Does the Cyber Resilience Act require an SBOM?
Direct answer
Yes. The Cyber Resilience Act requires manufacturers to identify and document a product's components, including by drawing up a software bill of materials in a commonly used, machine-readable format. The SBOM lives in the internal technical documentation; it does not have to be published publicly.
Key Facts
- Required by Annex I and included in the technical documentation (Annex VII).
- Must be machine-readable and cover the product's top-level dependencies.
- Held internally; disclosed to market surveillance authorities on justified request.
- No obligation to publish the SBOM publicly.
- Underpins the 24-hour reporting duty: you cannot report fast on components you cannot see.
Yes. Manufacturers must identify and document the components contained in the product, including by drawing up a software bill of materials in a commonly used and machine-readable format that covers at least the top-level dependencies (Annex I; Annex VII). The SBOM is part of the internal technical documentation. It must be made available to market surveillance authorities on justified request, but there is no requirement to publish it on your website or share it with customers. In practice the SBOM is what makes the 24-hour reporting clock survivable: when a vulnerability lands in a shared library, you can only report quickly if you already know which products ship that component.
Regulatory References