Transparency Layer: Accessing the SBOM (If You Share It with Users)

A Software Bill of Materials (SBOM) is an inventory of the components contained in your software. The CRA requires manufacturers to draw one up as part of their vulnerability handling processes (Annex I, Part II, point 1), in a commonly used, machine-readable format and covering at least the product's top-level dependencies. Making that SBOM directly available to end users, however, is optional.

If you, as the manufacturer, do decide to make the SBOM available to your users, the Cyber Resilience Act requires you to tell them where it can be accessed (Annex II, point 9).

Guiding Users to the SBOM

If you choose to share your software's SBOM with users, you need to provide:

  • Information on where the SBOM can be accessed, for example:
    • A direct download link.
    • A page on your website.
    • A specific feature within the software itself (for instance a menu entry or command that exports it).

The key is that the users you have chosen to share it with can find it easily and unambiguously.

Why This Point Matters

This provision promotes transparency for users who want the granular details of the software's composition, for example to run their own vulnerability matching or risk assessment against the listed components. It applies only if you take the voluntary step of user-facing SBOM disclosure.

Remember, drawing up an SBOM is mandatory as part of your vulnerability handling processes (Annex I, Part II, point 1); sharing it with users is your choice.

Key Takeaway

If you decide to provide your software's SBOM to users, you must also tell them where and how they can access it, as stipulated in Annex II, point 9.