A report by OpenSSF reveals that two-thirds of the open source community is unaware of the Cyber Resilience Act (CRA) set for compliance by December 2027. The CRA aims to establish security standards for software and hardware in the EU, requiring manufacturers to embed security across the product lifecycle. Key findings include: 66% of stakeholders are unfamiliar with the CRA, 41% are uncertain about its applicability, and 51% rely on upstream projects for security fixes, creating risks for compliance.
The report emphasizes the need for operational toolkits and community-driven support to bridge the compliance gap, especially as concern about vulnerabilities rises alongside AI development.