The EU Cyber Resilience Act (CRA) is reshaping global expectations for software security – and putting Software Bill of Materials (SBOMs) at the center of compliance. In this episode, Shinobi and Gen break down what the CRA requires, how it compares to U.S. regulations, and what engineering and legal teams must do now to stay ahead. Whether you’re shipping to Europe or just want to future-proof your software supply chain, this episode will help you understand what a complete, compliant, and consumable SBOM really looks like.



[0:08] Shinobi: Hey everyone, welcome back to another episode of Sushi Bites, the AI powered podcast where software supply chain integrity gets the spotlight it deserves. I’m Shinobi Ninja by name, SBOM expert by nature.
[0:22] Gen: And I’m Gen, compliance nerd and part time translator of EU regulatory frameworks. Today we’re taking on a big one, the Cyber Resilience Act.
[0:32] Shinobi: Yep, the CRA is about to shake up how software is built, shipped and secured, especially if your users are in the EU.
[0:41] Gen: And spoiler alert, if you thought SBOMs were just a nice to have, buckle up, they’re about to become mandatory.
[0:48] Shinobi: The Cyber Resilience Act, or CRA, is the European Union’s sweeping legislation aimed at improving the cyber security of “products with digital elements”. That includes software and physical products that contain software.
[1:01] Gen: Think of it as the GDPR of software security, only instead of data privacy, it’s about provenance and vulnerability handling. And yes, that means SBOMs.
[1:13] Shinobi: Yeah, it looks like under the CRA, software teams will have to provide detailed information about the components inside their applications and not simply the open source pieces.
[1:24] Gen: Which means if you’re shipping software into the EU, you’ll need an SBOM. Not just any will do: a complete, consumable and compliant Software Bill of Materials.
Now, if you’re dealing with the US, this might sound familiar. The Executive Order 14028 already nudged federal contractors toward SBOM adoption.
[1:46] Shinobi: But the CRA is going further and faster. It applies broadly to software vendors and embedded system manufacturers. It has legal enforcement mechanisms, and it defines how vulnerabilities should be disclosed and handled within specific timeframes.
[2:00] Gen: So while the US is nudging, the EU is mandating.
[2:04] Shinobi: And for global dev teams, that means you’ll need to step up your compliance efforts. Not just “policy on paper”, but “process and practice”!
[2:12] Gen: That’s right. I heard Gary Armstrong of FossID mention that in a webinar last week – too many teams write up the policy and call it a day. But Step 2 is process and Step 3 is evidence. All right, so let’s get practical, Shinobi. What does a CRA-ready SBOM actually need?
[2:32] Shinobi: For starters, it must be:
- Machine readable, think SPDX or CycloneDX.
- Importantly, it must also be comprehensive (including open source and commercial components).
- Linked to known vulnerabilities from central databases like CVE, along with VEX information for context.
- And it must be up to date, include provenance, be version specific and traceable to the build process.
[2:58] Gen: Oh, and you need to be ready to share it with regulators and such authorities, either shipped with the product or available upon request.
The tough part might be SBOM “management”: to control versioning and also types, source SBOM versus build SBOM for example, and being able to share the right one with the right recipient. I hear industry leaders saying SBOM management tools, not just SBOM generation, are going to be a game changer.
[3:26] Shinobi: That’ll be interesting, and I just want to double click on this one again. Incomplete SBOMs are as risky as no SBOMs. If your tooling only lists top level packages that are listed in a package manager, you’re missing a lot: internal forks (aka “drift”), copy-pasted or AI-generated snippets of libraries, and whatever commercial components you also have.
[3:49] Gen: Definitely, and the CRA goes into effect in phases, but the compliance pressure is already rising as this legislation has been in the works for a while, so everyone knows it’s coming.
[4:00] Shinobi: That’s right, Gen, if you wait until the last minute to implement full SBOM generation and vulnerability handling, you’ll be playing catch up under regulatory scrutiny.
[4:09] Gen: And let’s be real, retrofitting compliance under pressure is way harder than baking it into your workflow now.
[4:17] Shinobi: Especially if you’re selling into medical, industrial or IoT markets where the CRA will hit hardest.
[4:23] Gen: So let’s recap for the audience, Shinobi. What should teams be doing today?
[4:29] Shinobi: Start by auditing your current SBOM capabilities:
- First, are you scanning for all third-party components? Not just open source listed in the package manager, but also commercial software, and not just complete unaltered stuff: find the modified and forked components too.
- Second, can you consolidate and output SPDX or CycloneDX formats automatically, and does that include modified and forked components too?
- Third, are vulnerabilities tied to real component metadata, along with VEX context?
- And fourth, can your legal team easily trace provenance and license obligations to specific files?
[5:10] Gen: If not, it might be time to upgrade your tooling or ask your SCA partner how to tune your setup.
[5:17] Shinobi: Yep, the Cyber Resilience Act is going to raise the bar for software transparency, and SBOMs are front and center as the key form of evidence that your process matches your policy.
[5:27] Gen: Alright, and it looks like we’re out of time. Thanks for tuning in to Sushi Bites. We’ll be back soon with more hot takes on software risk, open source compliance, and how to stay one step ahead of the regulations.
[5:39] Shinobi: That’s right! OK, rolling out. Bye everyone.