This post was originally published by Linux Foundation Research.
By Angelah Liu, Linux Foundation
In 2025, Linux Foundation Research, Linux Foundation Europe, and Open Source Security Foundation (OpenSSF) published Unaware and Uncertain: The Stark Realities of Cyber Resilience Act Readiness in Open Source. It took a survey-based look at how prepared the open source ecosystem was for the European Union’s Cyber Resilience Act (EU CRA). The headline finding was blunt: 62% of respondents had little to no familiarity with a regulation that would reshape how software gets built, shipped, and maintained across global supply chains. The hope was that with a year to go before the CRA enters into force, community education initiatives and a growing body of guidance would move the readiness needle.
They didn’t.
The latest 2026 CRA Awareness and Readiness Report – produced in partnership with LF Research, OpenSSF, Balena, Ericsson, and Revanite – arrived in early June with a sobering update.












