CRA Enforcement: Penalties, Market Surveillance, and What Happens If You Don't Comply

CRA penalties reach up to 15 million euros. How enforcement works, what market surveillance authorities will check, and how to prepare for inspections.

Luca Berton · 1 min read

CRA Enforcement: What Happens If You Don’t Comply

The CRA has teeth. Non-compliance means your products can be removed from the EU market, and fines can reach €15 million. Understanding enforcement helps you prioritize compliance efforts.

Penalty Structure

Violation                                          Maximum Fine
Essential cybersecurity requirements               €15M or 2.5% of global annual turnover
Other CRA obligations                              €10M or 2% of global annual turnover
Incorrect/misleading information to authorities    €5M or 1% of global annual turnover

For each violation, whichever of the two amounts is higher applies.

Market Surveillance

Member state authorities will conduct:

Reactive Surveillance

  • Respond to vulnerability reports and incidents
  • Investigate complaints from users or competitors
  • Follow up on ENISA vulnerability notifications

Proactive Surveillance

  • Random product testing and audits
  • Verification of CE marking and documentation
  • SBOM completeness checks
  • Security testing of products on the market

What Authorities Can Do

  1. Request documentation: technical files, SBOMs, test reports
  2. Order product testing: at the manufacturer’s expense
  3. Require corrective action: fix vulnerabilities, update documentation
  4. Issue product recalls: remove non-compliant products from the market
  5. Ban market access: prevent future sales until compliance is achieved
  6. Impose fines: up to the maximum amounts above

How to Prepare for Inspection

Compliance Package (ready at all times):
├── EU Declaration of Conformity
├── Technical Documentation
│   ├── Product description
│   ├── Security risk assessment
│   ├── Design and development documentation
│   └── Test reports
├── Current SBOM
├── Vulnerability handling procedures
├── Security update policy and history
├── Incident reports filed with ENISA
└── Evidence of security testing

Risk-Based Prioritization

Focus compliance efforts where enforcement risk is highest:

  1. Products involved in security incidents: these attract immediate attention
  2. Products with known unpatched vulnerabilities: visible in public databases
  3. Products without CE marking: easy to identify and enforce against
  4. Class II/Critical products: higher scrutiny by design

Concerned about CRA enforcement? I help organizations build audit-ready compliance programs. Get in touch.
