ENISA finds Cyber Resilience Act driving SBOM adoption across industries

SBOM adoption is advancing, but data quality, skills, and completeness gaps remain, according to ENISA’s findings.

ENISA report on SBOM adoption, Cyber Resilience Act readiness and software supply chain security

The European Union Agency for Cybersecurity (ENISA) has published a report on Software Bill of Materials (SBOM) adoption, finding that the Cyber Resilience Act (CRA) is accelerating investment in software supply chain transparency across organisations. The report, titled ‘SBOM Adoption State of Play – 2026’, analyses survey results gathered at the end of 2025.

The survey examined how organisations of different sizes and across multiple sectors are approaching SBOM adoption in response to the Cyber Resilience Act. ENISA said the regulation is transforming SBOMs from a voluntary software supply chain security practice into a mandatory requirement for products with digital elements placed on the EU market.

The report found that 78% of respondents had already begun implementing SBOMs, while 44% were in a pilot or limited deployment phase. ENISA also said 79% of organisations expect to reach the necessary SBOM maturity level by the time the Cyber Resilience Act becomes fully applicable in December 2027.

Organisations are investing in SBOM generation, automation, and integration into the software development lifecycle. Respondents cited benefits including risk reduction, cost avoidance, operational efficiency, regulatory compliance, contractual alignment and competitive advantage.

ENISA also identified barriers to the adoption of SBOMs at scale. Key challenges include achieving greater SBOM completeness, improving data quality, correlating vulnerabilities, obtaining SBOMs from suppliers and third parties, and developing the necessary internal expertise and staffing.

The report says further progress will depend on shared implementation practices, supplier transparency, workforce capabilities, and clearer integration of SBOMs into operational risk management. ENISA said organisations would also benefit from external support, including reference implementations, tool-selection guidance, conformance testing, standardised formats and clearer definitions of what constitutes a sufficiently complete SBOM.

Why does it matter?

Software supply chains have become a major cybersecurity concern as organisations increasingly rely on complex networks of open-source and third-party components. SBOMs provide visibility into the software components used within products, helping organisations identify vulnerabilities, assess risks and respond more effectively to security incidents.
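The visibility described above only delivers value when each SBOM entry is complete enough to be matched against a vulnerability source, which is exactly the completeness, data-quality and vulnerability-correlation gap the report lists among its barriers. The script below is an added example, not code from ENISA, the report or any vendor tool: it parses a constructed CycloneDX-style JSON SBOM, flags components that lack a name, version or package URL (purl), and correlates the complete ones against a constructed advisory table keyed by purl. The required-field list, the package names and the advisory identifiers (ADV-0001, ADV-0002) are all assumptions made for illustration; in practice the feed would be a vulnerability database such as OSV or the NVD.

```python
import json

# Constructed CycloneDX-style SBOM (not a real product's SBOM). Two entries
# are deliberately incomplete: "helperlib" has no version and a version-less
# purl, "internal-crypto" has no purl at all.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "examplelib", "version": "1.2.3",
     "purl": "pkg:pypi/examplelib@1.2.3"},
    {"type": "library", "name": "widget", "version": "2.0.0",
     "purl": "pkg:npm/widget@2.0.0?vcs_url=git%2Bhttps://example.invalid/widget.git"},
    {"type": "library", "name": "helperlib", "purl": "pkg:npm/helperlib"},
    {"type": "library", "name": "internal-crypto", "version": "1.0.0"}
  ]
}
"""

# Constructed advisory table: purl (without qualifiers) -> advisory ids.
# The ADV-* identifiers are placeholders, not real CVE numbers.
VULN_FEED = {
    "pkg:pypi/examplelib@1.2.3": ["ADV-0001"],
    "pkg:npm/widget@2.0.0": ["ADV-0002"],
}

# Assumed minimum for a "sufficiently complete" entry (an assumption, not
# the report's definition).
REQUIRED_FIELDS = ("name", "version", "purl")


def normalise_purl(purl: str) -> str:
    """Drop purl qualifiers ('?...') and subpath ('#...') so lookups key on
    type/namespace/name@version only."""
    return purl.split("?", 1)[0].split("#", 1)[0]


def check_completeness(components):
    """Return [(component_name, [missing fields])] for every component that
    lacks a REQUIRED_FIELDS entry or whose purl carries no '@version'."""
    gaps = []
    for comp in components:
        missing = [f for f in REQUIRED_FIELDS if not comp.get(f)]
        purl = comp.get("purl")
        if purl and "@" not in normalise_purl(purl):
            missing.append("purl version")
        if missing:
            gaps.append((comp.get("name", "<unnamed>"), missing))
    return gaps


def correlate(components, feed):
    """Match components with a versioned purl against the feed. Returns
    (findings, unassessable): findings maps normalised purl -> advisory ids,
    unassessable names the components that cannot be looked up at all."""
    findings, unassessable = {}, []
    for comp in components:
        purl = comp.get("purl")
        if not purl or "@" not in normalise_purl(purl):
            unassessable.append(comp.get("name", "<unnamed>"))
            continue
        key = normalise_purl(purl)
        if key in feed:
            findings[key] = list(feed[key])
    return findings, unassessable


def assess(sbom_json: str, feed):
    """Parse the SBOM, run the completeness check and the correlation, and
    return a summary dict suitable for a CI gate or a supplier review."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    components = doc.get("components", [])
    gaps = check_completeness(components)
    findings, unassessable = correlate(components, feed)
    return {
        "total": len(components),
        "complete": len(components) - len(gaps),
        "gaps": gaps,
        "findings": findings,
        "unassessable": unassessable,
    }


if __name__ == "__main__":
    print(json.dumps(assess(SBOM_JSON, VULN_FEED), indent=2))
```

The point the output makes is that the two incomplete entries are not merely untidy: they cannot be correlated with any advisory source, so an SBOM that passes a format check can still leave part of the product unassessable. The "unassessable" list is the item to hand back to a supplier.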

The report highlights how the Cyber Resilience Act is driving a shift from voluntary software transparency practices to formal compliance requirements. The findings also illustrate that while adoption is progressing, organisations continue to face technical, organisational and supply-chain challenges that could influence the effectiveness of future software security efforts.
