The Linux Foundation announced the publication of two groundbreaking research reports, both in partnership with the Open Source Security Foundation (OpenSSF) and Linux Foundation Europe (LF Europe), that explore community-driven strategies to address open source security and the European Union's Cyber Resilience Act (CRA). Authored by industry leaders and open source policy experts, these reports highlight knowledge gaps and best practices for CRA compliance, providing an in-depth analysis of how open collaboration can strengthen software security and innovation across global markets.
"As regulatory landscapes evolve, Linux Foundation Research remains committed to supporting security best practices through data-driven, empirical insights," said Hilary Carter, SVP Research at the Linux Foundation. "These two reports offer actionable conclusions for open source stakeholders to ready themselves for 2027, when the CRA comes into force. We hope that these reports catalyze higher levels of collaboration across the open source community."
The first report, Pathways to Cybersecurity Best Practices in Open Source: How the Civil Infrastructure Platform, Yocto Project, and Zephyr Project are Closing the Gap to Meeting the Requirements of the Cyber Resilience Act, examines how three Linux Foundation projects are meeting the CRA's minimum compliance requirements. The report provides a textual analysis of the CRA, a brief overview of the Civil Infrastructure Platform (CIP), Yocto Project, and Zephyr Project, and details the best practices each project has adopted to comply with the core requirements of the CRA. It also offers insight into the elements needed to ensure leadership in cybersecurity best practices, and includes a set of resources to aid other open source stakeholders in their CRA compliance journeys.
"Navigating the CRA requires a strategic approach that balances compliance with the fundamental principles of open source development," said Gabriele Columbro, General Manager of Linux Foundation Europe. "At the Linux Foundation, we host some of the most important projects running global critical infrastructure, and this research underscores our commitment to provide actionable insights based on the CRA readiness of three of these projects, with immediate relevance to manufacturers, industry leaders, and open source communities across Europe and around the world."
The second report, Unaware and Uncertain: The Stark Realities of Cyber Resilience Act Readiness in Open Source, highlights significant knowledge gaps in the open source ecosystem regarding the CRA, which imposes cybersecurity requirements on products with digital elements. Survey data outlined in the report reveals that most respondents are unfamiliar with the CRA, uncertain about compliance deadlines, and unaware of non-compliance penalties. Manufacturers, who bear primary responsibility, lack readiness: many passively rely on upstream security fixes, and only a small portion produce Software Bills of Materials (SBOMs). The report recommends that manufacturers take a more active role in open source security, that more funding and legal support are needed to sustain security practices, and that clear regulatory guidance is essential to prevent unintended negative impacts on open source development.
"Ensuring software supply chain security is essential for maintaining trust in open source," said Steve Fernandez, General Manager, OpenSSF. "This report highlights significant knowledge gaps and key strategies to help organizations meet regulatory obligations outlined in the CRA regarding secure software development, while preserving the collaborative and decentralized nature of open source."
Linux Foundation Research will continue to support open source communities, industry partners, and regulatory bodies to advance secure software development practices that recognize the unique dynamics of open source, while balancing regulatory compliance with open innovation.