The Eclipse Foundation today launched an Open Source Compliance: Comprehensive Techniques and Essential Tools (OCCTET) project specifically designed to help smaller organizations comply with the Cyber Resilience Act (CRA) enacted by the European Union (EU).
Scheduled to take effect by September 2026, the CRA defines a mandatory set of cybersecurity requirements for all digital products, including software, sold in the EU, that apply to manufacturers, software vendors and maintainers of open-source software projects.
The OCCTET project is creating a toolkit that includes a CRA compliance checklist, conformity assessment specifications, automated evaluation methods and tools, a federated database for publishing assessments of open source software components, inventories of automatic dependency analysis tools, and a reporting tool for generating documentation and evidence. At the same time, the Eclipse Foundation last year set up an Open Regulatory Compliance (ORC) Working Group, which today also announced that Microsoft, Red Hat, ekxide, GitHub, Google and Open Source Matters have joined. In total, the ORC Working Group now has more than 50 member organizations, including Nokia and Mercedes-Benz.
The overall goal is to make it simpler for organizations, whatever executives may feel about the regulation, to achieve and maintain CRA compliance.
Thabang Mashologu, vice president of community and outreach for the Eclipse Foundation, said the OCCTET project, in addition to streamlining compliance workflows for smaller organizations, can also serve as a framework for larger organizations that will eventually require a more comprehensive framework of their own. In the meantime, however, organizations of all sizes should be cognizant of the simple fact that they now have little more than a year to achieve CRA compliance, he added.
Less clear is the degree to which the CRA might prove to be the foundation upon which all other compliance frameworks are based. Given its current scope, organizations that achieve CRA compliance should be able to comply more easily with almost any other set of requirements that might be applied in other countries or in a highly regulated industry. In fact, this is not the first time that a regulation defined by the EU has wound up being the de facto foundation upon which workflows around the world are based, simply because organizations generally prefer to keep business processes as consistent as possible from one region to another.
Of course, each organization will need to determine to what degree CRA requirements might force it to abandon operating in Europe because the regulations have become too onerous. Hopefully, however, the CRA will improve the overall state of cybersecurity by raising the compliance bar. After all, far too many organizations still seek only to achieve the bare minimum level of cybersecurity and resiliency required by the regulations that apply to them. Those same organizations, of course, are more often than not the ones victimized by cybercriminals, who usually have a much keener appreciation for the limitations of existing compliance regulations.
Ultimately, each organization will need to determine for itself to what degree CRA requirements apply to it, but at the very least, there is now a requirement that, hopefully, in the age of artificial intelligence (AI), will continue to become easier to achieve and maintain.