SBOM Requirements for CRA

The European Parliament approved the EU's Cyber Resilience Act (CRA) on March 12th.

‍CRA uses the Software Bill of Materials (SBOM) to describe, record, and monitor product security. Therefore, a formal document outlining CRA compliance requirements and specifically describing all SBOM-specific requirements is expected soon.

‍However, in anticipation of the adoption of the CRA, Germany's Federal Office of Information Security (BSI) has been working to clarify SBOM requirements. The Technical Guideline TR-03183: Cyber Resilience Requirements for Manufacturers and Products (Part 2: Software Bill of Materials (SBOM)) has been published since November 28th.