German BSI TR-03183: How It Extends CRA SBOM Requirements

Germany's BSI has published TR-03183, a technical requirement that goes beyond CRA's baseline SBOM expectations. If you're selling products with digital elements in Germany, understanding TR-03183 helps you meet both CRA and the elevated expectations of the German market.

This guide explains what TR-03183 requires and how it relates to CRA compliance.

What Is TR-03183?

BSI TR-03183 "Cyber Resilience Requirements for Manufacturers and Products" is a technical requirement published by the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik).

Status: Technical requirement, not law. But:

• Referenced by German procurement requirements
• Expected by German customers
• Demonstrates best practice for CRA compliance
• May inform future CRA harmonized standards

TR-03183 Structure

TR-03183 STRUCTURE

Part 1: General Requirements
├── Scope and applicability
├── Relationship to CRA
├── Product security requirements
└── Conformance criteria

Part 2: Software Bill of Materials (SBOM)
├── SBOM generation requirements
├── Required fields and metadata
├── Format specifications (CycloneDX, SPDX)
├── Delivery and update requirements
└── Quality criteria

Part 3: Vulnerability Reports and Advisories
├── Vulnerability disclosure requirements
├── Report format (CSAF)
├── Advisory publication
├── VEX (Vulnerability Exploitability eXchange)
└── Coordination requirements

TR-03183 vs CRA: Key Differences

SBOM Requirements

Vulnerability Handling

TR-03183 Part 2: SBOM Deep Dive

Required SBOM Formats

TR-03183 accepts:

• CycloneDX 1.4 or later (preferred)
• SPDX 2.3 or later

Other formats (SWID, custom) are not compliant.

Required Fields

TR-03183 specifies minimum required fields:

SBOM REQUIRED FIELDS (TR-03183)

DOCUMENT METADATA:
├── SBOM format and version
├── Document name/identifier
├── Creation timestamp
├── Creator tool information
├── Document namespace (SPDX) / serialNumber (CycloneDX)
└── Specification version

PRIMARY COMPONENT (the product):
├── Name
├── Version
├── Supplier/manufacturer
├── Unique identifier (purl, CPE)
└── Description

EACH COMPONENT:
├── Name
├── Version
├── Supplier
├── Unique identifier (purl preferred)
├── License(s)
├── Hash/checksum (SHA-256 minimum)
├── Component type (library, framework, etc.)
└── Relationship to parent

RELATIONSHIPS:
├── Dependency relationships
├── Contains relationships
└── Build tool relationships (if applicable)

SBOM Quality Criteria

TR-03183 defines quality expectations:

Completeness:

• All direct dependencies included
• Transitive dependencies included
• Operating system components (if embedded)
• Build tools (if relevant to security)

Accuracy:

• Correct version numbers
• Valid unique identifiers (purl format)
• Accurate license information
• Functional hashes

Timeliness:

• SBOM reflects current product version
• Updated with each release
• Vulnerabilities assessed against current SBOM

SBOM Generation Example

Compliant SBOM structure (CycloneDX):

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
  "version": 1,
  "metadata": {
    "timestamp": "2027-01-15T10:00:00Z",
    "tools": [
      {
        "vendor": "Syft",
        "name": "syft",
        "version": "0.98.0"
      }
    ],
    "component": {
      "type": "firmware",
      "name": "SmartSensor Pro",
      "version": "2.4.1",
      "supplier": {
        "name": "Example GmbH",
        "url": ["https://example.de"]
      },
      "purl": "pkg:firmware/example/smartsensor-pro@2.4.1"
    }
  },
  "components": [
    {
      "type": "library",
      "name": "openssl",
      "version": "3.0.12",
      "purl": "pkg:generic/openssl@3.0.12",
      "licenses": [
        {
          "license": {
            "id": "Apache-2.0"
          }
        }
      ],
      "hashes": [
        {
          "alg": "SHA-256",
          "content": "abc123..."
        }
      ],
      "supplier": {
        "name": "OpenSSL Software Foundation"
      }
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:firmware/example/smartsensor-pro@2.4.1",
      "dependsOn": [
        "pkg:generic/openssl@3.0.12"
      ]
    }
  ]
}

TR-03183 Part 3: Vulnerability Handling

CSAF Format Requirement

TR-03183 requires security advisories in CSAF (Common Security Advisory Framework) 2.0 format.

Why CSAF:

• Machine-readable
• Standardized structure
• Supports automation
• Includes product tree and vulnerability mapping

CSAF Advisory Structure

{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "publisher": {
      "category": "vendor",
      "name": "Example GmbH",
      "namespace": "https://example.de"
    },
    "title": "Security Update for SmartSensor Pro",
    "tracking": {
      "current_release_date": "2027-02-01T10:00:00Z",
      "id": "EXAMPLE-2027-001",
      "initial_release_date": "2027-02-01T10:00:00Z",
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "category": "product_name",
        "name": "SmartSensor Pro",
        "branches": [
          {
            "category": "product_version_range",
            "name": "vers:generic/<2.4.2",
            "product": {
              "name": "SmartSensor Pro < 2.4.2",
              "product_id": "CSAFPID-0001"
            }
          }
        ]
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2027-XXXXX",
      "product_status": {
        "fixed": ["CSAFPID-0002"],
        "known_affected": ["CSAFPID-0001"]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to version 2.4.2",
          "product_ids": ["CSAFPID-0001"]
        }
      ]
    }
  ]
}

VEX Requirements

TR-03183 expects VEX (Vulnerability Exploitability eXchange) documents:

Purpose: Communicate whether a known vulnerability in a component actually affects your product.

Status Options:

• not_affected: Vulnerability doesn't affect this product
• affected: Vulnerability affects this product
• fixed: Vulnerability was present but is now fixed
• under_investigation: Still assessing

VEX Example (CycloneDX VEX):

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "vulnerabilities": [
    {
      "id": "CVE-2027-XXXXX",
      "source": {
        "name": "NVD",
        "url": "https://nvd.nist.gov/vuln/detail/CVE-2027-XXXXX"
      },
      "analysis": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "detail": "The vulnerable function is not called in our implementation."
      },
      "affects": [
        {
          "ref": "pkg:generic/openssl@3.0.12"
        }
      ]
    }
  ]
}

Practical Implementation

SBOM Generation Workflow

TR-03183 COMPLIANT SBOM WORKFLOW

1. BUILD PHASE
   ├── Generate SBOM during build
   ├── Tool: Syft, Trivy, or similar
   ├── Format: CycloneDX 1.5
   └── Include all dependencies

2. VALIDATION PHASE
   ├── Verify required fields present
   ├── Check purl format validity
   ├── Validate hashes
   └── Confirm completeness

3. VULNERABILITY SCAN
   ├── Scan SBOM against vulnerability databases
   ├── Document findings
   ├── Generate VEX for false positives
   └── Track remediation for true positives

4. DELIVERY
   ├── Attach to product release
   ├── Publish to customer portal
   ├── Provide on request
   └── Update with each version

5. MAINTENANCE
   ├── Re-scan periodically
   ├── Update VEX as needed
   ├── Publish advisories (CSAF)
   └── Track through product lifecycle

Advisory Publication Process

VULNERABILITY → ADVISORY WORKFLOW

Discovery
    │
    ▼
Assessment
├── Affected versions
├── Severity (CVSS)
└── Exploitability
    │
    ▼
Remediation Development
├── Patch development
├── Testing
└── Release preparation
    │
    ▼
Advisory Creation (CSAF)
├── Document metadata
├── Product tree
├── Vulnerability details
└── Remediation info
    │
    ▼
Publication
├── CSAF to distribution channels
├── Web advisory (human-readable)
├── Customer notification
└── Update VEX documents
    │
    ▼
Monitoring
├── Track patch adoption
├── Monitor for exploitation
└── Update advisory if needed

TR-03183 Compliance Checklist

TR-03183 COMPLIANCE CHECKLIST

PART 2 - SBOM:

Format:
[ ] CycloneDX 1.4+ or SPDX 2.3+
[ ] Valid according to schema
[ ] Machine-readable

Metadata:
[ ] Document identifier/serial number
[ ] Creation timestamp
[ ] Creator tool information
[ ] Specification version

Primary Component:
[ ] Product name
[ ] Product version
[ ] Supplier information
[ ] Unique identifier (purl)

Each Component:
[ ] Name and version
[ ] Supplier information
[ ] Unique identifier (purl preferred)
[ ] License information
[ ] Hash (SHA-256+)
[ ] Component type

Relationships:
[ ] Dependency relationships defined
[ ] Complete dependency tree

Quality:
[ ] All direct dependencies included
[ ] Transitive dependencies included
[ ] Versions accurate and current
[ ] Identifiers valid

PART 3 - VULNERABILITY HANDLING:

Advisory Format:
[ ] CSAF 2.0 format capability
[ ] Product tree defined
[ ] Vulnerability mapping

VEX:
[ ] VEX documents for SBOM components
[ ] Status for known vulnerabilities
[ ] Justification for "not_affected"

Process:
[ ] Vulnerability monitoring active
[ ] Response process defined
[ ] Advisory publication process
[ ] Customer notification process

Relationship to CRA Compliance

TR-03183 as CRA Best Practice

TR-03183 operationalizes CRA requirements:

Compliance Strategy

If targeting Germany specifically:

• Implement TR-03183 fully
• Demonstrates CRA compliance plus German market alignment

If targeting broader EU:

• CRA compliance is the legal requirement
• TR-03183 represents elevated best practice
• Consider implementing even for non-German markets

Future Harmonization

TR-03183 may influence:

• Future CRA harmonized standards
• European standardization (CEN/CENELEC)
• Other member state technical requirements

Implementing TR-03183 now positions you ahead of potential future requirements.

German Market Considerations

BSI Certification

For certain products, BSI certification may be relevant:

• IT security products
• Cloud services
• Critical infrastructure components

TR-03183 compliance supports (but doesn't replace) certification processes.

Public Procurement

German public sector procurement increasingly expects:

• SBOM provision
• Vulnerability handling capability
• Standards compliance

TR-03183 compliance addresses these expectations.

Customer Expectations

German enterprise customers often expect:

• Detailed SBOMs
• Prompt vulnerability communication
• Formal advisory process

TR-03183 provides the framework they recognize.

Tools for TR-03183 Compliance

SBOM Generation

SBOM Validation

CSAF Creation

VEX Management

Related guides:

• SBOM Requirements Under the Cyber Resilience Act
• How to Generate a CRA-Compliant SBOM: Tools, Formats, and CI/CD Integration

How CRA Evidence Helps

CRA Evidence supports TR-03183 compliance:

• SBOM management: CycloneDX and SPDX support
• Validation: Check SBOM completeness against TR-03183 requirements
• VEX tracking: Manage vulnerability status across products
• Advisory support: CSAF generation assistance
• German market: Specific guidance for BSI alignment

Meet TR-03183 requirements at app.craevidence.com.

This article is for informational purposes only and does not constitute legal advice. For specific compliance guidance, consult with qualified legal counsel.

VERIFY WITH PRIMARY SOURCE: TR-03183 details should be verified against the official BSI publication, as specifications may be updated.