Software supply chain visibility is becoming part of product security work as the EU Cyber Resilience Act (CRA) moves toward application in December 2027. ENISA's SBOM Adoption State of Play 2026 shows organizations preparing for CRA obligations through SBOM tooling, automation, and changes to software development practices.

Level of SBOM adoption based on organisation size (Source: ENISA)
SBOMs move from best practice to requirement
The CRA requires manufacturers to create, maintain, and, where necessary, provide Software Bills of Materials for products with digital elements. The requirement places software supply chain transparency alongside other product security obligations and gives organizations a structured way to track software components and dependencies throughout a product's lifecycle.
An SBOM serves as an inventory of the components, libraries, dependencies, and licensing information that make up a software product. That visibility supports vulnerability management, supplier risk assessments, license compliance, and technical documentation.
SBOM programs are becoming part of broader product security efforts. Adoption is underway throughout the software ecosystem, especially in organizations that expect to fall within the scope of the CRA.
Adoption gains momentum
Most respondents said their organizations have already started implementing SBOM-related processes and capabilities.
The regulation is influencing investment decisions, with many organizations increasing spending on SBOM tooling and automation. Respondents expect significant progress before the CRA becomes applicable, driven by efforts to integrate software supply chain transparency into development and security practices.
Common uses include vulnerability management, software inventories, third-party risk assessments, and compliance activities.
Limited supplier visibility
SBOM generation is becoming part of software development workflows. Thirty-nine percent of respondents generate SBOMs during software builds, making build-time generation the most common approach.
The survey shows growing investment in automation. Respondents reported using tooling to generate, update, and maintain SBOMs throughout the product lifecycle in support of vulnerability handling, software inventory management, and compliance efforts.
Many respondents reported challenges obtaining SBOMs from suppliers, particularly for commercial software products acquired from third parties. Limited access to supplier SBOMs reduces visibility into components and dependencies that originate outside an organization's development environment.
These gaps affect a range of activities, including vulnerability assessment, software inventory management, incident response, and software supply chain risk assessments. Visibility into internally developed software is improving. Supplier transparency remains inconsistent.
Building complete SBOMs remains difficult
Generating an SBOM is only part of the process. Organizations need to ensure that the information is complete, accurate, and useful for security and compliance activities.
Sixty-two percent of respondents rated achieving a high degree of SBOM completeness as fairly difficult or extremely difficult. Tracking software components and dependencies throughout the development lifecycle requires substantial effort, particularly in complex software environments.
Data quality issues, vulnerability matching, and shortages of internal expertise slow adoption efforts. They can reduce the usefulness of SBOM data and make it harder to determine which software components are affected by newly disclosed vulnerabilities.
Organizations are looking for practical support to address these issues. Common requests include reference implementations, guidance on tool selection, conformance testing, and shared practices for integrating SBOMs into software development, risk management, and compliance processes.
