← Standards library

EU CRA Clause Article 64

Administrative fines and penalty tiers

Regulation (EU) 2024/2847 (Cyber Resilience Act)

Article 64 of the EU Cyber Resilience Act sets a three-tier penalty regime. The top tier — up to €15 million or 2.5% of total worldwide annual turnover, whichever is higher — covers breaches of the essential cybersecurity requirements and the manufacturer obligations in Articles 13 and 14, which means reporting failures sit at the highest level. A second tier (€10M / 2%) covers other obligations, and a third (€5M / 1%) covers supplying incorrect or misleading information. The ceilings are set by the regulation, not by member states.

Where Forge applies this

Verified against the primary source. Standards are periodically revised — always confirm the current text.