OCCTET: An Open Source Lifeline for CRA Compliance in Europe

28.05.2025

Jitendra Palepu

Bitsea

Open Source Everywhere — And a New Challenge

On any given day, tech companies in Europe are shipping products with digital elements. Under the hood, chances are they are running a wealth of Open Source code. From encryption libraries to web frameworks, Open Source has become the backbone of digital innovation—indeed, a typical modern software product is often over 90% Open Source by codebase volume [1]. This ubiquity of Open Source is a double-edged sword: it accelerates development, but it also brings security and compliance worries. High-profile software supply-chain attacks and vulnerabilities have alarmed regulators, and now the European Union is stepping in with a sweeping new law to bolster cybersecurity. Enter the Cyber Resilience Act (CRA), a regulation that aims to ensure that all products with digital elements are cyber-safe by design. For companies large and small, the CRA is rapidly becoming the defining challenge of the moment.

The CRA introduces strict requirements for anyone producing or integrating digital products in the EU [2]. It essentially mandates that manufacturers “consider cybersecurity in the planning, design, development, production, delivery and maintenance” of products and document all cyber risks [2]. Perhaps its most daunting demand is that every software component must be continuously checked for vulnerabilities [2]. In practice, this means that if you are an SME building a digital product, you need to keep tabs on every Open Source library and every snippet of code throughout your product’s lifecycle. You must be able to prove (via audits and paperwork) that you have identified your software’s components and addressed any known security issues before your product hits the market – and long after, since the CRA imposes an ongoing duty to patch vulnerabilities for years. While pure Open Source projects released by hobbyists aren’t directly governed by the CRA, any commercial use of Open Source in a product brings that code under the compliance umbrella [2].

SMEs in the Crosshairs of Compliance

For Europe’s small and medium-sized enterprises (SMEs), which have leaned on Open Source to stay competitive, the CRA’s new obligations can feel overwhelming. Suddenly, a startup that was happily cobbling together Open Source components must inventory every line of code and produce a “cybersecurity certificate” of sorts for its product. It needs a Software Bill of Materials (SBOM) that lists all Open Source components, complete with licenses and vulnerability statuses, and processes to swiftly update or fix any component that goes rogue.

Creating a complete and correct SBOM is notoriously difficult and time-consuming [2]. It’s not enough to just list the declared dependencies from a package manager. What’s required is a deep scan of the codebase to uncover embedded code, transitive dependencies, snippets, and files copied without attribution. These components often sit below the surface, easily missed and skipped in shallow scans. Automated tools exist and can scan your codebase to spit out a list of components, but they are far from perfect. In real projects, Open Source pieces are often deeply embedded: a few files from one library copied here, a utility function borrowed there. These fragments might not be obvious at first glance, and scanners frequently miss them or misidentify them [2]. Conversely, scanners sometimes flag code as Open Source when it’s actually proprietary or so common it isn’t copyrightable – these are false positives that have to be manually curated. The result is that many firms still rely on painstaking manual audits by experts (or “Open Source auditors”) to validate and fill in the gaps in what automated tools find [2].

All of this can push costs and effort through the roof. One German SME recounted that auditing a complex product (for example, an Android-based system) to compile an SBOM and review all licenses can quickly run up six-figure euro costs [1]. For a medium-sized company, such unplanned expenses and delays can be ruinous. Yet ignoring compliance isn’t an option – the CRA carries the force of regulation, and non-compliance could mean blocked market access or hefty penalties. The Log4j vulnerability exposed a structural weakness in how we manage Open Source security: a single bug in a widely embedded dependency rippled across industries, catching even major enterprises off guard. The reality is that many companies, especially SMEs, simply don’t know which Open Source components are buried in their products, let alone how to track their risks [3]. A recent survey found that 68% of companies have no internal policy on Open Source usage, and most developers are aware of less than 10% of the Open Source components in their products [4]. In short, small businesses face a challenge: Open Source everywhere, new rules demanding detailed oversight, and insufficient tools or resources to bridge the gap.

From Problem to Solution: OCCTET


This is the context in which the OCCTET project was born. OCCTET, short for Open Source Compliance Comprehensive Tools and Resources, emerged as a collaborative response to the question on every SME owner’s mind: how on earth do we comply with the CRA without breaking the bank? The project’s mission is, at its core, to ensure that Europe’s Open Source-reliant businesses can thrive under the new rules rather than be crushed by them. Funded by the EU and bringing together a consortium of industry leaders, cybersecurity experts, and Open Source advocates, OCCTET is building a lifeline for SMEs in the form of a free, Open Source compliance toolkit [5].

The OCCTET toolkit aims to simplify and even automate large parts of the CRA compliance process for software that contains Open Source. Think of it as an all-in-one toolbox that an SME can incorporate and run to handle much of the heavy lifting: identifying Open Source components in its product, checking licenses and security issues, and generating the documentation needed for CRA conformity. The toolkit is still in development (OCCTET kicked off in late 2024). It will include components such as an intelligent scanner to build your SBOM, a compliance checklist and a self-assessment checklist to tell you which requirements you need to meet, and reporting tools to produce the necessary legal and security documents. All of it is designed to be easy to use and tailored to SME needs, based on extensive input from small businesses and Open Source developers during the project’s research phase [5]. In early 2025, OCCTET held workshops and surveys with SMEs to make sure their pain points are understood [5]. This user-driven approach ensures the toolkit is based on the real-world struggles that companies described, from confusion about the CRA’s legal lingo to frustration with existing scanning tools.

The project itself relies on Open Source by building its toolchain on existing Open Source compliance software, notably the OSS Review Toolkit (ORT) and ScanCode (developed by AboutCode). These are both well-established frameworks for scanning code bases and managing Open Source findings. By building on these tools, OCCTET can focus on adding functionality rather than reinventing the wheel. The consortium behind OCCTET includes organizations like the Eclipse Foundation, AboutCode, the European DIGITAL SME Alliance, and specialized companies that each bring expertise to a different part of the puzzle. Bitsea is leading the charge on some of the toolkit’s most innovative features. The project is currently in development, with the final version of the OCCTET toolkit expected to be released by mid-2026, ahead of the anticipated full enforcement phase of the Cyber Resilience Act.

Bitsea’s Role in OCCTET: AI-Powered Compliance Assistance

Bitsea is contributing something special with a dose of artificial intelligence aimed at the gnarliest compliance challenges. If the OCCTET toolkit is the car taking you to CRA compliance, think of Bitsea’s contributions as the smart navigation system that helps you steer around potholes and traffic jams automatically. The focus is on making the toolkit not just comprehensive, but intelligent and efficient where it matters most.

One area Bitsea is researching is a “license curation autopilot.” In a typical compliance audit, after a tool scans your code and lists 100 Open Source components, someone has to go through that list and verify the licenses. “Is this component truly MIT-licensed, or did it switch to a copyleft license in a recent version?” “Is this a valid copyright?” “Did the developer include a custom license exception in a README file?” These nuances are critical, as misidentifying a license could mean missing a legal obligation. Today, compliance experts handle this manually, comparing scan results with known databases and their own experience. Bitsea’s plan is to embed AI support into the toolkit’s license checker to automate much of this curation work. The AI can be trained on the huge corpus of Open Source licensing data out there, from standard licenses to the quirks of specific projects, and learn to recognize patterns. For example, if a component’s metadata is incomplete, the AI might look at the file headers, code snippets, or even historical version information to infer what license applies; it can quickly cross-reference multiple sources. By supporting the license analysis with AI, the toolkit can suggest the correct license classifications and even fill in missing details with a high degree of confidence, leaving the human expert to review and confirm the tough cases. This not only saves time, but also helps prevent human error in an area where mistakes can be costly.

Furthermore, Bitsea is exploring the use case of AI-backed filtering of false positives – essentially, cutting through the noise that plagues Open Source scanning. Anyone who’s run an Open Source scan knows the result can be a tangled list: you might see dozens of entries that aren’t actually separate components but fragments or duplicates. The scanner might flag a piece of code as “GPL-licensed” because it found the word “GPL” in a comment, when that comment was merely referencing something else. Bitsea’s work uses AI to detect these false positives and duplicates automatically, so the toolkit can present a cleaner SBOM. For example, through pattern recognition, the system can learn to identify that the suspicious “GPL” hit is not a licensed component at all. This has huge implications for efficiency: it means the SME’s engineers won’t waste time chasing ghosts in the machine. Instead, they can focus on the real issues, the genuine Open Source components that need attention. Bitsea’s AI essentially adds a filter to the process, one that gets smarter over time as it sees more examples of what’s a true positive vs. a false alarm.
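To make the “GPL in a comment” case concrete, here is an added example (not OCCTET or Bitsea code) that triages scanner hits with plain rules instead of the AI model described above: a hit survives only when the matched line looks like a license declaration, not an incidental mention. The regexes, the `Hit` record and the sample hits are all constructed for illustration.

```python
"""Rule-based triage of license-scanner hits (added example, not OCCTET or Bitsea code).
Stands in for the AI filter described above: a hit is kept only when the matched line
reads like a license declaration (SPDX tag or licensing statement), not a passing
mention of a license name. Patterns and sample hits are constructed for illustration.
"""
import re
from dataclasses import dataclass

LICENSE_NAMES = r"(GPL|LGPL|AGPL|MIT|BSD|Apache|MPL)"
# Strong evidence: an explicit SPDX tag, or a "licensed under ..." style statement.
SPDX_TAG = re.compile(r"SPDX-License-Identifier:\s*[A-Za-z0-9.+\-]+")
DECLARATION = re.compile(
    r"(licensed under|distributed under|released under|terms of)\b.{0,40}\b" + LICENSE_NAMES,
    re.IGNORECASE,
)
# Weak evidence: a bare license name, e.g. in a TODO comment or a documentation link.
MENTION = re.compile(r"\b" + LICENSE_NAMES + r"\b", re.IGNORECASE)

@dataclass
class Hit:
    path: str
    line: str             # the source line the scanner matched
    scanner_license: str  # what the scanner claimed, e.g. "GPL-2.0"

def classify_hit(hit: Hit) -> str:
    """Return 'declaration', 'mention' or 'none' for one scanner hit."""
    if SPDX_TAG.search(hit.line) or DECLARATION.search(hit.line):
        return "declaration"
    if MENTION.search(hit.line):
        return "mention"
    return "none"

def curate(hits):
    """Split hits into (kept, dropped); only declaration-backed hits are kept."""
    kept = [h for h in hits if classify_hit(h) == "declaration"]
    dropped = [h for h in hits if classify_hit(h) != "declaration"]
    return kept, dropped

# Constructed sample hits, shaped like a scanner's per-file findings.
SAMPLE_HITS = [
    Hit("src/util.c", "// SPDX-License-Identifier: GPL-2.0-only", "GPL-2.0-only"),
    Hit("src/parse.c", "/* Licensed under the terms of the MIT License. */", "MIT"),
    Hit("src/net.c", "// TODO: the upstream GPL fork handles IPv6 differently", "GPL-2.0"),
    Hit("docs/notes.md", "Background: https://www.gnu.org/licenses/gpl-3.0.html", "GPL-3.0"),
]

if __name__ == "__main__":
    for h in curate(SAMPLE_HITS)[1]:
        print("drop", h.path, h.scanner_license, "->", classify_hit(h))
```

Dropped hits should stay in the audit log with their classification, so a reviewer can confirm the filter did not discard a real declaration.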

Another notable feature in development is an AI-assisted writing helper designed to support the repetitive documentation tasks that arise during license curation. In curation and auditing workflows, compliance analysts frequently write similar investigative comments when documenting license findings, often repeating sentence structures and phrasing. The toolkit, with Bitsea’s enhancements, will offer autocomplete suggestions or templated text blocks to streamline this process. For instance, when documenting a BSD-3-Clause license finding, the system could pre-fill a standardized justification that analysts can tweak as needed. While this doesn’t replace the human in final documentation, it significantly reduces the manual writing overhead during the audit phase.

In auditing and curation workflows, test files often clutter the scan results. These files, meant only for internal validation, never make it into the final product, and yet they get swept up in audits, triggering license checks and creating unnecessary noise. At Bitsea, we saw how much time teams lose chasing down irrelevant license flags from test directories. That’s why, as part of our work in OCCTET, we’re developing an automated method to identify and exclude test code from compliance scans altogether. By teaching the toolkit to recognize the patterns and paths typical of test code, we aim to streamline audits so that only what truly matters gets attention. It’s a small fix with a big payoff: clearer results, faster curation, and one less obstacle for SMEs trying to stay compliant under the CRA.
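As an added illustration of the path-based exclusion described above (example code, not OCCTET’s or Bitsea’s own method), the following classifies files as test code from directory and filename conventions across several language ecosystems; the pattern set, the `is_test_code`/`partition` helpers and the sample paths are assumptions constructed for this example.

```python
"""Path-based exclusion of test code from compliance scans (added example, not OCCTET code).
Stands in for the pattern-based method described above: a file counts as test code when
its path follows directory or filename conventions common in Python, Go, JavaScript,
Java, Ruby and C/C++ projects. Patterns and sample paths are constructed; tune them
to your own codebase.
"""
import re
from pathlib import PurePosixPath

# Directory names that by convention hold only tests or test fixtures.
TEST_DIRS = {"test", "tests", "__tests__", "spec", "specs", "testdata", "fixtures"}
# Filename conventions: test_x.py, x_test.go, x.test.js, x.spec.ts, XTest.java, x_unittest.cc
TEST_FILE = re.compile(
    r"^(test_.*|.*_test\.(go|py|c|cc|cpp)|.*\.(test|spec)\.[jt]sx?"
    r"|.*Tests?\.java|.*_unittest\.(cc|cpp))$"
)

def is_test_code(path: str) -> bool:
    """True if any parent directory or the filename itself marks the file as test code."""
    p = PurePosixPath(path)
    if any(part.lower() in TEST_DIRS for part in p.parts[:-1]):
        return True
    return bool(TEST_FILE.match(p.name))

def partition(paths):
    """Split scanner input into (product, excluded) so auditors can review both lists."""
    product = [p for p in paths if not is_test_code(p)]
    excluded = [p for p in paths if is_test_code(p)]
    return product, excluded

# Constructed sample of paths a scanner would walk.
SAMPLE_PATHS = [
    "src/crypto/aes.c",
    "src/crypto/aes_test.c",
    "tests/fixtures/sample_key.pem",
    "lib/parser/__tests__/parser.test.js",
    "app/models/user.rb",
    "spec/models/user_spec.rb",
    "vendor/zlib/inflate.c",
    "vendor/zlib/test/minigzip.c",
    "src/main/java/com/acme/Parser.java",
    "src/test/java/com/acme/ParserTest.java",
]

if __name__ == "__main__":
    product, excluded = partition(SAMPLE_PATHS)
    print("scan:", *product, sep="\n  ")
    print("excluded as test code:", *excluded, sep="\n  ")
```

Keep the excluded list in the audit record: if a test directory is actually shipped (for example in a source distribution), its files are product code and belong back in the scan.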

The benefits of OCCTET extend beyond individual businesses. By making CRA compliance attainable for SMEs, OCCTET helps ensure that Europe’s overall cybersecurity posture is strengthened across the entire supply chain, not just in big corporations. OCCTET’s toolkit is under active development, and the consortium is engaging with stakeholders. European SMEs, cybersecurity professionals, Open Source maintainers, and policy experts all have a role to play in this unfolding narrative. The project’s community-driven approach means that feedback and contributions are welcome.