"stagnating awareness and structural unreadiness," OpenSSF warned, urging action as the December 2027 compliance deadline for the EU's Cyber Resilience Act (CRA) approaches.
What the Cyber Resilience Act requires and why it matters
The CRA is described by OpenSSF as an EU effort to introduce minimum security standards for hardware and software products sold in the region. Under the law, manufacturers must build security into their products from planning through end of life, including vulnerability handling and the management of software supply chain risk. OpenSSF stresses that manufacturers are legally responsible for the security of the components they integrate, and that the roles of "manufacturers" and "stewards" carry different regulatory obligations.
Awareness, deadlines and uncertainty: the OpenSSF survey snapshot
OpenSSF polled global manufacturers, developers and others and found widespread unfamiliarity with the CRA: 66% reported they were "not familiar at all" or "only slightly familiar" with the legislation. That figure rises to 72% in the US and Canada. The survey also found:
- 41% of organizations have still not determined whether the regulation applies to them;
- 45% are uncertain about compliance deadlines;
- 56% are unaware of the penalties for non-compliance;
- 54% are still unclear on the distinct roles and obligations of "manufacturers" and "stewards";
- Only 32% of manufacturers produce Software Bills of Materials (SBOMs) for all products.
OpenSSF urged a move "from policy analysis to operational toolkits," pointing specifically to automated compliance tools and clearer guidance for the 61% of non-commercial developers who are currently unsure of their status under the CRA.
Private forks, passive reliance on upstream projects, and the cost of technical debt
OpenSSF flagged a pair of operational practices that pose compliance risks. First, 51% of organizations reported they continue to rely passively on upstream projects for security fixes — a practice that conflicts with the CRA's requirement that manufacturers be responsible for the security of integrated components. Second, many organizations attempt to address upstream problems by maintaining private forks of open source projects. On average, organizations maintain 86 private forks.
But private forks carry a heavy price: the report places the average cost at $258,000 in labor per release cycle. For large organizations (defined in the report as 5,000+ employees), the burden exceeds 11,000 labor hours per cycle. OpenSSF warned this technical debt may ultimately "force a shift toward upstream contribution as the only financially rational path forward."
AI, CVEs and a sharp increase in high‑severity findings
OpenSSF highlighted data from over 12,000 open source projects indexed on the Linux Foundation Exchange (LFX) platform showing a striking rise in disclosed vulnerabilities: a 394% year-on-year increase in published CVEs in Q1 2026, with high-severity findings up 811%. The report cited both this surge and the growing use of AI tools for vulnerability research and exploit development as reasons for added urgency in CRA compliance efforts.
What this means for manufacturers, SMEs, and non‑commercial developers
- Manufacturers: Must determine whether the CRA applies, prepare SBOMs, and shift from passive reliance on upstream fixes to demonstrable vulnerability management. The report warns that continuing to depend on upstream projects without active contribution or robust internal patching risks non‑compliance.
- SMEs: Are particularly exposed because 62% rely on open source for more than three quarters of their products (versus 35% for larger organizations). That concentration, combined with limited resources, makes the cost of private forks and uncertainty over obligations a material operational and compliance risk.
- Non‑commercial developers and stewards: The report notes 61% of non‑commercial developers are unsure of their status under the CRA. OpenSSF calls for clearer guidance and for financial and legal support for stewards to enable rapid vulnerability response and meet the Act's expectations.
OpenSSF's prescription is concrete: move toward automated compliance tooling, clearer guidance, and financial and legal support for stewards — and engage community spaces such as open source foundations, online discussions, and social media, "where the majority of practitioners learn and collaborate."
With a December 2027 deadline on the calendar, OpenSSF's numbers draw a stark line between the regulatory obligations the CRA sets out and the state of readiness across much of the open source community. The report's data (66% reporting low familiarity, a 394% year-on-year surge in published CVEs, and the steep labor costs of private forks) leaves one central question: can organizations convert policy awareness into the operational work required to meet the CRA's demands before that deadline?