
OCCTET

Open Source Compliance Toolkit

CRA Readiness for SMEs & OSS Projects

Our mission is to empower SMEs with accessible, efficient, and secure solutions for Open Source Software (OSS) integration, while strengthening the security posture of Open Source Communities.

The OCCTET project (Open-source Compliance: Comprehensive Techniques and Essential Tools) is an EU-funded initiative aimed at improving cybersecurity and compliance with the Cyber Resilience Act (CRA) for Small and Medium Enterprises (SMEs). The project focuses on creating an Open Source Toolkit to automate the compliance process for Free and Open Source Software (FOSS) used in digital products.

This toolkit is intended to provide a comprehensive suite of tools and resources tailored to the needs of SMEs:

  • Compliance Checklist
  • Conformity Assessment Specifications
  • Automated Evaluation Method and Tool
  • Federated Database platform for publishing the results of OSS component assessments, allowing contributions from various stakeholders
  • Inventory of Automatic Dependency Analysis Tools
  • Reporting tool

🎥 Watch the OCCTET Presentation


Evaluate Your Cyber Resilience Readiness in Minutes

Strengthen your organization’s cyber resilience with our quick, easy, and completely free self-assessment tool. The platform helps you instantly measure your compliance and preparedness in line with the EU Cyber Resilience Act (CRA).

Free self-assessment • Confidential processing • Instant next steps


News

OCCTET Deliverables D3.3 and D3.4 – Toolkit Demo and Federated Database Final

July 3, 2026

🛠️ How can SMEs turn open-source software analysis into practical CRA compliance evidence?

OCCTET has released two major Work Package 3 deliverables: D3.3 – Toolkit Demo and D3.4 – Federated Database Final.

Together, these deliverables demonstrate how OCCTET is building an open-source toolchain to help SMEs identify dependencies, detect vulnerabilities, generate SBOMs, curate findings, and reuse trusted software metadata across the open-source ecosystem.

D3.3 – Toolkit Demo

D3.3 presents the OCCTET Toolkit demonstrator, bringing together ORT Server, OCCTET Curator and supporting components to automate software composition analysis, vulnerability detection, SBOM generation, and CRA-oriented compliance evidence preparation.

What it demonstrates:

  • Automated dependency discovery and vulnerability analysis with ORT Server
  • Continuous monitoring of software projects and evolving security advisories
  • SBOM generation in standard formats such as SPDX and CycloneDX
  • Human-in-the-loop curation with OCCTET Curator
  • Support for VEX-oriented vulnerability evidence and CRA reporting workflows
  • Validation on widely used open-source projects and SME use cases

D3.4 – Federated Database Final

D3.4 presents the final demonstrator of the OCCTET federated and shared software metadata platform. It extends the earlier FedDB beta into an operational approach for sharing package origin, license, vulnerability and SBOM metadata using Package URL (PURL) as the common software supply chain identifier.

What it brings:

  • Federated software package metadata keyed by PURL
  • Reusable origin, license, advisory and SBOM information
  • CycloneDX SBOM generation through PurlDB
  • Support for more than 20 million tracked packages in the public PurlDB demonstrator
  • An advisory-centric VulnerableCode model designed to support actionable vulnerability management
  • Decentralized publication of software metadata through API-accessible services and Git-based repositories

These two deliverables mark an important step toward OCCTET's goal of reducing the CRA compliance burden for SMEs.

CRA compliance requires more than knowing that a vulnerability exists. SMEs need to understand where components come from, whether they are affected, how findings should be prioritised, and how evidence can be produced and reused. D3.3 and D3.4 directly address this challenge.

📥 Read the full deliverables

👉 Want to help test the OCCTET toolkit? Join the testing community

OCCTET Needs Analysis Workshop


Monday, March 17, 2025

The Cyber Resilience Act (CRA) introduces new cybersecurity requirements for digital products, impacting SMEs, open-source developers, and software vendors across Europe. As compliance deadlines approach, many SMEs face uncertainty about how to meet these obligations, what tools to use, and what steps to take.

As part of its mission to simplify CRA compliance, OCCTET is hosting a Needs Analysis Workshop to gather insights from SMEs and key stakeholders. The goal is to identify compliance challenges, assess cybersecurity preparedness, and ensure that the OCCTET open-source toolkit is built to address real SME needs.

Agenda

  • Introduction to the OCCTET Project & Toolkit - Mikael Barbero (Eclipse Foundation)
  • Needs Analysis Miro Board Session - Davide Iaccarino (European DIGITAL SME Alliance)
  • Conclusion and Q&A

What to Expect from the Workshop

  • Introduction to OCCTET: Learn about the project’s mission, its objectives, and how it will help SMEs comply with the CRA.
  • Overview of the OCCTET Toolkit: Discover how the open-source compliance toolkit will support SMEs in managing cybersecurity risks and regulatory requirements.
  • Interactive MIRO Board Session: Engage in a collaborative discussion to map SME challenges and define the key features that the toolkit should include.
  • Q&A & Discussion: Share your thoughts, ask questions, and contribute directly to the project’s development.

This workshop is a key opportunity for SMEs to voice their challenges and influence the development of practical tools that will help them meet CRA requirements. By participating, you will be helping shape an accessible, open-source compliance solution tailored to SME needs.


Partners

  • AboutCode
  • Bitsea
  • DoubleOpen
  • DSME
  • Eclipse Foundation
  • ExpertWare
  • RedAlert

Get Engaged

Help us build a collaborative, open-source–driven solution that empowers both SMEs and open-source communities.

Be part of the OCCTET journey!

Register for our newsletter and stay updated on progress, opportunities, and community events. (If you can’t see the registration form, please contact us directly.)

Engage with Us Directly
