In 2025, Linux Foundation Research, Linux Foundation Europe, and Open Source Security Foundation (OpenSSF) published Unaware and Uncertain: The Stark Realities of Cyber Resilience Act Readiness in Open Source. It took a survey-based look at how prepared the open source ecosystem was for the European Union's Cyber Resilience Act (EU CRA). The headline finding was blunt: 62% of respondents had little to no familiarity with a regulation that would reshape how software gets built, shipped, and maintained across global supply chains. The hope was that with a year to go before the CRA enters into force, community education initiatives and a growing body of guidance would move the readiness needle.
They didn't.
The latest 2026 CRA Awareness and Readiness Report – produced in partnership with LF Research, OpenSSF, Balena, Ericsson, and Revanite – arrived in early June with a sobering update.
Far from narrowing, the awareness gap has widened: the proportion of respondents unfamiliar with the regulation rose to 66%, up from the 62% reported just one year prior (2026 report, p. 7). The 2026 survey reached a broader audience, particularly in the United States and Canada, where 72% of respondents are unfamiliar with a regulation they'd need to comply with if their products with digital elements land in the EU market (2026 report, p. 8). That geographic gap matters more now than it did a year ago: September 2026 marks the first hard deadline for manufacturers, requiring them to begin reporting actively exploited vulnerabilities and severe security incidents.
Among respondents who already knew about the CRA, the knowledge gaps look almost identical to 2025. In both surveys, roughly 4 in 10 still hadn't determined whether the regulation applied to their organization at all (2026 report, p. 9). The percentage who were uncertain about compliance deadlines dropped modestly, from 51% to 46%, but just 34% correctly identified December 2027 as the full compliance date (2026 report, p. 9). The manufacturer-versus-steward distinction, a foundational concept for determining how you or your organization complies with the regulation's essential requirements, remained unclear to 54% of CRA-aware respondents, down only slightly from 57% the year before (2026 report, p. 9; 2025 report, p. 8).
Time is running out, yet just 41% of manufacturers anticipate achieving total compliance by the December 2027 deadline. A nearly equal share, 39%, remains entirely uncertain regarding their ability to meet these requirements (2026 report, p. 15), highlighting a persistent lack of industrial readiness with the final deadline less than 18 months away.
The readiness numbers are stuck. The share of respondents producing Software Bills of Materials (SBOMs) for all products held at 32%, and the share that passively rely on upstream projects for security fixes actually climbed, from 46% to 51% (2026 report, p. 13).
The data suggests that treating upstream security as an external dependency rather than a shared responsibility leads to a costly trap: the proliferation of isolated, private forks for localized patching. Anticipating that the ecosystem will provide turn-key compliance without strategic corporate investment is an unsustainable strategy, one that ultimately forces organizations to carry a staggering operational weight (and cost) alone.
An analysis drawing on LF Research's ROI for Open Source Software Contribution found that organizations maintaining these private forks carry an average of 86 forks, at roughly 60 labor hours per fork per release cycle, totaling around $258,000 USD in labor costs per release. For organizations with more than 5,000 employees, that figure exceeds 11,000 labor hours (2026 report, p. 14).
This is exactly where the EU CRA changes the game. The law basically says: you can’t just hide behind messy, unverified private copies anymore – you must prove your software is secure and tracked.
The CRA's transparency and provenance requirements make these siloed private forks increasingly hard to sustain as a compliance strategy, which means upstream contribution stops being optional goodwill and becomes the economically rational path.
Two findings from this year's report didn't have a direct 2025 equivalent.
The first is the CVE surge: across more than 14,000 open source projects indexed on LFX, Q1 2026 saw a 394% year-over-year increase in published CVEs, with high-severity vulnerabilities up 811% (2026 report, p. 24). The report attributes part of this to AI-powered automated scanning surfacing latent issues, but the volume is real and manufacturers dependent on those projects are exposed to it.
The second finding concerns organizational diversity as a predictor of security posture. Analysis of 12,863 LFX-indexed projects shows a strong correlation between the number of distinct organizations contributing to a project and its security score, with a Spearman coefficient of 0.57 (2026 report, p. 23). Investing in upstream projects is, in measurable terms, investing in your own compliance posture.
Non-commercial contributors remain caught in the same uncertainty loop as last year. In 2025, 59% weren't sure whether the CRA applied to their contributions. In 2026, that figure sits at 61% (2026 report, p. 20; 2025 report, p. 15). The CRA explicitly excludes non-commercial development from its scope, and the European Commission's March 2026 draft guidance, published after this survey closed, is a step toward giving that population the scenario-based clarity they've been asking for.
The 2026 report is worth reading alongside the 2025 one. Together they make the case that awareness campaigns alone aren't closing the gap, and that the next phase of work needs to happen in developer spaces, via conferences, OSS tooling documentation, and community channels, where 48% of respondents who do know about the CRA actually learned about it. Official EU channels reached just 25% (2026 report, p. 8).
Ultimately, the core challenge is about driving awareness. The materials and initiatives are already in place. To start, explore the free course, Understanding the EU Cyber Resilience Act (CRA) (LFEL1001). Check out the OpenSSF Open Source Project Security Baseline (OSPS Baseline), which gives a minimum set of security-related best practices for open source software projects.
To anchor all of these efforts, the OpenSSF CRA Policy Page serves as our central hub for ongoing policy updates and compliance frameworks. From this foundation, community members can directly engage with the broader ecosystem by joining the Global Cyber Policy Working Group and its Special Interest Groups (SIGs).
For small-to-medium-sized enterprises, open source stewards, and independent contributors navigating this shifting regulatory landscape, the compliance weight can be significantly mitigated by leveraging these dedicated resources. The OpenSSF CRA Portal hosts a vital repository of industry documentation, including:
Crucially, these community resources are built to align with the evolving regulatory text, so the authoritative baseline for tracking official enforcement timelines, standardization work, and legislative FAQs remains the European Commission CRA Implementation Page.
And of course, be sure to read the full 2026 CRA Awareness and Readiness Report and the 2025 report, Unaware and Uncertain: The Stark Realities of Cyber Resilience Act Readiness in Open Source, to understand the full scope of the road ahead.