CRA Compliance: A Wake-up Call for Open Source
The EU Cyber Resilience Act (CRA) is now live, yet a 2026 awareness report reveals 66% of the software ecosystem remains unfamiliar with it — up from 62% in 2025. In North America, 72% are unaware despite legal obligations for companies selling into the EU. Key findings: 51% of manufacturers still passively rely on upstream projects for security fixes, private forks cost organizations an average of $258,000 per release cycle in labor, and CVEs surged 394% in Q1 2026. The report argues that upstream investment is both financially rational and a compliance necessity. OpenSSF points to existing resources including a free training course, the OSPS Baseline, and a Global Cyber Policy Working Group. The September 2026 vulnerability reporting deadline is approaching fast, with fuller CRA requirements due December 2027.
Table of contents
- CRA Awareness Has Stalled
- Why the “Consume and Forget” Model is No Longer Possible
- Private Forks Are Not the Answer (They’re Worse)
- How Does Upstream Investment Improve Your Security Posture?
- What OpenSSF Resources Can Help Organizations Prepare for the CRA?
- Stay Ahead of the CRA