EU CRA SBOM Requirements: What You Need to Know for 2027
The EU Cyber Resilience Act requires manufacturers to maintain an SBOM for every product with digital elements placed on the EU market, with the obligation applying from 11 December 2027. Here's what you need to do to comply.
The EU Cyber Resilience Act (CRA) is the most significant software security regulation in decades. From 11 December 2027, every manufacturer placing a product with digital elements on the EU market must draw up and maintain a Software Bill of Materials (SBOM) for that product as part of its technical documentation, and hand it over to market surveillance authorities when they ask for it.
What is the EU CRA?
The Cyber Resilience Act (Regulation (EU) 2024/2847), adopted in 2024, establishes cybersecurity requirements for "products with digital elements" placed on the European Union market. It applies to both hardware and software, including standalone software and IoT devices. Standalone cloud services (SaaS) are outside its scope; remote data processing is covered only where it is part of a product, for example the backend that a connected device needs to perform its functions.
Key SBOM Requirements
The CRA's essential requirements (Annex I, Part II) require manufacturers to:
1. Identify and document the components in each product, including by drawing up an SBOM in a commonly used, machine-readable format that covers at least the product's top-level dependencies
2. Identify and track vulnerabilities in those components for the product's support period
3. Keep the SBOM in the technical documentation and provide it to market surveillance authorities on request (it does not have to be published)
4. Address and remediate vulnerabilities without undue delay, including by providing security updates
What Must Be in Your SBOM?
The CRA does not name a format. It requires a "commonly used and machine-readable format" covering at least top-level dependencies, and allows the Commission to specify the format and elements in an implementing act. CycloneDX and SPDX are the two widely used machine-readable formats that meet that requirement today. Your SBOM should include:
- Component name and version
Timeline
- 2024: CRA adopted; entered into force on 10 December 2024
- 11 September 2026: reporting obligations for actively exploited vulnerabilities and severe incidents apply
- 11 December 2027: the remaining obligations, including the SBOM requirement, apply
How to Prepare
1. Start generating SBOMs now using tools like Syft or the CycloneDX project's own generators (CycloneDX itself is a format, not a tool)
VulnLedger generates CycloneDX SBOMs and checks them against OSV.dev for known vulnerabilities, giving you compliance-ready documentation in one command.
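To show what "check the SBOM against OSV.dev" means in practice, here is an added example in Python; it is not VulnLedger's code and not taken from the article. It parses a CycloneDX JSON SBOM, rejects components that lack the name, version and package URL a vulnerability lookup needs, builds the request body for OSV.dev's querybatch API, and maps the positional results back onto the components. The SBOM and the OSV response embedded in the block are constructed samples, and the advisory ID EXAMPLE-2024-0001 is a placeholder, not a real vulnerability; only osv_lookup() contacts the real API.

```python
"""Check a CycloneDX SBOM's components against OSV.dev (querybatch API).

Added example for this article, not VulnLedger's code. SAMPLE_SBOM and
SAMPLE_OSV_RESPONSE are constructed; only osv_lookup() uses the network.
"""
import json
import urllib.request

OSV_QUERYBATCH_URL = "https://api.osv.dev/v1/querybatch"

# Constructed minimal CycloneDX 1.5 JSON SBOM with two top-level components.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [
        {"type": "library", "name": "requests", "version": "2.25.0",
         "purl": "pkg:pypi/requests@2.25.0"},
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
    ],
})

# Constructed response in the shape OSV returns: one result per query, in
# order; an empty object means no known advisories. The ID is a placeholder.
SAMPLE_OSV_RESPONSE = {
    "results": [
        {"vulns": [{"id": "EXAMPLE-2024-0001", "modified": "2024-01-01T00:00:00Z"}]},
        {},
    ]
}


def load_components(sbom_text):
    """Parse a CycloneDX JSON SBOM and return its components.

    Raises ValueError if the document is not CycloneDX or a component lacks
    the name, version or purl needed to look it up in a vulnerability database.
    """
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    comps = []
    for c in bom.get("components", []):
        for key in ("name", "version", "purl"):
            if not c.get(key):
                raise ValueError("component missing %r: %r" % (key, c))
        comps.append({"name": c["name"], "version": c["version"], "purl": c["purl"]})
    return comps


def build_querybatch(components):
    """Build the body for POST /v1/querybatch: one query per package URL."""
    return {"queries": [{"package": {"purl": c["purl"]}} for c in components]}


def match_results(components, response):
    """Zip OSV's positional results back onto the components.

    Returns {purl: [advisory ids]} for components with at least one advisory.
    A length mismatch means the response does not correspond to our queries.
    """
    results = response.get("results", [])
    if len(results) != len(components):
        raise ValueError("OSV returned %d results for %d queries"
                         % (len(results), len(components)))
    findings = {}
    for comp, res in zip(components, results):
        ids = [v["id"] for v in res.get("vulns", [])]
        if ids:
            findings[comp["purl"]] = ids
    return findings


def osv_lookup(components, url=OSV_QUERYBATCH_URL, timeout=30):
    """Run the real OSV.dev lookup (network access required)."""
    body = json.dumps(build_querybatch(components)).encode()
    req = urllib.request.Request(url, data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return match_results(components, json.load(resp))


if __name__ == "__main__":
    # Offline demonstration using the constructed response.
    comps = load_components(SAMPLE_SBOM)
    for purl, ids in match_results(comps, SAMPLE_OSV_RESPONSE).items():
        print("%s: %s" % (purl, ", ".join(ids)))
```

To run it against a real SBOM, load the file produced by your generator instead of SAMPLE_SBOM and call osv_lookup(load_components(text)). The strict field check matters for compliance: a component without a version or package URL cannot be matched against any vulnerability database, so it should fail the build rather than silently return "no findings".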
Conclusion
The EU CRA is not optional. Companies that don't prepare now risk losing access to the EU market. Start generating SBOMs today — it's easier than you think.