SBOMs Take Center Stage in the EU’s Cyber Resilience Act

Your Guide to the CRA: Learn how this EU regulation enhances the security of digital products and services while elevating the importance of SBOMs to secure software supply chains.

The introduction of the Cyber Resilience Act (CRA) in the EU is significant — not only for the cybersecurity of digital products, but also in terms of how Software Bills of Materials (SBOMs) will be leveraged by organizations across Member States moving forward. We’ll explore why in this blog post.

What is the Cyber Resilience Act?

The Cyber Resilience Act (CRA) is a landmark piece of EU legislation, proposed in September 2022 and slated for passage in spring 2024. Unlike the NIS2 Directive, which is more concerned with the operational aspects of cybersecurity, the CRA focuses on enhancing the cybersecurity of products with digital elements across the EU. While the act is still a proposal and subject to changes before final adoption, its key characteristics include:

1. More comprehensive cybersecurity coverage

The CRA aims to ensure a high common level of cybersecurity across all hardware and software products with digital elements sold in the EU market. It seeks to cover the entire lifecycle of these products — starting all the way from design and development.

“Two main objectives were identified aiming to ensure the proper functioning of the internal market: (1) create conditions for the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and ensure that manufacturers take security seriously throughout a product’s life cycle; and (2) create conditions allowing users to take cybersecurity into account when selecting and using products with digital elements (page 1).”

2. Increased transparency for customers

The CRA mandates greater transparency for consumers and users regarding the cybersecurity features and vulnerabilities of products. Manufacturers will need to provide accessible information about the cybersecurity measures implemented, including the duration of security support and updates.

“Four specific objectives were set out: (i) ensure that manufacturers improve the security of products with digital elements since the design and development phase and throughout the whole life cycle; (ii) ensure a coherent cybersecurity framework, facilitating compliance for hardware and software producers; (iii) enhance the transparency of security properties of products with digital elements, and (iv) enable businesses and consumers to use products with digital elements securely (page 1).”

“...descriptions of procedures in accordance with which conformity assessment is carried out, ensuring the transparency and the ability of reproduction of those procedures. It shall have appropriate policies and procedures in place that distinguish between tasks it carries out as a notified body and other activities (page 51).”

3. Enforcement of compliance measures

The act establishes a framework for market surveillance and enforcement to ensure compliance with its provisions. This includes mechanisms for detecting and responding to non-compliant products, as outlined below:

“In order to ensure effective enforcement of the obligations laid down in this Regulation, each market surveillance authority should have the power to impose or request the imposition of administrative fines. In the same vein, this Regulation establishes maximum levels for administrative fines that should be provided in national laws for non-compliance with the obligations laid down in this Regulation (page 12).”

What are the implications of the CRA on SBOMs?

At the heart of the CRA are SBOMs, which are cited as a tool critical to maintaining both compliance and uniformity around cybersecurity practices. There are two particularly critical roles SBOMs will play in the context of this act:

  1. Manufacturers will be strongly encouraged to use SBOMs. In the Cyber Resilience Act, SBOMs are highlighted as tools for manufacturers and users to identify and manage vulnerabilities in digital products — with the goal of preventing the inclusion of insecure third-party components. According to the act:

    “...manufacturers should identify and document components contained in the products with digital elements, including by drawing up a software bill of materials. A software bill of materials can provide those who manufacture, purchase, and operate software with information that enhances their understanding of the supply chain, which has multiple benefits, most notably it helps manufacturers and users to track known newly emerged vulnerabilities and risks. It is of particular importance for manufacturers to ensure that their products do not contain vulnerable components developed by third parties (page 23).”

  2. The European Commission will have the power to regulate SBOMs. The act also grants the European Commission the power to define SBOMs' format and elements, ensuring uniform cybersecurity practices across the EU. According to the CRA:

    “The Commission is also empowered to adopt implementing acts to: specify the format or elements of the reporting obligations and of the software bill of materials; specify the European cybersecurity certification schemes that can be used to demonstrate conformity with the essential requirements or parts thereof as set out in this Regulation; adopt common specifications; lay down technical specifications for the affixing of CE marking; adopt corrective or restrictive measures at Union level in exceptional circumstances which justify an immediate intervention to preserve the good functioning of the internal market (page 11).”
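The first role above, using an SBOM to spot vulnerable third-party components, is illustrated by the following added example; it is not code from the original post or from any CRA implementing act. Since the CRA leaves the SBOM format to later implementing acts, a minimal CycloneDX-style JSON document is assumed here, and the SBOM contents, package names and advisory identifiers are all constructed for illustration.

```python
import json
from typing import Dict, List, Tuple

# Constructed, minimal CycloneDX-style SBOM for a hypothetical product.
# The CRA does not fix the SBOM format; CycloneDX JSON is assumed here
# purely for illustration.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"name": "example-gateway", "version": "2.3.0"}},
  "components": [
    {"type": "library", "name": "liblog", "version": "1.4.2",
     "purl": "pkg:generic/liblog@1.4.2"},
    {"type": "library", "name": "netparse", "version": "0.9.1",
     "purl": "pkg:generic/netparse@0.9.1"},
    {"type": "library", "name": "tlsutil", "version": "3.0.0",
     "purl": "pkg:generic/tlsutil@3.0.0"}
  ]
}
"""

# Constructed advisory feed: package name -> list of (advisory id, first fixed version).
# Every version strictly below the fixed version is treated as affected.
ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "liblog": [("EXAMPLE-ADV-0001", "1.4.3")],
    "netparse": [("EXAMPLE-ADV-0002", "0.9.1")],  # already fixed in 0.9.1
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version string into a comparable tuple."""
    return tuple(int(part) for part in v.split("."))


def find_vulnerable_components(sbom_json: str, advisories: Dict[str, List[Tuple[str, str]]]) -> List[Tuple[str, str, str]]:
    """Return (component, version, advisory id) for each SBOM entry still affected."""
    sbom = json.loads(sbom_json)
    findings: List[Tuple[str, str, str]] = []
    for comp in sbom.get("components", []):
        name, version = comp["name"], comp["version"]
        for adv_id, fixed_in in advisories.get(name, []):
            if parse_version(version) < parse_version(fixed_in):
                findings.append((name, version, adv_id))
    return findings


if __name__ == "__main__":
    for name, version, adv in find_vulnerable_components(SBOM_JSON, ADVISORIES):
        print(f"{name} {version} is affected by {adv}")
```

In practice the advisory dictionary would be replaced by a live vulnerability feed keyed on package URLs, and the check re-run whenever either the SBOM or the feed changes, which is what lets manufacturers track newly emerged vulnerabilities over a product's lifecycle.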

The integration of CRA into the EU's cybersecurity framework not only enhances the security of digital products and services but also elevates the importance of SBOMs. As this regulation evolves, SBOMs will increasingly become vital tools for organizations to ensure compliance and meet cybersecurity standards.
