Software Supply Chain

SPDX (Software Package Data Exchange)

SPDX (Software Package Data Exchange) is an ISO-standardised SBOM format (ISO/IEC 5962:2021) that describes software components, their versions, licences, and provenance in a machine-readable structure. SPDX is one of the two dominant SBOM formats alongside CycloneDX and is accepted for CRA technical documentation purposes.

What Is SPDX?

SPDX (Software Package Data Exchange) is an open standard for communicating software bill of materials information: the components that make up a software product, their versions, licensing terms, and relationships. Developed by the Linux Foundation, SPDX was standardised as ISO/IEC 5962:2021, making it the only SBOM format with formal international standard status. SPDX supports multiple serialisation formats: tag:value (human-readable), JSON, YAML, XML, and RDF. Each SPDX document identifies packages, files, and snippets with their associated licences, copyright notices, and relationships (e.g., 'contains', 'depends on', 'generated from'). SPDX is widely used in open source supply chain compliance and is gaining traction in regulated industry contexts, including automotive and healthcare.

CRA reference: Annex VII

SPDX for CRA Compliance

SPDX satisfies the CRA's Annex VII SBOM requirement. Its ISO standardisation status provides additional regulatory credibility when submitted to Notified Bodies or market surveillance authorities. Key CRA-relevant capabilities:

  • Component inventory: SPDX documents all packages in a product with version information, supporting SBOM-based CVE correlation.
  • Licence compliance: SPDX's detailed licence expression syntax (using SPDX licence identifiers) enables manufacturers to document their intellectual property obligations alongside security posture.
  • Relationship tracking: SPDX explicitly models relationships between components — 'package A depends on package B' — supporting dependency analysis for vulnerability impact assessment.
  • SBOM provenance: SPDX documents the tool that generated the SBOM and the entity responsible for it, providing an audit trail relevant to Annex VII requirements.
  • NTIA minimum elements: SPDX fully satisfies the US NTIA SBOM minimum elements, demonstrating alignment with international SBOM requirements.

CRA reference: Annex VII

SPDX 3.0: Key Updates for Security Use Cases

SPDX 3.0, released in 2024, significantly improved support for security use cases that are directly relevant to CRA compliance:

  • Security profile: A dedicated security profile adds support for CVE information, VEX status, CVSS scores, and exploitation data within the SPDX document — capabilities previously the domain of CycloneDX.
  • AI/ML profile: Coverage of AI and machine learning model components, relevant for products incorporating AI elements.
  • Modular structure: SPDX 3.0 uses a modular profile architecture, allowing documents to include only the profiles relevant to their use case, reducing verbosity.
  • Improved PURL support: Better integration with Package URL (PURL) identifiers, enabling more precise component identification for vulnerability correlation.

Manufacturers evaluating SPDX should target SPDX 3.0 for new implementations, as it offers security capabilities comparable to CycloneDX.

SPDX and NTIA Minimum Elements

The US NTIA (National Telecommunications and Information Administration) published a set of minimum elements for SBOMs that has been widely adopted as a baseline internationally. These include: supplier name, component name, version, other unique identifiers (e.g., PURL or CPE), dependency relationships, author of the SBOM data, and timestamp. SPDX fully satisfies all NTIA minimum elements. For CRA Annex VII purposes, manufacturers should ensure their SPDX documents include at minimum: all NTIA minimum elements for each component; cryptographic hashes for integrity verification; licence information per component; and generation metadata (tool, date, author). Documenting NTIA minimum element compliance in the technical file demonstrates alignment with international SBOM norms, which strengthens the CRA compliance case.
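As an added example (not part of this glossary entry, and not the SPDX project's own tooling), the following Python builds a minimal SPDX 2.3 JSON document with the package, relationship, checksum and creation-info fields described under "What Is SPDX?", then checks each package against the NTIA minimum elements plus the checksum and licence fields this entry asks for, and walks the DEPENDS_ON relationships in reverse to scope which components a vulnerable package affects. The component inventory, supplier names, PURLs, hashes and the documentNamespace are constructed placeholders. Field names follow the SPDX 2.3 JSON serialisation; SPDX 3.0, which the entry recommends for new implementations, uses a different JSON-LD based serialisation.

```python
"""Build a minimal SPDX 2.3 JSON SBOM, check NTIA minimum elements, and walk its
dependency graph.  Example code written for this glossary entry; all component
data below is constructed, not taken from a real product."""
import json
import re
from datetime import datetime, timezone

# Constructed inventory: (name, version, supplier, purl, sha256, licence).
# The third entry deliberately lacks supplier, identifier, checksum and licence
# so that the NTIA check below has something to report.
COMPONENTS = [
    ("example-app", "2.1.0", "Organization: Example GmbH",
     "pkg:generic/example-app@2.1.0", "a" * 64, "MIT"),
    ("libparser", "1.4.2", "Organization: Parser Project",
     "pkg:generic/libparser@1.4.2", "b" * 64, "Apache-2.0"),
    ("zlib-fork", "1.2.11", None, None, None, "NOASSERTION"),
]
# Constructed edges: (dependant, dependency).
DEPENDS_ON = [("example-app", "libparser"), ("libparser", "zlib-fork")]


def spdx_id(name):
    """SPDX element identifiers must match SPDXRef-[A-Za-z0-9.-]+."""
    return "SPDXRef-Package-" + re.sub(r"[^A-Za-z0-9.-]", "-", name)


def build_document(components, depends_on, tool="Tool: example-sbom-builder-0.1",
                   author="Organization: Example GmbH"):
    """Assemble an SPDX 2.3 JSON document; the first component is the product."""
    root = spdx_id(components[0][0])
    packages = []
    relationships = [{"spdxElementId": "SPDXRef-DOCUMENT",
                      "relationshipType": "DESCRIBES", "relatedSpdxElement": root}]
    for name, version, supplier, purl, sha256, licence in components:
        pkg = {"SPDXID": spdx_id(name), "name": name, "versionInfo": version,
               "downloadLocation": "NOASSERTION", "filesAnalyzed": False,
               "licenseConcluded": licence, "licenseDeclared": licence,
               "copyrightText": "NOASSERTION"}
        if supplier:
            pkg["supplier"] = supplier
        if purl:  # PURL is the "other unique identifier" the NTIA elements call for
            pkg["externalRefs"] = [{"referenceCategory": "PACKAGE-MANAGER",
                                    "referenceType": "purl", "referenceLocator": purl}]
        if sha256:  # integrity hash, as the entry recommends for Annex VII
            pkg["checksums"] = [{"algorithm": "SHA256", "checksumValue": sha256}]
        packages.append(pkg)
    for dependant, dependency in depends_on:
        relationships.append({"spdxElementId": spdx_id(dependant),
                              "relationshipType": "DEPENDS_ON",
                              "relatedSpdxElement": spdx_id(dependency)})
    return {"spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0",
            "SPDXID": "SPDXRef-DOCUMENT", "name": components[0][0] + "-sbom",
            # placeholder namespace; a real one must be unique per document
            "documentNamespace": "https://sbom.example.invalid/" + components[0][0],
            "creationInfo": {  # generation metadata: tool, author, timestamp
                "created": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
                "creators": [tool, author]},
            "packages": packages, "relationships": relationships}


def check_ntia_minimum_elements(doc):
    """Return {SPDXID: [missing element, ...]}.  Covers the NTIA minimum elements
    plus the checksum and licence fields this entry adds; document-level gaps
    (SBOM author, timestamp) are reported under the key '*document*'."""
    findings = {}
    info = doc.get("creationInfo", {})
    doc_missing = [e for e, ok in (("author", bool(info.get("creators"))),
                                   ("timestamp", bool(info.get("created")))) if not ok]
    if doc_missing:
        findings["*document*"] = doc_missing
    rels = doc["relationships"]
    related = {r["spdxElementId"] for r in rels} | {r["relatedSpdxElement"] for r in rels}
    for pkg in doc["packages"]:
        ids = [x for x in pkg.get("externalRefs", [])
               if x.get("referenceType") in ("purl", "cpe22Type", "cpe23Type")]
        checks = (("supplier", bool(pkg.get("supplier"))),
                  ("component name", bool(pkg.get("name"))),
                  ("version", bool(pkg.get("versionInfo"))),
                  ("unique identifier (PURL/CPE)", bool(ids)),
                  ("dependency relationship", pkg["SPDXID"] in related),
                  ("checksum", bool(pkg.get("checksums"))),
                  ("licence", pkg.get("licenseConcluded", "NOASSERTION") != "NOASSERTION"))
        missing = [e for e, ok in checks if not ok]
        if missing:
            findings[pkg["SPDXID"]] = missing
    return findings


def impacted_by(doc, vulnerable_spdx_id):
    """Follow DEPENDS_ON edges in reverse: every element that transitively
    depends on the vulnerable package is in scope for impact assessment."""
    reverse = {}
    for r in doc["relationships"]:
        if r["relationshipType"] == "DEPENDS_ON":
            reverse.setdefault(r["relatedSpdxElement"], set()).add(r["spdxElementId"])
    seen, stack = set(), [vulnerable_spdx_id]
    while stack:
        for parent in reverse.get(stack.pop(), ()):
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return sorted(seen)


if __name__ == "__main__":
    sbom = build_document(COMPONENTS, DEPENDS_ON)
    print(json.dumps(sbom, indent=2))
    print("NTIA gaps:", check_ntia_minimum_elements(sbom))
    print("Impacted by zlib-fork:", impacted_by(sbom, spdx_id("zlib-fork")))
```

Running the script prints the document, reports the constructed zlib-fork package as missing its supplier, PURL/CPE identifier, checksum and licence, and lists libparser and example-app as the components in scope if zlib-fork carried a vulnerability. The same checker can be pointed at any SPDX 2.3 JSON file loaded with json.load to confirm it carries the fields the entry lists for the technical file.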

Frequently asked

Is SPDX preferable to CycloneDX for CRA compliance?

Neither is inherently preferable; both satisfy the CRA's SBOM requirement. The choice depends on tooling, workflow, and primary use case. SPDX's ISO standardisation is a regulatory advantage in some contexts. CycloneDX's richer native VEX support and wider adoption in security tooling are an operational advantage. Many mature organisations generate both formats. If starting from scratch, CycloneDX is typically easier to adopt for security-first workflows; SPDX is more natural for licence compliance-first workflows.

Can a single SPDX document cover both security and licence compliance?

Yes, and this is one of SPDX's strengths. A single SPDX 3.0 document can include both the security profile (CVE information, VEX status) and the licence compliance profile (SPDX licence identifiers, copyright notices), providing a unified supply chain intelligence document. This reduces duplication between security and legal teams and creates a single source of truth for all component information relevant to CRA technical documentation.

Are there free tools to generate SPDX SBOMs?

Yes. The SPDX project provides open-source tooling including spdx-tools and various language-specific generators. Syft (Anchore) generates SPDX SBOMs from container images and filesystems. The Linux Foundation's OpenChain project maintains a directory of SPDX-compatible tools. Many CI/CD platforms and SCA tools support SPDX output. The choice of tool depends on the programming language ecosystem and build system in use.