SBOM Service

What is a Software Bill of Materials?

A Software Bill of Materials (SBOM) is a detailed, machine-readable inventory of all software components, libraries, packages, and dependencies that make up your digital product. Think of it as an ingredient list for your software—it provides complete transparency into what's inside, enabling you to identify and manage security risks effectively.

An SBOM typically includes component names and versions, dependencies and relationships between components, license information for all software, vulnerability and security metadata, supplier and vendor details, and patches or security advisories.

Why does an SBOM matter? First, it provides supply chain transparency so you know exactly what's in your software. Second, it enables rapid vulnerability response by helping you quickly identify which components are affected by a newly published advisory. Third, it supports license compliance by tracking open-source obligations. Fourth, it supports security incident response by allowing you to assess the impact of a breach quickly. Finally, it supports regulatory compliance by helping you meet CRA, DORA, and other requirements.

SBOM: A Mandatory CRA Requirement

The EU Cyber Resilience Act (CRA) mandates that all manufacturers of products with digital elements create and maintain a Software Bill of Materials. This isn't optional—it's a legal requirement for selling in the EU.

What's Required

The CRA requires SBOMs in a machine-readable format such as SPDX, CycloneDX, or SWID. Your SBOM must include all top-level software components and versions, vulnerability and security information, license information, and supplier and third-party software details.
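As an added example (not code from this service page or any SBOM tool), the following Python check audits a CycloneDX JSON document for the content listed above: a machine-readable format marker, supplier details, and a name, version, and license for every component. The sample document, component names, and the check itself are constructed here for illustration; it is a starting point for an internal completeness review, not a formal conformance test.

```python
import json

# Constructed sample CycloneDX 1.5 JSON document (not taken from any real product).
# The first component is complete; the second lacks a version, license, and supplier.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "component": {"name": "example-device-firmware", "version": "2.3.0"},
        "supplier": {"name": "Example Manufacturer GmbH"},
    },
    "components": [
        {"type": "library", "name": "zlib", "version": "1.3.1",
         "supplier": {"name": "zlib project"},
         "licenses": [{"license": {"id": "Zlib"}}]},
        {"type": "library", "name": "libfoo", "licenses": []},
    ],
    "vulnerabilities": [],  # CycloneDX 1.4+ section for known-vulnerability data
})

REQUIRED_TOP_LEVEL = ("bomFormat", "specVersion", "metadata", "components")


def audit_sbom(raw: str) -> list[str]:
    """Return human-readable gaps: document-level fields first, then per component."""
    sbom = json.loads(raw)
    findings = []
    for key in REQUIRED_TOP_LEVEL:
        if key not in sbom:
            findings.append(f"document: missing '{key}'")
    if sbom.get("bomFormat") != "CycloneDX":
        findings.append("document: bomFormat is not CycloneDX")
    if not sbom.get("metadata", {}).get("supplier", {}).get("name"):
        findings.append("document: product supplier not declared")
    if "vulnerabilities" not in sbom:
        findings.append("document: no vulnerability section")
    for comp in sbom.get("components", []):
        label = comp.get("name") or "<unnamed>"
        if not comp.get("name"):
            findings.append("component: missing name")
        if not comp.get("version"):
            findings.append(f"{label}: missing version")
        if not comp.get("licenses"):
            findings.append(f"{label}: missing license information")
        if not comp.get("supplier", {}).get("name"):
            findings.append(f"{label}: missing supplier")
    return findings


if __name__ == "__main__":
    for finding in audit_sbom(SAMPLE_SBOM):
        print(finding)
```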

When It's Due

The compliance deadline is December 2027. It applies to all products with digital elements, and the obligations fall on manufacturers, importers, and distributors selling in the EU.

What Happens If You Don't Comply

Non-compliance carries serious consequences. Market surveillance authorities can impose penalties, products can be recalled from the EU market, you may face legal liability for security incidents, and significant fines and reputational damage can result.

The Opportunity

Companies that prepare early gain competitive advantage. You can demonstrate security commitment to customers, reduce time-to-market for EU sales, build trust with regulators, and establish secure development practices.