
CRA Penalties and Enforcement: What Happens If You Don't Comply

By Johannes Emil Ellesøe Kirstein

The EU Cyber Resilience Act carries penalties comparable to GDPR — up to EUR 15 million or 2.5% of global annual turnover. But unlike GDPR, the CRA also gives authorities the power to pull your product from the EU market entirely.

Here is what the enforcement landscape looks like and how to assess your risk.

Penalty Tiers

The CRA establishes three tiers of administrative fines, set out in Article 64 of Regulation 2024/2847:

Tier 1: Up to EUR 15 Million or 2.5% of Turnover

This is the maximum penalty, applied for failure to meet the essential cybersecurity requirements in Annex I. This includes:

  • Placing a product on the EU market with known exploitable vulnerabilities
  • Failing to implement vulnerability handling processes
  • Not maintaining an SBOM
  • Not providing security updates during the product's support period
  • Failing to design products with appropriate cybersecurity measures

This tier covers the core obligations — the things the CRA was designed to enforce.

Tier 2: Up to EUR 10 Million or 2% of Turnover

Applied for non-compliance with other CRA obligations, including:

  • Failing to report actively exploited vulnerabilities to ENISA within the required timeframes (see our ENISA reporting guide)
  • Not maintaining technical documentation
  • Failing to apply CE marking correctly
  • Not completing the appropriate conformity assessment
  • Failing to meet the obligations placed on importers and distributors

Tier 3: Up to EUR 5 Million or 1% of Turnover

Applied for providing incorrect, incomplete, or misleading information to market surveillance authorities or notified bodies. This includes falsifying conformity documentation or misrepresenting product capabilities.

In all cases, the fine is whichever amount is higher — the fixed sum or the percentage of turnover. For a company with EUR 1 billion in revenue, Tier 1 could mean a EUR 25 million fine.

Beyond Fines: Product Withdrawal

Fines are not the only enforcement tool. Market surveillance authorities have the power to:

  • Order corrective action: require you to bring your product into compliance within a specified period
  • Restrict or prohibit availability: prevent your product from being sold on the EU market
  • Order withdrawal: require you to remove your product from the EU market entirely
  • Order recall: require you to retrieve products already sold to end users

For many companies, product withdrawal is a more severe consequence than a fine. Losing access to the EU market — or having to recall products already deployed — can be existential.

Who Enforces the CRA?

Enforcement is handled by market surveillance authorities in each EU member state. These are the same authorities that enforce product safety regulations for physical goods. Each member state designates its own authority.

ENISA plays a coordination role, particularly for cross-border issues and vulnerability reporting, but does not directly issue fines. The market surveillance authorities investigate, determine non-compliance, and impose penalties.

The European Commission can also intervene for products that present a serious risk across multiple member states, requiring coordinated action.

How Enforcement Will Work in Practice

The CRA's enforcement model draws on existing EU product safety enforcement, which suggests:

Reactive enforcement: authorities investigate specific complaints, security incidents, or reports of non-compliance. If a widely publicized security breach involves a product that lacked basic CRA compliance (no SBOM, no vulnerability handling, no ENISA reporting), expect scrutiny.

Proactive market surveillance: authorities may conduct spot checks, test products, and verify documentation. Products in the important and critical categories (see our classification guide) are more likely to face proactive checks.

Cross-border coordination: ENISA and the European Commission facilitate information sharing between member states. Non-compliance discovered in one country can trigger investigations in others.

Comparison to GDPR Enforcement

The CRA's penalty structure mirrors GDPR's tiered approach, and lessons from GDPR enforcement are instructive:

  • Early enforcement focused on large, visible cases. Expect the first CRA fines to target large companies involved in high-profile security incidents.
  • Regulators ramped up over time. GDPR fines were modest in 2018 and grew significantly by 2022. Expect a similar trajectory for the CRA.
  • Complaints drive action. GDPR enforcement was heavily complaint-driven. For the CRA, security researchers reporting non-compliant products could trigger investigations.
  • Documentation matters. GDPR showed that having documented processes — even imperfect ones — was treated more favorably than having nothing at all.

Enforcement Timeline

  • September 11, 2026: vulnerability reporting obligations begin. Failure to report actively exploited vulnerabilities to ENISA triggers Tier 2 penalties.
  • December 11, 2027: full compliance required. All essential requirements, SBOM, CE marking, conformity assessment, and documentation must be in place. All penalty tiers become enforceable.

Do not wait for December 2027 to start. The September 2026 reporting deadline is the first enforcement trigger, and it applies to all manufacturers regardless of product category.

How to Assess Your Risk

Consider these factors:

  1. Product category. Important and critical products will face more scrutiny than default category products.
  2. Market visibility. Products with large EU user bases are higher-risk for enforcement attention.
  3. Incident history. A security breach in an unpatched product with no SBOM and no ENISA report is the worst-case scenario.
  4. Documentation. Having processes in place — even early-stage ones — demonstrates good faith effort.

The most dangerous position is to have no compliance program at all. Start with the basics: generate an SBOM, set up vulnerability monitoring, and prepare for ENISA reporting. Use our CRA compliance checklist to track your progress.

Complaro helps engineering teams build CRA compliance infrastructure — SBOM management, vulnerability monitoring, and ENISA report generation — so you can demonstrate compliance before enforcement begins. Get started free.
