Thomas Cutuil
SBOM: what the CRA actually requires and how to prepare
Article 14, CRA, Cybersecurity, Firmware, Vulnerability management, SBOM

The SBOM (Software Bill of Materials) is required by Annex VII of the CRA, but its regulatory value goes beyond a documentary checkbox: without an up-to-date SBOM that can be correlated against vulnerability databases, the 24-hour Article 14 deadline is unmanageable. This article covers formats, minimum content, the challenges specific to embedded firmware, and what a viable SBOM looks like for an industrial SME without a full CI/CD pipeline.

 1 May 2026  12 min
Thomas Cutuil

Certification engineer — EU product compliance expert
