EU CRA SBOM Requirements: Complete SPDX 2.3 Implementation & Sample JSON Guide
This comprehensive framework helps organizations prepare for 2027 deadlines by implementing Software Bill of Materials that meet EU regulatory standards. Download sample JSON templates, understand SBOM metadata requirements, and master dependency tracking for industrial IoT devices, firmware, and software applications.
Current Legal Text
The CRA's text in Annex I, Part II, requires a "commonly used and machine-readable format" but intentionally does not name a specific one. This ensures the regulation remains adaptable to technological evolution.
Future Specification
The European Commission is empowered to specify the exact format and minimum elements of the SBOM in the future through legally binding "implementing acts".
Industry Consensus
SPDX and CycloneDX are the dominant, internationally recognized standards for SBOMs and are explicitly cited as examples of formats that fulfill the CRA's requirements.
Essential SBOM Fields for EU CRA Compliance: SPDX 2.3 Mapping & Implementation
Compliance Disclaimer
The current landscape of EU CRA compliance is evolving, with implementing acts and delegated regulations still being finalized. This guide is purely based on Prismor's interpretation of the official sources available at the time of publication, including the CRA text (Regulation EU 2024/2847) and publicly available guidance documents. Prismor will not be responsible for any losses, damages, or compliance failures arising from the use of this information. Organizations should consult with qualified legal counsel and monitor official EU regulatory updates to ensure full compliance with all applicable requirements.
It is highly unlikely that the EU will create a new, bespoke SBOM standard from scratch. Key influences will undoubtedly include the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) "Minimum Elements for an SBOM" and the comprehensive data fields already supported by the SPDX and CycloneDX formats, which are the "commonly used" standards referenced in the CRA's text. The following table synthesizes these sources into a comprehensive set of fields that will position an organization for robust compliance.
| Field Name (SPDX 2.3 Mapping) | Description | Data Format/Example | Rationale for CRA Compliance |
|---|---|---|---|
| Document Creation Information | | | |
| SPDXVersion | The version of the SPDX specification used. | String: SPDX-2.3 | Ensures machine-readability and interoperability, fulfilling a core CRA requirement. |
| DataLicense | The license under which the SBOM data is provided. | String: CC0-1.0 | Establishes clear terms for data usage by authorities. |
| SPDXID | A unique identifier for the SPDX document. | String: SPDXRef-DOCUMENT | Ensures document integrity and referential clarity. |
| DocumentName | A name for the SBOM document itself. | String: IndustrialSensor-Firmware-v2.1.sbom | Basic identification for human and machine parsing. |
| Creator | The entity that created the SBOM document. | String: Organization: ExampleCorp | Establishes authorship and responsibility, crucial for accountability under CRA. |
| Created | The timestamp of the SBOM's creation. | Timestamp: 2027-12-10T10:00:00Z | Essential for lifecycle management and proving timeliness of documentation. |
| Package Information (Repeated for each component) | | | |
| PackageName | The name of the software component. | String: openssl | Core Requirement: The fundamental identifier for a component. |
| SPDXID (for package) | A unique identifier for this package within the document. | String: SPDXRef-Package-OpenSSL | Enables precise relationship mapping. |
| VersionInfo | The specific version of the component. | String: 3.0.12 | Core Requirement: Essential for matching components to known vulnerabilities in databases like NVD or the new EUVD. |
| Supplier | The name of the entity that created the component. | String: Organization: OpenSSL Project | Core Requirement: Crucial for supply chain transparency and identifying the source for patches. |
| PrimaryPackagePurpose | The primary purpose of the component (e.g., LIBRARY, FRAMEWORK, OPERATING-SYSTEM). | Enum: LIBRARY | Provides context for risk assessment; a kernel library poses a different risk than an application framework. |
| PackageFileName | The name of the file as distributed. | String: openssl-3.0.12.tar.gz | Provides a concrete link to the distributed artifact. |
| DownloadLocation | The URL from which the package can be downloaded. | URL: https://www.openssl.org/source/ | Aids in verification and provenance checks. |
| FilesAnalyzed | Indicates if the package's files were analyzed to generate the SBOM. | Boolean: false | A measure of the SBOM's accuracy and depth. |
| Checksum | A cryptographic hash of the component. | String: SHA256: 2d52943362134586... | High-Value Field: Provides strong integrity and authenticity verification, directly supporting CRA security goals. |
| LicenseConcluded | The license determined to apply to the package. | SPDX License ID: Apache-2.0 | While not a direct security field, license compliance is a critical part of software supply chain due diligence. |
| ExternalRef | External references, especially for package managers. | purl: pkg:generic/openssl@3.0.12 | Package URL (purl) is a best practice for uniquely and universally identifying components across different ecosystems. |
| Relationship Information | | | |
| Relationship | Describes the relationship between two elements. | String: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-Firmware | Defines the top-level product being described. |
| Relationship | Describes a dependency. | String: SPDXRef-Package-Firmware DEPENDS_ON SPDXRef-Package-OpenSSL | Core Requirement: Explicitly fulfills the "top-level dependencies" mandate of Annex I. This section would be expanded to show transitive dependencies for best practice. |
This comprehensive approach ensures that organizations implementing SBOM generation today will be well-positioned for future CRA requirements, regardless of the specific technical details that emerge from the European Commission's implementing acts.
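The table above lists fields; the check a practitioner actually wants is whether a given SPDX 2.3 JSON document carries them. The following is an added example (not Prismor's tooling and not code from the SPDX project) that loads an SPDX 2.3 JSON document as a Python dict and reports every field from the table that is missing or malformed: document creation information, per-package name/SPDXID/version/supplier, a 64-hex-digit SHA256 checksum, a purl external reference, exactly one DESCRIBES relationship from SPDXRef-DOCUMENT, and DEPENDS_ON edges that connect every listed package to the described product (transitively, as the last table row recommends). The embedded sample document is constructed for this example, mirroring the sensor-firmware sample further down this page; its document namespace, tool name and checksum values are placeholders, and the regular expressions are this example's own assumptions about the expected formats, not rules from the CRA text.

```python
"""Minimal SPDX 2.3 JSON compliance checker for the field set in the table above.

Added example: not Prismor's tooling and not SPDX project code. The sample
document below is constructed for this example; its namespace, tool name and
checksum values are placeholders.
"""
import re
from typing import Any

SHA256_HEX = re.compile(r"^[0-9a-f]{64}$")                      # assumed: lowercase hex
ISO_UTC = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")  # assumed: UTC, second precision
PURL = re.compile(r"^pkg:[a-z0-9.+-]+/")                        # assumed: "pkg:<type>/" prefix

DOCUMENT_FIELDS = ("spdxVersion", "dataLicense", "SPDXID", "name", "documentNamespace", "creationInfo")
PACKAGE_FIELDS = ("name", "SPDXID", "versionInfo", "supplier")


def check_sbom(doc: dict[str, Any]) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: list[str] = []

    # --- Document creation information ---
    for field in DOCUMENT_FIELDS:
        if field not in doc:
            findings.append(f"document: missing {field}")
    if doc.get("spdxVersion") != "SPDX-2.3":
        findings.append("document: spdxVersion must be SPDX-2.3")
    if doc.get("SPDXID") != "SPDXRef-DOCUMENT":
        findings.append("document: SPDXID must be SPDXRef-DOCUMENT")
    info = doc.get("creationInfo", {})
    if not ISO_UTC.match(info.get("created", "")):
        findings.append("document: creationInfo.created is not an ISO 8601 UTC timestamp")
    if not any(c.startswith("Organization:") for c in info.get("creators", [])):
        findings.append("document: creationInfo.creators has no Organization: entry")

    # --- Package information (repeated for each component) ---
    ids: dict[str, dict[str, Any]] = {}
    for pkg in doc.get("packages", []):
        label = pkg.get("SPDXID") or pkg.get("name", "<unnamed>")
        for field in PACKAGE_FIELDS:
            if not pkg.get(field):
                findings.append(f"package {label}: missing {field}")
        if pkg.get("SPDXID"):
            if pkg["SPDXID"] in ids:
                findings.append(f"package {label}: duplicate SPDXID")
            ids[pkg["SPDXID"]] = pkg
        sha = [c for c in pkg.get("checksums", []) if c.get("algorithm") == "SHA256"]
        if not sha:
            findings.append(f"package {label}: no SHA256 checksum")
        elif not all(SHA256_HEX.match(c.get("checksumValue", "")) for c in sha):
            findings.append(f"package {label}: SHA256 checksumValue is not 64 hex digits")
        purls = [r for r in pkg.get("externalRefs", []) if r.get("referenceType") == "purl"]
        if not purls:
            findings.append(f"package {label}: no purl external reference")
        elif not all(PURL.match(r.get("referenceLocator", "")) for r in purls):
            findings.append(f"package {label}: malformed purl")

    # --- Relationship information ---
    known = set(ids) | {"SPDXRef-DOCUMENT"}
    described: list[str] = []
    edges: dict[str, set[str]] = {i: set() for i in ids}
    for rel in doc.get("relationships", []):
        src, typ, dst = rel.get("spdxElementId"), rel.get("relationshipType"), rel.get("relatedSpdxElement")
        if src not in known or dst not in known:
            findings.append(f"relationship {src} {typ} {dst}: references an unknown SPDXID")
            continue
        if typ == "DESCRIBES" and src == "SPDXRef-DOCUMENT":
            described.append(dst)
        elif typ == "DEPENDS_ON" and src in ids:
            edges[src].add(dst)
    if len(described) != 1:
        findings.append("relationships: expected exactly one DESCRIBES from SPDXRef-DOCUMENT")
    else:
        # Walk DEPENDS_ON from the described product; any package not reached is
        # listed but never tied into the dependency tree the CRA asks for.
        seen: set[str] = set()
        stack = [described[0]]
        while stack:
            node = stack.pop()
            if node not in seen:
                seen.add(node)
                stack.extend(edges.get(node, ()))
        for orphan in sorted(set(ids) - seen):
            findings.append(f"package {orphan}: not reachable from the described product via DEPENDS_ON")
    return findings


# Constructed sample (placeholders for namespace, tool name and hashes).
SAMPLE_SBOM: dict[str, Any] = {
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "Secure-Industrial-Sensor-Firmware-v2.1.sbom.json",
    "documentNamespace": "https://example.com/spdx/sensor-firmware-v2.1-PLACEHOLDER",
    "creationInfo": {"created": "2027-12-10T10:00:00Z",
                     "creators": ["Tool: example-sbom-tool-0.1", "Organization: ExampleCorp"]},
    "packages": [
        {"name": "Secure Industrial Sensor Firmware", "SPDXID": "SPDXRef-Package-Firmware",
         "versionInfo": "2.1.0", "supplier": "Organization: ExampleCorp",
         "primaryPackagePurpose": "FIRMWARE",
         "checksums": [{"algorithm": "SHA256", "checksumValue": "a" * 64}],  # placeholder
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:generic/sensor-firmware@2.1.0"}]},
        {"name": "OpenSSL", "SPDXID": "SPDXRef-Package-OpenSSL", "versionInfo": "3.0.12",
         "supplier": "Organization: OpenSSL Project", "licenseConcluded": "Apache-2.0",
         "checksums": [{"algorithm": "SHA256", "checksumValue": "b" * 64}],  # placeholder
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:generic/openssl@3.0.12"}]},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Package-Firmware"},
        {"spdxElementId": "SPDXRef-Package-Firmware", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-OpenSSL"},
    ],
}

if __name__ == "__main__":
    for line in check_sbom(SAMPLE_SBOM) or ["OK: all checks passed"]:
        print(line)
```

Run it against a real document with `check_sbom(json.load(open(path)))`; every finding names the element it applies to, so the output can be attached to a build log or gated on in CI. The reachability walk is the part worth keeping even if the rest is swapped for a schema validator: a package that is listed but never the target of a DEPENDS_ON edge is exactly the kind of omission a flat field check does not catch.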
Industry Guidance and References
For comprehensive insights into implementing SBOMs in the context of the EU Cyber Resilience Act, we recommend reviewing these authoritative sources:
Download Sample SPDX 2.3 JSON for EU CRA SBOM Compliance
Download a production-ready SPDX 2.3 JSON template designed specifically for EU Cyber Resilience Act compliance. This annotated sample demonstrates complete SBOM implementation for industrial IoT firmware, including OpenSSL dependencies, FreeRTOS operating system components, and comprehensive metadata required for CRA Article 11. Each field includes detailed explanations of its purpose in meeting EU regulatory requirements.
Sample SBOM - Industrial Sensor Firmware
```json
{
  "spdxVersion": "SPDX-2.3",
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "Secure-Industrial-Sensor-Firmware-v2.1.sbom.json",
  "documentNamespace": "https://example.com/spdx/sensor-firmware-v2.1-...",
  "creationInfo": {
    "created": "2027-12-10T10:00:00Z",
    "creators": ["Tool: Prismor-1.0.0", "Organization: ExampleCorp"]
  },
  "packages": [
    {
      "name": "Secure Industrial Sensor Firmware",
      "SPDXID": "SPDXRef-Package-Firmware",
      "versionInfo": "2.1.0",
      "supplier": "Organization: ExampleCorp",
      "primaryPackagePurpose": "FIRMWARE",
      "checksums": [{"algorithm": "SHA256", ...}]
    },
    {
      "name": "OpenSSL",
      "SPDXID": "SPDXRef-Package-OpenSSL",
      "versionInfo": "3.0.12",
      "supplier": "Organization: OpenSSL Project",
      "licenseConcluded": "Apache-2.0",
      "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:generic/openssl@3.0.12"}]
    }
  ],
  "relationships": [
    {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-Package-Firmware"},
    {"spdxElementId": "SPDXRef-Package-Firmware", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-Package-OpenSSL"}
  ]
}
```
How Prismor Helps with CRA Compliance
Prismor is the only platform that combines deep regulatory expertise with automated security tooling, so your team can meet EU CRA requirements without manual overhead.
Vulnerability Fixes
Automatically detect and fix known CVEs across your entire dependency tree, no manual patching required.
SBOM & VEX Generation with Compliance Reporting
Produce CycloneDX and SPDX-compliant SBOMs and VEX documents automatically on every build, with audit-ready reports aligned to EU CRA.
Software Supply Chain Monitoring
Continuous monitoring of your software supply chain with real-time alerts on new vulnerabilities and dependency changes.