Summary

The EU Cyber Resilience Act imposes administrative fines for non-compliance, with varying amounts depending on the severity and nature of the infringement. Certain entities, such as microenterprises, small enterprises, and open-source software stewards, are exempt from certain fines.

Relevant CRA Provisions

– Recital 120, Recital 121
– Article 54, Article 58, Article 64, Article 65

Detailed Explanation

The EU Cyber Resilience Act (CRA) establishes a framework for penalties to ensure compliance with its provisions. Member States are required to implement rules on penalties, which must be effective, proportionate, and dissuasive. These penalties primarily take the form of administrative fines, the amounts of which vary based on the nature of the non-compliance.

Types of Penalties

1. Essential Cybersecurity Requirements and Obligations (Articles 13 and 14):
– Fines up to EUR 15,000,000 or 2.5% of the total worldwide annual turnover, whichever is higher.
2. Other Obligations (Articles 18 to 23, 28, 30(1) to (4), 31(1) to (4), 32(1), (2) and (3), 33(5), and Articles 39, 41, 47, 49, and 53):
– Fines up to EUR 10,000,000 or 2% of the total worldwide annual turnover, whichever is higher.
3. Incorrect, Incomplete, or Misleading Information:
– Fines up to EUR 5,000,000 or 1% of the total worldwide annual turnover, whichever is higher.

Exemptions

– Microenterprises and Small Enterprises: Exempt from fines for failing to meet certain deadlines.
– Open-Source Software Stewards: Exempt from all fines under the CRA.

Factors Considered in Determining Fines

– Nature, gravity, and duration of the infringement.
– Previous fines applied for similar infringements.
– Size and market share of the infringing entity, with special consideration for microenterprises and small and medium-sized enterprises.

Application of Fines

– Fines may be imposed by competent national courts or other bodies, depending on the Member State’s legal system.
– Fines can be cumulative with other corrective or restrictive measures.

Obligations for Stakeholders

– Manufacturers: Ensure compliance with essential cybersecurity requirements and obligations to avoid fines.
– Economic Operators: Cooperate with market surveillance authorities during evaluations and take corrective actions as required.
– Notified Bodies: Maintain compliance with requirements and obligations to avoid restriction, suspension, or withdrawal of notification.