A new survey shows that open source developers and organizations remain largely unprepared for the European Union's Cyber Resilience Act despite a year of awareness efforts. The 2026 CRA Awareness and Readiness Report found that unfamiliarity with the regulation increased to 66 percent from 62 percent in 2025.
The report, released in early June by LF Research, OpenSSF, Balena, Ericsson, and Revanite, surveyed a broader group including more respondents from the United States and Canada. There, 72 percent said they were unfamiliar with rules that will apply to products sold in the EU market.
Key gaps persist among those aware of the CRA. Roughly 40 percent have not determined if the regulation applies to their work. Only 34 percent correctly identified December 2027 as the full compliance deadline. Just 41 percent of manufacturers expect to meet that deadline, while 39 percent remain uncertain.
Other metrics stayed flat or worsened. The share of respondents producing Software Bill of Materials for all products held at 32 percent. Reliance on upstream projects for fixes rose to 51 percent. The report also noted a 394 percent year-over-year surge in published CVEs across more than 14,000 projects in the first quarter of 2026.