
OpenSSF flags CRA readiness gap

Regulatory/Legal (General)
1 unique source, 1 article

Summary


OpenSSF warned that global manufacturers, developers, and open source stakeholders remain materially unprepared for Cyber Resilience Act (CRA) compliance ahead of the December 2027 deadline. The group said 66% of surveyed organizations were not familiar at all or only slightly familiar with the regulation, a share that rises to 72% among respondents in the US and Canada. It also said many organizations still do not know whether the CRA applies to them, what the deadlines and penalties are, or how manufacturer and steward obligations divide across the software supply chain.

Related Happenings

CRA readiness gaps persist across global open source and manufacturing stakeholders

Trend
First: 08.06.2026 12:00 Last: 08.06.2026 12:00 Sources 1

How related: A leading open source security body has warned of “stagnating awareness and structural unreadiness” in the community ahead of a key December 2027 deadline for compliance with the Cyber Resilience Act (CRA).

About this happening: **OpenSSF** found **stagnating CRA readiness** across **global manufacturers, developers, and open source stakeholders**, leaving a large share of the ecosystem exposed to **Decem...

Widespread end-of-life package exposure across major open-source registries

Trend
First: 05.05.2026 17:00 Last: 05.05.2026 17:00 Sources 1

About this happening: End-of-life open source packages remain widespread across **major registries**, leaving **enterprise dependency graphs** exposed to versions with no patch path and limited CVE cov...

Chainguard longtail container CVE burden and rapid remediation trend

Trend
First: 08.01.2026 13:50 Last: 08.01.2026 13:50 Sources 1

About this happening: **Chainguard's quarterly telemetry** shows **98% of remediated CVEs** landed in the **longtail outside the top 20 images**, concentrating security burden across a broad production...

UK Business and Trade Committee proposal on software provider liability

Regulatory/Legal (General)
First: 26.11.2025 17:00 Last: 26.11.2025 17:00 Sources 1

About this happening: The **UK’s Business and Trade Committee** has proposed legislation to make software providers legally responsible for insecure products, a shift that could raise compliance burden...

Timeline

  1. 08.06.2026 12:00 2 articles

    OpenSSF warns of CRA readiness gap across the open source ecosystem

    Initial Disclosure

    OpenSSF warned that the open source ecosystem remains materially unprepared for Cyber Resilience Act compliance ahead of the December 2027 deadline, citing that 66% of surveyed organizations were not familiar at all or only slightly familiar with the CRA, a share that rises to 72% in the US and Canada. The report also said 41% had not determined whether the regulation applies to them, 45% were uncertain about compliance deadlines, 56% were unaware of the penalties for non-compliance, 54% were unclear on the respective roles of manufacturers and stewards, and only 32% of manufacturers produce SBOMs for all of their products. OpenSSF added that 51% still rely passively on upstream projects for security fixes, that private forks create technical debt, and that the ecosystem needs automated compliance tooling and clearer guidance.
