
CRA penalties under Article 64 of Regulation (EU) 2024/2847: €15 million or 2.5% of worldwide turnover at the top tier, three tiers in total, with a derogation for micro and small enterprises and a full exemption for open-source software stewards

Article 64 of the Cyber Resilience Act sets up three tiers of administrative fine, applied per case by national market surveillance authorities. Non-compliance with the essential cybersecurity requirements of Annex I and with the manufacturer obligations of Articles 13 and 14 carries the heaviest tier: up to €15,000,000 or 2.5% of worldwide annual turnover, whichever is higher. A second tier of up to €10 million or 2% covers a long list of process obligations. A third tier of up to €5 million or 1% covers incorrect information to notified bodies and market surveillance authorities. Micro and small enterprises are exempt from fines for missing the 24-hour Article 14 deadline. Open-source software stewards are fully exempt from administrative fines. This page maps every offence to its tier. CRACheck reduces the documentation half of the risk to €149.


Three tiers, three ceilings

  • Tier 1 — essential requirements, Arts 13 + 14 (Art. 64(2)): €15M / 2.5%
  • Tier 2 — process and conformity obligations (Art. 64(3)): €10M / 2%
  • Tier 3 — incorrect info to NB / MSA (Art. 64(4)): €5M / 1%

What each tier covers — verbatim from Article 64

Each tier lists the articles that, if breached, expose the manufacturer to the corresponding ceiling. Fines are per case; multi-market exposure can multiply.

1. Tier 1 — €15 million or 2.5% of worldwide annual turnover
Art. 64(2): non-compliance with the essential cybersecurity requirements set out in Annex I (Parts I and II) and the obligations set out in Articles 13 (manufacturer obligations) and 14 (reporting). Whichever amount is higher applies. For an undertaking with €1 billion annual turnover, 2.5% is €25 million, which exceeds the €15 million fixed amount, so €25 million becomes the applicable maximum.

2. Tier 2 — €10 million or 2% of worldwide annual turnover
Art. 64(3): non-compliance with Articles 18–23 (authorised representatives, importers, distributors, modifier-as-manufacturer, identification of operators), Article 28 (EU declaration of conformity), Article 30(1)–(4) (CE marking rules), Article 31(1)–(4) (technical documentation), Article 32(1)–(3) (conformity assessment procedures), Article 33(5) (simplified technical documentation form), and Articles 39, 41, 47, 49, 53.

3. Tier 3 — €5 million or 1% of worldwide annual turnover
Art. 64(4): the supply of incorrect, incomplete or misleading information to notified bodies and market surveillance authorities in reply to a request.

4. Aggravating and mitigating factors
Art. 64(5): nature, gravity and duration of the infringement and its consequences; whether the same or other market surveillance authorities have already fined the same operator for a similar infringement; the size of the operator (in particular SMEs and start-ups) and its market share.

5. Cross-Member-State coordination
Art. 64(6): market surveillance authorities that apply administrative fines shall communicate that application to other Member States through the information and communication system referred to in Article 34 of Regulation (EU) 2019/1020. This prevents both double jeopardy and free-riding.

6. Public authorities
Art. 64(7): each Member State decides whether and to what extent administrative fines may be imposed on public authorities and public bodies established in that Member State.

7. Court-imposed fines
Art. 64(8): depending on the legal system of the Member State, the rules on administrative fines may be applied so that the fines are imposed by competent national courts or other bodies. The effect must be equivalent across Member States.

8. Fines on top of corrective measures
Art. 64(9): administrative fines may be imposed in addition to any other corrective or restrictive measures applied by market surveillance authorities for the same infringement — e.g. withdrawal, recall, prohibition of making available.

9. Derogation — micro and small enterprises
Art. 64(10)(a): the fines in paragraphs 3–9 (Tiers 2 and 3 + cross-procedural rules) do NOT apply to manufacturers that qualify as microenterprises or small enterprises for a failure to meet the 24-hour deadline referred to in Article 14(2)(a) [vulnerability early warning] or Article 14(4)(a) [severe incident early warning].

10. Derogation — open-source software stewards
Art. 64(10)(b): no administrative fines are applicable to open-source software stewards for any infringement of the regulation. Stewards remain subject to the obligations of Article 24 and to corrective measures by market surveillance authorities (Art. 52(3)).

11. Representative actions by consumers
Art. 65: Directive (EU) 2020/1828 applies to representative actions brought against infringements of the CRA by economic operators that harm, or may harm, the collective interests of consumers. Effective from 11 December 2027 (Recital 124).

Common mistakes

FIRST-OFFENCE OPTIMISM

“First infringement, we will get a warning”

Article 64(1) requires Member State penalties to be ‘effective, proportionate and dissuasive’. There is no first-offence shield in the regulation. The highest ceiling is €15M / 2.5%, and the relevant circumstances of Art. 64(5) — not the count of prior infringements alone — govern the actual amount.

TURNOVER CONFUSION

“2.5% of EU turnover, not worldwide”

Art. 64(2): €15M or 2.5% of ‘total worldwide annual turnover for the preceding financial year, whichever is higher’. Same for Tier 2 (2% worldwide) and Tier 3 (1% worldwide). The base is global, not EU. The ceiling chosen is whichever yields the higher fine.

MULTI-MS DOUBLE-COUNTING

“Each Member State can fine us separately for the same infringement”

Art. 64(5)(b) treats prior fines by the same or other market surveillance authorities as a relevant circumstance to consider when setting the new fine. Art. 64(6) requires communication of fines across the Union via the Reg 2019/1020 Art. 34 system. The principle of proportionality limits the cumulative fine for the same type of infringement.

Does the CRA apply to your product?

Four-question self-check. If you answer YES to all four, your product is in scope of Regulation (EU) 2024/2847.


Choose your licence

One-time payment. No subscription. The downloaded dossier is yours forever.

1 product — €149 / product
  • 8-document CRA dossier (ZIP)
  • Product Classifier + Technical Documentation
  • Risk Assessment + User Information
  • 10 regenerations · 30 days
  • 1 licence = 1 product

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

1. Product Classifier
Determines whether your product is Default, Important Class I, Important Class II (Annex III) or Critical (Annex IV). Documents the rationale and the applicable conformity assessment procedure under Article 32.

2. Technical Documentation
Article 31 + Annex VII dossier. Product description, design and development, vulnerability handling processes, risk assessment, list of harmonised standards applied, conformity solutions.

3. Cybersecurity Risk Assessment
Annex I, Part I analysis. Intended purpose, reasonably foreseeable use, operational environment, applicability of each essential requirement, mitigation measures.

4. User Information & Instructions
Annex II. Manufacturer details, single point of contact, intended purpose, support period end date, secure decommissioning, automatic-update opt-out instructions.

5. EU Declaration of Conformity
Article 28 + Annex V. Pre-structured with your classification, applicable conformity module, harmonised standards or certificates relied on, notified body number when applicable.

6. Coordinated Vulnerability Disclosure Policy
Annex I, Part II, point (5). Single point of contact, intake workflow, triage and remediation timeline, public disclosure rules.

7. ENISA Notification Template
Article 14 reporting. Pre-filled 24h early warning, 72h vulnerability/incident notification, 14-day final report templates.

8. Obligations Calendar
Personalised milestones: Article 14 reporting starts 11 September 2026, full application 11 December 2027, document retention 10 years, support period (Art. 13(8)) end date.

See before you buy — Download sample dossier (PDF, fictional company). Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

Exposure — one Tier 1 fine: €15,000,000, or 2.5% of worldwide annual turnover, whichever is higher. Per case, per Member State (subject to Article 64(5)(b) coordination). Plus corrective measures: withdrawal, recall, prohibition.

CRACheck — same output: €149. The documentation half of the compliance burden — the part that triggers many Tier 1 fines under Art. 64(2) for breach of Article 13 — collapses to a one-time €149 with CRACheck.

Legal sources

Every article and recital cited on this page comes from the official text of Regulation (EU) 2024/2847 (Cyber Resilience Act), published in the Official Journal of the European Union on 20 November 2024 (ELI: data.europa.eu/eli/reg/2024/2847/oj).

Related: Regulation (EU) 2019/881 (Cybersecurity Act, EUCC) · Directive (EU) 2022/2555 (NIS2) · Regulation (EU) 2019/1020 (market surveillance) · Regulation (EU) 2024/1689 (AI Act).

Important notice

This is not legal advice. CRACheck is structured self-assessment software based on Regulation (EU) 2024/2847. The dossier you download is structured documentation, not a third-party audit or certification.

Class II and Critical products still need a notified body. CRACheck prepares the dossier that the notified body will examine — it does not replace the third-party conformity assessment required by Article 32(3) and Article 32(4).

Maximum liability: the amount you paid for the licence. Always verify your specific situation with your legal counsel.

Frequently asked questions

Which articles, exactly, expose me to the €15M / 2.5% tier?
Article 64(2) lists two categories: (1) non-compliance with the essential cybersecurity requirements set out in Annex I (Parts I and II); (2) non-compliance with the obligations set out in Articles 13 (25 manufacturer duties) and 14 (vulnerability and incident reporting). Tier 1 covers the heart of the regulation — product properties, vulnerability handling, manufacturer process duties, and ENISA notifications.
When do penalties start applying?
Article 71(2) makes the regulation apply from 11 December 2027, with two earlier carve-outs: Article 14 reporting from 11 September 2026 and Chapter IV (notified bodies) from 11 June 2026. Penalties for Article 14 breaches can therefore apply from 11 September 2026. Penalties for the rest of the regime apply from 11 December 2027. Article 71 does not carve out penalties — they activate with the substantive obligations.
Is my micro / small enterprise fully exempt from fines?
No — only partially. Article 64(10)(a) exempts micro and small enterprises from fines under paragraphs 3–9 (Tiers 2 and 3 plus cross-procedural rules) for a failure to meet the 24-hour Article 14 deadlines. They remain exposed to Tier 1 fines under Art. 64(2) for non-compliance with the essential requirements and broader Article 13/14 obligations. Subject to the principle that penalties be effective, proportionate and dissuasive, Member States cannot impose other pecuniary penalties on them for the carved-out scenarios.
Can consumer organisations sue me under the CRA?
Yes, indirectly. Article 65 applies Directive (EU) 2020/1828 on representative actions to infringements of the CRA that harm or may harm the collective interests of consumers. Qualified entities can bring representative actions in Member State courts. Recital 124 confirms applicability of those actions to CRA infringements from 11 December 2027. This is in addition to, not instead of, administrative fines under Article 64.
Is this a subscription?
No. One-time payment. 30-day editing window. 10 regenerations. The PDF dossier is yours permanently.
Can I request a refund?
Under Article 16(m) of Directive (EU) 2011/83, the act of licence activation constitutes express consent for immediate digital content generation, which removes the right of withdrawal. Refunds are issued only for reproducible technical failures.
What if the regulation changes before I file my dossier?
Regenerate at no additional cost during your licence validity. Substantive amendments to Regulation (EU) 2024/2847 are tracked weekly from EUR-Lex; if a clause you cited is amended, you can regenerate the affected sections.

Close the documentation half of your Article 64 exposure.

Article 64(2) Tier 1 fines target Articles 13 and 14 — the duties that depend on technical documentation, risk assessment, CVD policy and ENISA-ready reporting templates. CRACheck generates that documentation for €149.
