Source: OJ L 2024/2847, 20.11.2024

Article 64 Penalties

Summary: What does Article 64 of the CRA regulation say?

This is the enforcement and penalties article of the Cyber Resilience Act, establishing a three-tier structure of administrative fines for different categories of non-compliance.

Member States are responsible for laying down and enforcing the penalty rules, but the regulation itself fixes the fine ceilings: up to EUR 15 million or 2.5% of total worldwide annual turnover for the top tier, EUR 10 million or 2% for the middle tier, and EUR 5 million or 1% for supplying incorrect, incomplete or misleading information to notified bodies and market surveillance authorities. In each tier the higher of the two amounts applies.

The article also carves out certain exemptions for microenterprises, small enterprises, and open-source software stewards.

Important points:

  • The highest tier of fines, up to EUR 15 000 000 or 2.5% of total worldwide annual turnover for the preceding financial year (whichever is higher), applies to non-compliance with the essential cybersecurity requirements in Annex I or with the manufacturer obligations set out in Articles 13 and 14.
  • Member States are required to lay down their own penalty rules and notify the Commission of those rules, though the fine ceilings are set directly by this regulation.
  • Manufacturers that are microenterprises or small enterprises are exempt from the fines in paragraphs 3 to 9 for missing the early-warning deadlines in Article 14(2), point (a), and Article 14(4), point (a); open-source software stewards are exempt from those same fines for any infringement of the Regulation.

Springlex's summary of the article is a reading aid, not a substitute for the legal text, which follows.

    1. Member States shall lay down the rules on penalties applicable to infringements of this Regulation and shall take all measures necessary to ensure that they are implemented. The penalties provided for shall be effective, proportionate and dissuasive. Member States shall, without delay, notify the Commission of those rules and measures and shall notify it, without delay, of any subsequent amendment affecting them.

    2. Non-compliance with the essential cybersecurity requirements set out in Annex I and the obligations set out in Articles 13 and 14 shall be subject to administrative fines of up to EUR 15 000 000 or, if the offender is an undertaking, up to 2,5 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.

    3. Non-compliance with the obligations set out in Articles 18 to 23, Article 28, Article 30(1) to (4), Article 31(1) to (4), Article 32(1), (2) and (3), Article 33(5), and Articles 39, 41, 47, 49 and 53 shall be subject to administrative fines of up to EUR 10 000 000 or, if the offender is an undertaking, up to 2 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.

    4. The supply of incorrect, incomplete or misleading information to notified bodies and market surveillance authorities in reply to a request shall be subject to administrative fines of up to EUR 5 000 000 or, if the offender is an undertaking, up to 1 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.

    5. When deciding on the amount of the administrative fine in each individual case, all relevant circumstances of the specific situation shall be taken into account and due regard shall be given to the following:

      (a) the nature, gravity and duration of the infringement and of its consequences;

      (b) whether administrative fines have already been applied by the same or other market surveillance authorities to the same economic operator for a similar infringement;

      (c) the size, in particular with regard to microenterprises and small and medium-sized enterprises, including start-ups, and the market share of the economic operator committing the infringement.

    6. Market surveillance authorities that apply administrative fines shall communicate that application to the market surveillance authorities of other Member States through the information and communication system referred to in Article 34 of Regulation (EU) 2019/1020.

    7. Each Member State shall lay down rules on whether and to what extent administrative fines may be imposed on public authorities and public bodies established in that Member State.

    8. Depending on the legal system of the Member States, the rules on administrative fines may be applied in such a manner that the fines are imposed by competent national courts or other bodies according to the competences established at national level in those Member States. The application of such rules in those Member States shall have an equivalent effect.

    9. Administrative fines may be imposed, depending on the circumstances of each individual case, in addition to any other corrective or restrictive measures applied by the market surveillance authorities for the same infringement.

    10. By way of derogation from paragraphs 3 to 9, the administrative fines referred to in those paragraphs shall not apply to the following:

      (a) manufacturers that qualify as microenterprises or small enterprises with regard to any failure to meet the deadline referred to in Article 14(2), point (a), or Article 14(4), point (a);

      (b) any infringement of this Regulation by open-source software stewards.

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod