BSA: Clear SBOM Rules Can Help the EU Lead on Cyber Resilience

BRUSSELS - The Business Software Alliance (BSA) has welcomed the EU's focus on strengthening software security and said the Cyber Resilience Act (CRA) offers a good opportunity to accelerate the meaningful use of Software Bills of Materials (SBOMs) across Europe.

In comments submitted to ENISA, BSA noted that SBOM adoption is growing across the industry and that one of the tools can play a valuable role in improving cybersecurity when aligned with global best practices. As BSA's submission explains, SBOMs deliver real benefits when they support automation and modern security tooling, rather than being treated as a compliance paperwork exercise.

To ensure the CRA succeeds, BSA encouraged the Commission and ENISA to provide clear guidance, particularly on its scope, the group said, confirming that pure SaaS falls outside that scope and therefore is not subject to SBOM requirements. This would give companies certainty while preventing unnecessary exposure of cloud infrastructure. SBOMs for SaaS, BSA warned, could inadvertently reveal attack surfaces that are not accessible today.

"Europe has a real chance to align with global benchmarks for practical, effective SBOM use," said Hadrien Valembois, Director, Policy - EMEA, BSA. "Clear, internationally aligned rules will help accelerate adoption, support innovation, and strengthen cybersecurity for citizens and businesses. With the right approach, SBOMs can become a powerful part of Europe's security toolkit."

BSA also highlighted the importance of protecting intellectual property, avoiding overly prescriptive format mandates, and supporting a phased, actionable rollout that reflects real-world software development.