{"id":4103,"date":"2026-05-20T14:14:30","date_gmt":"2026-05-20T14:14:30","guid":{"rendered":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2026\/05\/20\/openssfs-crob-the-runway-is-rapidly-running-out-on-eu-cra-readiness\/"},"modified":"2026-05-20T14:14:30","modified_gmt":"2026-05-20T14:14:30","slug":"openssfs-crob-the-runway-is-rapidly-running-out-on-eu-cra-readiness","status":"publish","type":"post","link":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2026\/05\/20\/openssfs-crob-the-runway-is-rapidly-running-out-on-eu-cra-readiness\/","title":{"rendered":"OpenSSF\u2019s CRob: \u2018The Runway Is Rapidly Running Out\u2019 on EU CRA Readiness"},"content":{"rendered":"<p><em><strong>The EU\u2019s Cyber Resilience Act kicks into high gear this September, and companies are still clueless about how they must obey its strictures.<\/strong><\/em><\/p>\n<p><span>MINNEAPOLIS \u2014 At <\/span><a href=\"https:\/\/events.linuxfoundation.org\/open-source-summit-north-america\/\"><span>Open Source Summit North America<\/span><\/a><span>, Christopher \u201cCRob\u201d Robinson, Chief Security Architect for the <\/span><a href=\"https:\/\/openssf.org\/\"><span>Open Source Software Foundation (OpenSSF)<\/span><\/a><span>, spoke about the <\/span><a href=\"https:\/\/digital-strategy.ec.europa.eu\/en\/policies\/cyber-resilience-act\"><span>European Union\u2019s (EU) Cyber Resilience Act (CRA)<\/span><\/a><span>. 
CRob warned that companies are still \u201crunning straight at that wall\u201d as the first CRA enforcement date draws ever closer.<\/span><\/p>\n<p><span>The CRA, for those who don\u2019t know it, sets mandatory cybersecurity rules for nearly all \u201cproducts with digital elements,\u201d meaning hardware and software sold on the EU market, with most obligations falling on manufacturers but some also on importers and distributors. That means if you sell pretty much anything with a digital component in the EU, you must carry out a security risk assessment; design those products with secure default configurations and the ability to restore to a secure state; eliminate known exploitable vulnerabilities; and provide and deploy security updates. If you don\u2019t, the EU will sock you with fines of up to \u20ac15 million or 2.5% of worldwide annual turnover, whichever is higher.<\/span><\/p>\n<p><span>Scary stuff, right? You\u2019d think companies would be working their fingers to the bone getting their goods ready for the post-CRA market. You\u2019d be wrong.<\/span><\/p>\n<p><span>\u201cIt\u2019s wild,\u201d CRob said. \u201c<\/span><a href=\"https:\/\/www.linuxfoundation.org\/research\/cra-readiness\"><span>We did a report last year<\/span><\/a><span>\u2026 and we\u2019re doing the sequel. And people still are not aware of what they need to do and are not prepared, but the runway is rapidly running out.\u201d<\/span><\/p>\n<p><span>How bad is it? CRob said, \u201c62% of people in Europe were unaware of what they needed to do last year. This year it\u2019s 66%, which is statistically the same.\u201d<\/span><\/p>\n<p><span>It\u2019s even worse outside Europe. In a blog post, CRob pointed out that \u201cThe geographic disparity is even more alarming. 
In the United States and Canada, nearly <\/span><a href=\"https:\/\/openssf.org\/blog\/2026\/05\/18\/taking-stock-of-the-state-of-european-cyber-resilience-act-cra-compliance-an-urgent-wake-up-call-for-the-open-source-ecosystem\/\"><span>72% of respondents are unfamiliar with the regulation<\/span><\/a><span>. It cannot be understated: If you are a North American company selling software products into the EU market, you are legally required to comply with the CRA. However, the majority of the neighborhood is still walking unprepared toward a September 2026 reporting deadline.\u201d<\/span><\/p>\n<p><span>The <\/span><a href=\"https:\/\/www.linuxfoundation.org\/\"><span>Linux Foundation<\/span><\/a><span> and partners had expected their second CRA readiness survey to show clear progress after a year of talks and guidance aimed directly at manufacturers and developers. Instead, the tech business remains oblivious.<\/span><\/p>\n<p><span>\u201cThe TL;DR is we and other groups within the industry have been working on this very hard for a year, and we thought we had done a better job of getting in the rooms where the manufacturers or developers are,\u201d CRob said. \u201cWe had expected that the second iteration of the report was going to be amazing\u2026 but the results are very middling.\u201d<\/span><\/p>\n<p><span>Looking ahead, the Linux Foundation is taking its message to Brussels, the de facto EU capital, in June. There, \u201cwe\u2019re going to talk with the European Commission and ENISA.\u201d In addition, <\/span><a href=\"https:\/\/linuxfoundation.eu\/\"><span>Linux Foundation Europe<\/span><\/a><span> will host a European policy day on June 8, followed by a June 9 event focused \u201cpurely on cyber security, mostly the CRA,\u201d but Robinson expects the AI Act will also be on the agenda. 
In short, \u201cpeople need to wake up.\u201d<\/span><\/p>\n<p><span>Robinson argues that CRA compliance cannot be delegated to technical teams alone and says senior executives are not yet sufficiently engaged. \u201cIt\u2019s an urgent wake\u2011up call, that\u2019s for damn sure,\u201d he added. \u201cYou need the C-suite, and it needs to get involved. This can only happen from the top down, and they\u2019re just not going to pay attention to the open-source conferences.\u201d<\/span><\/p>\n<p><span>Beyond awareness, Robinson says many companies are making structurally bad bets about how to meet CRA obligations around vulnerability management and updates. In a separate Linux Foundation economics study on <\/span><a href=\"https:\/\/www.linuxfoundation.org\/research\/contribution-roi\"><span>ROI for Open Source Software Contribution<\/span><\/a><span>, he cites \u201ca little over half\u201d of organizations reporting that they \u201cpassively wait for upstream to do something before they react.\u201d<\/span><\/p>\n<p><span>With the CRA, Robinson continued, \u201cthat\u2019s like a really bad move because the upstream doesn\u2019t have the deadlines and the fines. They\u2019ll try to work as quickly as they can, but\u2026 they\u2019re not going to be yelled at or threatened to work any faster.\u201d<\/span><\/p>\n<p><span>Others respond by forking open source code and maintaining private branches: \u201cThey\u2019ll do private forks, where they\u2019ll have a private copy, they might do their own patches and not contribute that upstream,\u201d Robinson said. 
\u201cThat was like over almost $260,000 of either expense or engineering labor for each product release by those organizations, that\u2019s the technical bet they\u2019re taking.\u201d He argues that those numbers should \u201cwake up the C-suite,\u201d given the number of releases many vendors cut each year.<\/span><\/p>\n<p><span>For large organizations (5,000+ employees), CRob added, \u201cThis burden exceeds 11,152 labor hours per cycle. Maintaining these divergent codebases is a giant bill for a strategy that actually makes supply chain transparency worse. Contributing fixes upstream isn\u2019t just being a \u2018good neighbor\u2019 \u2013 it\u2019s the only financially rational path forward.\u201d<\/span><\/p>\n<p><span>Robinson also links CRA readiness to the rapid adoption of AI in software security, which he says will massively increase the volume of fixes vendors must handle. \u201cIt\u2019s an explosion of AI. I see it in three tiers right now.\u201d<\/span><\/p>\n<p><span>At the top are upstream maintainers, who he expects will \u201cfigure a way to manage this\u201d by automating and leveraging new tools, but who will also generate \u201cexponentially more patches every day.\u201d The second tier consists of manufacturers \u201con the hook for things like the CRA,\u201d who must \u201cretool internal processes that have existed for decades\u2026 very conservative, very brittle, slow processes.\u201d<\/span><\/p>\n<p><span>The third, and in his view least prepared, group is downstream enterprises such as \u201ca bank, or a hospital, or whatever.\u201d \u201cAll these people\u2026 are totally unprepared for thousands of fixes hitting their inbox,\u201d Robinson warned, adding that bad actors will inevitably weaponize AI\u2011driven vulnerabilities and exploits. 
He asked, \u201cHow do we prepare purely downstream consumers to be able to take these patches, deploy them quickly, so that they aren\u2019t\u2026 a victim to some attack?\u201d<\/span><\/p>\n<p><span>That\u2019s a good question, and for now, there are no good answers. Companies will soon have no choice but to figure it out. All the hysteria about how bad Y2K was going to be turned out to be so much hype because the hard work had already been done. When it comes to the CRA, however, far too few companies have done their homework.<\/span><\/p>\n<p><a href=\"https:\/\/devops.com\/openssfs-crob-the-runway-is-rapidly-running-out-on-eu-cra-readiness\/\" target=\"_blank\" class=\"feedzy-rss-link-icon\">Read More<\/a><\/p>","protected":false},"excerpt":{"rendered":"<p>The EU\u2019s Cyber Resilience Act kicks into high gear this September, and companies are still clueless about how they must [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":4104,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[5],"tags":[],"class_list":["post-4103","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-devops"],"_links":{"self":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/4103","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/comments?post=4103"}],"version-history":[{"count":0,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/4103\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media\/4104"}],"wp:attachment":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media?parent=4103"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/categories?post=4103"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/tags?post=4103"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}