CRA SBOM and CBOM

SBOM and CBOM Processes for CRA (Cyber Resilience Act)
The European Union’s Cyber Resilience Act (CRA) introduces a new approach to cybersecurity by requiring manufacturers, software vendors, and service providers to demonstrate that digital products are secure throughout their entire lifecycle. Two of the most important artefacts supporting CRA compliance are the Software Bill of Materials (SBOM) and the Cybersecurity Bill of Materials (CBOM). While the SBOM focuses on software components and dependencies, the CBOM extends visibility to security controls, cryptographic assets, hardware trust anchors, firmware, and other cybersecurity-related elements.
An SBOM is essentially a detailed inventory of all software components that make up a product. It identifies every library, framework, package, and dependency used during development. For example, a connected device may contain OpenSSL for encryption, libcurl for network communications, zlib for compression, SQLite for local storage, and numerous third-party packages. The SBOM documents these components, their versions, suppliers, licenses, and relationships to one another. This creates transparency throughout the software supply chain and enables organizations to quickly identify whether a vulnerability affects their products.
The SBOM process begins during the software development lifecycle. Development teams collect information about every software component integrated into the product. Modern Software Composition Analysis (SCA) tools can automatically scan source code, build environments, and package repositories to generate an accurate inventory. This inventory is then enriched with metadata such as component names, version numbers, suppliers, licensing information, cryptographic usage, and dependency relationships. Once generated, the SBOM becomes a living document that is continuously updated as software evolves.
Under CRA requirements, maintaining an accurate SBOM is critical because organizations must be able to assess vulnerabilities and manage cybersecurity risks throughout the product lifecycle. When a new vulnerability is announced, such as a flaw in OpenSSL, manufacturers can immediately search their SBOMs to determine which products contain the affected version. This dramatically reduces response times and improves vulnerability management processes. Rather than manually investigating hundreds of systems, organizations gain instant visibility into their software estate.
The CBOM builds upon the SBOM by documenting the security architecture and cybersecurity capabilities of a product. Whereas the SBOM answers the question, “What software is inside this product?”, the CBOM answers, “How is this product protected?” The CBOM includes inventories of cryptographic modules, hardware security components, authentication mechanisms, secure boot processes, firmware update systems, API security controls, encryption technologies, logging systems, and trust anchors.
The CBOM process starts by identifying all security-relevant assets within the product architecture. Security teams document components such as API gateways, identity providers, multi-factor authentication systems, encryption services, Hardware Roots of Trust, Trusted Platform Modules (TPMs), secure elements, secure boot chains, and firmware update mechanisms. Each component is recorded together with its purpose, configuration, ownership, dependencies, and security relevance. This creates a comprehensive map of the product’s cybersecurity posture.
A practical CBOM for an IoT device might include an API Gateway responsible for controlling external communications, AES-256 encryption protecting stored data, TLS certificates securing communications, OAuth authentication services managing user access, a secure firmware update service enabling over-the-air updates, and a hardware security module safeguarding cryptographic keys. By documenting these elements, organizations gain a clear understanding of how cybersecurity functions are implemented across the product.
One of the most important aspects of the CBOM under the CRA is cryptographic visibility. As the European Union prepares for the transition to Post-Quantum Cryptography (PQC), manufacturers must understand where cryptographic algorithms are deployed within their products. The CBOM provides this visibility by cataloguing algorithms, key lengths, certificate chains, cryptographic libraries, and security protocols. This information becomes essential when organizations need to migrate from traditional algorithms to quantum-resistant alternatives.
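The two lookups described above (which products embed a vulnerable component version, and which cryptographic assets need a PQC migration plan) as an added Python example; this is not code from the original article, and the product names, versions, algorithms and the advisory's fixed version are all constructed.

```python
"""Added example (not from the original article): a minimal SBOM/CBOM inventory
with the two queries the text describes. All product names, versions and the
advisory values below are constructed, not real products or CVEs."""
from typing import Dict, List

# Constructed inventory: one SBOM (software components) and one CBOM
# (cryptographic assets) per product.  Versions are plain "x.y.z" strings.
PRODUCTS: Dict[str, dict] = {
    "gateway-a": {
        "sbom": [("openssl", "3.0.8"), ("libcurl", "8.4.0"), ("zlib", "1.3")],
        "cbom": [{"algo": "RSA", "bits": 2048, "use": "TLS server key"},
                 {"algo": "AES", "bits": 256, "use": "data-at-rest"}],
    },
    "sensor-b": {
        "sbom": [("openssl", "3.2.1"), ("sqlite", "3.45.0")],
        "cbom": [{"algo": "ECDSA", "bits": 256, "use": "firmware signing"},
                 {"algo": "SHA-256", "bits": 256, "use": "integrity hash"}],
    },
}
# Public-key schemes broken by a large quantum computer (Shor's algorithm);
# symmetric ciphers and hashes such as AES-256 and SHA-256 are not listed.
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "ECDH", "DSA", "DH"}

def parse_version(v: str):
    """'3.0.8' -> (3, 0, 8) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def products_affected(component: str, fixed_in: str) -> List[str]:
    """Products whose SBOM lists `component` at a version older than `fixed_in`.
    Real advisories give affected ranges; 'older than the fix' is a simplification."""
    fixed = parse_version(fixed_in)
    hits = []
    for product, boms in PRODUCTS.items():
        for name, version in boms["sbom"]:
            if name == component and parse_version(version) < fixed:
                hits.append(product)
    return sorted(hits)

def pqc_migration_candidates() -> List[str]:
    """'product:algo-bits:use' for every quantum-vulnerable asset in the CBOMs."""
    out = []
    for product, boms in PRODUCTS.items():
        for asset in boms["cbom"]:
            if asset["algo"] in QUANTUM_VULNERABLE:
                out.append(f"{product}:{asset['algo']}-{asset['bits']}:{asset['use']}")
    return out

if __name__ == "__main__":
    # Hypothetical advisory: openssl fixed in 3.0.9 (constructed, not a real CVE)
    print(products_affected("openssl", "3.0.9"))   # ['gateway-a']
    print(pqc_migration_candidates())
```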
The SBOM and CBOM processes work together throughout the product lifecycle. During development, both inventories are generated and maintained as part of secure-by-design practices. During testing, they support security assessments, penetration testing, and compliance reviews. During deployment, they provide transparency for customers and regulators. During operations, they enable vulnerability management, incident response, and risk assessment. Finally, during product retirement, they help organizations understand residual risks and support secure decommissioning procedures.
For CRA compliance, organizations should treat SBOMs and CBOMs as living documents rather than one-time deliverables. Every software update, firmware release, security enhancement, or architectural change should trigger a review and update of both inventories. Automated tooling can significantly reduce the effort required to maintain accuracy while ensuring that documentation remains aligned with the actual product configuration.
From a governance perspective, the SBOM supports software supply chain management, vulnerability tracking, and dependency analysis. The CBOM supports security architecture management, risk assessment, compliance reporting, and cybersecurity assurance. Together they provide a comprehensive view of what a product contains and how it is protected. This combined visibility aligns closely with the CRA’s objective of creating secure, transparent, and resilient digital products within the European market.
Ultimately, the value of SBOMs and CBOMs extends beyond regulatory compliance. Organizations that maintain accurate inventories gain faster vulnerability response capabilities, improved risk management, greater supply chain transparency, and stronger cybersecurity governance. As CRA requirements mature and Post-Quantum Cryptography adoption increases, SBOMs and CBOMs will become foundational elements of cybersecurity programs across Europe and globally.