US critical infrastructure incident reporting law requiring CISA to finalize rules for covered cyber incident and ransom payment reporting by covered entities.
Incident Reporting
Ransomware Reporting
Evidence
Critical Infrastructure
Governance
adjacent SBOM relevance
Regulation
Effective 2022-03-15
Evidence to prepare: Incident classification workflow, reporting records, affected system and supplier maps, ransom payment decision evidence, recovery records.
Relevant reference: CIRCIA covered cyber incident and ransom payment reporting
Exodos note: Incident reporting is faster when asset, supplier, and component impact analysis is already mapped.
Official source: report covered cyber incidents to CISA
Voluntary US cybersecurity labeling program for consumer IoT products, built around conformance testing, label authorization, registry information, and NIST technical criteria.
IoT Labeling
Product Security
Vulnerability Management
Secure Updates
Technical Documentation
adjacent SBOM relevance
Certification
Effective 2024-03-15
Evidence to prepare: Conformance test report, update support evidence, product registry data, vulnerability disclosure process, lifecycle support records.
Relevant reference: FCC IoT cybersecurity labeling program, Report and Order FCC 24-26
Exodos note: Use product software inventory and update evidence to support label renewals and consumer transparency.
Official source: U.S. Cyber Trust Mark
UK framework for network and information system security in operators of essential services and relevant digital service providers, with security and incident reporting duties.
Risk Management
Incident Reporting
Operational Resilience
Evidence
Governance
implicit SBOM relevance
Regulation
Effective 2018-05-10
Evidence to prepare: Security controls, incident reporting process, supplier risk evidence, service continuity records, governance documentation.
Exodos note: Supplier and component visibility helps evidence reasonable controls under service-resilience obligations.
Official source
PRA policy for more consistent reporting of operational incidents and material third-party arrangements by regulated financial firms.
Incident Reporting
Third-Party Risk
Operational Resilience
Supplier Risk
Evidence
adjacent SBOM relevance
Regulation
Effective 2026-03-18
Evidence to prepare: Operational incident records, material third-party arrangement register, impact assessments, service mapping, supplier resilience evidence.
Exodos note: Material software suppliers should be traceable to products, services, and incident impact paths.
Official source
Australian cyber reform package introducing ransomware and cyber extortion payment reporting and broader cyber incident coordination mechanisms.
Ransomware Reporting
Incident Reporting
Evidence
Governance
Critical Infrastructure
adjacent SBOM relevance
Regulation
Effective 2024-11-29
Evidence to prepare: Ransomware payment records, incident timeline, affected system map, supplier impact evidence, recovery and remediation records.
Relevant reference: Cyber Security Act 2024, ransomware payment reporting
Exodos note: Software and supplier dependency mapping shortens impact assessment for reportable cyber extortion events.
Official source: ransomware payment and cyber extortion payment reporting
Critical infrastructure security framework with mandatory cyber incident reporting and risk management obligations for covered assets.
Incident Reporting
Critical Infrastructure
Risk Management
Supplier Risk
Evidence
implicit SBOM relevance
Regulation
Effective 2018-07-11
Evidence to prepare: Critical asset register, cyber incident reporting workflow, supplier dependency map, risk management program evidence, remediation records.
Exodos note: Treat software and managed-service dependencies as part of the critical asset evidence base.
Official source
Canadian guidance for protecting organizations from software supply chain threats, including supplier assessment and software component inventory/SBOM considerations.
SBOM
Supplier Risk
Supply Chain Security
Vulnerability Management
Risk Management
explicit SBOM relevance
Guidance
Effective 2023-03-01
Evidence to prepare: Vendor SBOM questions, component inventory, supplier controls, vulnerability monitoring, procurement security requirements.
Exodos note: Use this guidance as a practical procurement checklist for vendor SBOM and dependency evidence.
Official source
Draft METI and NCO guidelines describing expected roles for providers that develop, supply, and operate software and cyber infrastructure.
Secure Development
Supplier Risk
Vulnerability Management
Governance
Evidence
implicit SBOM relevance
Regulation
Effective 2025-10-30
Evidence to prepare: Provider role mapping, secure development evidence, supplier controls, vulnerability handling records, customer-facing assurance materials.
Exodos note: The provider-role model fits a trust center that separates producer, supplier, and operator evidence.
Official source
Foundational Chinese cybersecurity law covering network operator security duties, critical information infrastructure protections, security incidents, and network product obligations.
Risk Management
Incident Response
Critical Infrastructure
Product Security
Vulnerability Management
Evidence
implicit SBOM relevance
Regulation
Effective 2017-06-01
Evidence to prepare: Security management system, network logs, data classification evidence, CII protection records, product vulnerability remediation records.
Exodos note: Track product, vulnerability, and supplier evidence separately for China-facing network products and services.
Official source
Korean framework for protecting major information and communications infrastructure against electronic intrusion and disruption.
Critical Infrastructure
Risk Management
Incident Response
Evidence
Governance
implicit SBOM relevance
Regulation
Effective 2020-12-10
Evidence to prepare: Infrastructure protection plans, risk assessments, incident response records, supplier dependency evidence, security control evidence.
Exodos note: Critical infrastructure protection benefits from traceable software and supplier dependencies for core systems.
Official source
KISA IoT security certification evaluates connected devices across authentication, data protection, cryptography, software security, updates, technical support, OS, network, and hardware security.
IoT Labeling
Product Security
Secure Updates
Vulnerability Management
Conformity Evidence
adjacent SBOM relevance
Certification
Effective 2026-05-07
Evidence to prepare: Certification test evidence, software security records, update and support records, vulnerability reporting channel, product security documentation.
Exodos note: A reusable product evidence model reduces work across KISA, JC-STAR, FCC, UK PSTI, and EU product rules.
Official source
Minimum cybersecurity requirements for Saudi government organizations and critical national infrastructure operators, covering governance, defense, resilience, cloud, third parties, and ICS.
Governance
Risk Management
Third-Party Risk
Cloud Security
Industrial Control Systems
Evidence
implicit SBOM relevance
Framework
Effective 2018-01-01
Evidence to prepare: Cybersecurity strategy, asset inventories, third-party controls, cloud controls, ICS controls, compliance evidence.
Exodos note: Supplier and software inventory supports ECC third-party, cloud, and asset-management evidence.
Official source
Saudi critical systems controls extending the ECC for national critical systems across governance, defense, resilience, and third-party/cloud cybersecurity.
Critical Infrastructure
Third-Party Risk
Cloud Security
Resilience
Evidence
implicit SBOM relevance
Framework
Effective 2019-01-01
Evidence to prepare: Critical system inventory, supplier security evidence, cloud controls, resilience evidence, risk management documentation.
Exodos note: Critical system assurance should include software supplier and component evidence for operationally important platforms.
Official source
Vehicle type approval regulation requiring cybersecurity management systems and risk controls across vehicle lifecycle and supply chain.
Secure Development
Supply Chain Security
Vulnerability Management
Risk Management
Evidence
Audit Trail
implicit SBOM relevance
Regulation
Effective 2021-01-22
Evidence to prepare: CSMS evidence, supplier cybersecurity controls, vehicle software inventory, threat analysis, vulnerability and update processes, audit records.
Relevant reference: UN Regulation No. 155, cybersecurity management system
Exodos note: Automotive suppliers need product-line software evidence that can be reused across OEM and type-approval requests.
Official source: Cyber Security Management System
Vehicle type approval regulation for software update management systems, including safe and secure software update processes and update documentation.
Secure Updates
Change Management
Technical Documentation
Evidence
Audit Trail
implicit SBOM relevance
Regulation
Effective 2021-01-22
Evidence to prepare: SUMS evidence, software version records, update validation, rollback and safety evidence, vehicle configuration records.
Relevant reference: UN Regulation No. 156, software update management system
Exodos note: Pair SBOM versioning with update evidence so every vehicle software change has a traceable component history.
Official source: Software Update Management System
Automotive industry guidance on SBOM program design, supplier exchange, vulnerability operations, confidentiality, and automation across OEM and multi-tier supplier ecosystems.
SBOM
Supplier Risk
Vulnerability Management
Software Transparency
Secure Sharing
Evidence
explicit SBOM relevance
Guidance
Effective 2025-01-17
Evidence to prepare: Automotive SBOM policy, supplier exchange workflow, NDA or cybersecurity interface agreement controls, vulnerability triage records, SBOM tooling and automation evidence.
Relevant reference: Auto-ISAC SBOM Informational Report, automotive SBOM use
Exodos note: Auto-ISAC frames automotive SBOM as an operating model: trusted exchange, access control, vulnerability context, and supplier-tier visibility all need to work together.
Official source: automation is essential to SBOM adoption
International regulator guidance on SBOM principles and practices for medical device cybersecurity across manufacturers, healthcare providers, and other stakeholders.
SBOM
Vulnerability Management
Software Transparency
Post-Market Monitoring
Evidence
explicit SBOM relevance
Guidance
Effective 2023-04-13
Evidence to prepare: SBOM generation and maintenance process, stakeholder sharing model, component vulnerability monitoring, device inventory linkage, lifecycle evidence.
Relevant reference: IMDRF N73 SBOM principles and practices for medical device cybersecurity
Exodos note: IMDRF is a useful global baseline for medical device SBOM normalization and trust-center workflows.
Official source: Software Bill of Materials for Medical Device Cybersecurity
Joint international guidance setting a shared vision for SBOM as a core tool for vulnerability management, secure-by-design development, and software supply chain transparency.
SBOM
Software Transparency
Vulnerability Management
Secure Development
Supply Chain Security
explicit SBOM relevance
Guidance
Effective 2025-09-09
Evidence to prepare: SBOM production and sharing process, vulnerability exploitability context, procurement requirements, supplier SBOM intake, continuous monitoring evidence.
Relevant reference: CISA and international partners shared vision for SBOM
Exodos note: This is the clearest cross-border signal that SBOM programs should become operational infrastructure, not document exchange.
Official source: Software Bill of Materials
Industrial automation and control system standard defining secure product development lifecycle practices for component suppliers.
Secure Development
Vulnerability Management
Secure Updates
Technical Documentation
Evidence
explicit SBOM relevance
Standard
Effective 2018-01-01
Evidence to prepare: Secure development lifecycle evidence, vulnerability handling process, security update process, component traceability, release documentation.
Relevant reference: IEC 62443-4-1, secure product development lifecycle requirements
Exodos note: Use this as the operational bridge between CRA obligations and industrial product engineering evidence.
Official source: Secure product development lifecycle requirements
Component-level security standard for industrial control system products, covering embedded devices, host devices, network devices, and software applications.
Product Security
Secure Development
Vulnerability Management
Technical Documentation
Evidence
implicit SBOM relevance
Standard
Effective 2019-02-01
Evidence to prepare: Component security requirement mapping, test evidence, vulnerability management records, update evidence, product configuration records.
Relevant reference: IEC 62443-4-2, IACS component technical security requirements
Exodos note: Attach SBOMs to product component classes so vulnerability triage can follow the 62443 component boundary.
Official source: Technical security requirements for IACS components
Program-level industrial automation security management standard for asset owners operating control systems and OT environments.
Risk Management
Governance
Vulnerability Management
Supplier Risk
Evidence
implicit SBOM relevance
Standard
Effective 2024-01-01
Evidence to prepare: IACS asset inventory, supplier dependency map, security program records, vulnerability response records, risk assessments.
Relevant reference: IEC 62443-2-1, IACS security program
Exodos note: Software inventory makes OT asset ownership and supplier accountability easier to prove.
Official source: IACS security program
Industrial control system security standard defining system security requirements and target security levels for zones and conduits.
Risk Management
Product Security
Access Control
Monitoring
Evidence
adjacent SBOM relevance
Standard
Effective 2013-08-01
Evidence to prepare: Zone and conduit model, security level targets, component dependency evidence, security control mapping, test results.
Relevant reference: IEC 62443-3-3, system security requirements and security levels
Exodos note: Use SBOMs to connect software components to zones, conduits, and compensating controls.
Official source: System security requirements and security levels
International information security management system standard used as a baseline for governance, risk treatment, supplier controls, and audit evidence.
Governance
Risk Management
Supplier Risk
Evidence
Audit Trail
adjacent SBOM relevance
Standard
Effective 2022-10-25
Evidence to prepare: ISMS scope, risk treatment plan, supplier controls, asset inventory, audit evidence, corrective action records.
Relevant reference: ISO/IEC 27001:2022, information security management systems
Exodos note: SBOM and supplier evidence can be reused across ISMS risk treatment, supplier assurance, and audit workflows.
Official source: information security management systems
Reference control catalogue for information security controls, including supplier relationships, secure development, vulnerability management, and asset management.
Risk Management
Supplier Risk
Secure Development
Vulnerability Management
Evidence
adjacent SBOM relevance
Standard
Effective 2022-02-15
Evidence to prepare: Control mapping, supplier security records, secure coding evidence, vulnerability management records, asset and software inventory.
Relevant reference: ISO/IEC 27002:2022, information security controls
Exodos note: Map SBOM controls to ISO 27002 once and reuse the mapping for audits and customer assurance.
Official source: information security controls
Supplier relationship security standard family covering information security risks in ICT supplier and acquirer relationships.
Supplier Risk
Third-Party Risk
Procurement Security
Evidence
Governance
implicit SBOM relevance
Standard
Effective 2023-01-01
Evidence to prepare: Supplier security requirements, software transparency clauses, due diligence records, SBOM request workflow, contract evidence.
Relevant reference: ISO/IEC 27036 supplier relationships
Exodos note: Use supplier SBOM intake as a concrete evidence item inside broader supplier security governance.
Official source: information security for supplier relationships
Application security standard family for integrating security controls into application lifecycle and organizational governance.
Secure Development
Risk Management
Technical Documentation
Evidence
adjacent SBOM relevance
Standard
Effective 2011-11-15
Evidence to prepare: Application security controls, development lifecycle evidence, component and library inventory, vulnerability remediation records.
Relevant reference: ISO/IEC 27034 application security
Exodos note: SBOMs give application security programs traceability from code dependencies to release evidence.
Official source: application security
AI management system standard for organizations providing or using AI systems, supporting governance, risk controls, and lifecycle evidence.
AI Governance
Risk Management
Technical Documentation
Monitoring
Evidence
adjacent SBOM relevance
Standard
Effective 2023-12-18
Evidence to prepare: AI system inventory, model and software dependency records, risk controls, monitoring evidence, supplier and dataset provenance.
Relevant reference: ISO/IEC 42001, artificial intelligence management system
Exodos note: AI compliance increasingly needs software, model, data, and dependency evidence in one system of record.
Official source: artificial intelligence management system
US secure software development framework used by federal software supply chain policy and procurement assurance programs.
Secure Development
SBOM
Vulnerability Management
Evidence
Attestation
explicit SBOM relevance
Guidance
Effective 2022-02-04
Evidence to prepare: SSDF practice evidence, build provenance, vulnerability response records, SBOM generation records, secure development attestations.
Relevant reference: NIST SP 800-218, PO.1.3 and PS/PW/RV practice groups
Exodos note: SSDF is the common language for mapping engineering evidence to federal software security expectations.
Official source: Secure Software Development Framework
Cybersecurity supply chain risk management guidance for federal systems and organizations, covering suppliers, products, services, and system components.
Supplier Risk
Supply Chain Security
SBOM
Risk Management
Evidence
explicit SBOM relevance
Guidance
Effective 2022-05-05
Evidence to prepare: C-SCRM plan, supplier inventory, component inventory, acquisition controls, supplier assessment evidence, monitoring records.
Relevant reference: NIST SP 800-161 Rev. 1, C-SCRM controls and practices
Exodos note: Use SBOMs as machine-readable evidence inside broader supplier and acquisition risk workflows.
Official source: Cybersecurity Supply Chain Risk Management Practices
Cybersecurity risk management framework organized around govern, identify, protect, detect, respond, and recover outcomes.
Governance
Risk Management
Supplier Risk
Vulnerability Management
Evidence
implicit SBOM relevance
Framework
Effective 2024-02-26
Evidence to prepare: Cybersecurity profile, supply chain risk category mapping, asset inventory, vulnerability process evidence, improvement plan.
Relevant reference: NIST CSF 2.0, GV.SC cybersecurity supply chain risk management
Exodos note: CSF 2.0 is useful for executive reporting; SBOM evidence makes supplier risk measurable.
Official source: cybersecurity supply chain risk management
Federal security and privacy control catalogue with acquisition, supply chain, developer testing, and flaw remediation controls.
Supplier Risk
Secure Development
Vulnerability Management
Evidence
Audit Trail
implicit SBOM relevance
Framework
Effective 2020-09-23
Evidence to prepare: SA control implementation evidence, developer security testing, flaw remediation records, supplier requirements, acquisition records.
Relevant reference: NIST SP 800-53 Rev. 5, SA and SR control families
Exodos note: Link SBOM artifacts to SA/SR controls so authorization packages can reuse the same software evidence.
Official source: Security and Privacy Controls
Baseline SBOM guidance defining minimum data fields, automation support, and practices for generating, sharing, and using SBOMs.
SBOM
Software Transparency
Supplier Risk
Vulnerability Management
Evidence
explicit SBOM relevance
Guidance
Effective 2021-07-12
Evidence to prepare: Supplier name, component name, version, identifiers, dependency relationships, SBOM author, timestamp, automation format.
Relevant reference: NTIA minimum elements for SBOM
Exodos note: Use this as the minimum quality gate before accepting supplier SBOMs into the evidence system.
Official source: minimum elements for a Software Bill of Materials
Guidance for communicating whether a known vulnerability affects a product, reducing false positives in SBOM-driven vulnerability operations.
VEX
Vulnerability Management
Software Transparency
Evidence
Supplier Communication
explicit SBOM relevance
Guidance
Effective 2022-06-01
Evidence to prepare: VEX status, justification, affected product mapping, vulnerability analysis record, supplier communication trail.
Relevant reference: CISA VEX status justifications
Exodos note: VEX is where SBOM programs become useful for triage instead of creating vulnerability noise.
Official source: Vulnerability Exploitability eXchange
Catalog of vulnerabilities known to be exploited in the wild, used for prioritized remediation and risk-based vulnerability management.
Vulnerability Management
Remediation
Evidence
Incident Response
adjacent SBOM relevance
Guidance
Effective 2021-11-03
Evidence to prepare: KEV matching workflow, affected component map, remediation SLAs, exception records, vulnerability closure evidence.
Relevant reference: CISA KEV catalog
Exodos note: Joining KEV to SBOM inventory gives security teams a clean path from exploited CVE to affected products.
Official source: Known Exploited Vulnerabilities Catalog
Secure by Design guidance urging technology manufacturers to make secure product development and vulnerability handling core business practices.
Secure Development
Vulnerability Disclosure
Secure Defaults
Evidence
Governance
implicit SBOM relevance
Guidance
Effective 2023-04-13
Evidence to prepare: Secure development policy, product security roadmap, vulnerability disclosure process, secure default evidence, customer assurance materials.
Relevant reference: CISA Secure by Design
Exodos note: Use SBOM and VEX workflows to prove secure-by-design commitments with operational evidence.
Official source: Secure by Design
Open framework for improving build integrity and provenance across software supply chains, from source through build and distribution.
Build Provenance
Secure Development
Supply Chain Security
Evidence
Attestation
adjacent SBOM relevance
Framework
Effective 2021-06-01
Evidence to prepare: Build provenance, source integrity records, artifact signing, dependency evidence, CI/CD controls, release attestation.
Relevant reference: SLSA v1.0 software supply chain integrity framework
Exodos note: Pair SLSA provenance with SBOM content so teams can trust both what was built and how it was built.
Official source: Supply-chain Levels for Software Artifacts
Open-source project health and security scoring tool used to evaluate dependency risk signals across source repositories.
Supplier Risk
Open Source Risk
Secure Development
Evidence
adjacent SBOM relevance
Framework
Effective 2020-11-01
Evidence to prepare: Repository scorecard results, dependency risk policy, maintainer and project health signals, remediation evidence.
Relevant reference: OpenSSF Scorecard project security checks
Exodos note: Scorecard signals can enrich SBOM components with upstream project health context.
Official source: automated security tool
OWASP verification standard for software components and supply chain controls, including inventory, integrity, provenance, and vulnerability practices.
SBOM
Supply Chain Security
Secure Development
Vulnerability Management
Evidence
explicit SBOM relevance
Framework
Effective 2023-01-01
Evidence to prepare: Component inventory, verification controls, dependency provenance, vulnerability checks, package integrity evidence.
Relevant reference: OWASP Software Component Verification Standard
Exodos note: Use SCVS as a practical control checklist for SBOM quality and dependency assurance.
Official source: Software Component Verification Standard
Machine-readable bill of materials standard supporting SBOM, SaaSBOM, VEX, CBOM, and other software supply chain transparency use cases.
SBOM
VEX
Software Transparency
Vulnerability Management
Evidence
explicit SBOM relevance
Standard
Effective 2017-01-01
Evidence to prepare: CycloneDX SBOMs, component identifiers, dependency graph, vulnerability analysis, VEX, signatures and metadata.
Relevant reference: CycloneDX bill of materials standard
Exodos note: CycloneDX is especially useful when SBOM evidence needs to carry vulnerability, services, and cryptography context.
Official source: full-stack Bill of Materials standard
ISO-standardized SBOM and software package data exchange format used for component, license, security, and provenance transparency.
SBOM
Software Transparency
License Compliance
Provenance
Evidence
explicit SBOM relevance
Standard
Effective 2021-08-01
Evidence to prepare: SPDX documents, package identifiers, dependency relationships, license data, security references, document namespace and creator metadata.
Relevant reference: SPDX specification and ISO/IEC 5962
Exodos note: SPDX gives suppliers a standards-backed path for exchanging SBOMs across legal, security, and engineering teams.
Official source: Software Package Data Exchange
Federal cloud security authorization baseline based on NIST SP 800-53 Rev. 5 controls, including supply chain, vulnerability, and configuration evidence.
Cloud Security
Vulnerability Management
Supplier Risk
Evidence
Continuous Monitoring
implicit SBOM relevance
Framework
Effective 2023-05-30
Evidence to prepare: System security plan, continuous monitoring records, vulnerability scan results, supply chain controls, software component evidence.
Relevant reference: FedRAMP Rev. 5 security authorization baseline
Exodos note: For SaaS vendors, SBOM evidence can strengthen vulnerability and supply chain sections of FedRAMP packages.
Official source: Rev. 5 baselines
DoD contractor cybersecurity certification program for protecting federal contract information and controlled unclassified information.
Governance
Access Control
Incident Response
Supplier Risk
Evidence
adjacent SBOM relevance
Certification
Effective 2024-12-16
Evidence to prepare: CMMC assessment evidence, SSP, POA&M, supplier controls, vulnerability management and configuration evidence.
Relevant reference: DoD CMMC program
Exodos note: SBOMs are not the core CMMC artifact, but they help contractors prove software and supplier risk control maturity.
Official source: Cybersecurity Maturity Model Certification
Defense acquisition clause requiring safeguarding of covered defense information and cyber incident reporting by contractors.
Incident Reporting
Supplier Risk
Evidence
Access Control
Vulnerability Management
adjacent SBOM relevance
Regulation
Effective 2016-10-21
Evidence to prepare: Incident reports, affected system/component mapping, subcontractor flow-down evidence, NIST 800-171 control records, remediation evidence.
Relevant reference: DFARS 252.204-7012 cyber incident reporting
Exodos note: Component and supplier maps improve impact analysis when contractors report cyber incidents.
Official source: Safeguarding Covered Defense Information
Transportation Security Administration cybersecurity directives for critical pipeline owners and operators after major ransomware events.
Incident Reporting
Vulnerability Management
Operational Resilience
Critical Infrastructure
Evidence
adjacent SBOM relevance
Regulation
Effective 2021-05-27
Evidence to prepare: Critical system inventory, vulnerability mitigation plans, incident reporting workflow, dependency map, recovery and resilience evidence.
Relevant reference: TSA pipeline cybersecurity requirements
Exodos note: Operational technology software dependencies need to be tied to response and recovery evidence.
Official source: critical pipeline owners and operators
TSA cybersecurity requirements for designated passenger rail, freight rail, and airport and aircraft operators.
Incident Reporting
Vulnerability Management
Access Control
Operational Resilience
Evidence
adjacent SBOM relevance
Regulation
Effective 2022-10-18
Evidence to prepare: Cybersecurity implementation plan, network segmentation evidence, vulnerability management records, system dependency map, incident reporting evidence.
Relevant reference: TSA transportation cybersecurity requirements
Exodos note: SBOM-linked asset evidence helps transportation operators prioritize exposed software in critical operations.
Official source: cybersecurity requirements for airport and aircraft operators
EU cybersecurity certification framework for ICT products, services, and processes, supporting conformity evidence used by other EU product rules.
Certification
Product Security
Technical Documentation
Evidence
Risk Management
adjacent SBOM relevance
Regulation
Effective 2019-06-27
Evidence to prepare: Certification scope, assurance level evidence, technical documentation, vulnerability handling evidence, product configuration records.
Relevant reference: Regulation (EU) 2019/881 cybersecurity certification
Exodos note: Certification evidence becomes more valuable when connected to product software inventory and update history.
Official source: European cybersecurity certification framework
EU digital identity and trust services regulation expanding wallet, trust service, and assurance requirements for digital identity infrastructure.
Identity Assurance
Product Security
Technical Documentation
Certification
Evidence
adjacent SBOM relevance
Regulation
Effective 2024-05-20
Evidence to prepare: Wallet component inventory, trust service dependency records, conformity evidence, vulnerability handling and update records.
Relevant reference: Regulation (EU) 2024/1183 European Digital Identity Framework
Exodos note: Digital identity products need supplier and component transparency because trust anchors depend on software integrity.
Official source: European Digital Identity Framework
EU medical device framework requiring safety, performance, technical documentation, risk management, and post-market surveillance for software-enabled devices.
Risk Management
Technical Documentation
Post-Market Monitoring
Vulnerability Management
Evidence
implicit SBOM relevance
Regulation
Effective 2021-05-26
Evidence to prepare: Software lifecycle records, technical file, risk management, vulnerability and update process, post-market surveillance evidence.
Relevant reference: Regulation (EU) 2017/745 medical devices
Exodos note: MDR evidence should be linked to SBOM and vulnerability context for every software-containing device release.
Official source: medical devices
EU in vitro diagnostic medical device framework covering software-enabled diagnostics, technical documentation, lifecycle risk, and post-market evidence.
Risk Management
Technical Documentation
Post-Market Monitoring
Vulnerability Management
Evidence
implicit SBOM relevance
Regulation
Effective 2022-05-26
Evidence to prepare: IVD software inventory, lifecycle documentation, risk controls, post-market records, supplier component and vulnerability evidence.
Relevant reference: Regulation (EU) 2017/746 in vitro diagnostic medical devices
Exodos note: IVD software evidence should be reusable across medical device, product security, and supplier risk workflows.
Official source: in vitro diagnostic medical devices
German IT security law and critical infrastructure obligations covering security measures, incident reporting, and evidence for operators and providers.
Critical Infrastructure
Incident Reporting
Risk Management
Supplier Risk
Evidence
implicit SBOM relevance
Regulation
Effective 2021-05-28
Evidence to prepare: KRITIS scope evidence, security controls, incident reporting process, supplier dependency map, audit and assurance records.
Relevant reference: BSI KRITIS cybersecurity requirements
Exodos note: Component and supplier evidence supports KRITIS impact analysis and incident response.
Official source: Critical Infrastructures
BSI cloud security assurance catalogue used by cloud providers and customers for security, transparency, and audit-ready evidence.
Cloud Security
Supplier Risk
Vulnerability Management
Evidence
Audit Trail
adjacent SBOM relevance
Framework
Effective 2020-01-01
Evidence to prepare: C5 control evidence, supplier dependency records, vulnerability management process, secure operations records, audit reports.
Relevant reference: BSI C5 cloud computing criteria catalogue
Exodos note: SBOM inventory can strengthen cloud vulnerability, supplier, and change-management evidence under C5.
Official source: Cloud Computing Compliance Criteria Catalogue
Automotive assessment and exchange ecosystem for information security and vehicle cybersecurity assurance across OEM and supplier relationships.
Supplier Risk
Product Security
Secure Development
Evidence
Governance
implicit SBOM relevance
Framework
Effective 2024-01-01
Evidence to prepare: Assessment scope, supplier controls, product security process evidence, software dependency records, vulnerability handling workflow.
Relevant reference: ENX vehicle cybersecurity assessment
Exodos note: Automotive SBOM exchange should plug into existing OEM supplier assurance and TISAX-style evidence flows.
Official source: Vehicle Cyber Security
French cloud security qualification framework for cloud service providers serving sensitive public and private sector workloads.
Cloud Security
Supplier Risk
Vulnerability Management
Evidence
Certification
adjacent SBOM relevance
Certification
Effective 2022-03-08
Evidence to prepare: Cloud service component inventory, supplier controls, vulnerability management records, qualification evidence, operational security records.
Relevant reference: ANSSI SecNumCloud qualification
Exodos note: Cloud qualification evidence becomes stronger when software components and subservice providers are versioned.
Official source: SecNumCloud
Italian national cybersecurity perimeter requiring security measures and notifications for essential ICT assets and services.
Critical Infrastructure
Incident Reporting
Supplier Risk
Risk Management
Evidence
implicit SBOM relevance
Regulation
Effective 2019-11-21
Evidence to prepare: Essential asset inventory, supplier dependencies, incident reporting process, vulnerability remediation records, security control evidence.
Relevant reference: ACN national cybersecurity perimeter
Exodos note: SBOM evidence helps operators understand which software dependencies support essential ICT services.
Official source: Perimetro di sicurezza nazionale cibernetica
Malaysian cybersecurity law establishing national critical information infrastructure duties, incident reporting, and cybersecurity service provider licensing.
Critical Infrastructure
Incident Reporting
Risk Management
Supplier Risk
Evidence
implicit SBOM relevance
Regulation
Effective 2024-08-26
Evidence to prepare: NCII designation records, incident reporting workflow, supplier dependency evidence, cybersecurity risk assessment, service provider assurance.
Relevant reference: Malaysia Cyber Security Act 2024
Exodos note: Software dependency evidence supports NCII operator reporting and supplier assurance obligations.
Official source: Cyber Security Act 2024
Thai cybersecurity law establishing national cybersecurity governance and requirements for critical information infrastructure organizations.
Critical Infrastructure
Incident Response
Risk Management
Governance
Evidence
implicit SBOM relevance
Regulation
Effective 2019-05-28
Evidence to prepare: CII scope evidence, security controls, incident response records, supplier dependency map, remediation evidence.
Relevant reference: Thailand Cybersecurity Act B.E. 2562
Exodos note: SBOM-derived software maps improve CII impact analysis and response planning.
Official source: Cybersecurity Act
UAE national information assurance controls for government and critical entities covering governance, risk, operations, and third-party security.
Governance
Risk Management
Third-Party Risk
Evidence
Incident Response
adjacent SBOM relevance
Framework
Effective 2014-01-01
Evidence to prepare: Control implementation evidence, supplier dependency records, risk assessments, incident response evidence, asset and software inventories.
Relevant reference: UAE Information Assurance Regulation
Exodos note: Software supplier evidence supports third-party and asset management controls in regulated UAE environments.
Official source: Information Assurance
Qatar national information assurance baseline for protecting government and critical information systems.
Governance
Risk Management
Third-Party Risk
Evidence
Incident Response
adjacent SBOM relevance
Framework
Effective 2014-01-01
Evidence to prepare: Security control evidence, system inventory, supplier dependency records, vulnerability remediation evidence, incident handling records.
Relevant reference: Qatar national information assurance materials
Exodos note: SBOM evidence can support asset, third-party, and vulnerability controls for critical systems.
Official source: National Cyber Security Agency
Brazil Central Bank cybersecurity policy and cloud outsourcing requirements for financial institutions and payment institutions.
Cybersecurity Policy
Third-Party Risk
Cloud Security
Incident Reporting
Evidence
implicit SBOM relevance
Regulation
Effective 2021-02-26
Evidence to prepare: Cybersecurity policy, outsourced service inventory, cloud provider due diligence, incident records, software supplier dependency evidence.
Relevant reference: BACEN Resolution CMN 4,893
Exodos note: Financial cloud and software outsourcing evidence benefits from component and supplier-level traceability.
Official source: cybersecurity policy
HKMA supervisory guidance for authorized institutions managing technology risk, cyber resilience, outsourcing, and incident response.
Technology Risk
Third-Party Risk
Incident Response
Vulnerability Management
Evidence
implicit SBOM relevance
Guidance
Effective 2023-06-21
Evidence to prepare: Technology asset inventory, outsourcing records, vulnerability management evidence, incident response records, software supplier map.
Relevant reference: HKMA technology risk management guidance
Exodos note: SBOM and supplier evidence can improve financial technology asset and outsourcing risk visibility.
Official source: Technology Risk Management
Taiwan cybersecurity law governing government agencies and specific non-government agencies, including security maintenance and incident reporting.
Critical Infrastructure
Incident Reporting
Governance
Risk Management
Evidence
implicit SBOM relevance
Regulation
Effective 2019-01-01
Evidence to prepare: Security maintenance plan, incident response evidence, supplier dependencies, software inventory, risk management records.
Relevant reference: Taiwan Cyber Security Management Act
Exodos note: Software dependency and supplier maps help regulated entities scope incidents and maintenance obligations.
Official source: Cyber Security Management Act
Information security standard requiring APRA-regulated entities to manage information security capability, controls, incidents, testing, audit, and third-party control assurance.
Information Security
Incident Reporting
Third-Party Risk
Control Assurance
Audit Trail
implicit SBOM relevance
Standard
Effective 2019-07-01
Deadline 2019-07-01
Evidence to prepare: Information asset inventory, third-party control assurance, security testing, incident notification records, internal audit evidence.
Exodos note: Component and supplier inventories support information asset classification and third-party assurance.
Official source
Reliability standard requiring covered electric-sector entities to identify and manage cybersecurity risks from vendors and supply chain relationships.
Supplier Risk
Supply Chain Security
Access Control
Change Management
Evidence
Audit Trail
implicit SBOM relevance
Standard
Effective 2020-10-01
Deadline 2020-10-01
Evidence to prepare: Supply chain risk plan, vendor controls, remote access controls, vendor notification procedures, software integrity evidence.
Exodos note: Supplier software evidence helps bridge procurement controls with operational cyber risk in critical energy systems.
Official source
Rules governing discovery, reporting, repair, and publication of security vulnerabilities in network products including hardware and software.
Vulnerability Disclosure
Vulnerability Management
Product Security
Incident Reporting
Evidence
implicit SBOM relevance
Regulation
Effective 2021-09-01
Deadline 2021-09-01
Evidence to prepare: Vulnerability intake process, remediation records, disclosure controls, authority reporting evidence, affected product and component mapping.
Relevant reference: China network product security vulnerability management provisions
Exodos note: Component-level impact analysis is essential when vulnerability obligations attach to network products.
Official source: network product security vulnerabilities
CERT-In directions requiring covered entities to report specified cyber incidents rapidly and maintain relevant logs and security practices.
Incident Reporting
Logging
Evidence
Vulnerability Management
Governance
adjacent SBOM relevance
Regulation
Effective 2022-06-27
Deadline 2022-06-27
Evidence to prepare: Incident classification workflow, six-hour reporting process, log retention evidence, affected asset and supplier records, remediation evidence.
Exodos note: Rapid reporting depends on knowing which software, vendors, and systems were affected at the time of discovery.
Official source
FDA cybersecurity expectations for medical device submissions and postmarket lifecycle management, including software component transparency and vulnerability management.
SBOM
Vulnerability Management
Coordinated Vulnerability Disclosure
Secure Development
Evidence
Post-Market Monitoring
explicit SBOM relevance
Regulation
Effective 2023-10-01
Deadline 2023-10-01
Evidence to prepare: Premarket SBOM, security risk management, support plan, vulnerability disclosure process, update process, postmarket monitoring evidence.
Relevant reference: FD&C Act Section 524B(b)(3)
Exodos note: A strong FDA-ready SBOM needs normalization, versioning, and vulnerability context across the device lifecycle.
Official source: provide a software bill of materials
RBI directions for regulated entities outsourcing IT services, covering governance, risk management, confidentiality, business continuity, audit, and third-party oversight.
Third-Party Risk
Supplier Risk
Business Continuity
Audit Trail
Evidence
Governance
implicit SBOM relevance
Regulation
Effective 2023-04-10
Deadline 2023-10-01
Evidence to prepare: IT outsourcing policy, risk assessments, service provider controls, business continuity plans, audit evidence, data confidentiality controls.
Exodos note: For outsourced application and cloud services, SBOM requests can become part of due diligence and recurring assurance.
Official source
Requires public companies to disclose material cybersecurity incidents and annually describe cybersecurity risk management, strategy, governance, and oversight.
Incident Reporting
Governance
Risk Management
Evidence
Audit Trail
adjacent SBOM relevance
Regulation
Effective 2023-09-05
Deadline 2023-12-18
Evidence to prepare: Materiality decision records, incident timeline, risk management process evidence, board oversight documentation, third-party risk records.
Relevant reference: SEC cybersecurity risk management, strategy, governance, and incident disclosure rule
Exodos note: Component and supplier impact evidence can support faster materiality assessment after a software supply chain event.
Official source: material cybersecurity incidents
OSFI guidance setting expectations for federally regulated financial institutions to manage technology and cyber risks, including incident reporting and resilience.
Technology Risk
Incident Reporting
Governance
Resilience Testing
Evidence
implicit SBOM relevance
Regulation
Effective 2024-01-01
Deadline 2024-01-01
Evidence to prepare: Technology asset inventory, control testing, incident reporting evidence, resilience testing records, risk appetite and governance documentation.
Exodos note: Software provenance and dependency tracking strengthen technology asset and cyber risk evidence.
Official source
MAS technology risk obligations for payment service providers, including fast notification of relevant incidents and controls over technology operations.
Incident Reporting
Technology Risk
Governance
Evidence
Operational Resilience
adjacent SBOM relevance
Guidance
Effective 2024-02-06
Deadline 2024-02-06
Evidence to prepare: Incident notification workflow, technology asset map, security operations records, supplier dependency evidence, resilience records.
Exodos note: Fast reporting obligations require pre-built evidence trails for affected applications and vendors.
Official source
Federal software supply chain policy requiring software producers serving the US government to attest to secure development practices, with SBOMs and artifacts used by agencies as supporting evidence.
Secure Development
SBOM
Vulnerability Disclosure
Evidence
Attestation
Supply Chain Security
explicit SBOM relevance
Regulation
Effective 2021-05-12
Deadline 2024-03-11
Evidence to prepare: Secure software attestation, SSDF practice evidence, SBOM artifacts where requested, vulnerability management records, build and provenance evidence.
Relevant reference: Executive Order 14028, Section 4(e)(vii)
Exodos note: Turn federal attestation from a form exercise into a reusable evidence workspace for every software product and version.
Official source: providing a purchaser a Software Bill of Materials
UK consumer connectable product security regime requiring manufacturers, importers, and distributors to meet minimum security requirements and provide statements of compliance.
Product Security
Vulnerability Disclosure
Technical Documentation
Conformity Evidence
Secure Defaults
adjacent SBOM relevance
Regulation
Effective 2024-04-29
Deadline 2024-04-29
Evidence to prepare: Statement of compliance, password/security requirement evidence, vulnerability reporting channel, support period disclosure, importer/distributor records.
Relevant reference: UK PSTI product security regime, security requirements for connectable products
Exodos note: A product trust center can connect PSTI support-period and vulnerability-channel evidence with component transparency.
Official source: statement of compliance
OSFI third-party risk guidance requiring federally regulated financial institutions to manage risks across outsourced and other third-party arrangements.
Third-Party Risk
Supplier Risk
Operational Resilience
Audit Trail
Evidence
implicit SBOM relevance
Regulation
Effective 2024-05-01
Deadline 2024-05-01
Evidence to prepare: Third-party inventory, due diligence, subcontractor visibility, technology and cyber risk assessments, exit and continuity evidence.
Exodos note: SBOM requests can become a standard control for elevated-risk software and SaaS third parties.
Official source
EU-wide cybersecurity framework for essential and important entities, including risk management, incident reporting, supervision, and supply chain security measures.
Risk Management
Incident Reporting
Supply Chain Security
Supplier Risk
Governance
Evidence
implicit SBOM relevance
Directive
Effective 2023-01-16
Deadline 2024-10-17
Evidence to prepare: Supplier inventory, risk assessments, incident handling records, business continuity evidence, technical and organizational controls, management accountability records.
Relevant reference: Directive (EU) 2022/2555, Article 21 supply chain security
Exodos note: Use SBOM and supplier transparency as evidence for supply chain risk management even where the law does not name SBOM directly.
Official source: security in network and information systems acquisition, development and maintenance
Chinese network data security regulation requiring data processors to implement protection measures and report network product or service security defects and vulnerabilities.
Vulnerability Disclosure
Incident Reporting
Data Security
Risk Assessment
Product Security
implicit SBOM relevance
Regulation
Effective 2025-01-01
Deadline 2025-01-01
Evidence to prepare: Network data security controls, vulnerability remediation records, user and authority notifications, risk assessment reports, supplier security requirements.
Exodos note: A product security evidence system helps document vulnerability discovery, remediation, and notification timelines.
Official source
Operational resilience regime for financial entities covering ICT risk management, major incident reporting, resilience testing, information sharing, and ICT third-party risk.
Supplier Risk
Incident Reporting
Operational Resilience
Evidence
Audit Trail
Third-Party Risk
implicit SBOM relevance
Regulation
Effective 2023-01-16
Deadline 2025-01-17
Evidence to prepare: ICT asset and supplier registers, contractual controls, incident classification records, resilience testing evidence, exit plans, audit-ready third-party oversight.
Relevant reference: Regulation (EU) 2022/2554, ICT third-party risk management
Exodos note: Software component and supplier dependency visibility helps financial entities prove where operational ICT risk sits.
Official source: manage ICT third-party risk as an integral component of ICT risk
Japanese IoT product security conformity assessment scheme with baseline and higher assurance labels intended to support procurement and international alignment.
IoT Labeling
Product Security
Secure Updates
Vulnerability Management
Conformity Evidence
adjacent SBOM relevance
Certification
Effective 2024-08-30
Deadline 2025-03-31
Evidence to prepare: Security requirements mapping, conformance criteria, update and support evidence, vulnerability handling records, test or self-declaration records.
Exodos note: Component and firmware inventory can reduce effort across label levels and export-market evidence requests.
Official source
Activates cybersecurity, privacy, and fraud-protection essential requirements for categories of internet-connected radio equipment under the Radio Equipment Directive.
Product Security
Vulnerability Management
Secure Development
Technical Documentation
Conformity Evidence
adjacent SBOM relevance
Regulation
Effective 2022-01-11
Deadline 2025-08-01
Evidence to prepare: Conformity assessment records, secure update evidence, access control evidence, vulnerability handling process, privacy and fraud protection controls.
Relevant reference: Delegated Regulation (EU) 2022/30, Article 3 internet-connected radio equipment
Exodos note: Maintain firmware and software dependency records to support RED conformity and transition planning with CRA.
Official source: does not harm the network or its functioning
EU data access and cloud switching regulation affecting data processing services, interoperability, switching, and contractual transparency.
Cloud Portability
Technical Documentation
Supplier Risk
Governance
Evidence
adjacent SBOM relevance
Regulation
Effective 2024-01-11
Deadline 2025-09-12
Evidence to prepare: Service dependency map, interoperability documentation, exit records, cloud supplier controls, software and API inventory.
Relevant reference: Regulation (EU) 2023/2854 Data Act
Exodos note: Cloud exit and interoperability evidence improves when runtime dependencies and third-party software are traceable.
Official source: switching between data processing services
Swiss cyberattack reporting obligation for operators of critical infrastructure with phased enforcement and notification duties.
Incident Reporting
Critical Infrastructure
Evidence
Risk Management
Supplier Risk
adjacent SBOM relevance
Regulation
Effective 2025-04-01
Deadline 2025-10-01
Evidence to prepare: Incident classification workflow, affected system and supplier map, reporting evidence, remediation and recovery records.
Relevant reference: NCSC cyberattack reporting obligation
Exodos note: Incident reporting gets faster when affected software and supplier dependencies are already mapped.
Official source: Reporting obligation for cyberattacks
Cybersecurity framework for critical information infrastructure, expanded by 2024 amendments to cover additional classes such as foundational digital infrastructure providers.
Critical Infrastructure
Incident Reporting
Cybersecurity Codes
Governance
Evidence
implicit SBOM relevance
Regulation
Effective 2018-08-31
Deadline 2025-10-31
Evidence to prepare: CII asset records, code of practice evidence, incident reports, cloud or data center dependency evidence, risk assessments.
Exodos note: Cloud and data center providers need software dependency evidence that travels across virtualized infrastructure.
Official source
Mandatory Chinese vehicle cybersecurity and software update standards covering CSMS-style governance, technical controls, inspection and test methods, software update management, and vehicle evidence.
Cybersecurity Management System
Secure Updates
Vulnerability Management
Product Security
Technical Documentation
Evidence
implicit SBOM relevance
Standard
Effective 2026-01-01
Deadline 2026-01-01
Evidence to prepare: Vehicle cybersecurity management evidence, software update management evidence, technical test results, supplier cybersecurity records, vulnerability handling records, same-type justification.
Exodos note: For China-facing vehicle programs, connect SBOM and update-package evidence to vehicle type, ECU, supplier, vulnerability, and test-result records.
Official source
Federal policy shifting software and hardware security assurance from universal attestation to agency risk-based contractual and validation approaches.
Risk Management
Secure Development
SBOM
Supplier Risk
Evidence
Procurement Security
explicit SBOM relevance
Policy
Effective 2026-01-23
Deadline 2026-01-23
Evidence to prepare: Risk-based supplier assessment, contractual SBOM terms where used, secure development evidence, hardware/software security validation records.
Relevant reference: OMB M-26-05, software and hardware security validation
Exodos note: Federal suppliers still need SBOM readiness, but now it sits inside agency-specific risk and contract decisions.
Official source: provide a current software bill of materials
Great Britain type approval implementation of UN R155 cybersecurity and UN R156 software update requirements, with phased dates for new vehicle types, complete vehicles, completed vehicles, and special purpose vehicles.
Cybersecurity Management System
Secure Updates
Supplier Risk
Technical Documentation
Evidence
Audit Trail
implicit SBOM relevance
Standard
Effective 2025-11-13
Deadline 2026-06-01
Evidence to prepare: R155/R156 approval evidence, supplier risk controls, cybersecurity and software update management records, vehicle configuration evidence, update and incident response process records.
Exodos note: UK implementation makes supplier evidence more urgent for automotive programs that already map to UNECE approvals in EU and other markets.
Official source
APRA standard requiring regulated entities to manage operational risks, maintain critical operations through disruption, and manage service-provider arrangements.
Operational Resilience
Third-Party Risk
Supplier Risk
Business Continuity
Evidence
adjacent SBOM relevance
Standard
Effective 2025-07-01
Deadline 2026-07-01
Evidence to prepare: Critical operations map, material service provider register, business continuity tests, service provider controls, operational risk records.
Exodos note: Map software suppliers and component dependencies into service-provider resilience evidence.
Official source
China cybersecurity labeling framework for internet-connected products, including security capability levels, testing, reports, conformity statements, and vulnerability handling.
IoT Labeling
Product Security
Vulnerability Management
Conformity Evidence
Technical Documentation
adjacent SBOM relevance
Certification
Effective 2026-04-02
Deadline 2026-07-01
Evidence to prepare: Security test report, label filing data, conformity statement, vulnerability reporting and remediation records, product capability evidence.
Exodos note: Label evidence can reuse the same product software inventory used for CRA, PSTI, JC-STAR, and Cyber Trust Mark.
Official source
Risk-based AI regulation requiring technical documentation, logging, post-market monitoring, incident reporting, and cybersecurity measures for high-risk AI systems.
Technical Documentation
Incident Reporting
Post-Market Monitoring
Governance
Evidence
Risk Management
adjacent SBOM relevance
Regulation
Effective 2024-08-01
Deadline 2026-08-02
Evidence to prepare: AI system documentation, model and software provenance records, monitoring logs, risk controls, cybersecurity evidence, incident response workflow.
Relevant reference: Regulation (EU) 2024/1689, Annex IV technical documentation
Exodos note: AI governance is easier when software, model, dataset, and dependency provenance are managed as reusable evidence.
Official source: technical documentation shall be drawn up before that system is placed on the market
Updates EU machinery safety rules for connected and software-enabled machinery, including protection against corruption where safety functions depend on software or data.
Product Security
Technical Documentation
Risk Management
Secure Updates
Evidence
adjacent SBOM relevance
Regulation
Effective 2023-07-19
Deadline 2027-01-20
Evidence to prepare: Safety-related software inventory, change control records, cybersecurity risk assessment, update validation, conformity documentation.
Relevant reference: Regulation (EU) 2023/1230, Annex III 1.1.9 protection against corruption
Exodos note: Industrial teams should connect software change evidence with product safety documentation before the 2027 application date.
Official source: identify the software installed on it
Horizontal cybersecurity law for products with digital elements, combining secure-by-design duties, vulnerability handling, incident reporting, technical documentation, and software component transparency.
SBOM
Vulnerability Disclosure
Incident Reporting
Technical Documentation
Secure Development
Supply Chain Security
explicit SBOM relevance
Regulation
Effective 2024-12-10
Deadline 2027-12-11
Evidence to prepare: Product security risk assessment, SBOM or equivalent component records, vulnerability handling process, reporting workflow, conformity evidence, support period records.
Relevant reference: Regulation (EU) 2024/2847, Annex I Part II, vulnerability handling requirements
Exodos note: Anchor EU product compliance around a living component system of record, not a one-time SBOM export.
Official source: identify and document components contained in the products
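The FDA note above asks for SBOM "normalization, versioning, and vulnerability context", and the CRA note asks for a "living component system of record" rather than a one-time export. The following Python is an added example written for this page; it is not code from the page, from Exodos, or from any regulator. It takes two constructed CycloneDX-style SBOM documents for successive releases of a hypothetical firmware, normalizes component identity on the purl, checks each release against the NTIA minimum elements (supplier, component name, version, unique identifier, dependency relationship, author, timestamp), diffs the releases, and maps a constructed vulnerability record to the releases that actually ship the affected component. The package names, supplier names, release numbers and the identifier VULN-EXAMPLE-0001 are all made up for illustration.

```python
# Added example, not code from this page or from Exodos. A minimal SBOM
# system-of-record check: normalize component identity, verify the NTIA
# minimum elements, diff two releases, and join a vulnerability to the
# releases that contain the affected purl. All data below is constructed.

# Constructed CycloneDX 1.5-shaped SBOM for hypothetical firmware release 1.0.0.
SBOM_V1 = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2025-01-10T12:00:00Z",
        "authors": [{"name": "Example Devices Inc."}],
        "component": {"type": "firmware", "name": "pump-fw", "version": "1.0.0"},
    },
    "components": [
        {"type": "library", "name": "libtls", "version": "2.4.1",
         "supplier": {"name": "TLS Project"}, "purl": "pkg:generic/libtls@2.4.1",
         "bom-ref": "c1"},
        # Deliberately incomplete entry: no supplier and no purl.
        {"type": "library", "name": "JsonLite", "version": "0.9", "bom-ref": "c2"},
    ],
    "dependencies": [{"ref": "c1", "dependsOn": []}, {"ref": "c2", "dependsOn": []}],
}

# Constructed release 1.1.0: libtls patched, JsonLite dropped, zlib-ng added.
SBOM_V11 = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2025-03-02T09:30:00Z",
        "authors": [{"name": "Example Devices Inc."}],
        "component": {"type": "firmware", "name": "pump-fw", "version": "1.1.0"},
    },
    "components": [
        {"type": "library", "name": "libtls", "version": "2.4.2",
         "supplier": {"name": "TLS Project"}, "purl": "pkg:generic/libtls@2.4.2",
         "bom-ref": "c1"},
        {"type": "library", "name": "zlib-ng", "version": "2.1.0",
         "supplier": {"name": "zlib-ng contributors"},
         "purl": "pkg:generic/zlib-ng@2.1.0", "bom-ref": "c3"},
    ],
    "dependencies": [{"ref": "c1", "dependsOn": ["c3"]}, {"ref": "c3", "dependsOn": []}],
}

RELEASES = {"1.0.0": SBOM_V1, "1.1.0": SBOM_V11}

# Constructed vulnerability record; the identifier is not a real CVE.
EXAMPLE_VULN = {"id": "VULN-EXAMPLE-0001", "purl": "pkg:generic/libtls@2.4.1"}

# Per-component NTIA minimum elements; author and timestamp are checked on metadata.
COMPONENT_FIELDS = ("supplier", "name", "version", "purl")


def component_key(component):
    """Normalized identity: the purl if present (case-folded), else name@version."""
    purl = component.get("purl")
    if purl:
        return purl.strip().lower()
    name = component.get("name", "").strip().lower()
    return f"{name}@{component.get('version', '').strip()}"


def minimum_element_findings(sbom):
    """List NTIA minimum-element gaps; an empty list means the SBOM is complete."""
    findings = []
    meta = sbom.get("metadata", {})
    if not meta.get("timestamp"):
        findings.append("metadata: missing timestamp")
    if not meta.get("authors"):
        findings.append("metadata: missing author")
    declared = {d.get("ref") for d in sbom.get("dependencies", [])}
    for component in sbom.get("components", []):
        key = component_key(component)
        for field in COMPONENT_FIELDS:
            if not component.get(field):
                findings.append(f"{key}: missing {field}")
        if component.get("bom-ref") not in declared:
            findings.append(f"{key}: no dependency relationship declared")
    return findings


def components_by_key(sbom):
    return {component_key(c): c for c in sbom.get("components", [])}


def package_key(key):
    """Drop the trailing @version so one package can be followed across releases."""
    return key.rsplit("@", 1)[0]


def diff_releases(old, new):
    """Added, removed and version-changed packages between two release SBOMs."""
    old_pkgs = {package_key(k): c for k, c in components_by_key(old).items()}
    new_pkgs = {package_key(k): c for k, c in components_by_key(new).items()}
    common = set(old_pkgs) & set(new_pkgs)
    return {
        "added": sorted(set(new_pkgs) - set(old_pkgs)),
        "removed": sorted(set(old_pkgs) - set(new_pkgs)),
        "changed": sorted(p for p in common
                          if old_pkgs[p].get("version") != new_pkgs[p].get("version")),
    }


def affected_releases(releases, vuln):
    """Releases whose SBOM contains the exact purl named in the vulnerability."""
    target = vuln["purl"].strip().lower()
    return sorted(r for r, sbom in releases.items() if target in components_by_key(sbom))


if __name__ == "__main__":
    for version, sbom in RELEASES.items():
        print(version, minimum_element_findings(sbom) or "minimum elements present")
    print(diff_releases(SBOM_V1, SBOM_V11))
    print(EXAMPLE_VULN["id"], "affects releases", affected_releases(RELEASES, EXAMPLE_VULN))
```

Run as a script, the 1.0.0 release is flagged for the JsonLite entry (no supplier, no purl), 1.1.0 passes, the diff reports zlib-ng added, JsonLite removed and libtls changed, and the vulnerability is mapped to 1.0.0 only. Matching on the exact purl is deliberate: a record keyed on a normalized identifier is what lets the same inventory answer an FDA, CRA or incident-reporting question about which shipped versions are affected, without re-exporting an SBOM for each request.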