Software Supply Chains Face Crucial Transparency Challenges
Software supply chain visibility is becoming a core component of product security strategies as the EU Cyber Resilience Act (CRA) approaches implementation in December 2027.
SBOM Adoption State of Play 2026
A report by ENISA titled SBOM Adoption State of Play 2026 highlights how organizations are addressing CRA mandates through the use of SBOM tools, automated processes, and modifications to software development workflows.
SBOMs Transition from Optional to Mandatory
The report outlines the current state of SBOM adoption across different organizational sizes. SBOMs transition from optional practices to mandatory requirements under the CRA. The regulation compels manufacturers to create, maintain, and provide Software Bills of Materials for products containing digital elements.
SBOM Function and Integration
This obligation positions software supply chain transparency alongside other product security mandates, offering a systematic approach to track components and dependencies throughout a product’s lifecycle. An SBOM functions as an inventory of elements such as libraries, dependencies, and licensing details that constitute a software product.
Adoption and Challenges
SBOM initiatives are now integrated into broader product security frameworks. Adoption is expanding across the software ecosystem, particularly among entities anticipating CRA compliance, and it accelerates as organizations put SBOM-related processes in place.
Regulatory Impact and Industry Response
The regulation is influencing financial allocations, with many entities increasing investments in SBOM tools and automation. Respondents anticipate substantial progress before the CRA takes effect, driven by efforts to embed supply chain transparency into development and security protocols.
Common Applications and Limitations
Common applications include vulnerability mitigation, software inventory tracking, third-party risk evaluations, and regulatory compliance. SBOM generation is being incorporated into software development workflows, yet limited visibility into suppliers' components persists despite these advancements.
Supplier Transparency Gaps
Thirty-nine percent of respondents generate SBOMs during software builds, making this the predominant method. The survey indicates rising automation investments. Organizations report utilizing tools to produce, update, and sustain SBOMs across the product lifecycle to support vulnerability management, inventory control, and compliance.
Challenges in SBOM Implementation
Many face difficulties in acquiring SBOMs from suppliers, especially for commercial software obtained through third parties. Restricted access to supplier SBOMs limits insight into components and dependencies originating outside an organization’s internal environment.
Data Quality and Resource Constraints
Visibility for internally developed software is improving, but supplier transparency remains uneven. Constructing comprehensive SBOMs remains challenging. Generating an SBOM is only part of the process.
Barriers to Completeness
Organizations must ensure the data is complete, accurate, and applicable for security and compliance purposes. Sixty-two percent of respondents described achieving high SBOM completeness as moderately or extremely difficult. Tracking components and dependencies across complex development lifecycles demands significant resources.
Call for Practical Support
Issues with data quality, vulnerability correlation, and a lack of internal expertise hinder adoption. These obstacles reduce the utility of SBOM data and complicate the identification of affected software components during new vulnerability disclosures.
Requests for Guidance
Organizations seek practical assistance to address these challenges. Common requests include reference implementations, guidance on tool selection, conformance testing, and shared methodologies for integrating SBOMs into development, risk management, and compliance workflows.
