The open source community is widely unprepared for the European Union's Cyber Resilience Act (CRA) deadline in December 2027, according to a new report from the Open Source Security Foundation (OpenSSF). The survey of global manufacturers and developers found that 66% are either unfamiliar or only slightly familiar with the regulation, rising to 72% in the US and Canada. The CRA mandates minimum security standards for hardware and software products sold in the EU, requiring manufacturers to integrate security throughout the product lifecycle, manage vulnerabilities, and address software supply chain risks.
The knowledge gap extends beyond basic awareness. OpenSSF's research shows 41% of organizations have not yet determined whether the CRA applies to them, 45% remain uncertain about compliance deadlines, and 56% are unaware of penalties for non-compliance. Additionally, 54% lack clarity on the regulatory distinctions between "manufacturers" and "stewards," roles that carry different legal obligations under the act. Only 32% of manufacturers currently produce Software Bills of Materials (SBOMs) for all their products, even though SBOMs are a key requirement for supply chain transparency.
A critical compliance risk emerges from how organizations handle open source dependencies. Over half (51%) of respondents rely passively on upstream projects for security fixes, despite the CRA making manufacturers legally responsible for all integrated components. Many organizations attempt to address upstream security issues by maintaining private forks, averaging 86 per organization. However, this approach creates substantial technical debt, costing an average of $258,000 in labor per release cycle. For large organizations with over 5,000 employees, this burden exceeds 11,000 labor hours per cycle.
Small and medium enterprises face disproportionate exposure, with 62% relying on open source for more than three-quarters of their products, compared to 35% for larger organizations. The financial burden of maintaining private forks may ultimately force a shift toward upstream contribution as the only economically rational compliance strategy. The challenge intensifies as AI-driven vulnerability research accelerates threat discovery, with data from over 12,000 open source projects showing a 394% year-on-year increase in published CVEs in Q1 2026, and high-severity findings up 811%.
OpenSSF recommends the ecosystem move from policy analysis to operational implementation, including automated compliance tools and clearer guidance for the 61% of non-commercial developers uncertain about their regulatory status. The foundation emphasizes that financial and legal support for open source stewards is essential for rapid vulnerability response. Success will require leveraging community-driven channels such as open source foundations, online discussions, and social media platforms where practitioners collaborate, rather than relying solely on official regulatory communications.
Source: https://www.infosecurity-magazine.com/news/open-source-unaware-cyber/