The European regulatory climate for digital products has shifted significantly with the introduction of the Digital Operational Resilience Act (DORA), the updated Network and Information Security Directive (NIS-2), and the EU Cyber Resilience Act (CRA), whose obligations phase in through 2027. These initiatives are redefining how organizations must manage their software supply chain, and at the heart of these changes lies the Software Bill of Materials (SBOM). Understanding what these regulations actually require - and what they do not - particularly regarding SBOM production, handling, and sharing, is essential for any company that develops software or digital products for the European market.
DORA
The Digital Operational Resilience Act (Regulation (EU) 2022/2554), applicable since 17 January 2025, targets the financial sector and its extended supply chain. It requires financial entities such as banks, insurance companies and fintech providers, together with their critical ICT third-party providers, to demonstrate operational resilience in the face of digital threats. Among other obligations, they must manage ICT third-party risk across each layer of their supply chain, including keeping a register of information on their ICT service providers and those providers' subcontractors.
NIS-2
This updated directive (Directive (EU) 2022/2555) broadens the range of organizations required to maintain strong cybersecurity risk management. Entities classed as essential or important must put in place risk-management measures that explicitly include supply chain security (Article 21), and must report significant incidents, including those originating in their supply chain, to the competent authorities.
EU Cyber Resilience Act (CRA)
The CRA entered into force on 10 December 2024. Its vulnerability and incident reporting obligations apply from 11 September 2026 and the remaining obligations from 11 December 2027. It establishes clear cybersecurity and transparency requirements for everyone involved in manufacturing, importing, or distributing products with digital elements in the EU. Manufacturers will need to identify and document the components that go into their products and make this information available to market surveillance authorities on request; the Act does not require the SBOM itself to be made public.
An SBOM serves as a comprehensive list of all open source, proprietary, and third-party components included in a software product. Think of it as a detailed ingredients label for your application, capturing every library and package that contributes to your final product.
Why are SBOMs so important now?
DORA
DORA does not mention SBOMs by name. Its ICT third-party risk and incident-reporting duties do, however, presuppose that a financial entity knows which software it runs and who supplies it, and an SBOM is the practical artefact for recording that. Keep SBOMs current for the software in your ICT supply chain, be ready to share them with supervisors or critical partners on request, and use them as an input to ICT risk assessments and incident response.
NIS-2
NIS-2 requires "appropriate and proportionate" technical, operational and organisational measures, and lists supply chain security explicitly among the minimum measures in Article 21. The directive does not prescribe SBOMs, but a current component inventory is the simplest evidence that you actually know what is in your supply chain, and it is what an auditor or investigator will ask for first.
Cyber Resilience Act (CRA)
The CRA is the only one of the three that names SBOMs explicitly. Annex I requires manufacturers to identify and document the vulnerabilities and components contained in their products, including by drawing up an SBOM in a commonly used, machine-readable format that covers at least the product's top-level dependencies, and to make it available to market surveillance authorities on request.
Organizations that fail to meet these requirements risk administrative fines of up to EUR 15 million or 2.5% of worldwide annual turnover for breaches of the Annex I essential requirements, withdrawal or recall of non-compliant products from the market, and serious reputational damage.
Automate SBOM Generation
Given the complexity and speed of releases in most modern software teams, SBOM generation and updating must be automated. Make SBOM creation a step in your build or deployment pipeline, so every change in your codebase or dependencies is tracked automatically. Generate the SBOM from the built artefact (container image, package, or binary) rather than only from the dependency manifest, so that it reflects what actually ships, and attach it to the release it describes.
Use Standardized Formats
Regulators and customers will expect SBOMs to be delivered in standard formats such as SPDX or CycloneDX, both of which have JSON serialisations. Identify each component with a package URL (purl) so that tools can match it unambiguously against vulnerability data. Standard formats make it much easier to exchange, analyze, and audit SBOMs across organizations and tools.
Organize Retention and Sharing
Store your SBOMs in a secure and organized way so that you can produce them for auditors or customers whenever required. An SBOM is also a precise map of your attack surface, so share it on a need-to-know basis and sign it alongside the release so recipients can verify it has not been altered. Establish clear processes for internal access and external distribution.
Manage Lifecycle Updates
Every product update or patch should trigger a new SBOM version. Tie each SBOM to the exact build it describes (commit and artefact digest) and keep the history, so you can show what shipped at any point in time as well as what ships today.
Connect SBOMs to Your Risk Processes
Link your SBOM system to vulnerability sources (NVD, OSV, vendor advisories) and to your incident response process. When a new vulnerability affects a component in your SBOM, your team should receive an alert and follow a defined plan to assess exploitability, mitigate the risk, and record the outcome, for example as a VEX statement stating whether the product is actually affected.
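The following Python block is an added illustration of the three points above (standard formats, lifecycle diffing, and matching against vulnerability data); it is not code from the original post and not an Exodos Labs product. It reads two constructed CycloneDX JSON documents, diffs the component inventory between revisions, and flags components whose version falls inside an advisory's affected range. The advisory feed format is our own simplification, and the version comparison handles only numeric dotted releases; a production pipeline should use the ecosystem's real version semantics. The CVE identifier and affected range used for the sample are the real ones for Log4Shell.

```python
"""Diff CycloneDX SBOM revisions and match components against advisories."""
import json
import re
from typing import Dict, Iterable, List, Tuple

Version = Tuple[int, ...]

# Constructed CycloneDX 1.5 documents for a hypothetical product (not a real SBOM).
SBOM_V1 = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
         "version": "2.15.2",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"},
    ],
})
# Next revision: log4j-core patched, slf4j-api added.
SBOM_V2 = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 2,
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
         "version": "2.15.2",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"},
        {"type": "library", "group": "org.slf4j", "name": "slf4j-api", "version": "2.0.9",
         "purl": "pkg:maven/org.slf4j/slf4j-api@2.0.9"},
    ],
})
# Constructed advisory feed: our own simplified schema, keyed by version-less purl.
# Affected range is [introduced, fixed). CVE-2021-44228 was fixed in log4j-core 2.15.0.
ADVISORIES = [
    {"id": "CVE-2021-44228",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "introduced": "2.0", "fixed": "2.15.0"},
]


def parse_version(text: str) -> Version:
    """Simplified comparable version: leading numeric dot-separated fields only.
    '2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0). Real matching must follow the
    ecosystem's rules (Maven, semver, PEP 440); this suffices for the data above."""
    fields: List[int] = []
    for part in re.split(r"[.\-+]", text):
        if not part.isdigit():
            break
        fields.append(int(part))
    return tuple(fields)


def split_purl(purl: str) -> Tuple[str, str]:
    """Split 'pkg:type/ns/name@version?qualifiers#subpath' into (base, version)."""
    purl = purl.split("#", 1)[0].split("?", 1)[0]
    base, _, version = purl.partition("@")
    return base, version


def iter_components(node: dict) -> Iterable[dict]:
    """Walk top-level and nested components (CycloneDX permits nesting)."""
    for comp in node.get("components", []):
        yield comp
        yield from iter_components(comp)


def component_versions(sbom_json: str) -> Dict[str, str]:
    """Map version-less purl -> version for every component that carries a purl."""
    inventory: Dict[str, str] = {}
    for comp in iter_components(json.loads(sbom_json)):
        if "purl" in comp:
            base, version = split_purl(comp["purl"])
            inventory[base] = version or comp.get("version", "")
    return inventory


def is_affected(version: str, advisory: dict) -> bool:
    """True when introduced <= version < fixed under the simplified ordering."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def find_vulnerable(sbom_json: str, advisories: List[dict]) -> List[Tuple[str, str, str]]:
    """Return (advisory id, purl, shipped version) for each affected component."""
    inventory = component_versions(sbom_json)
    hits = []
    for adv in advisories:
        version = inventory.get(adv["purl"])
        if version is not None and is_affected(version, adv):
            hits.append((adv["id"], adv["purl"], version))
    return hits


def diff_sboms(old_json: str, new_json: str) -> Dict[str, dict]:
    """Added / removed / version-changed components between two SBOM revisions."""
    old, new = component_versions(old_json), component_versions(new_json)
    return {
        "added": {p: v for p, v in new.items() if p not in old},
        "removed": {p: v for p, v in old.items() if p not in new},
        "changed": {p: (old[p], new[p]) for p in old.keys() & new.keys() if old[p] != new[p]},
    }


if __name__ == "__main__":
    print("v1 findings:", find_vulnerable(SBOM_V1, ADVISORIES))
    print("v2 findings:", find_vulnerable(SBOM_V2, ADVISORIES))
    print("v1 -> v2 diff:", diff_sboms(SBOM_V1, SBOM_V2))
```

Run as a script it reports the Log4Shell hit in revision 1, no hits in revision 2, and the inventory changes between them. In a real pipeline the `ADVISORIES` list would be replaced by a feed such as OSV queried by purl, and each finding would open a ticket or an incident rather than just printing.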
DORA, NIS-2, and the EU Cyber Resilience Act will significantly raise the bar for software supply chain transparency and security across Europe. For all organizations impacted, having robust processes for SBOM automation, management, and sharing is no longer optional - it’s a regulatory and business imperative. Staying ahead means not just ticking compliance boxes, but also building trust with customers and partners through transparency and rapid response to emerging threats.
If your current approach to SBOMs isn’t ready for this new era, contact Exodos Labs. We specialize in helping organizations automate SBOM management and align with global compliance requirements. Visit our Contact page or explore our solutions to see how you can turn regulatory pressure into a competitive advantage.
For ongoing insights on regulatory trends and supply chain best practices, keep following the Exodos Labs blog.