EU Cyber Resilience Act

Does the CRA require an SBOM?

Yes. The Cyber Resilience Act’s vulnerability-handling requirements (Annex I, Part II) expect manufacturers to maintain a software bill of materials — a machine-readable inventory of the product’s components — covering at least the top-level dependencies.

Format and scope

The SBOM must be in a commonly used, machine-readable format; CycloneDX and SPDX are the established choices. It should be kept current as the product changes, because it underpins vulnerability monitoring: you can only track CVEs against components you have inventoried.

An SBOM is necessary but not sufficient — it feeds the vulnerability-handling process, which also covers triage, remediation or justified non-remediation (VEX), and timely security updates.

Key points

  • Required by the CRA vulnerability-handling obligations (Annex I, Part II).
  • Machine-readable format — CycloneDX or SPDX.
  • At least top-level dependencies; keep it current.
  • Generate one free with the Normproof OSS CLI / GitHub Action.

Frequently asked questions

What is an SBOM and does the CRA require one?
An SBOM is a machine-readable inventory of a product’s software components. The CRA’s vulnerability-handling requirements expect manufacturers to produce and maintain one in a common format such as CycloneDX or SPDX.
Which SBOM format does the CRA require?
The CRA requires a commonly used, machine-readable format rather than naming one; CycloneDX and SPDX are the widely accepted options.

Related

General information about the EU Cyber Resilience Act — not legal advice. Normproof provides tooling and audit-ready evidence; the manufacturer self-declares conformity. For your specific product, run the free readiness check or consult a qualified advisor.

See exactly what the CRA requires for your product.

Run the free readiness check — your category, obligations, and deadlines in 60 seconds.