{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreiczmi4b73et3m6pzdl4i4n7firrc6sdvu5czvuh3e6osr3qbd5ji4",
    "uri": "at://did:plc:eux4xqpsnfr42jfbtaegp6qd/app.bsky.feed.post/3mp73roxvuli2"
  },
  "path": "/blog/2026/06/25/the-cra-readiness-reality-what-changed-and-what-didnt-between-2025-and-2026/",
  "publishedAt": "2026-06-25T19:12:23.000Z",
  "site": "https://openssf.org",
  "tags": [
    "Blog",
    "EU Cyber Resilience Act",
    "Guest Blog",
    "CRA",
    "Cyber Resilience Act",
    "Global Cyber Policy",
    "OpenSSF",
    "OSS Security"
  ],
  "textContent": "In 2025, Linux Foundation Research, Linux Foundation Europe, and Open Source Security Foundation (OpenSSF) published Unaware and Uncertain: The Stark Realities of Cyber Resilience Act Readiness in Open Source. It took a survey-based look at how prepared the open source ecosystem was for the European Union's Cyber Resilience Act (EU CRA). The headline finding was blunt: 62% of respondents had little to no familiarity with a regulation that would reshape how software gets built, shipped, and maintained across global supply chains. The hope was that with a year to go before the CRA enters into force, community education initiatives and a growing body of guidance would move the readiness needle. They didn't.",
  "title": "The CRA Readiness Reality: What Changed (and What Didn’t) Between 2025 and 2026?"
}