The Big Picture: The EU Cyber Resilience Act (CRA) is no longer pending — vulnerability reporting obligations are live, and manufacturers worldwide face five-year support mandates, mandatory SBOM documentation, and billion-euro fines for non-compliance. Most software-producing organizations still lack basic visibility into their own dependency stacks.
The Guests: Brian Fox, Co-founder & CTO at Sonatype; Christopher “CRob” Robinson, CTO at OpenSSF
Key Takeaways:
• The September 2026 vulnerability reporting deadline is already in effect — manufacturers selling into the EU must have processes in place now, not by 2027
• An SBOM covering all transitive dependencies is the non-negotiable first step — if you can’t answer “where are we exposed to this CVE?” within hours, you are not compliant
• AI is accelerating both vulnerability discovery and maintainer overload — open source projects face a flood of LLM-generated reports with no corresponding resources to address them
• The Product Liability Directive runs parallel to the CRA — it removes software’s historical exemption from product liability, creating direct consumer lawsuit exposure on top of regulatory fines
• Open source is not categorically exempt — commercially entangled open source falls within scope, and downstream manufacturers will be pressing upstream maintainers for compliance documentation
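One way to answer the “where are we exposed to this CVE?” question from the SBOM takeaway above, as an added example that is not the interview’s or either guest’s code. It assumes a CycloneDX-style SBOM whose “dependencies” section declares the transitive graph by bom-ref; the SBOM, the advisory mapping and the CVE id are constructed placeholders.

```python
# Added example (not from the interview, Sonatype or OpenSSF): answer "where are
# we exposed to this CVE?" from a CycloneDX-style SBOM. The SBOM and the
# advisory mapping are constructed sample data; the CVE id is a placeholder.
from collections import deque

# Constructed CycloneDX-like SBOM; "dependencies" gives the graph by bom-ref.
SBOM = {
    "metadata": {"component": {"bom-ref": "pkg:app/billing@2.3"}},
    "components": [
        {"bom-ref": "pkg:maven/acme/web@1.0", "name": "web"},
        {"bom-ref": "pkg:maven/acme/json@4.1", "name": "json"},
        {"bom-ref": "pkg:maven/acme/log@3.0", "name": "log"},
        {"bom-ref": "pkg:maven/acme/crypto@2.2", "name": "crypto"},
    ],
    "dependencies": [
        {"ref": "pkg:app/billing@2.3",
         "dependsOn": ["pkg:maven/acme/web@1.0", "pkg:maven/acme/crypto@2.2"]},
        {"ref": "pkg:maven/acme/web@1.0", "dependsOn": ["pkg:maven/acme/json@4.1"]},
        {"ref": "pkg:maven/acme/json@4.1", "dependsOn": ["pkg:maven/acme/log@3.0"]},
        {"ref": "pkg:maven/acme/log@3.0", "dependsOn": []},
        # "crypto" is listed as a component but has no dependency entry: a gap.
    ],
}

# Constructed advisory feed: placeholder CVE id -> affected component bom-refs.
ADVISORIES = {"CVE-0000-00000": {"pkg:maven/acme/log@3.0"}}


def exposure_paths(sbom, cve, advisories=ADVISORIES):
    """Dependency paths from the product to components affected by cve, shortest first."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    affected = advisories.get(cve, set())
    root = sbom["metadata"]["component"]["bom-ref"]
    paths, queue = [], deque([[root]])
    while queue:  # breadth-first, so shorter exposure paths are reported first
        path = queue.popleft()
        node = path[-1]
        if node in affected:
            paths.append(path)
            continue
        for dep in graph.get(node, []):
            if dep not in path:  # tolerate cyclic dependency declarations
                queue.append(path + [dep])
    return paths


def undeclared_components(sbom):
    """Components with no "dependencies" entry: the transitive graph is incomplete there."""
    declared = {d["ref"] for d in sbom.get("dependencies", [])}
    return {c["bom-ref"] for c in sbom.get("components", [])} - declared
```

`undeclared_components` is the completeness check the takeaway implies: an SBOM that lists a component without declaring what it depends on cannot answer the exposure question for anything beneath it.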
In a recent TFiR interview, Swapnil Bhartiya spoke with Brian Fox, Co-founder & CTO at Sonatype, and Christopher “CRob” Robinson, CTO at OpenSSF, about the current state of CRA enforcement, the open source liability question, and what manufacturers must do before December 2027.
THE CRA ENFORCEMENT TIMELINE
The Cyber Resilience Act operates on two tracks. The first — vulnerability reporting obligations — came into effect September 11, 2026. The second — covering full cybersecurity requirements including risk management methodologies, third-party component due diligence, and secure-by-design SDLC requirements — takes effect December 11, 2027.
Robinson described the gap between those two dates as deceptively short: “Those December 2027 requirements are much more challenging. They involve risk management methodologies, documentation, component due diligence, and a secure-by-design software development lifecycle. These are very large lifts for a commercial entity. They need to start now.”
Fox drew a direct parallel to GDPR’s rollout: manufacturers who waited for fines before acting faced a painful scramble. The pattern, he argued, will repeat. “The viewers watching this have a leg up. It’s all the folks we haven’t been able to reach collectively that are going to have that wake-up call.”
OPEN SOURCE AND THE GRAY ZONE
One of the most contested dimensions of the CRA is how it applies to open source software. The law attempts to distinguish between pure open source projects and commercially entangled open source — but that line is imprecise, and the implications extend well beyond the manufacturers directly covered.
Fox pointed to a draft guidance document published by the European Commission that provides use-case-level clarity: “It’s more like a narrative, with specific examples for people to be able to find the example that applies to their situation.” He noted that open source foundations helped shape that language significantly — in some cases, text was adopted almost verbatim from community working groups.
However, the broader concern remains the downstream pressure. “Commercial manufacturers will start demanding compliance documentation from open source projects. We’re going to see a little bit of chaos when that first rolls out, even though open source was intended to be somewhat carved out.”
“If you’re selling software, you’re probably already a global company. It more or less applies to everybody selling software, unless you happen to be in a niche where you’re not selling into Europe,” Fox said.
AI, AUTOMATION, AND THE MAINTAINER FLOOD
Robinson framed the current moment as two crises converging: the CRA compliance wave and the AI-generated vulnerability report flood. Large language models are increasingly capable of identifying potential vulnerabilities at scale — and routing those reports upstream to open source maintainers who have neither the capacity nor the funding to respond.
“We’re in the middle of an epidemic where these large language models are getting better and are able to find more information, but they’re flooding upstream maintainers. These teams don’t have the capability to handle this. We’re going to have this perfect storm: AI models doing a great job of finding problems, throwing thousands of vulnerability reports upstream, and then thousands of manufacturers harassing maintainers to go do all this free work for them.”
Fox added that AI’s role in software production further complicates the picture: “As companies move more into AI, and into the AI SDLC, this problem will explode. You start throwing agents in there, and you have by definition no humans in the loop. The ability to govern these decisions at scale becomes even more important.”
THE PRODUCT LIABILITY DIRECTIVE — THE COMPLIANCE STORY MOST TEAMS ARE MISSING
Running alongside the CRA is the Product Liability Directive, an update to Europe’s liability regime that removes software’s longstanding exemption from product liability law. Fox argued this piece receives insufficient attention even among compliance-focused organizations.
“You think about all of the product liability that comes with selling physical things—cars, medical devices. Software is going to fall into that camp. The fact that you had an SBOM doesn’t save you. If something still fails and hurts a person, you’re responsible regardless of how hard you tried. That will complete the loop and make organizations focus on this—not as a check-the-box exercise, because the liability stands.”
The timing mirrors the CRA, with initial implications already taking effect by the end of 2026 for consumer-facing software products.