By Christopher (CRob) Robinson, OpenSSF
For the better part of two years, discussions surrounding the European Cyber Resilience Act (CRA) have been somewhat theoretical: mapping requirements, debating definitions, and analyzing how the requirements will impact our amazing ecosystem. But folks, it’s mid-2026, and the CRA is live. Theory is officially in the rearview mirror as implementation milestones roll out over the next two years.
I’ve just finished reviewing the finalized 2026 CRA Awareness and Readiness Report, a joint effort with LF Research experts, and to be blunt, the results are a sobering reality check. Despite tireless community work, the broader ecosystem is far from ready for CRA compliance.
CRA Awareness Has Stalled
The most disappointing finding is that awareness surrounding this regulation has decreased year-over-year. Today, 66% of respondents remain unfamiliar with the CRA, a slight increase from 62% in 2025. That means a growing portion of the software ecosystem is unaware of a regulation with global consequences and hefty fines.