The European Parliament approved the EU’s Cyber Resilience Act (CRA) on March 12th.
The Council is expected to formalize its adoption in April. Therefore, CRA is all set to become effective in a phased transition starting in late 2025.
CRA seeks to protect consumers and businesses from products with inadequate security. To achieve this, CRA imposes cybersecurity obligations on all products with digital elements (‘PDE’) commercially sold in the EU markets.
The PDE broadly refers to software and connected devices.
CRA sets requirements for these products to -
- Ensure prioritizing security through the product’s lifecycle
- Meet specific essential cybersecurity requirements
- Plan for vulnerability management
- Provide security updates throughout the Product Cycle
- Notifying exploitability incidents to CISRT within 24 hours
- Build, maintain, and use SBOM for internal and regulatory submission
SBOM in CRA
- The CRA text implies that the Software Bill of Materials (SBOM) is a critical product security artifact for confidentially communicating vulnerability risks between market surveillance authorities (‘local regulators’) and product manufacturers.
(22) … Market surveillance authorities should be able to request manufacturers of categories of products with digital elements established by ADCO to submit the software bills of materials (SBOMs) that they have generated pursuant to this Regulation. In order to protect the confidentiality of SBOMs, market surveillance authorities should submit relevant information about dependencies to ADCO in an anonymised and aggregated manner.
2. SBOM is identified as the base artifact to build vulnerability analysis. SBOM is encouraged but optional to be made public. SBOM is also described as an artifact that helps track newly reported vulnerabilities and cybersecurity risks in the software supply chain.
(78) In order to facilitate vulnerability analysis, manufacturers should identify and document components contained in the products with digital elements, including by drawing up an SBOM. An SBOM can provide those who manufacture, purchase, and operate software with information that enhances their understanding of the supply chain, which has multiple benefits, in particular it helps manufacturers and users to track known newly emerged vulnerabilities and cybersecurity risks. It is of particular importance that manufacturers ensure that their products with digital elements do not contain vulnerable components developed by third parties. Manufacturers should not be obliged to make the SBOM public.
3. The actual SBOM format, minimum elements, and procedures for vulnerability and exploitability notifications in SBOM are left to a commission. In preparation, Germany’s Federal Office for Information Security (“BSI”) has already published Technical Guidance with TR-03183 here.
(119) In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission to specify the technical description of the categories of important products with digital elements set out in an annex to this Regulation, specify the format and elements of the SBOM, specify further the ▌ format and procedure of the notifications of actively exploited vulnerabilities and severe incidents having an impact on the security of products with digital elements submitted by manufacturers, establish common specifications covering technical requirements that provide a means to comply with the essential requirements ▌set out in an annex to this Regulation, ▌lay down technical specifications for labels, pictograms or any other marks related to the security of the products with digital elements, their support period and mechanisms to promote their use and to increase public awareness about the security of products with digital elements, specify the simplified documentation form targeted at the needs of microenterprises and small enterprises, and decide on corrective or restrictive measures at Union level in exceptional circumstances which justify an immediate intervention to preserve the proper functioning of the internal market. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council(34).
4. BSI’s TR-03183 refers to SBOM produced with CycloneDX 1.4 and up and SPDX 2.3 and up, leaving some flexibility in the depth of the SBOM.
CRA is still a month from adoption and more than a year and a half from the start of the implementation.
However, the approved CRA text deeply underscores SBOM’s critical role in describing, communicating, and monitoring product security risks.
