Final report | Within 1 month of submitting the incident notification | Art. 14(4)(c) | Severe incident |
Article 14 reporting applies from 11 September 2026. If you become aware after that date that a vulnerability in your product is being actively exploited, you must send an early warning to the coordinating CSIRT and ENISA within 24 hours, a fuller vulnerability notification within 72 hours, and a final report no later than 14 days after a corrective or mitigating measure is available. Meeting a 24-hour clock requires vulnerability monitoring and an internal escalation path to be in place before that date, not after. The SBOM is the foundation of that monitoring: you cannot match advisories against components you have not documented.
What happens if you do not comply?
Non-compliance with the CRA carries both financial and commercial consequences. Market surveillance authorities in each EU member state will enforce these penalties.
| Financial | Commercial |
|---|---|
| Fines up to EUR 15 million or 2.5% of worldwide annual turnover (Art. 64(2)) | Product recall or withdrawal from the EU market |
| Missed steps in the Article 14 reporting cadence may attract separate fines; Article 14 sits in the Art. 64(2) bracket, while breaches of other obligations fall under Art. 64(3) | Market ban: non-compliant products cannot carry CE marking |
| False or incomplete information to authorities: up to EUR 5 million / 1% (Art. 64(4)) | Supply-chain impact: customers may be unable to use your product in their own CRA compliance |
Penalty exposure by operator type
Article 64 sets different fine ceilings depending on which obligation is breached and which operator is responsible. The SBOM obligation sits in Annex I, so a missing or non-compliant SBOM falls into the Article 64(2) bracket for manufacturers.
| Operator | Obligation breached | Article | Maximum fine |
|---|---|---|---|
| Manufacturer | Annex I essential requirements (incl. SBOM) or Articles 13–14 obligations | Art. 64(2) | €15,000,000 or 2.5% of worldwide annual turnover |
| Importer | Article 19 importer obligations (verification, labelling, documentation) | Art. 64(3) | €10,000,000 or 2% of worldwide annual turnover |
| Importer acting as manufacturer | Article 22: placing the product on the market under its own name or trademark, or substantially modifying it, triggers the full manufacturer regime | Art. 64(2) | €15,000,000 or 2.5% of worldwide annual turnover |
| Distributor | Article 20 distributor obligations (verification, cooperation with surveillance) | Art. 64(3) | €10,000,000 or 2% of worldwide annual turnover |
| All operators | Providing false, incomplete, or misleading information to authorities | Art. 64(4) | €5,000,000 or 1% of worldwide annual turnover |
Article 22 moves an importer or distributor into the full manufacturer regime when it places a product on the market under its own name or trademark, or carries out a substantial modification of a product already placed on the market. The penalty exposure moves from €10M / 2% to €15M / 2.5%, and every Article 13 obligation applies, including the Annex I SBOM requirement.
When setting the fine amount, authorities must give due regard to three factors under Article 64(5):
| Factor | Impact |
|---|---|
| Nature, gravity and duration of the infringement and of its consequences | More serious, longer-running or more damaging = higher fine |
| Whether fines have already been imposed on the same operator for a similar infringement | Repeat enforcement = higher fine |
| Size and market share of the economic operator, in particular microenterprises, SMEs and start-ups | Smaller operator = proportionally lower fine |
Microenterprises and small enterprises are exempt from administrative fines for missing the 24-hour early-warning deadlines in Articles 14(2)(a) and 14(4)(a). Open-source software stewards are not subject to administrative fines for the infringements covered by Article 64 paragraphs 3 to 9. The underlying obligations still apply in both cases; only the administrative-fine consequence is lifted.
Frequently asked questions
What is the maximum fine under the CRA?
Article 64(2) sets the maximum at €15 million or 2.5% of worldwide annual turnover for the preceding financial year, whichever is higher. For large companies the turnover figure can far exceed the fixed amount: 2.5% of a €10 billion turnover is €250 million. The €15 million figure is the binding ceiling only where 2.5% of turnover falls below it.
Can a company be fined before the December 2027 deadline?
Products placed on the market from 11 December 2027 must comply fully. But the Article 14 reporting obligation applies from 11 September 2026, and authorities can enforce it from that date. A manufacturer that becomes aware of an actively exploited vulnerability after September 2026 and does not report it within the Article 14 deadlines is already exposed under Article 64(2).
Do CRA fines apply per product or per company?
Fines are assessed per infringement, not per unit sold. A single non-compliant product line constitutes one infringement, but the penalty calculation takes into account the scale of non-compliance, the number of units in circulation, and any financial benefit gained. Systematic non-compliance across multiple product lines would typically be treated as separate infringements.
Which authority enforces the CRA in each EU member state?
The CRA does not create a single EU-wide enforcer. Each member state designates its own market surveillance authority. Germany's BSI, France's ANSSI, Italy's ACN, and Poland's CERT Polska are national bodies widely expected to take leading roles, but the designation is each state's decision. The Union Product Compliance Network coordinates cross-border enforcement when issues span multiple markets.
What triggers a CRA market surveillance investigation?
Common triggers include competitor complaints, customer-reported security incidents, random product sampling by authorities, import inspection flags, and publicly disclosed unpatched vulnerabilities. Authorities also run proactive sector campaigns targeting high-risk product categories.
How long must an SBOM be retained after a product is withdrawn?
The technical documentation, which includes the SBOM, must be retained for at least 10 years after the product with digital elements has been placed on the market, or for the support period, whichever is longer (CRA Article 13(13)). The SBOM must stay current throughout the support period. The CRA requires that period to reflect the time the product is expected to be in use and sets it at a minimum of 5 years, unless the product is expected to be in use for a shorter time (Article 13(8)).