
'Unaware and Uncertain': Report Finds Widespread Unfamiliarity With 2027's EU Cyber Resilience Requirements (linuxfoundation.org)

(Saturday March 22, 2025 @12:34PM (EditorDavid) from the yes-and-know dept.)


Two "groundbreaking research reports" on open source security were [1]announced this week by the Linux Foundation in partnership with the Open Source Security Foundation (OpenSSF) and Linux Foundation Europe. The reports specifically address the EU's Cyber Resilience Act (or CRA) and "highlight knowledge gaps and best practices for CRA compliance."

"[2]Unaware and Uncertain: The Stark Realities of CRA-Readiness in Open Source" includes a survey which found that when it comes to CRA requirements, 62% of respondents were either "not familiar at all" (36%) or "slightly familiar" (26%) — while 51% weren't sure about its deadlines. ("Only 28% correctly identified 2027 as the target year for full compliance," according to one infographic, which adds that CRA "is expected to drive a 6% average price increase, though 53% of manufacturers are still assessing pricing impacts.")

> Manufacturers, who bear primary responsibility, lack readiness — many [46%] passively rely on upstream security fixes, and only a small portion produce Software Bills of Materials (SBOMs). The report recommends that manufacturers take a more active role in open source security, that more funding and legal support is needed to support security practices, and that clear regulatory guidance is essential to prevent unintended negative impacts on open source development.

The research also provides "an in-depth analysis of how open collaboration can strengthen software security and innovation across global markets," with [3]another report that "examines how three Linux Foundation projects are meeting the CRA's minimum compliance requirements" and "provides insight on the elements needed to ensure leadership in cybersecurity best practices." (It also includes CRA-related resources.)

"These two reports offer actionable conclusions for open source stakeholders to ready themselves for 2027, when the CRA comes into force," according to a Linux Foundation research executive cited in the announcement. "We hope that these reports catalyze higher levels of collaboration across the open source community."



[1] https://www.linuxfoundation.org/press/linux-foundation-research-reports-reveal-wide-spectrum-for-cyber-resilience-act-readiness-and-compliance

[2] https://www.linuxfoundation.org/research/cra-readiness?hsLang=en

[3] https://www.linuxfoundation.org/research/cra-compliance-best-practices?hsLang=en



Sounds like they have two years to ask. (Score:2)

by Revek ( 133289 )

This is kind of a non-story about people thinking two years is an insufficient amount of time to ask questions and find the answers in order to properly implement it. We all know some will wait until the last minute and just pay a huge fee to some consultant to give them a plan. Those will be the ones whining the loudest. If they don't, they will pay the price, while those that do it right will get an edge in the market. I'm thankful the EU is pushing back against these companies and forcing them to comply to a st

China? (Score:2)

by Teun ( 17872 )

So how much of this equipment is made in China?
