Open source faces CRA awareness gap — Arabian Post

Open-source maintainers and software manufacturers are heading towards the European Union’s first Cyber Resilience Act enforcement milestone with deep gaps in awareness, preparedness and legal clarity, after new OpenSSF research found that about two-thirds of practitioners remain unready or unaware of the compliance timetable.

The finding has sharpened concern across the software supply chain because the CRA’s vulnerability and incident reporting duties begin on 11 September 2026, well before the wider compliance regime takes full effect on 11 December 2027. The law, formally Regulation 2024/2847, entered into force on 10 December 2024 and applies to products with digital elements placed on the EU market, including software, connected hardware and certain standalone components.

The Open Source Security Foundation has said 66% of open source practitioners are either unaware of the CRA deadline or not prepared for it, despite the law already being in force. Its wider research points to uncertainty among maintainers, manufacturers and open-source stewards over who carries responsibility for reporting exploited vulnerabilities, maintaining security processes and documenting compliance across projects that often rely on unpaid contributors.

The compliance challenge is particularly acute because modern software products depend heavily on open-source components. Enterprise platforms, cloud services, mobile applications, industrial systems and internet-connected devices frequently include packages maintained by distributed communities outside the commercial structures that ultimately place products on the EU market. That separation between upstream code creation and downstream commercial use has become one of the central tensions in the CRA debate.

The regulation treats open source differently depending on whether it is offered commercially. Free and open-source software that is not monetised and is not made available on the market in the course of commercial activity is generally outside the main manufacturer obligations. Individual developers contributing code to projects that are not under their responsibility are also not treated as manufacturers. However, companies that place products containing such software on the EU market remain responsible for compliance, while a new category of open-source software steward covers legal entities that provide sustained support for projects intended for commercial use.

Open-source software stewards face a lighter regime than manufacturers, but they still have obligations. These include maintaining a cybersecurity policy, supporting secure development, handling vulnerabilities and cooperating with market surveillance authorities. They must also report actively exploited vulnerabilities and severe security incidents affecting relevant products, although the CRA does not subject stewards to administrative fines for infringements.

Manufacturers face a tougher framework. Products covered by the Act must be designed, developed and maintained with cybersecurity in mind throughout their lifecycle. Companies will need processes for vulnerability handling, software updates, technical documentation, conformity assessment and incident reporting. Serious breaches can lead to fines of up to €15 million or 2.5% of global annual turnover, whichever is higher, while other infringements may attract lower but still significant penalties.

The first major test arrives with the September 2026 reporting duty. Manufacturers will need to report actively exploited vulnerabilities and severe incidents through the EU reporting architecture, involving ENISA and national computer security incident response teams. For companies that ship products with long chains of open-source dependencies, this means identifying which components are present, whether they are maintained, how vulnerabilities are tracked and who can act quickly when exploitation is detected.

That requirement has pushed software bills of materials, vulnerability disclosure policies, secure build systems and dependency mapping higher on boardroom agendas. Tools such as OpenSSF Scorecard, SLSA and project security baselines are gaining attention as organisations seek practical ways to measure upstream risk and demonstrate due diligence. Larger technology companies including Red Hat, Microsoft, GitHub and Ericsson have been active in policy and standards discussions, while foundations and working groups are trying to translate legal obligations into workflows that fit open collaboration.

Smaller developers and SMEs remain a weak point. Many lack legal teams, security staff or dedicated compliance budgets, even when their software is embedded in commercial products sold across Europe. OpenSSF has warned that weak readiness among smaller participants could reduce project diversity, increase pressure on volunteer maintainers and shift costs towards communities that were not designed to operate as regulated suppliers.

The CRA was created after a series of software supply-chain incidents exposed the fragility of widely used digital infrastructure. The Log4j vulnerability, attacks on package repositories and repeated exploitation of outdated dependencies strengthened the case for mandatory security-by-design rules. The EU’s approach seeks to make manufacturers responsible not only for product functionality at release, but also for security support and vulnerability management after deployment.
