
EU CRA Readiness Backslid: 66% of Devs Still Unfamiliar, Costs Surge

openssf.org · @deep_eagle · 50 minutes ago · Technology Policy · 2 comments

A new OpenSSF/Linux Foundation survey finds that unfamiliarity with the Cyber Resilience Act rose to 66% of respondents, while published CVEs across LFX-indexed projects grew 394% year over year and the labor cost of maintaining private forks reached $258,000 per release.

Tags: openssf, linux foundation, eu cra, cyber resilience act, open source security, software supply chain

66% of respondents in the 2026 CRA Awareness and Readiness Report have little to no familiarity with the EU Cyber Resilience Act, up from 62% in last year's survey. That's not a stall. It's a backslide.

Awareness Gap Widened Despite a Year of Warnings

Linux Foundation Research and OpenSSF surveyed a broader audience this cycle, especially in the US and Canada, where 72% of respondents are unfamiliar with a regulation that applies to any product with digital elements placed on the EU market, regardless of where the manufacturer is based. Among respondents who are aware of the CRA, the share that still has not determined whether the regulation applies to their organization held at roughly 4 in 10. Only 34% correctly identified December 2027 as the full compliance deadline. The manufacturer-versus-steward distinction, a foundational concept in the regulation, remains unclear to 54% of those who have heard of the CRA.

September 2026 is the first hard deadline: from then on, manufacturers must report actively exploited vulnerabilities and severe incidents, with the regulation's early-warning notice due within 24 hours of becoming aware. Full compliance is less than 18 months away, yet only 41% of manufacturers expect to be compliant by December 2027. Another 39% are entirely uncertain.

Private Forks Are a $258k Per Release Compliance Trap

The share of organizations producing SBOMs for all of their products stayed flat at 32%. Worse, the share that passively rely on upstream projects for security fixes climbed from 46% to 51%. That's a dangerous shift, because the CRA places the obligation to handle and report vulnerabilities in a product's components on the manufacturer, whether or not upstream ever ships a fix. LF Research's ROI for Open Source Software Contribution analysis found that organizations maintaining private forks carry an average of 86 forks, at roughly 60 labor hours per fork per release cycle, or about 5,160 hours per release. That works out to $258,000 in labor costs per release. For companies with over 5,000 employees, the figure exceeds 11,000 labor hours.

The CRA's transparency and provenance requirements make siloed private forks increasingly untenable as a compliance strategy: every diverged fork is another component whose fixes, SBOM entries and vulnerability disclosures the manufacturer must produce alone. Upstream contribution stops being optional goodwill and becomes the economically rational path.

CVE Volume Exploded 394% - Here's What That Means for Compliance

Across more than 14,000 open source projects indexed on LFX, Q1 2026 saw a 394% year-over-year increase in published CVEs. High-severity vulnerabilities jumped 811%. The report attributes part of this to AI-powered automated scanning surfacing latent issues, but the volume is real: manufacturers that integrate those projects inherit the exposure, and under the CRA they inherit the reporting and remediation obligations that come with it.

Another striking finding: the diversity of contributing organizations correlates strongly with security posture. Analysis of 12,863 LFX-indexed projects yields a Spearman coefficient of 0.57 between the number of distinct organizations contributing to a project and the project's security score. Investing in upstream projects is, in measurable terms, investing in your own compliance posture.

The next deadline hits in three months. The community materials exist: the OpenSSF CRA Portal, the OSPS Baseline, and the free LFEL1001 course. The gap isn't information; it's action. If your organization hasn't started mapping its dependencies and contributing upstream, September is coming faster than you think.


Source: The CRA Readiness Reality: What Changed (and What Didn't) Between 2025 and 2026?
Domain: openssf.org


