OCCTET Deliverables
OCCTET produces a range of deliverables to support SMEs in understanding and complying with the Cyber Resilience Act (CRA).
Below you will find all available project deliverables.
Work Package 1: Project Management and Coordination
D1.1 - Project Management Handbook
Version 1.1
The Project Management Handbook outlines the governance structure, management procedures, and coordination mechanisms for the OCCTET project.
It establishes the rules and procedures for the 24-month, EU-funded OCCTET project, which aims to develop open-source tools to simplify Cyber Resilience Act (CRA) compliance for SMEs using FOSS.
The project is coordinated by the Eclipse Foundation (ECL) and governed by an organizational structure including the Executive Board. The Handbook defines essential management tools (GitLab for tracking, Matrix for communication) and details protocols for:
- Project Management: Using GitLab for issue tracking and progress monitoring.
- Meetings Management: Defining the purpose, frequency, and documentation of all project meetings.
- Risk Management: Establishing a proactive process for identifying and mitigating technical, compliance, and operational risks.
- Reporting: Outlining requirements for internal quarterly reports and official periodic reports to the EU Commission.
- Deliverables Management: Defining a rigorous review and submission process for quality assurance.
- Legal and Ethical Ground Rules: Ensuring compliance with the Grant Agreement, GDPR, and research integrity standards.
D1.2 - Impact Assessment Plan
Version 1.1
This deliverable describes the methodology and framework for assessing the impact of OCCTET’s activities on SMEs and the open-source ecosystem.
The plan utilizes the RE-AIM framework (Reach, Effectiveness, Adoption, Implementation, Maintenance) to ensure a holistic evaluation of both internal execution and real-world impact. Key objectives and their corresponding performance indicators (KPIs) are defined across these five dimensions:
- Reach: Engage at least 100 SMEs and achieve 5,000 unique web users.
- Effectiveness: Achieve 100% coverage of pre-market CRA requirements and reduce self-assessment time by over 25%.
- Adoption: Integrate solutions into the operational workflows of 100+ SMEs.
- Implementation: Ensure timely, high-quality delivery of 10-15 project tools (95%+ adherence to timeline).
- Maintenance: Ensure long-term sustainability with 250+ regular tool users 12 months post-project.
D1.3 - Ethics, Data and IPR Management Report
Version 1.1
This report details the ethical considerations, data management procedures, and intellectual property rights framework for the OCCTET project.
The framework is built on four core pillars: maintaining high Ethical standards, using open source licenses for project outputs (IPR), ensuring secure and GDPR-compliant data handling (Data), and implementing privacy-by-design (Privacy). The project engages participating SMEs in three stages to gather baseline, ongoing, and concluding data, focused on CRA compliance metrics.
Work Package 2: Requirements Analysis and Self-Assessment Tools
D2.1 - CRA SME Requirements and Self-Assessment Checklists
Version 1.3
This deliverable provides detailed requirements analysis for SMEs under the CRA, along with practical self-assessment checklists to help organizations evaluate their compliance readiness.
The objective of this document is to consolidate regulatory obligations stemming from the Cyber Resilience Act (CRA) and translate them into structured compliance requirements tailored to Small and Medium-sized Enterprises (SMEs) and the Free and Open Source Software (FOSS) ecosystem.
The framework is grounded in a structured methodological approach combining regulatory analysis, stakeholder engagement, survey results from SMEs and FOSS contributors, desk research, and expert consultation within the consortium. The survey instruments were aligned with the structure of the CRA, enabling direct mapping between stakeholder realities and regulatory domains, including essential cybersecurity requirements, role-based responsibilities, vulnerability handling, lifecycle management, and conformity assessment pathways.
D2.2 - SME CRA Self-Assessment Model & Survey
Version 1.1
This document presents the self-assessment model and survey tool designed to help SMEs evaluate their current cybersecurity posture and CRA compliance level.
The objective of this deliverable is to provide a structured, legally grounded and operationally practical framework enabling small and medium-sized enterprises (SMEs) to assess their level of alignment with the requirements of the Cyber Resilience Act (CRA).
The model translates CRA Articles and Annexes obligations into structured assessment questions, supported by scoring logic, explanatory guidance and evidence indicators. The methodology ensures traceability between legal provisions and questionnaire items. The deliverable describes:
- The legal mapping methodology linking CRA provisions to assessment criteria
- The scoring model and maturity structure
- The Oxy AI support mechanism used to assist interpretation
- Validation activities conducted with consortium partners and SMEs
- Tool testing evidence (further detailed in Annex 2)
The model contributes to OCCTET’s objective of strengthening SME capacity for CRA compliance by providing a free, structured and open methodology aligned with EU legislative requirements.
D2.3 - CRA Adoption Best Practices
Version 1.1
This document guides Small and Medium-sized Enterprises (SMEs) on achieving compliance with the Cyber Resilience Act (CRA) when using Free and Open Source Software (FOSS).
It emphasizes the risk-based approach of the CRA, where risk is contextual to the FOSS component’s criticality and usage. The guide promotes a proportional, risk-based philosophy for FOSS developers, focusing on:
- Integrating security across the lifecycle.
- Ensuring governance and transparency (e.g., security contacts).
- Building supply chain resilience (secure release practices).
The document also clarifies the roles of Open Source Stewards regarding CRA Article 25 attestations and provides specific SME CRA compliance guidelines, including advice on due diligence for consuming FOSS and security attestations.
Work Package 3: Technical Implementation
D3.1 - FedDB Beta
Version 1.1
The deliverable describes the federated database implementation for managing and sharing cybersecurity information across the OCCTET ecosystem.
FedDB-Beta-Del is the first demonstrator release for a reference federated software metadata platform under the OCCTET project. It establishes the basis for an open, resilient, and collaborative base system for sharing essential free and open source software (FOSS) metadata (origin, licenses, vulnerabilities) and enables more efficient Cyber Resilience Act (CRA) compliance processes for SMEs.
To overcome the bottlenecks of centralized systems, OCCTET is implementing a decentralized approach building on proven AboutCode open source technologies and designs. This initial demonstrator focuses on providing decentralized access to curated, open-source vulnerability data, with two key features:
- Decentralized Data Access
- PURL-Based Discovery with AboutCode Hashid
This demonstrator validates that the core data components are available and usable, whether through direct access keyed by PURL, in bulk, or through the public APIs. PURL adoption also validates the approach as the base for the next deliverables, since FOSS packages, identified by PURL, are the key software supply chain entities.
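The PURL-keyed access described above depends on every party spelling a package identifier the same way, otherwise a federated lookup misses records that another node holds. The following is an added illustration, not FedDB's, AboutCode's or OCCTET's own code, and it does not reproduce AboutCode Hashid: it parses a Package URL following the public purl specification, reduces it to a canonical key, and uses that key for an in-memory metadata index. The index, the package names and the advisory identifiers are constructed for the example and refer to no real package or vulnerability.

```python
"""Package URL (PURL) parsing and a PURL-keyed metadata index.

Added example, not FedDB/AboutCode code. Parsing follows the public purl spec
(pkg:type/namespace/name@version?qualifiers#subpath); the index and its
records are constructed for illustration only.
"""
from typing import Optional
from urllib.parse import quote, unquote


def parse_purl(purl: str) -> dict:
    """Split a PURL into components in the order the spec prescribes:
    subpath, qualifiers, scheme, type, version, then namespace/name."""
    rest = purl.strip()
    subpath = None
    if "#" in rest:
        rest, raw = rest.split("#", 1)
        # empty, '.' and '..' subpath segments are discarded per spec
        segs = [unquote(s) for s in raw.strip("/").split("/") if s not in ("", ".", "..")]
        subpath = "/".join(segs) or None
    qualifiers = {}
    if "?" in rest:
        rest, raw = rest.split("?", 1)
        for pair in raw.split("&"):
            key, _, value = pair.partition("=")
            if key and value:            # a qualifier with an empty value is absent
                qualifiers[key.lower()] = unquote(value)
    scheme, sep, rest = rest.partition(":")
    if not sep or scheme.lower() != "pkg":
        raise ValueError(f"not a purl: {purl!r}")
    rest = rest.lstrip("/")              # 'pkg://npm/...' is tolerated but not canonical
    ptype, sep, rest = rest.partition("/")
    if not sep or not ptype:
        raise ValueError(f"purl needs a type and a name: {purl!r}")
    ptype = ptype.lower()
    version = None
    at = rest.rfind("@")
    if at > 0:                           # '@' at position 0 is an unencoded npm scope, not a version
        version = unquote(rest[at + 1:])
        rest = rest[:at]
    rest = rest.strip("/")
    namespace = None
    if "/" in rest:
        ns, name = rest.rsplit("/", 1)
        namespace = "/".join(unquote(s) for s in ns.split("/") if s)
    else:
        name = rest
    name = unquote(name)
    if not name:
        raise ValueError(f"purl has an empty name: {purl!r}")
    # type-specific normalisation rules from the spec (a subset)
    if ptype == "pypi":
        name = name.lower().replace("_", "-")
    elif ptype in ("github", "bitbucket"):
        name = name.lower()
        namespace = namespace.lower() if namespace else namespace
    return {"type": ptype, "namespace": namespace, "name": name,
            "version": version, "qualifiers": qualifiers, "subpath": subpath}


def canonical_purl(p: dict) -> str:
    """Serialise parsed components back into one canonical string: lowercase
    type, percent-encoded segments, qualifiers sorted by key. Keeping ':'
    unencoded is this example's choice; the spec permits either form."""
    out = "pkg:" + p["type"] + "/"
    if p["namespace"]:
        out += "/".join(quote(s, safe=":") for s in p["namespace"].split("/")) + "/"
    out += quote(p["name"], safe=":")
    if p["version"]:
        out += "@" + quote(p["version"], safe=":")
    if p["qualifiers"]:
        out += "?" + "&".join(f"{k}={quote(v, safe=':/')}"
                              for k, v in sorted(p["qualifiers"].items()))
    if p["subpath"]:
        out += "#" + "/".join(quote(s, safe=":") for s in p["subpath"].split("/"))
    return out


class PurlIndex:
    """In-memory stand-in for a metadata store keyed by canonical PURL."""

    def __init__(self):
        self._records = {}

    def add(self, purl: str, record: dict) -> str:
        key = canonical_purl(parse_purl(purl))
        self._records[key] = record
        return key

    def lookup(self, purl: str) -> Optional[dict]:
        """Any spelling that canonicalises to the same key hits the same record."""
        return self._records.get(canonical_purl(parse_purl(purl)))


def build_demo_index() -> PurlIndex:
    """Constructed records for fictional packages; not real packages or advisories."""
    idx = PurlIndex()
    idx.add("pkg:npm/%40example/widget@1.2.3",
            {"license": "MIT", "origin": "https://example.invalid/widget.git",
             "advisories": ["EXAMPLE-ADVISORY-0001"]})
    idx.add("pkg:pypi/example-lib@2.0.0",
            {"license": "Apache-2.0", "origin": "https://example.invalid/example-lib",
             "advisories": []})
    idx.add("pkg:maven/org.example/libfoo@3.1?classifier=sources&type=jar",
            {"license": "EPL-2.0", "origin": "https://example.invalid/libfoo",
             "advisories": ["EXAMPLE-ADVISORY-0002"]})
    return idx


if __name__ == "__main__":
    idx = build_demo_index()
    for query in ("pkg:NPM/@example/widget@1.2.3",          # scope unencoded, type uppercased
                  "pkg:PyPI/Example_Lib@2.0.0",             # pypi name normalisation
                  "pkg:maven/org.example/libfoo@3.1?type=jar&classifier=sources",
                  "pkg:pypi/example-lib@9.9.9"):            # unknown version -> None
        print(query, "->", idx.lookup(query))
```

The point of the canonicalisation step is that the three differently spelled queries in the usage block resolve to the records stored under their canonical keys, while a version the index has never seen returns nothing rather than a near match; a federated node that skipped this step would silently diverge from its peers on the same package.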
D3.2 - BasicChain
Version 1.1
This deliverable presents the BasicChain implementation, providing a blockchain-based solution for secure and transparent tracking of compliance activities.
This initiative addresses the critical need for compliance tools among Small and Medium-sized Enterprises (SMEs) following the EU’s Cyber Resilience Act (CRA), which mandates “security by design,” vulnerability management, and documentation (like SBOM and VEX).
The OCCTET project delivers a holistic, integrated, open-source solution comprising:
- ORT Toolchain (ort-server): Provides automated dependency analysis, license scanning, vulnerability identification, policy evaluation, and generation of standard SBOMs (SPDX, CycloneDX), accessible via a central server and GUI.
- Occtet-Curator: An AI-supported web application for human-in-the-loop audit workflows, inventory management, and planned VEX generation to streamline compliance.
- Federated Database (VulnerableCode, etc.): Delivers essential, aggregated security vulnerability and reference data to enrich the SBOMs.
Work Package 5: Communication and Dissemination
D5.1 - Communication, Dissemination and Outreach Strategy
Version 1.1
This strategy document outlines the communication and dissemination activities planned to maximize the impact and reach of OCCTET’s results to the SME community and broader stakeholders.
The core objective is to raise awareness and drive the adoption of the toolkit, targeting at least 1,000 active users within the 24-month project duration. The strategy is executed in three phases:
- Pre-launch (M1–M8): Branding, anticipation building, and needs analysis workshops.
- Post-Launch (M9–M20): Active promotion through webinars, training, social media, and industry events.
- Sustainability (M20–M24): Ensuring long-term use and maintenance via knowledge transfer.
Key audiences include SMEs, Open-Source Developers, Regulatory Authorities, and European Digital Innovation Hubs (EDIHs). Communication leverages a multi-channel approach (website, LinkedIn, GitHub, events) tailored with key messages on “Simplifying CRA compliance” and “Open Source Security.”
About OCCTET Deliverables
All deliverables are produced as part of the OCCTET project, which is funded by the European Union. These documents are regularly updated as the project progresses. For the latest versions, please check this page regularly or subscribe to our newsletter.
For questions about any deliverable, please contact us.

