CRA Non-Compliance: What's at Stake for Your Software?

Ignoring the Cyber Resilience Act for your game, app, or software tool? That's a risky move. The consequences aren't just a slap on the wrist.

Market Access Denied (The Big One)

If your software doesn't meet CRA standards, national market surveillance authorities can:

  • Order you to fix it (corrective actions) (Article 54 Paragraph 1).
  • Restrict or completely prohibit your software from being sold or made available in their EU country (Article 54 Paragraph 5).
  • Force a recall or withdrawal of your software from the market (Article 54 Paragraph 1).

Heavy Fines (This Will Sting)

The CRA sets some serious upper limits for fines, which Member States will implement (Article 64):

  • Up to EUR 15 million or 2.5% of your company's total worldwide annual turnover (whichever is higher) for failing to meet essential cybersecurity requirements (Annex I) or core manufacturer duties like vulnerability management (Articles 13, 14) (Article 64 Paragraph 2).
  • Up to EUR 10 million or 2% of turnover for other breaches, like incorrect documentation or CE marking issues (Article 64 Paragraph 3).
  • Up to EUR 5 million or 1% of turnover for supplying incorrect or misleading information to authorities (Article 64 Paragraph 4).

The amount of a fine takes into account the severity of the infringement and your company's size, with some specific considerations for micro and small enterprises (Article 64 Paragraph 5). For instance, micro and small businesses might not be fined for missing the initial 24-hour reporting deadline for actively exploited vulnerabilities (Article 64 Paragraph 10). Open-source software stewards also have a specific liability shield from fines (Article 64 Paragraph 10).

Key Takeaway

Beyond official penalties, non-compliance can severely damage your reputation and user trust. It's best to get it right.