{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreiczmi4b73et3m6pzdl4i4n7firrc6sdvu5czvuh3e6osr3qbd5ji4",
"uri": "at://did:plc:eux4xqpsnfr42jfbtaegp6qd/app.bsky.feed.post/3mp73roxvuli2"
},
"path": "/blog/2026/06/25/the-cra-readiness-reality-what-changed-and-what-didnt-between-2025-and-2026/",
"publishedAt": "2026-06-25T19:12:23.000Z",
"site": "https://openssf.org",
"tags": [
"Blog",
"EU Cyber Resilience Act",
"Guest Blog",
"CRA",
"Cyber Resilience Act",
"Global Cyber Policy",
"OpenSSF",
"OSS Security"
],
"textContent": "In 2025, Linux Foundation Research, Linux Foundation Europe, and Open Source Security Foundation (OpenSSF) published Unaware and Uncertain: The Stark Realities of Cyber Resilience Act Readiness in Open Source. It took a survey-based look at how prepared the open source ecosystem was for the European Union's Cyber Resilience Act (EU CRA). The headline finding was blunt: 62% of respondents had little to no familiarity with a regulation that would reshape how software gets built, shipped, and maintained across global supply chains. The hope was that with a year to go before the CRA enters into force, community education initiatives and a growing body of guidance would move the readiness needle. They didn't.",
"title": "The CRA Readiness Reality: What Changed (and What Didn’t) Between 2025 and 2026?"
}