SBOM, the future and regulations

With increasing demands for cybersecurity and transparency, SBOM becomes a necessity

Feb 7, 2025

With increasing demands for cybersecurity and transparency, SBOM becomes increasingly important. Many industries and authorities, including the EU and USA, are now working to make SBOM a standard practice. It's no longer just about being proactive – it will soon be a requirement to comply with new laws and regulations. And just like with GDPR, the penalty amounts are set high, making it an expensive mistake to ignore the requirements.

Some regulations driving the need for SBOM

EO14028 (USA)

In May 2021, US President Biden signed an executive order (EO14028) requiring all federal agencies and their suppliers to use SBOM. The purpose is to increase transparency in software development and reduce the risk of cyberattacks.

SBOM is a central part of this, as it provides insight into which components are used and how they are managed.

NIS2 (EU)

The EU's new directive for network and information security, NIS2, places higher demands on organizations when it comes to cybersecurity. An important part is that companies must be able to show which components are included in their software and how they handle vulnerabilities. SBOM becomes an important tool here to meet the requirements.

CRA (Cyber Resilience Act, EU)

CRA is a new proposal from the EU aimed at strengthening cybersecurity for hardware and software products. According to this proposal, manufacturers and developers must be able to show that their products are secure and that they have a clear overview of all components. SBOM is a key to meeting these requirements.

DORA (Digital Operational Resilience Act, EU)

DORA focuses on strengthening the financial sector's resilience against cyber threats. Part of this is that organizations must be able to demonstrate transparency and accountability for the software components they use. SBOM becomes an important part of meeting the requirements here.

Why SBOM becomes a necessity

The impact of vulnerabilities in software has become so extensive that legislators and authorities can no longer ignore the problem. Cyberattacks that exploit vulnerabilities in software components have caused major damage, both economically and to critical societal functions. Therefore, the software industry is now being regulated in a way that has not happened before.

SBOM is a central part of this, as it provides transparency and accountability for the components used and delivered. By using SBOM, organizations can not only improve their security but also build trust and meet future regulations.

The future with SBOM

With these new laws and directives, it is clear that SBOM is no longer a voluntary "nice-to-have" – it becomes a necessity. Companies that do not adapt risk not only large fines but also losing the trust of customers and partners.

Starting to work with SBOM now is therefore not only a way to improve security, but also an investment in being ready for the future.

SBOM is here to stay, and those who take it seriously will be better prepared for the challenges ahead. If you haven't started working with SBOM yet, our advice is to start right away.