Hi Dirk, thanks for sharing. I was wondering whether the CRA considers the European Union Agency for Cybersecurity (ENISA) as one of ASF’s stakeholders when it comes to SBOM analysis requirements. Since the ATR tooling team follows the CycloneDX format, for SBOM what should be considered our source of truth or what is the balance?
Cheers,
Kanchana

On Fri, Jan 23, 2026 at 10:34 AM Dirk-Willem van Gulik <[email protected]> wrote:

> Begin forwarded message:
>
>> It's a busy month for policy and open tech, but I would like to encourage you to contribute to the open consultation on ENISA’s draft SBOM Implementation Guide. The consultation seeks practical input to inform guidance on the adoption of structured and scalable SBOM practices.
>>
>> The survey is open until 23 January, and contributions from across the open technologies and policy community would be particularly valuable.
>>
>> You can participate here: https://ec.europa.eu/eusurvey/runner/SBOM_Analysis_Implementation_Guide
>>
>> They really need your feedback here. The document is messy, it feels like a product of students granted the right to cut and paste from various sources without any experience in the field. I expected a higher level of quality from Enisa.
>>
>> We need Enisa to get SBOMs right, the current state and where we are going.
>>
>> Please spend some time here.
>
> I completely missed this call for input -- and I am guessing it is too late now - but do jump on it if you have the time, knowledge or energy (or tell me that I am silly - and we've long answered this already).
>
> With kind regards,
>
> Dw
