
CRA Compliance Costs Money – But What Does Non-Compliance Really Cost?

In discussions with manufacturers about the Cyber Resilience Act, one recurring theme is: “Compliance is expensive.” True, implementing CRA requirements does require significant investment. However, the costs of non-compliance and incidents can be far greater – and the financial risks are often underestimated.

What I’ve observed in practice: Many manufacturers focus solely on the upfront costs of compliance, such as risk assessments and SBOMs. Yet, these initial investments are minor compared to the potential financial consequences of non-compliance and incidents – consequences that can be devastating for businesses of any size.

What Compliance Actually Involves

The Cyber Resilience Act demands substantial investment from manufacturers. Compliance costs vary depending on product complexity and organizational size. Manufacturers should allocate budgets for:

  • Security risk assessments
  • Integration of requirements into products and manufacturing processes
  • PSIRT setup and operations
  • SBOM implementation and maintenance
  • Vulnerability management processes
  • Conformity assessment preparation and documentation
  • Ongoing compliance maintenance

While initial compliance requires significant investment, these costs are predictable and controllable. The financial risks of non-compliance, however, can be catastrophic – ranging from incident costs to fines that may reach up to €15 million or 2.5% of global turnover for serious violations.

The Costs of Non-Compliance

1. Financial Penalties

The CRA penalties are substantial (Article 64 of the Cyber Resilience Act):

  • Up to €15 million or 2.5% of global turnover for violations of essential requirements
  • Up to €10 million or 2% of turnover for other violations
  • Up to €5 million or 1% of turnover for providing incorrect information

For SMEs, these penalties can be particularly damaging: the formal upper limits in Article 64 could exceed a small company's annual revenue and far outweigh its compliance costs. However, the CRA takes company size into account when fines are imposed (Article 64(5)(c)), so SMEs may face penalties proportionate to their resources and market position.

Examples from another European regulation, the GDPR, illustrate the severe consequences of non-compliance:

Even small and medium-sized enterprises are not exempt from GDPR penalties. In one case, a French e-commerce SME was fined €250,000 for permanently recording all employee-client conversations without a valid legal basis. This case underscores how basic compliance failures – such as excessive data retention or a lack of transparency – can lead to financially damaging fines for SMEs.

2. The Cost of an Incident

Beyond fines for non-compliance, the cost of an actual incident caused by vulnerabilities in a shipped product can be even higher.

If attackers successfully exploit such vulnerabilities, the company faces not only direct financial losses but also reputational damage. Customer trust erodes, and, depending on contractual agreements, liability claims can add significant costs on top of the cost of fixing the product under time pressure.

The Bottom Line

CRA compliance requires significant investment. But non-compliance may cost far more – both in fines (Article 64) and incident-related expenses. For SMEs, the financial impact can be devastating.

The choice isn’t between spending and saving. It’s between controlled investment and uncontrolled risk. For manufacturers targeting the EU market, compliance isn’t optional – it’s essential for business continuity.
