OCCTET (Open-source Compliance: Comprehensive Techniques and Essential Tools) is an EU-funded project designed to help SMEs and open-source developers understand and implement the requirements of the EU Cyber Resilience Act (CRA). It is not an EDR, WAF, or SOC platform in the traditional sense. Instead, it is an open-source toolkit focused on open-source software integration, software supply chain transparency, and the creation of compliance evidence.
Based on the project materials, OCCTET covers CRA self-assessment, compliance checklists, conformity assessment specifications, automated assessment tools, a federated OSS component assessment database, catalogs of dependency analysis tools, and reporting tools. Its published test scenarios also describe running a full dependency analysis on a product's source code repository, checking dependency versions and dependency management practices, identifying known vulnerabilities across all dependencies, generating standardized SBOMs, and producing additional compliance and audit materials. The underlying toolchain is built on the open-source OSS Review Toolkit (ORT) and ORT Server, with further enhancements being developed as part of the project.
The project explicitly emphasizes that it is free and open source. The self-assessment tool is free to use, and SMEs or open-source projects selected for the testing phase can also receive automated analysis at no cost, provided they give feedback. In terms of deployment, the materials describe a web-based self-assessment tool and a model in which the OCCTET toolchain analyzes source code repositories on the project's side. The data processing environment is hosted in Europe in an ISO 27001-certified hosting environment. There is no disclosed information on self-hosted deployment, SaaS subscriptions, APIs, CI/CD plugins, or enterprise pricing.
Its main strength is its highly focused positioning: around CRA, SMEs, and FOSS scenarios, it turns regulatory language into actionable workflows such as self-assessment, dependency analysis, SBOM generation, and reporting. Being free and open source also lowers the barrier for SMEs to try it. Participation from ecosystems such as the Eclipse Foundation should help the project gather feedback from the open-source community. The main limitation is that the project is still in the tool development, early testing, and community co-creation stage, with limited information on maturity, long-term support, alerting mechanisms, permission management, and enterprise-grade integration capabilities. Its core value is compliance preparation and software supply chain analysis, so it should not be seen as a replacement for runtime security protection products.
OCCTET is better suited for software and hardware SMEs targeting the European market that need to assess their CRA obligations, as well as open-source projects looking to map dependencies, vulnerabilities, and SBOMs. Chinese companies exporting digital products to the EU could use it as a reference tool for CRA pre-assessment and open-source compliance. The materials do not provide information on access from mainland China, payment, or local services, so its accessibility from China should be considered unknown. If domestic implementation support is required, local software supply chain security, SBOM, SCA, or compliance consulting providers could be used as alternatives or complements.
⚠ This review is compiled from public sources and does not constitute a purchase recommendation. Verify all facts on the official occtet.eu site.
occtet.eu is listed by TG4G in the EU Legal & Tax category. TG4G tracks its product information, assigns it an overall rating of 7.0/10, and records a China-accessibility score of "Workable"; note that the project materials themselves disclose nothing about access from mainland China, so that score reflects TG4G's own assessment rather than vendor information.