Cyber Resilience Act (CRA) & SBOM Framework
- Ira Goel

- Jun 23
- 4 min read

The Software Bill of Materials (SBOM) is a central requirement of the Cyber Resilience Act, designed to improve transparency and vulnerability management across the software supply chain. Under CRA, an SBOM is defined as a formal record containing details and supply chain relationships of components included in the software elements of a product with digital elements.
Specific Requirements of SBOM under CRA:
The specific requirements regarding SBOMs include the following:
1. Manufacturer Obligations
Mandatory Creation: As part of their vulnerability handling processes, manufacturers must identify and document all components contained in their products by drawing up an SBOM.
Scope of Content: At a minimum, the SBOM must cover the top-level dependencies of the product.
Format: The SBOM must be produced in a commonly used and machine-readable format. The European Commission is empowered to adopt implementing acts to further specify the exact format and elements required for these records.
Due Diligence: Manufacturers are required to use the SBOM to ensure that their products do not contain vulnerable components developed by third parties.
2. Inclusion in Technical Documentation
Manufacturers must include the SBOM within the technical documentation for the product.
This documentation must be kept for at least 10 years after the product is placed on the market or for the duration of the support period, whichever is longer.
3. Access and Confidentiality
Not Mandatory for Public Disclosure: Manufacturers are not required to make the SBOM public.
Market Surveillance Access: Manufacturers must provide the SBOM to market surveillance authorities upon a reasoned request, provided it is necessary for the authority to check compliance with essential cybersecurity requirements.
User Information: If a manufacturer chooses to make the SBOM available to users, they must provide information in the user instructions on where the SBOM can be accessed.
4. Regulatory and Supervisory Use
Union Dependency Assessments: The administrative cooperation group (ADCO) may decide to conduct Union-wide dependency assessments to understand the Union's reliance on specific software components, particularly free and open-source ones.
Data Handling: To protect confidentiality, when market surveillance authorities request SBOMs for these assessments, they must provide the information to ADCO in an anonymized and aggregated manner.
Vulnerability Tracking: The SBOM serves as a tool to help both manufacturers and users track newly emerged vulnerabilities and cybersecurity risks throughout the product's lifecycle.
Specifics of Machine-Readable SBOMs
Regarding specific machine-readable formats, the regulation provides the following requirements and provisions:
General Requirement: Manufacturers are required to draw up an SBOM in a commonly used and machine-readable format. At a minimum, this record must cover the top-level dependencies of the product.
Future Specification: The Regulation does not explicitly list the names of specific formats (such as SPDX or CycloneDX). Instead, it empowers the European Commission to adopt implementing acts that will specify the exact formats and elements required for an SBOM.
Standards and Best Practices: In specifying these formats, the Commission is directed to take into account European or international standards and best practices.
Purpose of Machine-Readability: The requirement for a machine-readable format is intended to ensure that the information is easily and automatically processable. This facilitates the ability of manufacturers and users to track newly emerged vulnerabilities and cybersecurity risks effectively across the supply chain.
SBOM Obligations for Microenterprises
Under the Cyber Resilience Act, the manufacturer remains responsible for drawing up the Software Bill of Materials (SBOM), regardless of whether they are a microenterprise.
While the responsibility for creating and maintaining the SBOM does not shift, the Regulation includes several provisions designed to alleviate the administrative and financial burden on smaller entities:
Mandatory Requirement for All Manufacturers: Annex I, Part II explicitly states that manufacturers must identify and document components contained in their products, including by drawing up an SBOM in a commonly used and machine-readable format. This is considered a core part of the vulnerability handling processes that every manufacturer must implement.
Simplified Technical Documentation: Because the SBOM is part of the technical documentation required for a product, microenterprises and small enterprises are permitted to use a simplified technical documentation form. The European Commission is tasked with specifying this format to ensure it is concise while still covering all applicable elements.
Helpdesk and Technical Support: Member States are required to provide tailored support to microenterprises, including awareness-raising, training, and the establishment of dedicated communication channels to provide advice on implementing the Regulation. Additionally, CSIRTs (Computer Security Incident Response Teams) must provide helpdesk support to microenterprises regarding their reporting obligations.
Financial and Fee Reductions: The Regulation mandates that conformity assessment bodies take the specific needs of microenterprises into account when setting fees, ensuring they are reduced proportionately. Member States and the Commission also aim to provide financial support through Union programs to ease the compliance burden.
In summary, while a microenterprise is legally responsible for producing the SBOM to ensure their product is secure, the Regulation provides a framework of simplified procedures and institutional support to help them meet this obligation
Looking for a solution tailored to your unique challenges? Gira Group provides expert consultation and specialized training designed to drive results. Let’s work together - reach out to our team or learn more about our services at www.gira.group.




Comments