OpenSSF's CRob: 'The Runway Is Rapidly Running Out' on EU CRA Readiness
- #Software Supply Chain
- #Cybersecurity Regulations
- #EU Compliance
- The EU's Cyber Resilience Act (CRA) becomes enforceable in September 2026, imposing strict cybersecurity rules on nearly all digital products sold in the EU.
- Many companies, especially in North America, remain unaware or unprepared for CRA compliance, risking fines up to €15 million or 2.5% of global turnover.
- Compliance requires security risk assessments, secure design, vulnerability elimination, and timely updates; senior executive involvement is crucial but lacking.
- Poor strategies like passively waiting for upstream fixes or maintaining private forks increase costs and reduce supply chain transparency.
- The rapid adoption of AI in software security will sharply increase the volume of patches, challenging downstream enterprises such as banks and hospitals that must absorb them.
- The Linux Foundation is escalating awareness efforts, including meetings with EU authorities and events focused on CRA and cybersecurity.