ENISA report finds Cyber Resilience Act driving SBOM adoption across Europe

A new ENISA report suggests that organisations are accelerating adoption of Software Bills of Materials as they prepare for compliance with the EU Cyber Resilience Act.

The European Union Agency for Cybersecurity has published a report examining the state of Software Bill of Materials (SBOM) adoption across organisations preparing for the implementation of the Cyber Resilience Act.

The report, SBOM Adoption State of Play – 2026, is based on survey data collected at the end of 2025 and analyses how organisations across sectors are approaching software supply chain transparency requirements.

According to ENISA, 78% of surveyed organisations have already started implementing SBOMs, while 44% are currently in a pilot phase or have deployed them on a limited basis. The agency also found that 79% of respondents expect to reach the required level of SBOM maturity before the Cyber Resilience Act becomes fully applicable in December 2027.

An SBOM is a structured inventory of software components used within a product. It is designed to help organisations identify dependencies, assess vulnerabilities, and respond more effectively to cybersecurity incidents.

The report indicates that organisations are investing in automated SBOM generation, integration into software development processes, and software supply chain management practices. Respondents cited benefits including regulatory compliance, risk reduction, operational efficiency, and improved alignment with customer and contractual requirements.

At the same time, ENISA identified several barriers to wider adoption. These include incomplete software inventories, inconsistent data quality, difficulties obtaining SBOMs from suppliers, challenges correlating vulnerabilities with software components, and shortages of internal expertise.
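To make the two points above concrete (what an SBOM inventory looks like and why correlating it with vulnerability data is hard when the inventory is incomplete), here is an added example that is not part of the ENISA report or this article. It parses a constructed CycloneDX-style SBOM (only the `bomFormat`, `specVersion`, `components`, `name`, `version` and `purl` fields are used), flags components whose version or package URL is missing, and matches the remaining components against a constructed advisory list keyed by package URL. The advisory identifiers are placeholders, the packages are fictitious, and the matching is exact-version only, which is a simplification of the version-range matching real tooling performs.

```python
import json

# Constructed CycloneDX-style SBOM. Real documents carry many more fields;
# only the ones read below are included. "example-crypto" deliberately has
# no version and no version in its purl, mimicking an incomplete inventory.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libexample-json", "version": "2.3.1",
     "purl": "pkg:generic/libexample-json@2.3.1"},
    {"type": "library", "name": "example-http", "version": "0.9.0",
     "purl": "pkg:generic/example-http@0.9.0"},
    {"type": "library", "name": "example-crypto",
     "purl": "pkg:generic/example-crypto"}
  ]
}
"""

# Constructed advisory feed: version-less purl -> [(advisory id, affected versions)].
# The identifiers are placeholders, not real CVE numbers.
ADVISORIES = {
    "pkg:generic/example-http": [("EXAMPLE-ADV-0001", {"0.9.0", "0.9.1"})],
    "pkg:generic/example-crypto": [("EXAMPLE-ADV-0002", {"1.0.0"})],
}


def split_purl(purl):
    """Split a package URL into (purl without version/qualifiers, version or None).

    Qualifiers ('?') and subpath ('#') are dropped; the version is the part after
    the last '@' in the final path segment, if present.
    """
    base = purl.split("?", 1)[0].split("#", 1)[0]
    last_segment = base.rsplit("/", 1)[-1]
    if "@" in last_segment:
        name_part, version = base.rsplit("@", 1)
        return name_part, version
    return base, None


def load_components(sbom_json):
    """Parse the SBOM document and return its component list."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    return bom.get("components", [])


def check_completeness(components):
    """Return the names of components lacking a version or a purl.

    These are the entries a vulnerability scan cannot assess reliably.
    """
    return [c.get("name", "<unnamed>") for c in components
            if not c.get("version") or not c.get("purl")]


def correlate(components, advisories):
    """Match components to advisories by version-less purl and exact version.

    Returns (matches, unassessable): matches is a list of
    (component name, version, advisory id); unassessable lists components
    whose version could not be determined from either the purl or the
    'version' field.
    """
    matches, unassessable = [], []
    for c in components:
        purl = c.get("purl")
        if not purl:
            unassessable.append(c.get("name", "<unnamed>"))
            continue
        base, version = split_purl(purl)
        version = version or c.get("version")
        if version is None:
            unassessable.append(c.get("name", "<unnamed>"))
            continue
        for adv_id, affected_versions in advisories.get(base, []):
            if version in affected_versions:
                matches.append((c["name"], version, adv_id))
    return matches, unassessable


if __name__ == "__main__":
    comps = load_components(SBOM_JSON)
    print("incomplete entries:", check_completeness(comps))
    found, skipped = correlate(comps, ADVISORIES)
    print("affected components:", found)
    print("could not assess:", skipped)
```

Running the script reports `example-http` as affected by the placeholder advisory, and `example-crypto` as unassessable: the entry is present in the inventory, but without a version nothing can be said about whether the constructed advisory applies, which is exactly the data-quality gap the report describes.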

The report also highlights the need for additional guidance and support, including reference implementations, standardised formats, conformance testing, and clearer definitions of what constitutes a sufficiently complete SBOM.

The Cyber Resilience Act will become fully applicable in December 2027, when SBOM-related obligations begin to form part of the compliance framework for products with digital elements placed on the EU market.