Cloudflare Cowboy

Who needs an SBOM? The regulations driving demand

A few years ago an SBOM was a nice-to-have. Now it is a procurement requirement in several major markets. Here is who is mandating them and when.

Updated June 26, 2026

From nice-to-have to requirement

Most of the current momentum traces to a single event: the wave of software supply-chain attacks (SolarWinds, then Log4Shell) that made governments treat opaque software as a national-security problem. The response, across multiple jurisdictions, was to require transparency, and the SBOM is the unit of that transparency.

United States: Executive Order 14028 and OMB

Executive Order 14028 ("Improving the Nation’s Cybersecurity"), signed May 12, 2021, directed the NTIA to define the SBOM minimum elements and NIST to publish secure-development guidance. It is the origin point for SBOMs as a federal procurement expectation.

Two OMB memos, M-22-18 (September 2022) and its update M-23-16 (June 2023), require software producers selling to the government to self-attest to conformance with the NIST Secure Software Development Framework (SSDF, SP 800-218), with an SBOM as a supporting artifact.

Status caveat

The federal self-attestation form and its collection program have been revised repeatedly through 2024 and 2025. The underlying memos and the SSDF anchor are stable; the exact operational requirement is not. Confirm the current state with CISA before relying on specifics.

European Union: the Cyber Resilience Act

The EU Cyber Resilience Act (CRA) entered into force on December 10, 2024. It applies to products with digital elements sold in the EU and requires manufacturers to, among many other things, produce a machine-readable SBOM and practice secure-by-design development.

The timeline is staged: vulnerability and incident reporting obligations apply from September 11, 2026, and the main obligations apply from December 11, 2027. The Act does not mandate a specific format, but SPDX and CycloneDX are the de-facto choices.

United States: FDA medical devices

Section 524B of the Federal Food, Drug, and Cosmetic Act, added by the Consolidated Appropriations Act, 2023 (effective March 29, 2023), requires that "cyber devices" include an SBOM in their premarket submissions. The FDA began issuing Refuse-to-Accept decisions on these grounds from October 1, 2023. For medical-device makers, an SBOM is now a gate to market.

Beyond compliance: customers and M&A

Regulation is only half the demand. Enterprise buyers increasingly ask vendors for an SBOM as part of security review, and acquirers run an open-source audit during due diligence: license risk and security debt found late can change a deal’s price or kill it. Having a current SBOM and a clean license posture is fast becoming table stakes for selling and for being acquired.

The timeline at a glance

| Driver                     | Jurisdiction         | Key date               |
|----------------------------|----------------------|------------------------|
| Executive Order 14028      | US federal           | May 12, 2021           |
| OMB M-22-18 / M-23-16      | US federal           | Sep 2022 / Jun 2023    |
| FDA Section 524B           | US (medical devices) | Effective Mar 29, 2023 |
| EU CRA in force            | EU                   | Dec 10, 2024           |
| EU CRA reporting           | EU                   | Sep 11, 2026           |
| EU CRA main obligations    | EU                   | Dec 11, 2027           |

Frequently asked questions

Is an SBOM legally required?

In several markets, yes. Software sold to the US federal government, products covered by the EU Cyber Resilience Act, and medical devices reviewed by the FDA all face SBOM requirements. Outside those, it is strongly encouraged and increasingly expected by enterprise customers.

When does the EU Cyber Resilience Act take effect?

It entered into force on December 10, 2024. Reporting obligations apply from September 11, 2026, and the main obligations, including the SBOM requirement, apply from December 11, 2027.

Does the FDA require an SBOM?

Yes. Under Section 524B of the FD&C Act, "cyber devices" must include an SBOM in premarket submissions, and the FDA has refused to accept submissions that lack one since October 1, 2023.

Why do acquirers care about SBOMs?

During mergers and acquisitions, the buyer audits the target’s open-source usage for license risk and security debt. Problems found in diligence can lower the price or end the deal, so a current SBOM and clean license posture speed the process.

Part of the software supply-chain field notes on this site. Written by Antoni K Pestka.