EU Cyber Resilience Act
Does the CRA require an SBOM?
Yes. The Cyber Resilience Act’s vulnerability-handling requirements (Annex I, Part II) expect manufacturers to maintain a software bill of materials — a machine-readable inventory of the product’s components — covering at least the top-level dependencies.
Format and scope
The SBOM must be in a commonly used, machine-readable format; CycloneDX and SPDX are the established choices. It should be kept current as the product changes, because it underpins vulnerability monitoring: you can only track CVEs against components you have inventoried.
An SBOM is necessary but not sufficient — it feeds the vulnerability-handling process, which also covers triage, remediation or justified non-remediation (VEX), and timely security updates.
Key points
- Required by the CRA vulnerability-handling obligations (Annex I, Part II).
- Machine-readable format — CycloneDX or SPDX.
- At least top-level dependencies; keep it current.
- Generate one free with the Normproof OSS CLI / GitHub Action.
Frequently asked questions
- What is an SBOM and does the CRA require one?
- An SBOM is a machine-readable inventory of a product’s software components. The CRA’s vulnerability-handling requirements expect manufacturers to produce and maintain one in a common format such as CycloneDX or SPDX.
- Which SBOM format does the CRA require?
- The CRA requires a commonly used, machine-readable format rather than naming one; CycloneDX and SPDX are the widely accepted options.
Related
General information about the EU Cyber Resilience Act — not legal advice. Normproof provides tooling and audit-ready evidence; the manufacturer self-declares conformity. For your specific product, run the free readiness check or consult a qualified advisor.