A Quick History of SBOM Requirements in the EU
Before the EU Cyber Resilience Act (CRA), there were no specific, EU-wide legal requirements mandating the use of software bills of materials (SBOMs). However, there were related frameworks and industry guidance that touched on software supply chain transparency or product cybersecurity. Here’s a brief overview of what came before:
- EU Cybersecurity Act (2019): Established ENISA (the EU cybersecurity agency) as a permanent agency and created a voluntary cybersecurity certification framework for ICT products. SBOMs were not required, but some certification schemes encouraged component transparency as a best practice.
- ETSI Standards: ETSI (European Telecommunications Standards Institute) first published standards for consumer IoT security in June 2020. These recommended maintaining a list of third-party software and managing known vulnerabilities, which aligns with SBOM principles, but “SBOM” did not explicitly appear in the standards.
- NIS Directive (2016) and NIS2 (2022 update): Focused on network and information system security, particularly for essential services. While NIS2 raised expectations for software supply chain security, it still did not mandate SBOMs.
- BSI TR-03183 Part 2 (2024): SBOMs became mandatory in the 2.0 release of this German BSI technical guideline. The EU CRA, adopted later in 2024, takes up the mandatory SBOM requirement from this document.
What Is the EU Cyber Resilience Act?
The EU Cyber Resilience Act (CRA) is a landmark regulation introduced by the European Commission to strengthen cybersecurity requirements for digital products sold in the EU. It applies to manufacturers, importers, and distributors of hardware and software with software components—ranging from smart devices to enterprise software—and requires them to build cybersecurity into their products from design through the entire lifecycle. The CRA’s goal is to reduce vulnerabilities, improve transparency around known risks, and ensure companies are accountable for maintaining product security, including after a product is released on the market.
By enforcing baseline security requirements and mandatory incident reporting, the CRA represents a shift from voluntary guidelines to legally binding obligations, positioning the EU as a global leader in regulating software and device security.
EU CRA Timeline
- Proposal Submission: September 15, 2022
- Political Agreement Reached: December 1, 2023
- European Parliament Approval: March 12, 2024
- Council Adoption: October 10, 2024
- Entry into Force: December 10, 2024
- Main Obligations Applicable From: December 11, 2027
An Overview of What the EU CRA Says About SBOMs
The European Union’s Cyber Resilience Act (CRA) mandates that manufacturers of products with software components create and maintain a software bill of materials (SBOM). This SBOM must be in a commonly used, machine-readable format and include, at a minimum, the top-level dependencies of the product.
While the CRA does not require manufacturers to make the SBOM publicly available, they must include it in the product’s technical documentation and provide it to market surveillance authorities upon request. The European Commission is empowered to specify the exact format and elements of the SBOM, potentially aligning with international standards.
An Introduction to SBOMs
A software bill of materials (SBOM) is a detailed inventory of all the components that make up a software application, including libraries, packages, and dependencies. Much like an ingredient list for packaged food, an SBOM provides transparency into what’s inside a piece of software—critical for identifying and managing security vulnerabilities, especially in third-party or open-source code.
Learn about the role that SBOMs play in the security of your organization in this white paper.
Steps to Prepare for the CRA SBOM Requirements
- Generate SBOMs for all software products: Create a software bill of materials for every digital product you manufacture or distribute in the EU. The SBOM should list all top-level software components and be formatted in a commonly used, machine-readable standard (e.g., SPDX, CycloneDX, or SWID). Ensure it’s included in your product’s technical documentation.
- Automate vulnerability scanning: Use automated tools to continuously scan components listed in your SBOMs for known vulnerabilities. Integrate scanning into your CI/CD pipeline to detect issues early and maintain a real-time view of software risks.
- Maintain a secure software development lifecycle (SSDLC): Embed security best practices throughout the product development process—from design and coding to testing and deployment. This includes threat modeling, code reviews, dependency management, and secure update mechanisms.
- Document security policies and remediation processes: Maintain clear internal documentation outlining your approach to identifying, assessing, and remediating vulnerabilities. This documentation may be requested by market surveillance authorities under the CRA.
- Collaborate with suppliers and partners on SBOM exchange: Ensure you can access and verify SBOMs from upstream software vendors and third-party suppliers. Establish trusted, standardized channels to receive, share, and validate SBOM data across your software supply chain.
- Learn how Anchore SBOM automates SBOM ingest (in all standard formats) and SBOM export to downstream customers of your product/service (in each vendor's preferred format).
CRA SBOM Compliance Checklist for Manufacturers (by December 2027)
- Generate a software bill of materials (SBOM) for each product
- Include top-level software components
- Use a commonly used, machine-readable format (e.g., SPDX, CycloneDX)
- Include the SBOM in the product’s technical documentation
- Make documentation available to EU market surveillance authorities upon request
- Keep SBOMs up to date throughout the product lifecycle with regular or automated SBOM management
- Reflect changes due to patches, component updates, or software modifications
- Request SBOMs or component lists from third-party suppliers for supply chain coordination
- Ensure third-party software components are accounted for in your own SBOM
- Monitor developments from the European Commission regarding specific SBOM format requirements
- Be prepared to align with additional formatting or content specifications as they are released
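The checklist items above (and the "generate SBOMs" step earlier) can be turned into an automated pre-submission check. The following Python script is an added example, not code from the original post or from Anchore; it parses a CycloneDX JSON SBOM and reports the gaps a reviewer would notice first: the product itself not identified, no top-level dependencies listed, a top-level dependency referenced but never declared as a component, or a component without a version (which makes vulnerability matching impossible). The SBOM content, product name and package references are constructed for the example.

```python
"""Check a CycloneDX JSON SBOM against the CRA minimum: machine-readable,
top-level dependencies enumerated, every referenced component accounted for."""
import json

# Constructed sample SBOM (not a real product): one application with three
# top-level dependencies; zlib lacks a version and one ref is never declared.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "name": "acme-gateway",
                               "version": "2.3.0",
                               "bom-ref": "pkg:app/acme-gateway@2.3.0"}},
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.13",
         "bom-ref": "pkg:generic/openssl@3.0.13"},
        {"type": "library", "name": "zlib", "bom-ref": "pkg:generic/zlib"},
    ],
    "dependencies": [
        {"ref": "pkg:app/acme-gateway@2.3.0",
         "dependsOn": ["pkg:generic/openssl@3.0.13", "pkg:generic/zlib",
                       "pkg:generic/missing@1.0"]},
    ],
})


def check_sbom(text: str) -> list:
    """Return a list of findings; an empty list means the SBOM passes."""
    findings = []
    try:
        bom = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not machine-readable JSON: {exc}"]
    if bom.get("bomFormat") != "CycloneDX":
        findings.append("bomFormat is not CycloneDX")
    # The product must be identified so its dependency entry can be located.
    top = bom.get("metadata", {}).get("component", {}).get("bom-ref")
    if not top:
        findings.append("metadata.component.bom-ref missing: product not identified")
    refs = {c.get("bom-ref"): c for c in bom.get("components", [])}
    for comp in refs.values():
        if not comp.get("version"):
            findings.append(f"component {comp.get('name')} has no version "
                            "(cannot be matched against advisories)")
    deps = {d.get("ref"): d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    top_deps = deps.get(top, [])
    if not top_deps:
        findings.append("no top-level dependencies listed for the product")
    for dep in top_deps:  # every top-level dependency must be a declared component
        if dep not in refs:
            findings.append(f"top-level dependency {dep} not declared in components")
    return findings


if __name__ == "__main__":
    for finding in check_sbom(SAMPLE_SBOM):
        print("FINDING:", finding)
```

Running it against the constructed SBOM reports the unversioned zlib component and the undeclared dependency; run it over your own exported SBOM files before placing them in the technical documentation.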
Final Thoughts
The Cyber Resilience Act reinforces the global movement toward greater transparency in the software supply chain. By proactively integrating SBOMs into your development and documentation processes now, your organization can stay ahead of compliance requirements and reduce risk. Taking early action not only streamlines future audits and reporting but also helps avoid costly remediation efforts and potential non-compliance penalties down the line.
Interested in learning about all of the software supply chain use cases that SBOMs enable? Read our new white paper and start unlocking enterprise value.