{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreidxrisbeluqvmgmubwwomobkddslggvv2zpoejkruxnlkljrtqzbm",
    "uri": "at://did:plc:qz6ohvpdsdvv5kniizyfz25y/app.bsky.feed.post/3mnwkpeevtq62"
  },
  "coverImage": {
    "$type": "blob",
    "ref": {
      "$link": "bafkreibsbg63cvga3xdgrdicbcdwf6b4vbxl24xrfo6divgklrb23jafuq"
    },
    "mimeType": "image/jpeg",
    "size": 774970
  },
  "path": "/article/4183415/eu-rules-on-securing-it-products-begin-this-week-but-enterprises-arent-ready.html",
  "publishedAt": "2026-06-10T09:57:54.000Z",
  "site": "https://www.cio.com",
  "tags": [
    "IT Governance, IT Leadership, Open Source, Security, Software Development",
    "survey by Open Source Security Foundation",
    "implications for users of open-source software",
    "Christopher Robinson",
    "Hans Study",
    "Michael Callahan"
  ],
  "textContent": "Too many enterprises remain ignorant of the European Union’s 2024 Cyber Resilience Act, the first elements of which enter force on June 11, according to a new survey.\n\nTwo-thirds of respondents to the survey by the Open Source Security Foundation said they were unfamiliar with the CRA, which aims to make hardware and software sold in the EU more secure.\n\nAs well as placing demands on vendors, the CRA has implications for users of open-source software, hence the Foundation’s interest in the topic. Among other measures, the CRA creates the role of open-source steward within the enterprise, with responsibility for ensuring that a security policy is in place for any software being used within the organization.\n\nThe first part of the CRA to enter force, on June 11, concerns the designation of conformity assessment bodies by member states. Then, from September 11, manufacturers will be required to begin reporting vulnerabilities in their products to the relevant authorities. The remaining obligations under the Act, which include substantial financial penalties, will apply from December 11, 2027.\n\nThe impending sanctions seem not to have concerned businesses: 56 percent of respondents to the OpenSSF survey were unaware that non-compliance fines could reach €15 million or 2.5 percent of global annual turnover.\n\nThe lack of knowledge about the implications of the Act surprised OpenSSF CTO Christopher Robinson. “We’ve been speaking on this topic for some time and we’re scratching our heads on why more companies are not aware of the implications of the Act,” he said.\n\n## Global concern\n\nHe surmised that some companies don’t think EU regulations on hardware and software security apply to them — but such concerns will soon be a global matter. “Other countries, like Japan, are considering similar laws,” he said.\n\nOne area of misunderstanding could be that the CRA applies to vendors, and their customers may think that the requirements under the Act do not apply to them. He said that this was a misguided approach, particularly when the CRA’s application to open-source software is taken into account.\n\n“There are about 700 million projects in GitHub. If you work for an organization like a bank, you have little idea which of those projects are being used,” he said.\n\nUnder the Act, software companies will have to supply a software bill of materials (SBOM) that has been passed as secure, he said.\n\nCompanies that supply US federal government organizations already face this requirement, he said: “If you’re selling to the US government — which is the largest customer on the planet — you should be providing an SBOM.”\n\nCybersecurity consultant Hans Study said that by addressing the supply chain issue, the CRA is a step in the right direction. “Almost every application has dependencies, whether that is free and open-source software, commercial packages, or some mix of both. The problem has always been responsibility, and the blame game that comes with it. What the CRA does is make it harder for companies to dodge that responsibility when they are building, selling, or placing products with digital elements on the market,” he said.\n\n## AI ignorance\n\nAccording to Michael Callahan, VP of Cyber Strategy at Salt Security, one of the issues that could cause problems in the future is the growing use of AI in the software development process. “The Cyber Resilience Act assumes enterprises know what is in their software. That assumption breaks down when AI coding assistants are generating a significant share of code. An AI assistant has never read your organization’s security policies, your licensing obligations, or your open-source governance standards. The code it produces may contain dependencies, patterns, or vulnerabilities that your security team cannot easily trace back to a specific decision or a specific developer.”\n\nEnterprises are quickly running out of time to fix issues, and many are pessimistic about their chances. According to the OpenSSF survey, only 41 percent of manufacturers expect to be fully compliant by December 2027, while 39 percent do not know when they will be.\n\nIt may be that the proposed fines could concentrate minds. Robinson said that it could be like GDPR, where a few heavy fines drew companies’ attention to the regulation. The upper limit on fines is per infraction, not per company, he said: “Something like that could wipe out an SME and seriously hit large corporations.” The legislation should be something that all businesses need to be aware of, but there is still a long way to go.",
  "title": "EU rules on securing IT products begin this week, but enterprises aren’t ready"
}