SBOM Requirements Under the EU Cyber Resilience Act (CRA)
EU CRA SBOM requirements explained: accepted formats, mandatory fields, BSI TR-03183 quality levels, and compliance deadlines for manufacturers.
The EU Cyber Resilience Act (CRA) makes Software Bills of Materials (SBOMs) a legal requirement for every product with digital elements sold in the European Union. This guide explains what the CRA and BSI TR-03183 require, which formats are accepted, what fields your SBOM must contain, and when the compliance deadlines hit.
Summary
- SBOMs are mandatory under the CRA — every product with digital elements needs one
- Accepted formats: CycloneDX (security-focused) or SPDX (license-focused)
- Must include all dependencies (direct and transitive), not just top-level components
- BSI TR-03183 sets the quality benchmark — use it as your compliance target
- Automate SBOM generation in CI/CD — manual processes won't scale
- SBOMs must be maintained for the entire support period (minimum 5 years)
Important: SBOMs are mandatory under the CRA, not optional. Every product with digital elements placed on the EU market must have a machine-readable SBOM.
What Is an SBOM?
A Software Bill of Materials (SBOM) is a structured inventory of every software component in a product — libraries, frameworks, operating system packages, and their dependencies. Think of it as a nutrition label for software: it lists exactly what's inside so that buyers and regulators can assess risk, track vulnerabilities, and verify license compliance.
What Does the CRA Require for SBOMs?
The CRA references SBOMs in two critical sections:
Annex I: Essential Requirements
"Manufacturers shall identify and document vulnerabilities and components contained in products, including by drawing up a software bill of materials in a commonly used and machine-readable format."
This means:
- SBOMs are mandatory, not optional
- They must be in machine-readable format (not PDFs or spreadsheets)
- They must cover all components, including transitive dependencies
Annex VII: Technical Documentation
The technical file must include SBOM information that enables:
- Component-level vulnerability tracking
- Supplier identification
- License compliance verification
- End-of-life planning
Which SBOM Formats Are Accepted Under the CRA?
The CRA requires "commonly used and machine-readable" formats. In practice, two standards qualify:
| Format | Standard | Best For |
|---|---|---|
| CycloneDX | OWASP | Security-focused, native VEX support |
| SPDX | Linux Foundation | License compliance, broader adoption |
Both formats are accepted, but CycloneDX is increasingly preferred for security use cases due to its native support for:
- Vulnerability Exploitability eXchange (VEX)
- Security advisories
- Dependency graphs
Figure: the elements that feed into an SBOM: Component Names, Versions, Supplier Info, Dependencies, Licenses, Package URLs, Hash Values, Open Source Components.
What Fields Must an SBOM Contain?
Germany's Federal Office for Information Security (BSI) has published TR-03183, which provides detailed SBOM quality requirements that go beyond the CRA minimum. Use it as your compliance target.
Mandatory Fields (BSI TR-03183)
- Component name and version
- Supplier/manufacturer information
- Unique identifiers (PURL, CPE)
- Dependency relationships
- License information
Quality Levels
TR-03183 defines three quality tiers:
| Level | Description |
|---|---|
| Basic | Minimum fields populated |
| Standard | All recommended fields |
| Comprehensive | Full dependency tree, hash verification |
While TR-03183 is a German standard, it's becoming the de facto quality benchmark for CRA compliance across the EU.
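As an added illustration (not code from this article or from CRA Evidence), here is a small Python checker that tests a CycloneDX JSON document against the mandatory-field list above. The SBOM fragment is constructed; the keys used (name, version, supplier, purl, cpe, licenses, dependencies, bom-ref) are the CycloneDX JSON schema's own, and a real file would be loaded with json.load instead of the inline dict.

```python
# Constructed CycloneDX-style SBOM (sample input, not a real product SBOM).
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"bom-ref": "a", "name": "libfoo", "version": "1.4.2", "supplier": {"name": "Foo Project"},
         "purl": "pkg:generic/libfoo@1.4.2", "licenses": [{"license": {"id": "MIT"}}]},
        {"bom-ref": "b", "name": "libbar", "version": "", "purl": "pkg:generic/libbar", "licenses": []},
        {"bom-ref": "c", "name": "libbaz", "version": "3.0.1", "supplier": {"name": "Baz GmbH"},
         "cpe": "cpe:2.3:a:baz:libbaz:3.0.1:*:*:*:*:*:*:*", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["a"]},
        {"ref": "a", "dependsOn": ["b"]},
    ],
}

def check_component(comp):
    """Return the mandatory fields from the TR-03183 list above that this component lacks."""
    missing = []
    if not comp.get("name"):
        missing.append("name")
    if not comp.get("version"):
        missing.append("version")
    if not comp.get("supplier", {}).get("name"):
        missing.append("supplier")
    if not (comp.get("purl") or comp.get("cpe")):  # either unique identifier satisfies the check
        missing.append("identifier")
    if not comp.get("licenses"):
        missing.append("license")
    return missing

def check_sbom(sbom):
    """Map each failing bom-ref to its missing fields; a component absent from the dependency graph fails 'dependency relationships'."""
    findings = {}
    for comp in sbom.get("components", []):
        missing = check_component(comp)
        if missing:
            findings[comp["bom-ref"]] = missing
    in_graph = set()
    for dep in sbom.get("dependencies", []):
        in_graph.add(dep["ref"])
        in_graph.update(dep.get("dependsOn", []))
    for comp in sbom.get("components", []):
        if comp["bom-ref"] not in in_graph:
            findings.setdefault(comp["bom-ref"], []).append("dependency relationship")
    return findings
```

Running check_sbom on the sample flags libbar (no version, supplier or license) and libbaz (complete fields, but no place in the dependency graph).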
What Are the CRA SBOM Compliance Deadlines?
The CRA has a phased enforcement timeline:
| Date | Milestone |
|---|---|
| 11 September 2026 | Vulnerability reporting obligations take effect — manufacturers must report actively exploited vulnerabilities within 24 hours |
| 11 December 2027 | Full enforcement — all products with digital elements must meet CRA requirements including complete SBOMs |
Products placed on the EU market after December 2027 that lack a compliant SBOM cannot carry the CE marking and cannot be legally sold.
What Happens If You Don't Comply?
Non-compliance with the CRA carries severe consequences:
- Fines up to EUR 15 million or 2.5% of global annual turnover (whichever is higher)
- Product recall or withdrawal from the EU market
- Market ban — non-compliant products cannot carry CE marking
- Supply chain impact — your customers may be unable to use your product in their own CRA compliance
Market surveillance authorities in each EU member state will enforce these penalties.
Common SBOM Mistakes
1. Incomplete Dependency Trees
Many tools only capture direct dependencies. The CRA requires transitive dependencies, meaning components that your dependencies depend on.
```text
Your Product
├── Library A (direct) ✓
│   ├── Library B (transitive) ← Often missing!
│   └── Library C (transitive) ← Often missing!
└── Library D (direct) ✓
```
2. Missing Version Information
An SBOM without accurate version information is nearly useless for vulnerability matching. Ensure every component has:
- Exact version numbers (not ranges)
- Hash values for binary components
- PURL identifiers where possible
3. Stale SBOMs
An SBOM generated at build time but never updated creates a false sense of security. Implement:
- CI/CD integration for automatic SBOM generation
- Version control for SBOM artifacts
- Regular drift detection between builds
4. Ignoring Firmware and Hardware
For products with embedded components, remember to include:
- Firmware versions and components
- Hardware Bill of Materials (HBOM) where applicable
- Bootloader and kernel components
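An added example, not part of the original article, that checks for mistakes 1 to 3 above on two CycloneDX-style fragments: dependency refs that point at components missing from the inventory (a cut-off transitive tree), version ranges instead of exact versions, and drift between two consecutive builds. Both SBOM fragments are constructed.

```python
# Two constructed SBOM fragments for consecutive builds of the same product (sample input, not real data).
BUILD_1 = {
    "components": [
        {"bom-ref": "a", "name": "libfoo", "version": "1.4.2", "purl": "pkg:generic/libfoo@1.4.2"},
        {"bom-ref": "b", "name": "libbar", "version": "0.9.0", "purl": "pkg:generic/libbar@0.9.0"},
    ],
    "dependencies": [{"ref": "app", "dependsOn": ["a"]}, {"ref": "a", "dependsOn": ["b"]}],
}
BUILD_2 = {
    "components": [
        {"bom-ref": "a", "name": "libfoo", "version": "1.5.0", "purl": "pkg:generic/libfoo@1.5.0"},
        {"bom-ref": "c", "name": "libbaz", "version": ">=2.0", "purl": "pkg:generic/libbaz"},
    ],
    "dependencies": [{"ref": "app", "dependsOn": ["a", "c"]}, {"ref": "a", "dependsOn": ["b"]}],
}

def find_unresolved_refs(sbom):
    """Refs named in dependsOn that have no component entry: the transitive tree was cut off (mistake 1)."""
    declared = {c["bom-ref"] for c in sbom["components"]}
    referenced = set()
    for dep in sbom["dependencies"]:
        referenced.update(dep.get("dependsOn", []))
    return sorted(referenced - declared)

def find_inexact_versions(sbom):
    """Components whose version is empty or a range, which cannot be matched against advisories (mistake 2)."""
    return sorted(c["name"] for c in sbom["components"]
                  if not c.get("version") or c["version"][0] in "<>=~^")

def diff_sboms(old, new):
    """Drift between two builds keyed by component name: added, removed and version-changed (mistake 3)."""
    old_v = {c["name"]: c["version"] for c in old["components"]}
    new_v = {c["name"]: c["version"] for c in new["components"]}
    return {
        "added": sorted(set(new_v) - set(old_v)),
        "removed": sorted(set(old_v) - set(new_v)),
        "changed": {n: (old_v[n], new_v[n]) for n in old_v.keys() & new_v.keys() if old_v[n] != new_v[n]},
    }
```

On the sample, build 2 still depends on libbar but no longer lists it, pins libbaz to a range, and has bumped libfoo; each of those is a finding a CI gate should fail on.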
How to Get Started
1. Audit your current state: Do you generate SBOMs today? What format? What coverage?
2. Choose your format: CycloneDX for security focus, SPDX for license compliance (or both)
3. Automate generation: Integrate SBOM generation into your CI/CD pipeline using tools like Syft, Trivy, or cdxgen
4. Validate quality: Check your SBOMs against TR-03183 requirements — are all mandatory fields populated?
5. Implement monitoring: Link SBOMs to vulnerability databases (NVD, OSV, GitHub Advisory Database, CISA KEV)
6. Plan for updates: Establish processes so every product release generates a fresh, validated SBOM
How CRA Evidence Helps
CRA Evidence provides comprehensive SBOM management:
- Upload & Validation: Support for CycloneDX and SPDX with TR-03183 quality scoring
- Vulnerability Scanning: Automatic matching against NVD, OSV, and other databases
- Version Tracking: SBOM history and drift detection across product versions
- Export: Include validated SBOMs in your Annex VII technical file
Getting your SBOM practice right is foundational to CRA compliance. Start building these capabilities now — the September 2026 vulnerability reporting deadline is approaching fast.
Related Guides
Generation: Learn how to automate SBOM creation in our SBOM generation guide.
Quality: Understand SBOM quality requirements in our BSI TR-03183 guide.
VEX: Pair your SBOM with vulnerability data using VEX documents.
Technical File: See how SBOMs fit into the CRA technical file (Annex VII).
This article is for informational purposes only and does not constitute legal advice. For specific compliance guidance, consult with qualified legal counsel.