
Preparing for the EU Cyber Resilience Act (CRA): Software Bill of Materials (SBOM) Requirements

If you manufacture hardware, connected consumer electronics, IoT devices, or develop commercial software sold in the European Union, a massive regulatory wave is about to hit your engineering team.

The EU Cyber Resilience Act (CRA) is the first EU-wide law to impose horizontal cybersecurity requirements on hardware and software products, and it reaches further than any previous product-security regulation.

Under the CRA, cybersecurity is no longer treated as a post-launch software update or a marketing feature. It has become a mandatory condition for CE Marking.

If your "product with digital elements" does not meet the CRA's security-by-design essential requirements, you cannot legally affix the CE Mark, and the product cannot be placed on the EU market. Penalties for non-compliance with the essential requirements are severe: administrative fines of up to €15 million or 2.5% of total worldwide annual turnover, whichever is higher.

To maintain EU market access, software and hardware product teams must master one of the CRA's core technical requirements: the Software Bill of Materials (SBOM).

1. What is a "Product with Digital Elements"?

The CRA applies to any "product with digital elements", meaning a software or hardware product (including its remote data-processing solutions and components placed on the market separately), whose intended purpose or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network.

This broad definition covers:

  • Hardware: Smart home appliances, connected toys, routers, smartwatches, and industrial machinery.
  • Software: Operating systems, firmware, mobile applications, and the remote data-processing back-ends (cloud services) a product needs in order to function. Stand-alone SaaS that is not part of a product's function falls under NIS2 rather than the CRA.

The law categorizes products by risk. Products not listed in the CRA's annexes (a smart lightbulb, for example) can be self-assessed by the manufacturer. "Important" products (Annex III, which includes VPN products, firewalls, operating systems, routers, password managers, and microprocessors with security-related functionality) and "critical" products (Annex IV, such as smart meter gateways and smartcards) face a stricter conformity assessment: important Class I products may still self-assess if they apply harmonised standards in full, while important Class II and critical products generally require a third-party assessment by a notified body (or certification under an EU cybersecurity certification scheme).

2. The Core Technical Requirement: What is an SBOM?

Just as a physical product has a Bill of Materials (BOM) listing its copper, plastic, and screws, a digital product must now have a Software Bill of Materials (SBOM).

An SBOM is a formal, machine-readable inventory of the software components, open-source libraries, and dependencies nested within your product's code, together with their versions, identifiers, and (in most formats) licensing details.

Why is the EU Mandating SBOMs?

Most software products rely heavily on open-source libraries. When a critical vulnerability (like the infamous Log4j flaw, CVE-2021-44228) is discovered in a widely used library, many manufacturers cannot quickly tell whether their products are affected, because they have no ingredient list for their own code, let alone for what their dependencies pull in.

The CRA (Annex I, Part II) therefore requires manufacturers to identify and document the vulnerabilities and components in their products, including by drawing up an SBOM in a commonly used, machine-readable format (such as SPDX or CycloneDX) that covers at the very least the product's top-level dependencies. The SBOM is part of the technical documentation; the regulation does not require it to be published, but market surveillance authorities can demand it.

What Your SBOM Must Include:

  • Component Name and Version: The exact name and version of every open-source library or third-party dependency, ideally with a standard identifier such as a package URL (purl) so it can be matched against vulnerability databases. The legal minimum is the top-level dependencies; in practice you want the full transitive tree, because that is where most vulnerable components hide.
  • Dependency Relationships: Explicit parent/child links between components (the "dependencies" section in CycloneDX, relationships in SPDX), so you can trace how a vulnerability in a nested library propagates up to your product.
  • Vulnerability Status: The SBOM itself is a component inventory; tracking known vulnerabilities (CVEs) against it is a separate, continuous obligation. In practice you match component identifiers against vulnerability feeds on every new advisory and record whether each finding actually affects the product, typically in a VEX (Vulnerability Exploitability eXchange) document that accompanies the SBOM.
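As an added illustration (not code from the original article, and not Sustalium's own tooling), the script below reads a small CycloneDX 1.5 JSON SBOM, checks the fields listed above, builds the dependency graph, and derives which components inherit a vulnerability from a nested library. The SBOM, the "acme-telemetry" library, and the advisory feed are constructed for the example; only the Log4j package and CVE identifier are real. A real pipeline would pull advisories from a vulnerability database rather than a hard-coded dictionary, and would honour purl qualifiers, which this simplified matcher ignores.

```python
"""Check a CycloneDX JSON SBOM for required fields and derive inherited vulnerability exposure."""
import json

# Constructed sample SBOM: a firmware image that depends on a hypothetical telemetry
# library, which in turn pulls in a vulnerable Log4j version. The vendored zlib entry
# deliberately lacks a version so the field check has something to report.
SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "metadata": {
    "component": {"type": "application", "name": "thermostat-firmware", "version": "3.2.0",
                  "purl": "pkg:generic/acme/thermostat-firmware@3.2.0",
                  "bom-ref": "pkg:generic/acme/thermostat-firmware@3.2.0"}
  },
  "components": [
    {"type": "library", "group": "com.example", "name": "acme-telemetry", "version": "1.4.0",
     "purl": "pkg:maven/com.example/acme-telemetry@1.4.0",
     "bom-ref": "pkg:maven/com.example/acme-telemetry@1.4.0"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
     "bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "zlib", "bom-ref": "zlib-vendored"}
  ],
  "dependencies": [
    {"ref": "pkg:generic/acme/thermostat-firmware@3.2.0",
     "dependsOn": ["pkg:maven/com.example/acme-telemetry@1.4.0", "zlib-vendored"]},
    {"ref": "pkg:maven/com.example/acme-telemetry@1.4.0",
     "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"]},
    {"ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1", "dependsOn": []},
    {"ref": "zlib-vendored", "dependsOn": []}
  ]
}
""")

# Constructed advisory feed: purl without version -> list of (affected version, CVE id).
# The CVE here is the real Log4Shell identifier; everything else is illustrative.
KNOWN_VULNS = {
    "pkg:maven/org.apache.logging.log4j/log4j-core": [("2.14.1", "CVE-2021-44228")],
}


def all_components(sbom):
    """Root component (from metadata) followed by every listed component."""
    comps = list(sbom.get("components", []))
    root = sbom.get("metadata", {}).get("component")
    return ([root] if root else []) + comps


def check_required_fields(sbom):
    """Report components missing a name, a version, or a usable identifier."""
    findings = []
    for c in all_components(sbom):
        ident = c.get("bom-ref") or c.get("purl") or c.get("name", "<unnamed>")
        for field in ("name", "version"):
            if not c.get(field):
                findings.append(f"{ident}: missing {field}")
        if not (c.get("purl") or c.get("bom-ref")):
            findings.append(f"{ident}: missing purl/bom-ref identifier")
    return findings


def dependency_graph(sbom):
    """Map each bom-ref to the refs it depends on; components without edges still appear."""
    graph = {}
    for d in sbom.get("dependencies", []):
        graph.setdefault(d["ref"], []).extend(d.get("dependsOn", []))
    for c in all_components(sbom):
        ref = c.get("bom-ref") or c.get("purl")
        if ref:
            graph.setdefault(ref, [])
    return graph


def vulnerable_components(sbom):
    """Match each component's purl against the advisory feed: {bom-ref: [CVE, ...]}."""
    hits = {}
    for c in all_components(sbom):
        purl = c.get("purl")
        if not purl:
            continue  # no standard identifier: cannot be matched automatically
        base, _, version = purl.rpartition("@")  # ignores purl qualifiers (simplification)
        for affected, cve in KNOWN_VULNS.get(base, []):
            if affected == version:
                hits.setdefault(c.get("bom-ref") or purl, []).append(cve)
    return hits


def inherited_exposure(sbom):
    """For every component, the CVEs reachable through its dependency chain, with the path."""
    graph, direct = dependency_graph(sbom), vulnerable_components(sbom)
    exposure = {}
    for start in graph:
        found, seen, stack = {}, set(), [(start, [start])]
        while stack:  # depth-first walk; 'seen' keeps cyclic graphs terminating
            node, path = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            for cve in direct.get(node, []):
                found.setdefault(cve, path)
            for dep in graph.get(node, []):
                stack.append((dep, path + [dep]))
        exposure[start] = found
    return exposure


if __name__ == "__main__":
    for finding in check_required_fields(SAMPLE_SBOM):
        print("FIELD CHECK:", finding)
    for ref, cves in inherited_exposure(SAMPLE_SBOM).items():
        for cve, path in cves.items():
            print(f"{cve} reaches {ref} via: {' -> '.join(path)}")
```

Running the script flags the versionless zlib entry and shows that CVE-2021-44228 reaches the firmware image through acme-telemetry, which is exactly the path a 24-hour early-warning notification and the follow-up fix need to identify. Re-running this check whenever the advisory feed or the SBOM changes is the "continuous monitoring" the later sections ask for.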

3. The 24-Hour Incident Reporting Mandate

Under the CRA, you cannot sit on a vulnerability. Article 14 imposes strict, mandatory reporting timelines, all counted from the moment you become aware of the issue:

  • Actively Exploited Vulnerabilities: If you become aware that a vulnerability in your product is being actively exploited, you must submit an early-warning notification within 24 hours to the CSIRT designated as coordinator in your Member State and to ENISA, through the single reporting platform ENISA operates.
  • Vulnerability Notification: Within 72 hours, a fuller notification must follow, describing the vulnerability, its severity and impact, any indicators of compromise, and the corrective or mitigating measures taken or available to users.
  • Final Report: No later than 14 days after a corrective or mitigating measure is available, a final report must describe the vulnerability, its root cause, and the remediation.

Severe incidents affecting the security of the product follow the same 24-hour and 72-hour steps, with a final report due within one month.

Furthermore, manufacturers must handle vulnerabilities and provide security updates free of charge throughout the product's support period. That period must reflect the time the product is expected to be in use and must be at least five years, unless the product is reasonably expected to be used for a shorter time; each security update must remain available for at least ten years after release or for the rest of the support period, whichever is longer.

4. The Path to Compliance: Integrating CRA with CE Marking

Because the CRA is integrated into the New Legislative Framework (NLF), your cybersecurity documentation cannot live in an isolated engineering silo. It must be woven directly into your standard European compliance processes.

Your EU Declaration of Conformity (DoC) must state that the CRA's essential requirements are fulfilled, and your technical documentation (what many manufacturers still call the Technical Construction File, or TCF) must house your machine-readable SBOMs, cybersecurity risk assessment, coordinated vulnerability disclosure policy, and the evidence of your conformity assessment.

The Risk of Static Software Development

Treating cybersecurity as a static, one-time check at product launch is a massive CRA liability. The regulation's vulnerability-handling requirements apply for the entire support period, not just at launch. If you ship a connected product and a critical open-source dependency turns out to be vulnerable two years later, you must be able to find it in your inventory, fix it, update your technical documentation, and, if the flaw is being actively exploited, report it within 24 hours. That is only possible with a system that continuously versions your SBOMs and monitors them against new advisories.

5. Automating Cyber Compliance with Sustalium

Engineering teams use specialized tools to scan code, while compliance teams manage legal paperwork in separate systems. This disconnect leads to massive regulatory gaps.

Sustalium’s CRA & CE Mark compliance software bridges this gap.

Our platform connects your software development workflows directly to your legal compliance records. You can upload machine-readable SBOMs (CycloneDX or SPDX formats) directly to your product's technical file. Sustalium securely stores your vulnerability disclosure policies, risk assessments, and software lifecycle data, generating the exact CRA-compliant Declarations of Conformity required by EU market surveillance authorities.

Future-Proof Your Connected Products

Don't let a missing software inventory block your products at the EU border. Streamline your cybersecurity documentation, protect your software supply chain, and guarantee compliance.

With Sustalium, you can generate a legally compliant, audit-ready CRA Conformity Statement and CE DoC for just €10.

Generate Your CRA Statement Now →

Frequently Asked Questions

When does the Cyber Resilience Act go into full effect? The CRA entered into force on 10 December 2024, and its obligations are phased in. The provisions on notified bodies apply from 11 June 2026, the mandatory reporting obligations for actively exploited vulnerabilities and severe incidents apply from 11 September 2026, and the full set of product design, SBOM, and vulnerability-handling requirements becomes mandatory on 11 December 2027.

Are open-source developers legally liable under the CRA? Generally no. The CRA does not apply to free and open-source software that is developed or supplied outside the course of a commercial activity, and it gives "open-source software stewards" (foundations and similar organisations that support such software) only a light-touch regime. However, when a commercial company integrates an open-source library into a product sold on the EU market, that company is the manufacturer of the product: it must exercise due diligence when integrating the component and it carries the full CRA obligations, including the vulnerability handling and reporting duties, for that open-source code as part of its product.



Last updated: June 5, 2026