Updated: 6 May, 2025
24 April, 2025
What is CRA?
The Cyber Resilience Act (CRA) is an EU-wide regulation, formally Regulation (EU) 2024/2847, that sets mandatory cybersecurity and vulnerability-management requirements for all “products with digital elements” placed on the EU market, whether they are hardware, software or a combination of both. It is the first horizontal EU law that treats insecure software much like unsafe physical products.
When does CRA come into effect?
The EU CRA came into force on 10 January 2025, but there is a transition period for companies to fully comply with the regulation; we are currently in that transition period. By 10 January 2027 the vulnerability notification obligations start, and by 11 December 2027 the CRA will fully apply.
It’s important to note that products already placed on the market before December 11, 2027, are generally exempt unless they undergo substantial modifications after that date. The term “placed on the market” refers to when an individual product is first made available in the EU, not the design or manufacturing date of the product type. Therefore, even if a product type was designed before the CRA takes effect, each individual unit must have been made available in the EU market before December 11, 2027, to be exempt. Otherwise, it must comply with the CRA to be sold in the EU after that date.
When do we expect the first CRA fines?
While there may be some fines in 2028 or even 2027, it will take a few years for the sanction regime to really get up to speed. The peak year for CRA fines will likely be 2031. This is what the history of previous regulation introductions tells us.
How big can CRA fines be?
The EU CRA outlines a tiered system for administrative fines depending on the nature of the infringement. These fines can be quite substantial, aiming to be effective, proportionate, and dissuasive. Here’s a breakdown of the maximum penalties:
- Up to €15 million or 2.5% of the total worldwide annual turnover of the preceding financial year (whichever is higher): This applies to non-compliance with the essential cybersecurity requirements outlined in Annex I of the CRA and the obligations set out in Articles 13 and 14, which relate to the design, development, and making available of products with digital elements.
- Up to €10 million or 2% of the total worldwide annual turnover of the preceding financial year (whichever is higher): This applies to non-compliance with other obligations under the CRA, such as those related to vulnerability handling (Articles 18 to 23), documentation (Article 28), cooperation with authorities (Article 30(1) to (4), Article 31(1) to (4), Article 32(1), (2) and (3), Article 33(5)), and obligations of importers and distributors (Articles 39, 41, 47, 49, and 53).
- Up to €5 million or 1% of the total worldwide annual turnover of the preceding financial year (whichever is higher): This applies to the supply of incorrect, incomplete, or misleading information to notified bodies and market surveillance authorities in response to a request.
It’s important to note that the specific amount of the fine in each individual case will be determined by the relevant national market surveillance authorities, taking into account all relevant circumstances, such as the nature, gravity, and duration of the infringement, the size and market share of the company, and whether similar fines have already been applied.
Beyond financial penalties, non-compliant products may also be prohibited or restricted from being made available on the EU market, or authorities may order their withdrawal or recall. This can lead to significant reputational damage and loss of market access.
Who issues CRA fines?
The following national market surveillance authorities (MSAs) are the bodies that can issue CRA fines. For each Member State, the table lists the existing product-safety MSA likely to take the CRA role and the specialist cyber-security body that may be co-designated.

| Member State | Existing product-safety MSA likely to take the CRA role | Specialist cyber-security body that may be co-designated |
|---|---|---|
| Austria | Bundesministerium für Arbeit & Wirtschaft (BAW) | CERT‑AT (GovCERT) |
| Belgium | Federal Public Service Economy – DG Quality & Safety | Centre for Cyber Security Belgium (CCB) |
| Bulgaria | State Agency for Metrological & Technical Surveillance | National Computer Security Incident Response Team (CERT.BG) |
| Croatia | State Inspectorate – Market Surveillance | National CERT (CARNET) |
| Cyprus | Department of Electrical & Mechanical Services | Digital Security Authority |
| Czechia | Czech Trade Inspection Authority (ČOI) | National Cyber & Information Security Agency (NÚKIB) |
| Denmark | Danish Safety Technology Authority | Centre for Cyber Security (CFCS) |
| Estonia | Consumer Protection & Technical Regulatory Authority (TTJA) | Estonian Information System Authority (RIA) |
| Finland | Finnish Safety & Chemicals Agency (Tukes) | National Cyber Security Centre (Traficom‑NCSC) |
| France | Direction générale de la concurrence, de la consommation et de la répression des fraudes (DGCCRF) | Agence nationale de la sécurité des systèmes d’information (ANSSI) |
| Germany | Bundesnetzagentur (for radio/ICT products) & Bundesanstalt für Materialforschung und ‑prüfung (BAM) | Federal Office for Information Security (BSI) |
| Greece | Hellenic Directorate for Technical & Vocational Education (market surveillance unit) | National Cyber Security Authority |
| Hungary | National Consumer Protection Authority (NFH) | National Cyber Security Center (NCSC‑Hungary) |
| Ireland | Competition & Consumer Protection Commission (CCPC) | National Cyber Security Centre (NCSC‑IE) |
| Italy | Ministero delle Imprese e del Made in Italy – Market Surveillance | Agenzia per la Cybersicurezza Nazionale (ACN) |
| Latvia | Consumer Rights Protection Centre (CRPC) | Information Technology Security Incident Response Institution (CERT‑LV) |
| Lithuania | State Non‑Food Products Inspectorate (VVTAT) | National Cyber Security Centre (NCSC‑LT) |
| Luxembourg | Inspection du Travail & des Mines (ITM) | GovCERT‑LU (CIRCL) |
| Malta | Malta Competition & Consumer Affairs Authority (MCCAA) | Malta Information Technology Agency (MITA‑CERT) |
| Netherlands | Nederlandse Voedsel‑ en Warenautoriteit (NVWA) | National Cyber Security Centre (NCSC‑NL) |
| Poland | Trade Inspection (UOKiK / IH) | Governmental Computer Security Incident Response Team (CSIRT GOV) |
| Portugal | Autoridade de Segurança Alimentar e Económica (ASAE) | Centro Nacional de Cibersegurança (CNCS) |
| Romania | National Authority for Consumer Protection (ANPC) | Romanian National Cyber Security Directorate (DNSC) |
| Slovakia | Slovak Trade Inspection (SOI) | National Security Authority (NBU‑SK CERT) |
| Slovenia | Market Inspectorate of the Republic of Slovenia (TIRS) | National Cyber Security Response Centre (Si‑CERT) |
| Spain | Agencia Española de Consumo, Seguridad Alimentaria y Nutrición (AECOSAN) | National Cybersecurity Institute (INCIBE‑CERT) |
| Sweden | Swedish Consumer Agency (Konsumentverket) & Swedish Market Surveillance Council | Swedish National Cybersecurity Centre (NCSC‑SE) |
Is the industry ready for CRA?
How can we analyze the industry readiness for CRA?
OWASP SAMM is an inventory of all the recommended organizational processes around application security, categorized by the maturity of the process or of the broader security activity. Nobody does it all, nor should they; that would be wasteful. Instead, SAMM is used as an inventory and a map of the current situation, and as a basis for strategic choices about investments in security. Those choices depend on risk profile, risk appetite, and the technological, business and regulatory context.
SAMM is therefore ideal for concretely identifying the organizational security processes that are needed in order to comply with CRA.
The requirements of CRA were mapped to an OWASP SAMM posture, which is a list of minimal threshold maturity levels for each of the 30 organizational processes (streams). This CRA-ready posture was then compared with the OWASP SAMM benchmark, whose data details the degree of maturity of each of these processes across the industry.
For 7 out of 15 security activities, industry maturity is below the threshold required to be able to comply with CRA. The biggest gaps are in (1) threat assessment, including having adequate application risk profiles and threat modeling, (2) patching, updating and legacy management processes, and (3) all processes related to SBOMs and defect tracking. You can find the summary of the analysis at the bottom of this article.
How does the OWASP SAMM CRA target posture compare with current industry maturity?
| Activity | CRA needs | Industry today | Gap (industry minus CRA needs) |
|---|---|---|---|
| Strategy and Metrics: Create and Promote | 1 | 1.48 | 0.48 |
| Strategy and Metrics: Measure and Improve | 0.5 | 0.93 | 0.43 |
| Policy and Compliance: Policy and Standards | 1.5 | 1.29 | -0.21 |
| Policy and Compliance: Compliance Management | 2.25 | 1.4 | -0.85 |
| Education and Guidance: Training and Awareness | 0 | 1.66 | 1.66 |
| Education and Guidance: Organization and Culture | 0 | 1.11 | 1.11 |
| Threat Assessment: Application Risk Profile | 3 | 1.42 | -1.58 |
| Threat Assessment: Threat Modeling | 2 | 0.82 | -1.18 |
| Security Requirements: Software Requirements | 1 | 1.31 | 0.31 |
| Security Requirements: Supplier Security | 2 | 2.09 | 0.09 |
| Secure Architecture: Architecture Design | 1 | 1.43 | 0.43 |
| Secure Architecture: Technology Management | 1 | 1.71 | 0.71 |
| Secure Build: Build Process | 0 | 1.64 | 1.64 |
| Secure Build: Software Dependencies | 2 | 1.07 | -0.93 |
| Secure Deployment: Deployment Process | 2 | 1.37 | -0.63 |
| Secure Deployment: Secret Management | 1 | 1.74 | 0.74 |
| Defect Management: Defect Tracking | 3 | 1.87 | -1.13 |
| Defect Management: Metrics and Feedback | 0 | 0.83 | 0.83 |
| Architecture Assessment: Architecture Validation | 2 | 1.23 | -0.77 |
| Architecture Assessment: Architecture Mitigation | 2 | 0.9 | -1.1 |
| Requirement Driven Testing: Control Verification | 1.5 | 1.16 | -0.34 |
| Requirement Driven Testing: Misuse/Abuse Testing | 1 | 0.8 | -0.2 |
| Security Testing: Scalable Baseline | 1 | 1.18 | 0.18 |
| Security Testing: Deep Understanding | 1 | 1.2 | 0.2 |
| Incident Management: Incident Detection | 2 | 1.65 | -0.35 |
| Incident Management: Incident Response | 2 | 2.24 | 0.24 |
| Environment Management: Configuration Hardening | 2 | 1.63 | -0.37 |
| Environment Management: Patch and Update | 3 | 1.86 | -1.14 |
| Operational Management: Data Protection | 2 | 1.29 | -0.71 |
| Operational Management: Legacy Management | 3 | 1.87 | -1.13 |
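The posture-versus-benchmark comparison above can be scripted. This is an added example, not code from the article, from OWASP SAMM or from SAMMY: the rows are an excerpt of the article's table in its own pipe format, the gap is the industry score minus the required threshold exactly as in the Gap column, and the practice-level rule (a practice is flagged when any of its streams falls short) is an assumption of this example rather than the article's own counting method.

```python
"""Gap analysis of a SAMM target posture against benchmark scores.

TABLE is an excerpt of the article's 'Activity | CRA needs | Industry today'
table (constructed sample input, same pipe format as the page).
"""
from collections import defaultdict

TABLE = """\
Threat Assessment: Application Risk Profile | 3 | 1.42
Threat Assessment: Threat Modeling | 2 | 0.82
Secure Build: Build Process | 0 | 1.64
Secure Build: Software Dependencies | 2 | 1.07
Defect Management: Defect Tracking | 3 | 1.87
Defect Management: Metrics and Feedback | 0 | 0.83
Environment Management: Patch and Update | 3 | 1.86
Operational Management: Legacy Management | 3 | 1.87
Incident Management: Incident Response | 2 | 2.24
"""


def parse_rows(text):
    """Yield (practice, stream, needs, today) from 'Practice: Stream | n | t' rows."""
    for line in text.strip().splitlines():
        activity, needs, today = (cell.strip() for cell in line.split("|"))
        practice, stream = (part.strip() for part in activity.split(":", 1))
        yield practice, stream, float(needs), float(today)


def stream_gaps(text):
    """Gap per stream: industry score minus CRA threshold (negative = short)."""
    return {f"{p}: {s}": round(t - n, 2) for p, s, n, t in parse_rows(text)}


def practices_below_threshold(text):
    """Practices with at least one stream under its threshold, worst first.

    Assumption of this example: a practice is flagged as soon as one of its
    streams falls short; its severity is the most negative stream gap.
    """
    worst = defaultdict(float)  # practice -> most negative stream gap
    for p, s, n, t in parse_rows(text):
        gap = round(t - n, 2)
        if gap < 0:
            worst[p] = min(worst[p], gap)
    return sorted(worst.items(), key=lambda item: item[1])


if __name__ == "__main__":
    for practice, gap in practices_below_threshold(TABLE):
        print(f"{practice}: {gap:+.2f}")
```

Feeding it the full table reproduces the article's Gap column and ranks the practices where industry maturity is furthest below the CRA posture.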
How to analyse your CRA readiness?
You can use SAMMY to do SAMM assessments and compare your posture to the CRA Readiness target posture. The CRA readiness target posture is integrated in SAMMY.
How does CRA compare to GDPR?
Under GDPR the most impactful aspect for businesses is the set of limitations on what you can do with the data of individuals. The data can only leave the EU under certain strict conditions and can only be used for the purposes for which the data subject gave consent. This means that companies (data controllers) must have contracts with all their suppliers (data processors), and so on. Complying with the 8 data subject rights is relatively easy once we have a clear inventory of where the data is and a contractual agreement with everyone who processes the data.
CRA sets a minimum level of security for all products with a digital component. That includes all software that is sold, built to order, or delivered as an on-prem SaaS solution (it excludes cloud SaaS, and products covered by other legislation such as radio equipment and medical devices). It also includes physical things like baby monitors and smart fridges. Whereas GDPR is all about personal data, CRA covers both B2C and B2B products. CRA is built on the CE product safety labeling system, which implies that companies have to demonstrate compliance and, depending on the criticality classification of the product, may need external verification or a certified quality control system. But the main challenge at this point is not the certification; it is the fundamental security practices that are needed to comply with the requirements of the regulation. These are required for all products with digital components, including those not deemed critical. In practice, millions of companies, including worldwide suppliers, will have to upgrade their appsec program or create an appsec program from scratch in order to have the security activities in place to comply with the regulation.
What does the history of GDPR fines tell us about CRA fines?
GDPR came into effect in 2018, which gives us 7 years of experience with the legislation and specifically a history of fines. In 2018 it was estimated that 30% of organizations fundamentally struggled with the application of the requirements of GDPR. Today, based on the OWASP analysis, 70% to 90% of organizations struggle with the fundamental requirements for CRA compliance. However, the fines are slightly lower, and from the history of GDPR we would expect them to peak in year 5.
| | GDPR 2018-2024 | CRA 2027-2033 |
|---|---|---|
| Percentage of industry struggling to comply at start | 30% | 70%-90%* |
| Number of fines | 2281 | 5322 to 8843 |
| Max fines | 20 Million € or 4% of Turnover | 15 Million € or 2.5% of global Turnover |
| Average fine size | 2.46 Million € | 1.54 Million € |
| Total fines | 5.64 Billion € | 8.2 – 13.6 Billion € |
| Peak fine year | Y5: 2.43 Billion € | Y5: 3.52 – 5.85 Billion € |

*Based on the industry analysis with the OWASP SAMM benchmark (see the SAMM comparison in this article).
Expectation of fines
How big will CRA fines be?
We expect an average fine size of €1.54 million. However, this number is distorted by some very large fines. We expect the median fine to be €5,000 to €10,000.
How many fines will there be under CRA?
The industry expects between 5322 and 8843 fines over the first 7 years of the legislation being in full force.
There are some unknowns around the triggers of fines; depending on how most investigations start, this number may differ. Under GDPR a case may start from a complaint by a citizen; under CRA this is less likely. A likely scenario is that an investigation starts after a security incident. According to EuRepoC, the European Repository of Cyber Incidents, there are currently around 1000 incidents per year.
What is the total value of EU CRA fines we expect?
We expect between €8.2 billion and €13.6 billion of CRA fines over the first 7 years starting in 2027.
How to prepare for CRA compliance?
Under GDPR we need a good picture of where data goes, i.e. data flow diagrams, including those of our subcontractors and their subcontractors. Without strict control over where data travels, it is very challenging to comply with GDPR. Under CRA we need to demonstrate that we have adequate security processes in place and that we do not ship products with known vulnerabilities. So apart from having a good picture of the data flows, we need a good picture of the processes in place. Based on GDPR, fines will start off slowly and then accelerate a few years into the regulation, until the principles are well internalised and implemented by the industry; then fines start decreasing. We can avoid risk, stress and fines by doing our homework and having our house in order from the start.