In 2022, the Log4Shell vulnerability exposed a stark reality: open source software (OSS) is the foundation of the digital world, but without structured security processes, it can become a major attack vector. Log4j, a widely used open source logging library, was exploited by attackers, impacting thousands of organizations globally and forcing emergency security responses across industries.
Fast forward to today, and the stakes have only grown. With open source components making up as much as 96% of modern software, governments and regulators are stepping in to define cybersecurity standards for digital products. The European Union’s Cyber Resilience Act (CRA) is one of the most significant regulatory shifts yet. The CRA aims to ensure that software and hardware products meet strict security requirements throughout their lifecycle.
But the CRA doesn’t just affect commercial vendors; it also introduces new responsibilities for open source software stewards—organizations that support, but don’t monetize, open source projects. This regulation acknowledges a fundamental challenge: security responsibility cannot rest solely on the manufacturers who consume open source software; it must also involve the upstream communities that develop and maintain it.
Over the past few months, Linux Foundation Research fielded and analyzed a survey of open source community members on their awareness of the CRA and their organizational and project readiness to address regulatory obligations. Beyond measuring this readiness, the analysis collected actionable insights on how to support open source contributors in meeting emerging security standards. The full report is now published on the Linux Foundation website—download the PDF to read the full analysis!
The Log4Shell crisis was a wake-up call for open source security. It forced companies, governments, and developers to reevaluate how security responsibilities are shared across the software supply chain. The Cyber Resilience Act now represents the next major test for the open source ecosystem.
As this report demonstrates, the open source community is facing a large and complex hurdle that impacts groups throughout the software pipeline. As a leader and a steward itself, the Linux Foundation is highly engaged in addressing these regulatory challenges while maintaining sustainable and healthy open source development.
Stay tuned for our second blog in this series, “Pathways to Cybersecurity Best Practices in Open Source: How Three Linux Foundation Projects are Leading the Way in CRA Compliance,” out next week!