CRA-Durchführungsgesetz: Who Enforces the CRA in Germany

The EU Cyber Resilience Act writes the rules. Germany decides who enforces them. That answer arrived on 12 March 2026, when the Federal Ministry of the Interior published the Referentenentwurf for the CRA-Durchführungsgesetz.

Article 1 of the draft makes the Bundesamt für Sicherheit in der Informationstechnik (BSI) the central market surveillance authority for products with digital elements and the notifying authority for conformity assessment bodies. So the BSI prosecutes the Bußgeld and notifies which conformity assessment bodies may test your product (the underlying accreditation runs through the DAkkS). TeleTrusT's 1 April 2026 statement flags this dual support-and-enforcement role and the BSI's notification step without mandatory DAkkS accreditation; the Open Source Business Alliance pushes for explicit Open-Source carve-outs. Neither input has, so far, moved the BMI off the BSI lead.

Targeted entry into force: 11 June 2026, aligned with Chapter IV CRA on notifying bodies. Under Art. 64 CRA, the BSI's fine ceiling is EUR 15 million or 2.5% of global annual turnover, whichever is higher, for breaches of Annex I or Articles 13 and 14. Microenterprises and small enterprises stay exempt from fines for missing the 24-hour deadlines under Art. 14(2)(a) and 14(4)(a) by virtue of Art. 64(10) CRA. The substantive obligations themselves apply unchanged, and Art. 14 reporting kicks in on 11 September 2026 by direct effect of EU law.

The bill is still in Verbandsanhörung; the values are not in motion, the timing is. Among the founders I advise on connected hardware, the most common mistake is treating the CRA as "NIS2 for products" and waiting for the German law before doing anything. The substantive obligations come from the regulation itself; the BSI is just the agency that will read your incident report.