What should larger manufacturers expect in terms of enforcement style and corrective actions from market surveillance authorities?
Larger manufacturers should expect earlier, more structured, and more demanding enforcement from market surveillance authorities, including the possibility of penalties and public corrective measures.
Authorities prioritize large manufacturers because fixes at scale have market-wide impact, and because these actors are presumed to have the resources to comply fully with the CRA's requirements.
Mirroring later-stage GDPR enforcement, authorities are more likely to use proactive audits, coordinated inspections, and sector-wide actions (Article 52; Recital 114). Corrective actions may require systemic remediation across product lines, not just fixes for individual issues. Persistent non-compliance, misleading security claims, or repeated vulnerabilities increase the likelihood of formal orders, withdrawals, recalls, or fines (Article 57).
When setting administrative fines, authorities must consider "all relevant circumstances of the specific situation", including whether the manufacturer is a microenterprise or SME, and whether similar fines have already been applied by other authorities for the same infringement (Recital 120). Penalties must always be proportionate, but large manufacturers with greater resources can expect less leniency than smaller entities.
For more on non-compliance consequences, see "What will happen to non-compliant products?"
Disclaimer: The information contained in this FAQ is of a general nature only and is not intended to address the specific circumstances of any particular individual or entity. It is not necessarily comprehensive, complete, accurate, or up to date. It does not constitute professional or legal advice. If you need specific advice, you should consult a suitably qualified professional.