
Software Supply Chains Are Heading for a Transparency Test
Why It Matters
SBOM mandates will reshape product‑security programs, forcing firms to improve supply‑chain visibility and compliance, which directly impacts risk management and market eligibility in the EU.
Key Takeaways
- EU CRA mandates SBOMs for digital products by Dec 2027
- 39% generate SBOMs at build time; automation investment rising
- 62% find achieving complete SBOMs very difficult
- Supplier SBOMs remain scarce, limiting third‑party risk visibility
- Organizations seek guidance, reference implementations, and conformance testing
Pulse Analysis
The European Union’s Cyber Resilience Act (CRA) will become enforceable in December 2027, obligating manufacturers of any product with digital components to produce and maintain a Software Bill of Materials (SBOM). By codifying supply‑chain transparency alongside traditional product‑security duties, the CRA turns what was once a best‑practice recommendation into a legal requirement. ENISA’s 2026 SBOM Adoption State of Play survey shows that firms across the continent are already reshaping development pipelines, investing in tooling, and redefining compliance roadmaps to meet the upcoming deadline.
Survey results reveal that 39 % of respondents now generate SBOMs automatically during the build process, and many cite rising budgets for automation platforms. The most common use cases—vulnerability management, third‑party risk assessment, and licensing compliance—are being integrated into CI/CD workflows. However, the same data expose a persistent blind spot: only a minority receive reliable SBOMs from external vendors, especially for commercial off‑the‑shelf software. This supplier opacity hampers incident response and limits the effectiveness of internal risk‑scoring models.
Achieving a high‑quality, complete SBOM remains a steep hurdle, with 62 % of participants rating it ‘quite difficult’ or worse. Inconsistent metadata, mismatched vulnerability identifiers, and a shortage of skilled staff all degrade data usefulness. Industry groups are therefore calling for standardized reference implementations, conformance testing suites, and shared best‑practice libraries to lower the expertise barrier. As the CRA deadline approaches, organizations that master end‑to‑end SBOM governance will gain a competitive edge in both security posture and regulatory compliance.
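The "inconsistent metadata" and "mismatched vulnerability identifiers" problems above are the kind of thing a conformance check catches before an SBOM reaches a risk-scoring pipeline. The following is an added example, not code from ENISA or from any tool the survey mentions: it runs a few completeness and consistency checks over a constructed CycloneDX-style JSON document (the component names, identifiers and `bom-ref` values are made up for illustration) and reports components without a version or package URL, vulnerability identifiers that do not match the CVE or GHSA format, and vulnerability entries that point at a component reference the SBOM never defines.

```python
"""Added example: minimal SBOM quality checks over a CycloneDX-style document.

The SBOM below is constructed for illustration; it is not from the ENISA
survey or from any real product. Field names (components, bom-ref, purl,
vulnerabilities, affects) follow the CycloneDX 1.4 JSON layout.
"""
import json
import re

# Identifier formats as published by MITRE (CVE) and GitHub (GHSA).
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
GHSA_ALPHABET = "23456789cfghjmpqrvwx"
GHSA_RE = re.compile(
    r"^GHSA-[%s]{4}-[%s]{4}-[%s]{4}$" % (GHSA_ALPHABET, GHSA_ALPHABET, GHSA_ALPHABET)
)
# Loose package-url check: a "pkg:" scheme followed by a type and a slash.
PURL_RE = re.compile(r"^pkg:[a-z0-9.+-]+/")

# Constructed SBOM with deliberate gaps (CVE years and GHSA id are fake).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.12",
         "purl": "pkg:generic/openssl@3.0.12", "bom-ref": "c1"},
        # Missing version: cannot be matched against an advisory range.
        {"type": "library", "name": "zlib",
         "purl": "pkg:generic/zlib", "bom-ref": "c2"},
        # Missing purl: ecosystem-level correlation is impossible.
        {"type": "library", "name": "libxml2", "version": "2.11.5",
         "bom-ref": "c3"},
    ],
    "vulnerabilities": [
        {"id": "CVE-2099-00001", "affects": [{"ref": "c1"}]},
        # Lower-case prefix: exact-match lookups against a feed will miss it.
        {"id": "cve-2099-00002", "affects": [{"ref": "c3"}]},
        # Dangling reference: points at a component the SBOM never defines.
        {"id": "GHSA-2222-3333-4444", "affects": [{"ref": "c9"}]},
    ],
})


def normalize_vuln_id(vuln_id: str) -> str:
    """Canonicalise the prefix case of CVE/GHSA identifiers before lookups."""
    upper = vuln_id.strip()
    if upper[:4].upper() in ("CVE-", "GHSA"):
        return upper[:4].upper() + upper[4:]
    return upper


def check_sbom(sbom_json: str) -> dict:
    """Return findings keyed by category; empty lists mean the SBOM passed."""
    sbom = json.loads(sbom_json)
    findings = {"missing_version": [], "missing_purl": [],
                "bad_vuln_id": [], "dangling_ref": []}
    known_refs = set()

    for comp in sbom.get("components", []):
        name = comp.get("name", "<unnamed>")
        if comp.get("bom-ref"):
            known_refs.add(comp["bom-ref"])
        if not comp.get("version"):
            findings["missing_version"].append(name)
        if not PURL_RE.match(comp.get("purl", "")):
            findings["missing_purl"].append(name)

    for vuln in sbom.get("vulnerabilities", []):
        vid = vuln.get("id", "")
        if not (CVE_RE.match(vid) or GHSA_RE.match(vid)):
            findings["bad_vuln_id"].append(vid)
        for affected in vuln.get("affects", []):
            ref = affected.get("ref")
            if ref not in known_refs:
                findings["dangling_ref"].append((vid, ref))
    return findings


def is_complete(findings: dict) -> bool:
    """True only when every check category is empty."""
    return not any(findings.values())


if __name__ == "__main__":
    result = check_sbom(SAMPLE_SBOM)
    for category, items in result.items():
        print(f"{category}: {items}")
    print("complete:", is_complete(result))
```

The checks are deliberately simple; a production gate would also validate the document against the CycloneDX schema and cross-check each identifier against the feed it is expected to resolve in, but even this much would have flagged every gap planted in the sample before it reached a scoring model.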