Penalties

Before the Cyber Resilience Act, many manufacturers had little incentive to spend resources on the cybersecurity aspect of their products, as any damage due to neglect mostly hit the users. Given the huge number of devices and the large number of vulnerabilities found in them, the lack of security in such devices has been deemed a threat to society.

The penalties for non-compliance are up to EUR 15 000 000 or 2.5% of the total worldwide annual turnover, whichever is higher.

The text laying out penalties is found in Article 64. Below is a shortened version glossing over some of the details.

Non-compliance with the essential cybersecurity requirements (Annex I) and manufacturers' obligations (art. 13, 14) is subject to fines of up to EUR 15,000,000 or up to 2.5% of its total worldwide annual turnover, whichever is higher.

Non-compliance with obligations for authorised representatives, economic operators, the declaration of conformity, conformity assessment, affixing the CE marking, and technical documentation is subject to fines of up to EUR 10,000,000 or up to 2% of its total worldwide annual turnover, whichever is higher.

The supply of incorrect, incomplete or misleading information in reply to a request by authorities is subject to fines of up to EUR 5,000,000, or up to 1% of its total worldwide annual turnover, whichever is higher.

The concept of proportionality in regard to the size of fines also applies here, as seen in other EU legislation. The size of the undertaking will also be taken into account for smaller enterprises.