Open-Source Ammo for EU Compliance: Tropic Square Joins the CCAT Project

‍

Let’s be real: EU cybersecurity regulations are getting tighter, and navigating the compliance landscape is increasingly complex. Between the Cybersecurity Act (CSA) and the Cyber Resilience Act (CRA), manufacturers of electronic devices, R&D teams, and security researchers are staring down a daunting new reality.

But compliance doesn't have to be a black-box nightmare. That is where the Cybersecurity Certification and Assessment Tools (CCAT) project comes in, and why Tropic Square is getting involved.

Funded by a €4.2 million Horizon Europe grant and coordinated by Masaryk University, CCAT is on a three-year mission to bridge the gap between heavy-duty academic research and the trenches of the tech industry. The goal? To take four cutting-edge, academic security assessment and auditability tools and forge them into practical, open-source utilities that device manufacturers, users, pentesters, and regulatory bodies can actually use.

What’s Being Built?
CCAT is redesigning and upgrading four core tools for real-world deployment:

• SCRUTINY: A versatile toolkit for evaluating cryptographic implementations in hardware devices (like smart cards) and software libraries, even in black-box setups.
• ALVIE: A specialized tool engineered to test the security architectures of embedded systems for high-level vulnerabilities.
• TLS-Scanner: A utility for evaluating operational system security by hunting down vulnerabilities and configuration flaws in TLS clients and servers.
• sec-certs: A platform that maps out the certification landscape, tracking the messy dependencies between certified products and emerging vulnerabilities.

Tropic Square’s Role: Keeping It Real for Hardware Security.
Academic tools are brilliant, but they need to survive contact with the real world. That is where we come in. Tropic Square is an active, associated partner in the CCAT project involved mainly in the requirement phase and testing.

We aren't just cheering from the sidelines; we are driving the feedback loop. As a start-up explicitly focused on security hardware, we are directly helping the consortium shape the tools through "purpose-driven enhancements". By testing these tools in diverse, practical application scenarios, we are ensuring they meet the gritty, day-to-day needs of developers, security and system solution architects.

We want to make sure that tools like SCRUTINY and sec-certs are completely optimized for evaluating cryptographic implementations and testing embedded security architectures.

We believe that navigating EU security certifications shouldn't require a crystal ball. By helping to operationalize these open-source tools, Tropic Square is working alongside top European universities and industry leaders to empower the ICT community. Whether you are designing the next generation of hardware, conducting deep-dive pentests, or leading R&D, CCAT will give you the transparent, accessible tools you need to secure your systems and confidently meet EU standards.

‍