CRA SBOM

A Software Bill of Materials (SBOM) is a machine-readable inventory of all software components, libraries and dependencies in a product � comparable to an ingredient list. The Cyber Resilience Act (EU 2024/2847) mandates SBOMs from December

2027 for all products with digital elements. Manufacturers must document at least top-level dependencies in a standardized format and retain the SBOM for

10 years. Non-compliance carries fines up to EUR

15 million or 2.5% of global annual turnover.

Both formats meet CRA requirements and are recognized by BSI TR‑03183‑2. CycloneDX (OWASP) is optimized for security use cases and offers native VEX support (Vulnerability Exploitability eXchange) for vulnerability communication. SPDX (Linux Foundation, ISO/IEC 5962:2021) focuses on license compliance and is established as an ISO standard. For organizations focused on security and CRA compliance, we recommend CycloneDX 1.6. For open-source-intensive projects with license requirements, SPDX 2.3 is preferable.

Automated SBOM creation works by integrating SBOM tools into the build pipeline. Common open-source tools include Syft (Anchore) for containers and file systems, cdxgen for multi-language support, and Trivy (Aqua Security) for combined vulnerability scanning with SBOM generation. In the CI/CD pipeline, the SBOM is automatically generated at every build, validated against CRA requirements, and stored as a versioned artifact. Quality gates check completeness and quality before deployment.

BSI Technical Guideline TR‑03183–2 defines the German minimum requirements for SBOMs in the context of the Cyber Resilience Act. It requires: machine-readable formats (CycloneDX or SPDX), unique component identification (CPE, PURL), documentation of all top-level dependencies, supplier and license information, and regular updates when changes occur. TR‑03183–2 serves as the German reference for CRA-compliant SBOM creation.

No, the Cyber Resilience Act does not require SBOM publication. However, manufacturers must create the SBOM as part of technical documentation and retain it for

10 years. It must be available for market surveillance authorities (the BSI in Germany) upon request. Many companies voluntarily share SBOMs with customers to promote transparency and trust in the supply chain.

Several open-source and commercial tools support CRA-compliant SBOM creation: Syft (Anchore) generates SBOMs from containers and file systems in CycloneDX and SPDX. cdxgen supports over

30 programming languages and produces CycloneDX SBOMs. Trivy combines SBOM generation with vulnerability scanning. SPDX tools provide validation and conversion. Commercial solutions like FOSSA, Snyk and Black Duck add license compliance and enterprise features.

The CRA takes effect in phases: since November 2024, regulation EU 2024/2847 is legally binding. From September 2026, reporting obligations apply � manufacturers must report actively exploited vulnerabilities and severe security incidents to ENISA within

24 hours. From December 2027, all products with digital elements must include a complete SBOM as part of technical documentation. Early preparation is critical as SBOM implementation requires both technical and organizational changes.