Two-Thirds of Open Source Community Unaware of Cyber Resilience Act

By Team-CWD, June 8, 2026

A leading open source security body has warned of “stagnating awareness and structural unreadiness” in the community ahead of a key December 2027 deadline for compliance with the Cyber Resilience Act (CRA).

The CRA is an EU effort to introduce minimum security standards for hardware and software products sold in the region.

Manufacturers must build security into their products from planning to end of life, including handling vulnerability management and managing software supply chain risks.

However, 66% of global manufacturers, developers and others polled by OpenSSF said they were “not familiar at all” or “only slightly familiar” with the CRA – rising to 72% in the US and Canada.

“Given that any organization placing commercial products on the EU market must comply, this geographic disparity suggests a major segment of the global supply chain remains materially unprepared,” OpenSSF warned in a new report.

Read more on the CRA: EU Adopts Cyber Resilience Act for Connected Devices

Other findings highlighted by the OpenSSF report include:

  • 41% of organizations have still not determined if the regulation applies to them
  • 45% are uncertain about compliance deadlines
  • 56% are unaware of the penalties for non-compliance
  • 54% are still unclear on the roles of “manufacturers” and “stewards,” which carry different regulatory obligations
  • Just 32% of manufacturers produce Software Bills of Materials (SBOMs) for all products

Private Forks Raise CRA Compliance Risks

Under the CRA, manufacturers are legally responsible for the security of the components they integrate. Yet over half (51%) told the OpenSSF that they continue to rely passively on upstream projects for security fixes. This is a significant red flag for CRA compliance.

Worse, many try to mitigate upstream security issues – such as an open source project that refuses to patch or which goes end of life – by maintaining a private fork.

In theory, this gives them control over patching and improves SBOM transparency. On average, organizations maintain 86 private forks, the report noted.

However, the OpenSSF warned that this approach creates huge technical debt, costing the average organization $258,000 in labor per release cycle.

“For large organizations (5000+ employees), this burden exceeds 11,000 labor hours per cycle, suggesting the CRA may ultimately force a shift toward upstream contribution as the only financially rational path forward,” it added.

SMEs are most exposed to these issues as 62% rely on open source for more than three quarters of their products, while the figure is just 35% for larger organizations, the report claimed.

“To bridge the readiness gap, the ecosystem must move from policy analysis to operational toolkits, such as automated compliance tools and clearer guidance for the 61% of non-commercial developers who are currently unsure of their status under the CRA,” OpenSSF said.

“Financial and legal support for stewards is also essential to manage rapid vulnerability response. Ultimately, success will require moving beyond official regulatory channels to community-driven spaces, such as open source foundations, online discussions, and social media, where the majority of practitioners learn and collaborate.”

The growing use of AI tools for vulnerability research and exploit development adds extra urgency to the CRA compliance mission.

Data from over 12,000 open source projects indexed on the Linux Foundation Exchange (LFX) platform revealed a 394% year-on-year increase in published CVEs in Q1 2026, with high-severity findings up 811%, OpenSSF said.
