ENISA Report Shows SBOM Adoption Accelerating Ahead of EU Cyber Resilience Act Deadline
A new ENISA report finds that organizations are ramping up Software Bill of Materials adoption in preparation for the EU Cyber Resilience Act, which will make SBOMs a legal requirement in December 2027.
The European Union Agency for Cybersecurity (ENISA) has published its *SBOM Adoption State of Play 2026* report, revealing that software supply chain transparency is shifting from a best practice to a regulatory imperative. With the EU Cyber Resilience Act (CRA) set to take effect in December 2027, organizations across the software ecosystem are investing in SBOM tooling, automation, and development process changes to meet the incoming mandate.
The CRA requires manufacturers of products with digital elements to create, maintain, and provide Software Bills of Materials. An SBOM is an inventory of the components, libraries, dependencies, and licensing information that make up a software product. The regulation places supply chain transparency alongside other product security obligations, giving organizations a structured way to track software components throughout a product's lifecycle.
According to the ENISA report, most respondents have already started implementing SBOM-related processes. The regulatory deadline is driving investment decisions, with many organizations increasing spending on tooling and automation. Common use cases include vulnerability management, software inventory management, third-party risk assessments, and compliance activities. Build-time SBOM generation is the most common approach, used by 39% of respondents.
A key finding is the persistent challenge of supplier visibility. While SBOM generation is becoming standard for internally developed software, many organizations report difficulty obtaining SBOMs from suppliers of commercial software products. This limited access reduces visibility into components and dependencies that originate outside the organization's own development environment, affecting vulnerability analysis, incident response, and supply chain risk assessments.
Building complete SBOMs remains difficult. Sixty-two percent of respondents rated achieving a high degree of SBOM completeness as quite difficult or extremely difficult. Tracking components throughout the development lifecycle requires substantial effort, especially in complex software environments. Data quality issues, vulnerability matching problems, and shortages of internal expertise slow adoption and reduce the usefulness of SBOM data.
Organizations are looking for practical support to address these challenges. Common requests include reference implementations, guidance on tool selection, conformance testing, and shared practices for integrating SBOMs into development, risk management, and compliance processes. The ENISA report underscores that the industry still has work to do to make SBOMs fully operational for security and compliance at scale.