SynergyBit

SBOM and vulnerability management: the practical foundation of CRA compliance


The Cyber Resilience Act does not just require a product to be securely designed. It requires the manufacturer to be able to keep it secure throughout the support period – that is, to actively manage vulnerabilities. And that is impossible without one thing: visibility into what the product is actually made of.


What an SBOM is and why CRA requires it

An SBOM (Software Bill of Materials) is a structured, machine-readable inventory of the software components a product is built from, including third-party libraries and their dependencies. A modern product contains dozens to hundreds of them, and a large share of vulnerabilities are found in exactly those components rather than in the manufacturer's own code. CRA therefore requires one: Annex I asks manufacturers to identify and document the vulnerabilities and components contained in the product, including by drawing up an SBOM in a commonly used, machine-readable format that covers at least the product's top-level dependencies. The formats in common use are CycloneDX and SPDX.

How an SBOM helps in practice

The value of an SBOM shows the moment a new vulnerability is published for a widely used component. Without an SBOM the search begins: which of our products, in which versions, ship that library? With an up-to-date SBOM the answer is a query against the inventory and a matter of minutes. The caveat is "up-to-date": an SBOM generated from each release build stays accurate, while one maintained by hand drifts away from what is actually shipped. In practice an SBOM gives you:

  • a fast answer to which products and versions a new vulnerability affects,
  • input for deciding the priority and timing of fixes,
  • evidence for the technical documentation that you track components,
  • a basis for communicating with suppliers about their components.

Vulnerability management is not a one-off task

CRA requires vulnerability management throughout the product support period, which must reflect how long the product is expected to be in use and is in general at least five years. That means a continuous process, not a project with an end date. A working process usually includes:

  1. a channel for receiving vulnerability reports from researchers and users (coordinated vulnerability disclosure),
  2. triaging and assessing the severity of reported vulnerabilities,
  3. remediation through updates and their secure delivery to users,
  4. ongoing, automated tracking of SBOM components against vulnerability databases (such as the NVD or OSV), re-run on every build and on every new advisory.
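As an added worked example of step 4 and of the "which products ship that library?" question above (this is illustration code written for this page, not SynergyBit's tooling or any product's real data): a small Python script that parses CycloneDX JSON SBOMs for two constructed products and matches their components, by package URL and version range, against a constructed vulnerability feed. All product names, component names, versions and the HYPO-... identifiers are hypothetical; the affected-range semantics ([introduced, fixed)) loosely follow OSV, and the version comparison is a deliberately minimal stand-in for ecosystem-specific version rules.

```python
"""Match CycloneDX SBOMs against a vulnerability feed (added example).
All SBOMs, product/component names and HYPO-... identifiers below are
constructed for illustration; none refer to real products or advisories."""
import json
from collections import defaultdict

# Constructed CycloneDX 1.5 documents for two hypothetical products.
SBOM_GATEWAY = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"name": "edge-gateway", "version": "2.3.0"}},
    "components": [
        {"type": "library", "name": "examplecorp-tls", "version": "1.4.2",
         "purl": "pkg:generic/examplecorp-tls@1.4.2"},
        {"type": "library", "name": "jsonlite-x", "version": "0.9.1",
         "purl": "pkg:generic/jsonlite-x@0.9.1"},
    ],
})
SBOM_HUB = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"name": "sensor-hub", "version": "1.1.0"}},
    "components": [
        {"type": "library", "name": "examplecorp-tls", "version": "1.5.0",
         "purl": "pkg:generic/examplecorp-tls@1.5.0"},
        {"type": "library", "name": "jsonlite-x", "version": "0.8.0",
         "purl": "pkg:generic/jsonlite-x@0.8.0"},
        {"type": "library", "name": "fastlog-demo", "version": "3.0.0",
         "purl": "pkg:generic/fastlog-demo@3.0.0"},
    ],
})

# Constructed vulnerability records. Affected range is [introduced, fixed);
# fixed=None means no fixed release exists yet (shape loosely follows OSV).
VULNS = [
    {"id": "HYPO-2025-0001", "purl": "pkg:generic/examplecorp-tls",
     "introduced": "1.0.0", "fixed": "1.4.5", "severity": "high"},
    {"id": "HYPO-2025-0002", "purl": "pkg:generic/jsonlite-x",
     "introduced": "0.8.0", "fixed": "0.9.0", "severity": "medium"},
    {"id": "HYPO-2025-0003", "purl": "pkg:generic/fastlog-demo",
     "introduced": "0", "fixed": None, "severity": "critical"},
]


def split_purl(purl):
    """Return (base, version) of a package URL, dropping qualifiers and subpath."""
    core = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" in core:
        base, version = core.rsplit("@", 1)
        return base, version
    return core, None


def version_key(version):
    """Comparable key for dotted numeric versions with an optional pre-release
    suffix ('1.4.2-rc1' < '1.4.2'). Real tooling must use ecosystem rules."""
    core, _, pre = version.partition("-")
    return (tuple(int(p) for p in core.split(".")), 0 if pre else 1, pre)


def in_range(version, introduced, fixed):
    """True if introduced <= version < fixed (fixed=None: no upper bound yet)."""
    v = version_key(version)
    if v < version_key(introduced):
        return False
    return fixed is None or v < version_key(fixed)


def load_sbom(sbom_json):
    """Parse a CycloneDX JSON SBOM into ('name version', [(purl base, version)])."""
    doc = json.loads(sbom_json)
    prod = doc["metadata"]["component"]
    comps = []
    for c in doc.get("components", []):
        base, ver = split_purl(c["purl"])
        comps.append((base, ver or c.get("version")))
    return f"{prod['name']} {prod['version']}", comps


def products_using(sboms, purl_base):
    """'Which products ship this library?' -> [(product, component version)]."""
    return [(label, ver) for label, comps in map(load_sbom, sboms)
            for base, ver in comps if base == purl_base]


def affected_products(sboms, vulns):
    """Map vulnerability id -> products whose SBOM lists an affected version."""
    inventory = [load_sbom(s) for s in sboms]
    matches = defaultdict(list)
    for v in vulns:
        for label, comps in inventory:
            for base, ver in comps:
                if base == v["purl"] and in_range(ver, v["introduced"], v["fixed"]):
                    matches[v["id"]].append({"product": label, "component": base,
                                             "version": ver, "severity": v["severity"]})
    return dict(matches)


if __name__ == "__main__":
    # Triage view: one line per (vulnerability, affected product).
    for vid, rows in affected_products([SBOM_GATEWAY, SBOM_HUB], VULNS).items():
        for r in rows:
            print(f"{vid:15} {r['severity']:9} {r['product']:20} {r['component']}@{r['version']}")
```

Matching on the package URL rather than on the free-text component name is the design choice worth copying: purls are what CycloneDX and SPDX tooling and feeds such as OSV key on, so a name collision between two unrelated libraries does not produce a false match. The version comparison is the part to replace in real use, since npm, PyPI, Maven and Debian each have their own ordering rules.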

The reporting obligation from September 2026

Vulnerability management is followed by the reporting obligation. From 11 September 2026 manufacturers must report any actively exploited vulnerability in their product, and any severe incident affecting its security, via the single reporting platform to the CSIRT designated as coordinator and to ENISA, within set deadlines that start with an early warning within 24 hours of becoming aware. Those deadlines are only achievable if the process, the roles and the report templates are in place before a real situation arises.

Key takeaways

  • An SBOM is an inventory of a product's components – the core of vulnerability management under CRA.
  • It lets you find out within minutes which products a new vulnerability affects.
  • Vulnerability management is a continuous process for the whole support period (generally 5+ years).
  • The reporting obligation towards ENISA applies from 11 Sep 2026 – the processes must be ready earlier.
