People interested in what's happening with the EU CRA should consider
attending this SPDX General meeting presentation: 

Special Presentation: SBOMs in the Era of the CRA
<https://openssf.org/blog/2025/10/22/sboms-in-the-era-of-the-cra-toward-a-unified-and-actionable-framework/>
- Madalin Neag, EU Policy Advisor at the OpenSSF.

IMO, Madalin is one of the most knowledgeable people I know when it comes to
understanding EU CRA requirements and current happenings. He is "plugged
in".

Thanks,

Dick Brooks

Active Member of the CISA Critical Manufacturing Sector, 

Sector Coordinating Council - A Public-Private Partnership

Lifetime IEEE Member

<https://reliableenergyanalytics.com/products> Never trust software, always
verify and report!™

Risk always exists, but trust must be earned and awarded.™

https://businesscyberguardian.com/ 

Email: [email protected]

Tel: +1 978-696-1788

From: [email protected] <[email protected]> On Behalf Of Greg
Shue via lists.spdx.org
Sent: Tuesday, December 2, 2025 4:54 PM
To: [email protected]
Subject: [spdx-tech] EU CRA submission documentation

I mentioned that the EU CRA submission documentation covers more than the
SBOM. Here are some key clauses in the EU CRA original text
<https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/>  that support this
conclusion. As you can see, the technical documentation covers much more
than what the EU CRA calls "the software bill of materials". Notably the
technical documentation includes internal designs, rationale, and test
reports for both the product and the vulnerability reporting/handling.

The interesting question for SPDX is "How much of the CRA submission
Technical Documentation files change when expressed in SPDX vs a different
encoding?"

EU CRA Article 77 includes the following statements:

*       "In order to facilitate vulnerability analysis, manufacturers should
identify and document components contained in the products with digital
elements, including by drawing up an SBOM."

*       "Manufacturers should not be obliged to make the SBOM public."

EU CRA ANNEX VII CONTENT OF THE TECHNICAL DOCUMENTATION includes the
following statements (emphasis mine):

The technical documentation referred to in Article 31 shall contain at least
the following information, as applicable to the relevant product with
digital elements:

1. a general description of the product with digital elements,
including:

   a. its intended purpose;

   b. versions of software affecting compliance with essential
   cybersecurity requirements;

   c. where the product with digital elements is a hardware product,
   photographs or illustrations showing external features, marking and
   internal layout;

   d. user information and instructions as set out in Annex II;

2. a description of the design, development and production of the
product with digital elements and vulnerability handling processes,
including:

   a. necessary information on the design and development of the product
   with digital elements, including, where applicable, drawings and schemes
   and a description of the system architecture explaining how software
   components build on or feed into each other and integrate into the
   overall processing;

   b. necessary information and specifications of the vulnerability
   handling processes put in place by the manufacturer, including the
   software bill of materials, the coordinated vulnerability disclosure
   policy, evidence of the provision of a contact address for the reporting
   of the vulnerabilities and a description of the technical solutions
   chosen for the secure distribution of updates;

   c. necessary information and specifications of the production and
   monitoring processes of the product with digital elements and the
   validation of those processes;

3. an assessment of the cybersecurity risks against which the product
with digital elements is designed, developed, produced, delivered and
maintained pursuant to Article 13, including how the essential cybersecurity
requirements set out in Part I of Annex I are applicable;

4. relevant information that was taken into account to determine the
support period pursuant to Article 13(8) of the product with digital
elements;

5. a list of the harmonised standards applied in full or in part ... ,
and, where those harmonised standards, common specifications or European
cybersecurity certification schemes have not been applied, descriptions of
the solutions adopted to meet the essential cybersecurity requirements set
out in ...;

6. reports of the tests carried out to verify the conformity of the
product with digital elements and of the vulnerability handling processes
with the applicable essential cybersecurity requirements as set out in Parts
I and II of Annex I;

7. a copy of the EU declaration of conformity;

8. where applicable, the software bill of materials, further to a
reasoned request from a market surveillance authority provided that it is
necessary in order for that authority to be able to check compliance with
the essential cybersecurity requirements set out in Annex I.

Best regards,

Greg Shue





-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#6045): https://lists.spdx.org/g/Spdx-tech/message/6045
-=-=-=-=-=-=-=-=-=-=-=-