OSCRAT, created to support European small and medium-sized enterprises (SMEs) in meeting the requirements of the Cyber Resilience Act (CRA), is now moving into an active phase. The project, in which PMF Research (the R&D center of the JO Group) is proudly involved as a partner, aims to develop a free and open-source tool to help companies assess their cybersecurity systems.
Between September and December 2025, four training sessions were organized to clarify CRA compliance obligations. The sessions covered key topics such as cybersecurity regulations and standards. Recordings of the sessions will be available on the OSCRAT website.

WP2 completed and beta release in February 2026
Work Package 2 has been successfully completed, resulting in the Comprehensive Project Requirements Document, which brings together all the feedback collected through surveys and meetings with SMEs.
In addition, the beta version of the OSCRAT toolset will be available starting in mid-February 2026. All participating stakeholders are therefore invited to take part in the survey, which will help shape the final version of the tool.
Workshops scheduled from January to April 2026
Between January and April 2026, OSCRAT will organize a series of workshops enabling European SMEs to apply what they learned during the training phase. Each workshop will address specific aspects of CRA compliance, such as required technical documentation, vulnerability management, risk management, and more. Each session will be followed by a practical demonstration showing how OSCRAT simplifies the path to compliance.
Here is the full program:
Workshop 1 – January 28, 2026: technical documentation and CRA compliance
The first workshop will focus on the documentation requirements set out by the CRA, product relevance assessment, and audit evidence.
Workshop 2 – February 23, 2026: incident management
The second workshop will focus on incident management, the creation of detailed reports, and ensuring traceability.
Workshop 3 – March 30, 2026: vulnerability management
The third workshop will explain how to use OSCRAT tools to monitor and manage vulnerabilities.
Workshop 4 – April 27, 2026: risk management
The fourth and final workshop will cover risk identification and prioritization, as well as the types of risk treatment required to achieve full CRA compliance.

BCC2025 and the CRA Standards Unlocked EU Tour in Zagreb
The Bucharest Cybersecurity Conference (BCC2025) has already demonstrated that OSCRAT tools can effectively support SMEs in achieving CRA compliance. In addition, on January 20, 2026, an OSCRAT delegation took part in the CRA Standards Unlocked EU Tour event in Zagreb, which brought together cybersecurity experts from around the world.
Why OSCRAT
OSCRAT was created because CRA compliance is not a one-time goal, but an ongoing process that must be built and maintained every day through continuous improvement and regular updates.
The key takeaways from the training sessions include:
- CRA compliance must be maintained throughout the entire lifecycle of SMEs;
- evidence is the product: it can only be considered secure if it aligns with all relevant security standards;
- alignment with standards is essential to ensure compliance;
- OSCRAT accelerates and simplifies the path to CRA compliance.
The workshops will also provide actionable workflows and demonstrate how the tools developed within the project can truly simplify CRA compliance.
Join the workshops and follow us on LinkedIn
As an OSCRAT partner, PMF Research invites European SMEs and cybersecurity professionals to register for the workshops. For further updates, follow us on LinkedIn.
Cybersecurity is no longer optional, and OSCRAT represents a unique initiative to strengthen the cyber resilience of SMEs across Europe.
If you would like to learn more about OSCRAT or similar projects, get in touch by filling out the contact form at the bottom of the page or emailing [email protected].


