2026-07-02 · VulnLedger

EU CRA SBOM Requirements: What You Need to Know for 2027

The EU Cyber Resilience Act requires SBOMs for all software sold in the EU by 2027. Here's what you need to do to comply.


The EU Cyber Resilience Act (CRA) is the most significant software security regulation in decades. By 2027, every manufacturer selling digital products in the EU market must provide a Software Bill of Materials (SBOM) for their products.

What is the EU CRA?

The Cyber Resilience Act, adopted in 2024, establishes cybersecurity requirements for products with digital elements sold in the European Union. It applies to both hardware and software, including standalone software, IoT devices, and cloud services.

Key SBOM Requirements

The CRA requires manufacturers to:

1. Maintain an SBOM for each product, documenting all software components
2. Track vulnerabilities in those components throughout the product lifecycle
3. Provide SBOMs to authorities upon request during market surveillance
4. Update components when vulnerabilities are discovered

What Must Be in Your SBOM?

The CRA references both CycloneDX and SPDX formats. Your SBOM should include:

- Component name and version
- Supplier information
- Unique identifiers (CPE, PURL)
- Dependency relationships
- License information
- Known vulnerabilities (CVEs)
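
As an added example (not VulnLedger's code and not part of the original post), this Python check reports which of the per-component items listed above are missing from a CycloneDX JSON SBOM. The sample document and the function name `missing_fields` are constructed for illustration, and only top-level components are inspected.

```python
import json

# Constructed sample SBOM in CycloneDX JSON; the components are fictional.
SAMPLE_BOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"bom-ref": "pkg:pypi/example-lib@1.2.0", "name": "example-lib",
     "version": "1.2.0", "supplier": {"name": "Example Supplier"},
     "purl": "pkg:pypi/example-lib@1.2.0",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"bom-ref": "legacy-blob", "name": "legacy-blob"}
  ],
  "dependencies": [
    {"ref": "pkg:pypi/example-lib@1.2.0", "dependsOn": []}
  ]
}
""")


def missing_fields(bom):
    """Map each incomplete component to the checklist items it lacks."""
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX JSON document")
    # bom-refs that have an entry in the dependency graph.
    graphed = {d["ref"] for d in bom.get("dependencies", []) if "ref" in d}
    gaps = {}
    for comp in bom.get("components", []):
        # Known vulnerabilities are not checked here: they are matched
        # against the component identifiers by a separate scan.
        checks = {
            "name": comp.get("name"),
            "version": comp.get("version"),
            "supplier": (comp.get("supplier") or {}).get("name"),
            "identifier (purl or cpe)": comp.get("purl") or comp.get("cpe"),
            "license": comp.get("licenses"),
            "dependency entry": comp.get("bom-ref") in graphed,
        }
        missing = [item for item, value in checks.items() if not value]
        if missing:
            label = comp.get("name") or comp.get("bom-ref") or "<unnamed>"
            gaps[label] = missing
    return gaps


if __name__ == "__main__":
    for component, missing in missing_fields(SAMPLE_BOM).items():
        print(f"{component}: missing {', '.join(missing)}")
```

Run as a pipeline step, a non-empty result can fail the build before an incomplete SBOM is published.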

Timeline

- 2024: CRA adopted
- 2025: Member states begin transposition
- 2026: Vulnerability reporting obligations begin
- 2027: Full SBOM requirements enforced

How to Prepare

1. Start generating SBOMs now using tools like Syft or CycloneDX
2. Establish a vulnerability management process
3. Automate SBOM generation in your CI/CD pipeline
4. Choose a tool that provides compliance-ready reports

VulnLedger generates CycloneDX SBOMs and checks them against OSV.dev for known vulnerabilities, giving you compliance-ready documentation in one command.

Conclusion

The EU CRA is not optional. Companies that don't prepare now risk losing access to the EU market. Start generating SBOMs today — it's easier than you think.
