THE LINUX FOUNDATION PROJECTS

CRA tooling for SMEs by the OCCTET project

2026-03-26 · April 1st, 2026 · Featured

The goals of the OCCTET project are:

  1. Help SMEs understand and apply the CRA (Cyber Resilience Act): Make it simpler for SMEs (Small and Medium-sized Enterprises) to know what the rules are and how to follow them, which will improve their overall cybersecurity.
  2. Automate handling of Open Source Software (OSS) components: Develop tools that can automatically check open source parts of software for compliance.
  3. Increase visibility and impact: Make these tools widely available and promote a shared approach to data, using open source solutions themselves.

How OCCTET plans to achieve this (the Toolkit):

The project offers a step-by-step process:

  1. Input: SMEs or developers upload their project and its open source parts for analysis.
  2. Eclipse Apoapsis (Security and Compliance Automation Platform): This platform manages the scanning process and collects information from various tools, such as ORT (OSS Review Toolkit).
  3. OSS Review Toolkit (ORT): This is the core tool that scans the software and identifies its dependencies, licenses, and vulnerabilities.
  4. OCCTET Tools: Additional tools within OCCTET include a Compliance Checklist, a Conformity Evaluation Tool, and a Reporting Tool.
  5. Output: Finally, a CRA Readiness Report is generated, giving an overview of compliance and suggesting next steps.

Key components and standards discussed:

  • ORT-SERVER: This seems to be a central hub for compliance, connecting to various package ecosystems (such as Java, Node, and Python), pulling data on vulnerabilities and community metadata, and producing different report formats (SPDX, CycloneDX). It also includes an “Evaluator rule engine” and tools like ScanCode for code analysis.
  • Standards are crucial: The presentation emphasized that good data is useless without good standards. They highlighted the use of:
    • PURL (Package-URL) for identifying software packages.
    • SPDX License expressions for licenses.
    • SBOMs (Software Bill of Materials) and VEX (Vulnerability Exploitability eXchange), using formats like CycloneDX and SPDX for SBOMs, and CSAF/CycloneDX for VEX/VDR.
  • OCCTET Curator: This is a web application with AI integration to help manage security vulnerabilities, generate reports (SBOM, VEX/VDR), and support users in managing their open source components.
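
As an added illustration of how these standards fit together (example code written for this summary, not OCCTET's or ORT's own tooling), the following Python reads a constructed CycloneDX SBOM whose components are identified by PURL and licensed with SPDX expressions, and whose embedded VEX section closes out one finding as not affected. The component versions, vulnerability ids and license allowlist are made up for the example.

```python
import json
import re

# Constructed minimal CycloneDX 1.5 SBOM with an embedded VEX section
# (made-up component versions and vulnerability ids, not real data).
SBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.5",
 "components": [
  {"name": "lodash", "purl": "pkg:npm/lodash@4.17.20", "licenses": [{"expression": "MIT"}]},
  {"name": "gpl-lib", "purl": "pkg:maven/org.example/gpl-lib@1.0.0",
   "licenses": [{"expression": "GPL-3.0-only OR LGPL-3.0-only"}]},
  {"name": "requests", "purl": "pkg:pypi/requests@2.31.0", "licenses": [{"expression": "Apache-2.0"}]}],
 "vulnerabilities": [
  {"id": "EXAMPLE-VULN-0001", "affects": [{"ref": "pkg:npm/lodash@4.17.20"}],
   "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
  {"id": "EXAMPLE-VULN-0002", "affects": [{"ref": "pkg:pypi/requests@2.31.0"}]}]}"""
# Package-URL layout: pkg:type/namespace/name@version (namespace is optional).
PURL_RE = re.compile(
    r"^pkg:(?P<type>[a-z0-9.+-]+)/(?:(?P<namespace>[^@?#]+)/)?"
    r"(?P<name>[^/@?#]+)(?:@(?P<version>[^?#]+))?")
# CycloneDX VEX analysis states under which a finding needs no further action.
CLOSED_STATES = {"not_affected", "resolved", "resolved_with_pedigree", "false_positive"}

def parse_purl(purl):
    """Split a PURL into type/namespace/name/version, or None if malformed."""
    m = PURL_RE.match(purl)
    return m.groupdict() if m else None

def license_allowed(expression, allowed):
    """Evaluate a parenthesis-free SPDX expression against an allowlist (AND binds tighter than OR)."""
    return any(all(term.strip() in allowed for term in branch.split(" AND "))
               for branch in expression.split(" OR "))

def readiness(sbom_json, allowed):
    """Per component: license policy result and vulnerabilities not closed out by a VEX statement."""
    bom = json.loads(sbom_json)
    open_by_ref = {}
    for vuln in bom.get("vulnerabilities", []):
        if vuln.get("analysis", {}).get("state") in CLOSED_STATES:
            continue  # a VEX statement says this finding needs no action here
        for affected in vuln.get("affects", []):
            open_by_ref.setdefault(affected["ref"], []).append(vuln["id"])
    report = {}
    for comp in bom["components"]:
        purl = parse_purl(comp["purl"])
        expr = " AND ".join(lic["expression"] for lic in comp.get("licenses", []))
        report[comp["purl"]] = {"ecosystem": purl["type"] if purl else None,
                                "license_ok": license_allowed(expr, allowed),
                                "open_vulns": open_by_ref.get(comp["purl"], [])}
    return report
```

A component with no license entry evaluates to an empty expression and therefore fails the policy check, which is the conservative outcome for unknown licensing.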

CRA Self-Assessment and Timeline:

The project includes an OCCTET CRA Self-Assessment Platform (cra.occet.eu), which is a free web tool. It guides users through three questionnaires:

  1. Applicability & Role: “Does CRA apply to me?” – Helps identify whether the regulation applies, based on company role (manufacturer, importer, distributor) and product type, and clarifies exclusions.
  2. Classification & Conformity Route: “What level of assurance do I need?” – Helps classify the product (Default, Important, Critical) and determine the required conformity assessment (self-assessment, third-party, or certification).
  3. Readiness & Maturity Checklist: “How prepared am I?” – Evaluates current practices against CRA security requirements, assessing maturity (Basic, Intermediate, Advanced) and providing tailored improvement recommendations. This generates a visual readiness score, highlighting areas needing attention.

Overall, the OCCTET project is a European initiative, co-funded by the EU, aiming to create comprehensive tools and resources to simplify open source compliance and cybersecurity for SMEs, especially in light of upcoming regulations like the CRA. It focuses on practical, automated solutions and clear guidance to help businesses navigate these complex requirements. It was also mentioned during the presentation that OCCTET can be installed on a local machine, which should make it more accessible and encourage more people to try it.