The EU’s Cyber Resilience Act kicks into high gear this September, and companies are still clueless about how they must obey its strictures.
MINNEAPOLIS — At Open Source Summit North America, Christopher “CRob” Robinson, Chief Security Architect for the Open Source Software Foundation (OpenSSF), spoke about the European Union’s (EU) Cyber Resilience Act (CRA). CRob warned that companies are still “running straight at that wall” as the first CRA enforcement date draws ever closer.
The CRA, for those who don’t know it, sets mandatory cybersecurity rules for nearly all “products with digital elements,” meaning hardware and software, sold on the EU market, with most obligations falling on manufacturers but some also on importers and distributors. That means if you sell pretty much anything in the EU, you must include a security risk assessment; design your products with secure default configurations and the ability to restore to a secure state; eliminate known exploitable vulnerabilities; and provide and deploy security updates. If you don’t, the EU will sock you with fines of up to €15 million or 2.5% of worldwide annual turnover, whichever is higher.
Scary stuff, right? You’d think companies would be working their fingers to the bone getting their goods ready for the post-CRA market. You’d be wrong.
“It’s wild,” CRob said. “We did a report last year… and we’re doing the sequel. And people still are not aware of what they need to do and are not prepared, but the runway is rapidly running out.”
How bad is it? CRob said, “62% of people in Europe were unaware of what they needed to do last year. This year it’s 66%, which is statistically the same.”
It’s even worse outside Europe. In a blog post, CRob pointed out that “The geographic disparity is even more alarming. In the United States and Canada, nearly 72% of respondents are unfamiliar with the regulation. It cannot be understated: If you are a North American company selling software products into the EU market, you are legally required to comply with the CRA. However, the majority of the neighborhood is still walking unprepared toward a September 2026 reporting deadline.”
The Linux Foundation and partners had expected their second CRA readiness survey to show clear progress after a year of talks and guidance aimed directly at manufacturers and developers. Instead, the tech business remains oblivious.
“The TL;DR is we and other groups within the industry have been working on this very hard for a year, and we thought we had done a better job of getting in the rooms where the manufacturers or developers are,” CRob said. “We had expected that the second iteration of the report was going to be amazing… but the results are very middling.”
Looking ahead, the Linux Foundation is taking its message to Brussels, the de facto EU capital, in June. There, “we’re going to talk with the European Commission and ENISA.” In addition, Linux Foundation Europe will host a European policy day on June 8, followed by a June 9 event focused “purely on cyber security, mostly the CRA,” but Robinson expects the AI Act will also be on the agenda. In short, “people need to wake up.”
Robinson argues that CRA compliance cannot be delegated to technical teams alone and says senior executives are not yet sufficiently engaged. “It’s an urgent wake‑up call, that’s for damn sure,” he added. “You need the C-suite, and it needs to get involved. This can only happen from the top down, and they’re just not going to pay attention to the open-source conferences.”
Beyond awareness, Robinson says many companies are making structurally bad bets about how to meet CRA obligations around vulnerability management and updates. In a separate Linux Foundation economics study on ROI for Open Source Software Contribution, he cites “a little over half” of organizations reporting that they “passively wait for upstream to do something before they react.”
“With the CRA,” Robinson continued, “that’s like a really bad move because the upstream doesn’t have the deadlines and the fines. They’ll try to work as quickly as they can, but… they’re not going to be yelled at or threatened to work any faster.”
Others respond by forking open source code and maintaining private branches: “They’ll do private forks, where they’ll have a private copy, they might do their own patches and not contribute that upstream,” Robinson said. “That was like over almost $260,000 of either expense or engineering labor for each product release by those organizations, that’s the technical bet they’re taking.” He argues that those numbers should “wake up the C-suite,” given the number of releases many vendors cut each year.
For large organizations (5,000+ employees), CRob added, “This burden exceeds 11,152 labor hours per cycle. Maintaining these divergent codebases is a giant bill for a strategy that actually makes supply chain transparency worse. Contributing fixes upstream isn’t just being a ‘good neighbor’ – it’s the only financially rational path forward.”
Robinson also links CRA readiness to the rapid adoption of AI in software security, which he says will massively increase the volume of fixes vendors must handle. “It’s an explosion of AI. I see it in three tiers right now.”
At the top are upstream maintainers, who he expects will “figure a way to manage this” by automating and leveraging new tools, but who will also generate “exponentially more patches every day.” The second tier consists of manufacturers “on the hook for things like the CRA,” who must “retool internal processes that have existed for decades… very conservative, very brittle, slow processes.”
The third, and in his view least prepared, group is downstream enterprises such as “a bank, or a hospital, or whatever.” “All these people… are totally unprepared for thousands of fixes hitting their inbox,” Robinson warned, adding that bad actors will inevitably weaponize AI‑driven vulnerabilities and exploits. He asked, “How do we prepare purely downstream consumers to be able to take these patches, deploy them quickly, so that they aren’t… a victim to some attack?”
That’s a good question, and for now, there are no good answers. Companies will soon have no choice but to figure it out. All the hysteria about how bad Y2K was going to be turned out to be so much hype because the hard work had already been done. When it comes to the CRA, however, far too few companies have done their homework.