
"SBOMs have become the litmus test of knowing what goes into your software. The EU Cyber Resilience Act applies to any product with digital elements, deliberately catch-all phrasing covering anything that connects to the internet. CRA is not about fines. They can actually block sales. Your products can be blocked from the European market."
"US Executive Order 14028, signed in 2021, made SBOMs a procurement condition for any organisation selling software to the federal government. The FDA requires them for medical devices sold in the US market, and PCI-DSS 4.0 mandates SBOM production for companies in the payment card industry. SOC 2 and ISO frameworks are predicted to follow."
Viktor Petersson, founder of sbomify, presented at QCon London 2026 on the critical need for Software Bills of Materials adoption. The EU Cyber Resilience Act applies to any product with digital elements and can block products from European markets, not just impose fines. Enforcement begins September 2026, with full compliance required by December 2027. US regulations include Executive Order 14028 for federal government software procurement, FDA requirements for medical devices, and PCI-DSS 4.0 mandates for payment card companies. Additional frameworks such as SOC 2 and ISO standards are expected to follow. Two dominant SBOM standards exist, SPDX and a second format with overlapping scope. High-quality SBOM generation and proper artifact distribution are essential for compliance.
Read at InfoQ