EU Starts Cyber Resilience Act Rollout as 66% of Firms Lack Awareness
Updated · InfoWorld · Jun 10
Summary
June 11 marks the first Cyber Resilience Act deadline, with EU member states starting designation of conformity assessment bodies before broader vendor obligations phase in.
66% of organizations surveyed by OpenSSF said they were unfamiliar with the law, and 56% did not know non-compliance fines can reach €15 million or 2.5% of global annual turnover.
September 11 will require manufacturers to report product vulnerabilities to authorities, while the rest of the act — including open-source stewardship and software supply-chain controls — applies from December 11, 2027.
41% of manufacturers expect full compliance by December 2027, while 39% do not know when they will comply; experts say AI-generated code and opaque open-source dependencies could make compliance harder.
The act reaches beyond EU vendors because customers must understand what software they use, and similar rules are already under consideration in countries including Japan.
Countdown to CRA Compliance: Two-Thirds Unaware of EU Cyber Resilience Act Ahead of September 2026 Deadline
Overview
As of mid-2026, most of the industry and two-thirds of the open-source community remain unaware of the EU Cyber Resilience Act (CRA) and its critical deadlines. This widespread lack of understanding poses a significant risk, especially as the crucial September 11, 2026 deadline for vulnerability reporting quickly approaches. The CRA, published on June 1, 2026, is a landmark regulation that mandates minimum cybersecurity standards for all connected products in the EU market, making cybersecurity a required product feature. Immediate action is essential for organizations to prepare for these new obligations and avoid compliance risks.