The 2026 CRA Awareness and Readiness Report assesses how the global software ecosystem is preparing for the European Cyber Resilience Act (CRA). Building on the 2025 study, Unaware and Uncertain: The Stark Realities of Cyber Resilience Act Readiness in Open Source, this year’s research incorporates a larger sample of 843 respondents, a 23% increase from the previous year, alongside a security analysis of over 12,000 open source projects. The findings show stagnating awareness and structural unreadiness as the December 2027 full compliance deadline draws near.
The 2027 deadline is a forcing function, but it points toward something worth building: software supply chains that are more secure, and more sustainably supported than those that exist today. Explore the complete, data-driven insights compiled by The Linux Foundation and the Open Source Security Foundation (OpenSSF) to prepare your organization for the impending reporting obligations and full enforcement timelines.
