Software bill of materials (SBOM)
A formal record of the components, libraries, and modules contained in a software product, drawn up in a commonly used and machine-readable format. Under Annex I Part II of the CRA, manufacturers must produce an SBOM covering at least the top-level dependencies of their product. The SBOM does not need to be made public but must be available to market surveillance authorities on reasoned request.
Source citations
Regulation text
Annex I Part II §1 of Regulation (EU) 2024/2847 requires manufacturers to:
"identify and document vulnerabilities and components contained in products with digital elements, including by drawing up a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies of the products".
Key requirements
- Format: Must be machine-readable and use a commonly accepted format. Widely used formats include CycloneDX (ECMA-424) and SPDX (ISO 5962).
- Scope: At minimum, top-level dependencies must be covered. Including deeper transitive dependencies as well is recommended best practice.
- Confidentiality: Manufacturers are not obliged to make the SBOM public (Art. 13 recital 77). It is provided to market surveillance authorities on reasoned request.
- Commission specification: The Commission may adopt implementing acts specifying the format and elements of the SBOM (Art. 13(24)).
Purpose
The SBOM enables manufacturers to:
- Track which third-party components are used
- Quickly assess whether known vulnerabilities (e.g. from the EU vulnerability database or CVE databases) affect components in the product
- Demonstrate due diligence when integrating third-party and open-source components
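As an added illustration (not part of the CRA text or of any project's code) of what a machine-readable SBOM covering top-level dependencies looks like, and of the vulnerability check described above: a constructed CycloneDX 1.5 document for a fictional product, a check that every direct dependency of the product is described, and a match against constructed advisories with placeholder ids. The sample SBOM goes one level beyond the minimum, so the hit on the transitive component libbaz is only found because of that.

```python
"""Constructed CycloneDX 1.5 SBOM for a fictional product, with a CRA minimum-scope
check (top-level dependencies described) and a known-vulnerable-version match."""
import json

# Constructed sample SBOM; bom-refs reuse the package URL (purl) of each component.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "metadata": {"component": {"type": "application", "name": "example-gateway",
                               "version": "2.3.0", "bom-ref": "root"}},
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.4.2",
         "purl": "pkg:generic/libfoo@1.4.2", "bom-ref": "pkg:generic/libfoo@1.4.2"},
        {"type": "library", "name": "libbar", "version": "0.9.1",
         "purl": "pkg:generic/libbar@0.9.1", "bom-ref": "pkg:generic/libbar@0.9.1"},
        {"type": "library", "name": "libbaz", "version": "3.0.0",   # transitive dependency
         "purl": "pkg:generic/libbaz@3.0.0", "bom-ref": "pkg:generic/libbaz@3.0.0"},
    ],
    "dependencies": [  # edges from the product itself, then one deeper edge
        {"ref": "root", "dependsOn": ["pkg:generic/libfoo@1.4.2", "pkg:generic/libbar@0.9.1"]},
        {"ref": "pkg:generic/libbar@0.9.1", "dependsOn": ["pkg:generic/libbaz@3.0.0"]},
    ],
})

# Constructed advisories with placeholder ids, keyed by versionless purl.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "purl": "pkg:generic/libbar", "affected": {"0.9.0", "0.9.1"}},
    {"id": "EXAMPLE-ADV-0002", "purl": "pkg:generic/libbaz", "affected": {"3.0.0"}},
]

def load_sbom(text):
    return json.loads(text)

def top_level_dependencies(sbom):
    """bom-refs the product depends on directly: the CRA minimum scope."""
    root = sbom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    return set(edges.get(root, []))

def missing_top_level(sbom):
    """Top-level refs that lack a component entry carrying a name and version."""
    described = {c["bom-ref"] for c in sbom.get("components", [])
                 if c.get("name") and c.get("version")}
    return sorted(top_level_dependencies(sbom) - described)

def affected_components(sbom, advisories):
    """(purl, advisory id) pairs for components sitting at a known-vulnerable version."""
    return [(c["purl"], a["id"]) for c in sbom.get("components", [])
            for a in advisories
            if c.get("purl", "").rsplit("@", 1)[0] == a["purl"] and c["version"] in a["affected"]]
```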
Relationship to Union dependency assessment
Market surveillance authorities may request SBOMs from manufacturers as part of a Union-wide dependency assessment for specific categories of products (Art. 13(25)), to understand dependencies on FOSS components.