← CRA Glossary
Technical Security

Software Bill of Materials (SBOM)

An SBOM is a formal, machine-readable inventory of all software components — including open-source libraries, third-party dependencies, and firmware packages — that make up a product. The EU Cyber Resilience Act requires manufacturers to maintain an SBOM as part of their technical documentation.

An SBOM is a formal, machine-readable inventory of all software components — including open-source libraries, third-party dependencies, and firmware packages — that make up a product. The EU Cyber Resilience Act requires manufacturers to maintain an SBOM as part of their technical documentation.

Technical Security
Free CVD portal →

What Is an SBOM?

A Software Bill of Materials (SBOM) is a structured, machine-readable list of every software component that contributes to a product — analogous to an ingredients list on food packaging. It records each component's name, version, supplier, licence, cryptographic hash, and relationship to other components. The three dominant SBOM formats are CycloneDX (OASIS standard, widely used in Europe), SPDX (Linux Foundation / ISO/IEC 5962), and SWID Tags (ISO/IEC 19770-2). CycloneDX v1.5+ additionally supports hardware components and vulnerability data (VEX), making it particularly well-suited for embedded and IoT product manufacturers subject to the CRA.

CRA reference:Article 13(3), Annex I Part II

SBOM Requirements Under the CRA

Annex I Part II, §1 of the CRA requires manufacturers to identify and document components in their products, including third-party and open-source software. Article 13(3) requires this information to be maintained as part of technical documentation throughout the product support period. Practically, this means:

  • An SBOM must be generated at build time and updated with each release.
  • The SBOM must cover all components, including transitive dependencies.
  • It must be available to market surveillance authorities on request.
  • Manufacturers must monitor SBOM components against vulnerability feeds (CVE/NVD) to detect newly disclosed vulnerabilities affecting their products.

Public customer-facing SBOM disclosure is not explicitly required, but is increasingly expected by enterprise buyers.

CRA reference:Article 13(3), Annex I Part II

Generating and Maintaining SBOMs

For most manufacturers, SBOM generation is integrated into the build pipeline:

  1. Source-level scanning — tools analyse package manifests (npm, Maven, pip, Cargo, Conan) to enumerate declared dependencies.
  2. Binary analysis — for firmware and compiled artefacts, binary SCA tools identify components not visible from source alone.
  3. SBOM signing — the generated SBOM document is signed to ensure authenticity and detect tampering.
  4. Continuous monitoring — the SBOM is submitted to a vulnerability intelligence feed; new CVEs matching component versions trigger triage workflows.

Key tools in the CycloneDX ecosystem include Syft, cdxgen, and Dependency-Track (monitoring). SPDX tooling includes SPDX Tools and FOSSology.

CRA reference:Article 13(3), Annex I Part II

Common SBOM Mistakes

Manufacturers building SBOM programmes frequently encounter:

  • Incomplete dependency graphs — capturing only direct dependencies misses transitive vulnerabilities, which account for the majority of supply chain risks.
  • Static SBOMs — an SBOM generated once at initial release becomes inaccurate within weeks as dependencies change; automated regeneration per release is required.
  • No monitoring — an SBOM that is generated but never checked against vulnerability feeds provides no operational value.
  • Ignoring firmware components — OS kernels, bootloaders, and proprietary libraries embedded in firmware must be included; source-only SCA tools miss these.
  • Wrong format for the audience — SPDX is preferred for licence compliance; CycloneDX is preferred for security operations and CRA conformity assessment.

CVD Portal makes Software Bill of Materials (SBOM) compliance straightforward.

Public CVD submission portal, acknowledgment tracking, Article 14 deadline alerts, and CSAF advisory generation. Free forever for EU manufacturers.

Start your free portal

Frequently asked

Does the CRA require us to publish our SBOM publicly?+

The CRA requires the SBOM to be included in technical documentation and made available to market surveillance authorities on request. There is no explicit requirement for public publication. However, enterprise customers and procurement frameworks are increasingly mandating supplier SBOMs, and ENISA's guidance encourages transparency. Publishing a customer-facing SBOM is best practice for high-risk product categories.

How often should we update our SBOM?+

The SBOM should be regenerated with every software release that changes any dependency. In practice, this means integrating SBOM generation into the CI/CD pipeline as a mandatory build step. Additionally, even without a software release, the monitoring process should flag when a newly published CVE affects a component in the existing SBOM — this may trigger a patch release and SBOM update outside the normal release cycle.

What format should we use — CycloneDX or SPDX?+

Both formats are acceptable under the CRA. CycloneDX is recommended for manufacturers because it supports VEX (Vulnerability Exploitability eXchange) documents, hardware components, and integrates with security tooling commonly used in product security workflows. SPDX is preferred in contexts where licence compliance is the primary concern. Many organisations generate both formats from the same source data.

Related terms

Software Supply Chain SecuritySoftware supply chain security encompasses the practices and controls that ensure the integrity, authenticity, and security of all software components — open-source libraries, commercial off-the-shelf modules, and development toolchains — that are integrated into a product. The CRA places explicit obligations on manufacturers to manage supply chain security throughout the product lifecycle.Software Composition Analysis (SCA)Software Composition Analysis (SCA) is the automated process of identifying open-source and third-party components in a codebase and checking them against known vulnerability databases to detect security risks. SCA is the primary technical mechanism for meeting the CRA's requirement that manufacturers identify and manage vulnerabilities in their products' components.Common Vulnerabilities and Exposures (CVE)CVE is a public catalogue of known cybersecurity vulnerabilities, each assigned a unique identifier (e.g. CVE-2024-12345) maintained by MITRE. Under the CRA, manufacturers are expected to track CVEs affecting their products and report actively exploited vulnerabilities to ENISA.Technical Documentation (CRA)Technical documentation under the CRA is the comprehensive set of records a manufacturer must compile and maintain to demonstrate that a product with digital elements meets the Annex I essential cybersecurity requirements. It must be retained for at least 10 years and made available to market surveillance authorities on request.

CRA articles using this term

Article 13Coordinated Vulnerability Disclosure Obligations for ManufacturersAnnex IEssential Cybersecurity Requirements for Products with Digital ElementsAnnex IVCritical Products with Digital Elements — Highest-Risk Classification

Browse the full CRA Compliance Checklist

See how Software Bill of Materials (SBOM) fits into your complete CRA compliance programme.

View checklists →