On 23 Jan 2026, at 19:13, Kanchana Welagedara <[email protected]> wrote:

> Hi Dirk, thanks for sharing. I was wondering whether the CRA considers the
> European Union Agency for Cybersecurity (ENISA) as one of ASF's
> stakeholders when it comes to SBOM analysis requirements.

I'd say that they are an agency - with a range of roles defined by statute - and while they coordinate, most regulatory action comes from country-level regulators.

> Since the ATR tooling team follows the CycloneDX format, for SBOM what should
> be considered our source of truth or what is the balance?

This is by and large going to depend on what the standards do - and how normative they are. That is still work in progress - and I am relying/hoping on ASF folks to be sufficiently involved to keep the delta small.

Depending on the outcome - it may either be another format that gives you a de facto presumption of conformity, or a list of requirements that one needs to meet; and can meet with CycloneDX with the right fields present.

So by and large (and somewhat in theory) - it is up to us how much we involve ourselves in the run-up to this being defined and how much we get surprised/confronted at the end.

That said - given the low quality/problematic and almost complete lack of (our software) industry involvement at CENELEC - the bar may be very, very low.

With kind regards,

Dw

> On Fri, Jan 23, 2026 at 10:34 AM Dirk-Willem van Gulik <[email protected]>
> wrote:
>
>> Begin forwarded message:
>>
>> It's a busy month for policy and open tech, but I would like to
>> encourage you to contribute to the open consultation on ENISA's draft SBOM
>> Implementation Guide. The consultation seeks practical input to inform
>> guidance on the adoption of structured and scalable SBOM practices.
>>
>> The survey is open until 23 January, and contributions from across the
>> open technologies and policy community would be particularly valuable.
>>
>> You can participate here:
>> https://ec.europa.eu/eusurvey/runner/SBOM_Analysis_Implementation_Guide
>>
>> They really need your feedback here. The document is messy, it feels
>> like a product of students granted the right to cut and paste from various
>> sources without any experience in the field. I expected a higher level of
>> quality from Enisa.
>>
>> We need Enisa to get SBOMs right, the current state and where we are
>> going.
>>
>> Please spend some time here.
>>
>> I completely missed this call for input -- and I am guessing it is too
>> late now - but do jump on it if you have the time, knowledge or energy (or
>> tell me that I am silly - and we've long answered this already).
>>
>> With kind regards,
>>
>> Dw
