'Unaware and Uncertain': Report Finds Widespread Unfamiliarity With 2027's EU Cyber Resilience Requirements

Two 'groundbreaking research reports' on open source security were announced this week by the Linux Foundation in partnership with the Open Source Security Foundation (OpenSSF) and Linux Foundation Europe. The reports specifically address the EU's Cyber Resilience Act (or CRA) and 'highlight knowledge gaps and best practices for CRA compliance.'

'Unaware and Uncertain: The Stark Realities of CRA-Readiness in Open Source' includes a survey which found that when it comes to CRA requirements, 62% of respondents were either 'not familiar at all' (36%) or 'slightly familiar' (26%) — while 51% weren't sure about its deadlines. ('Only 28% correctly identified 2027 as the target year for full compliance,' according to one infographic, which adds that CRA 'is expected to drive a 6% average price increase, though 53% of manufacturers are still assessing pricing impacts.')

Manufacturers, who bear primary responsibility, lack readiness — many [46%] passively rely on upstream security fixes, and only a small portion produce Software Bills of Materials (SBOMs). The report recommends that manufacturers take a more active role in open source security, that more funding and legal support is needed to support security practices, and that clear regulatory guidance is essential to prevent unintended negative impacts on open source development.


The research also provides 'an in-depth analysis of how open collaboration can strengthen software security and innovation across global markets,' with another report that 'examines how three Linux Foundation projects are meeting the CRA's minimum compliance requirements' and 'provides insight on the elements needed to ensure leadership in cybersecurity best practices.' (It also includes CRA-related resources.)

'These two reports offer actionable conclusions for open source stakeholders to ready themselves for 2027, when the CRA comes into force,' according to a Linux Foundation reserach executive cited in the announcement. 'We hope that these reports catalyze higher levels of collaboration across the open source community.'

Read more of this story at Slashdot.