CRA reporting obligations from 11 September 2026 — Full SBOM mandate from 11 December 2027

SBOM Glossary — Software Bill of Materials Terms Explained

28 key terms covering Software Bills of Materials, the EU Cyber Resilience Act, US Executive Order 14028, vulnerability management and compliance — precisely defined and citable.

Published 16 April 2026 · Last updated: April 2026

B

BOM (Bill of Materials)

A Bill of Materials is a structured inventory of all components in a product. The term originates from manufacturing and was adopted for software supply chain transparency following the 2020-2021 wave of supply chain attacks (SolarWinds, Codecov, Kaseya). In software, the term becomes SBOM (Software BOM); in hardware, HBOM. The EU Cyber Resilience Act and US Executive Order 14028 both make the SBOM a regulatory requirement.

C

CE Conformity

In the CRA context, the CE marking confirms that a product with digital elements meets all requirements of Annex I — including the SBOM obligation. Without complete technical documentation that includes the SBOM, no CE mark may be affixed and the product may not be placed on the EU market. This applies from 11 December 2027.

CISA (Cybersecurity and Infrastructure Security Agency)

CISA is the US federal agency responsible for national cybersecurity, operating under the Department of Homeland Security. It co-authored the VEX concept with NTIA, maintains the Known Exploited Vulnerabilities (KEV) catalogue, and oversees SBOM requirements under Executive Order 14028. CISA published the foundational "Types of SBOM" document that distinguishes design, source, build, analysed, and deployed SBOMs — a taxonomy now widely adopted in industry.

CPE (Common Platform Enumeration)

CPE is a structured naming scheme maintained by NIST for identifying IT products, operating systems, and applications. The format reads cpe:2.3:a:vendor:product:version (e.g., cpe:2.3:a:apache:log4j:2.14.1). In SBOMs, CPE serves as an identifier for matching components against the NVD. Package-URL (purl) is the newer, more ecosystem-aware alternative that is increasingly preferred in modern SBOM tooling.

CRA (Cyber Resilience Act)

Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 establishes horizontal cybersecurity requirements for products with digital elements. It entered into force on 10 December 2024. Reporting obligations apply from 11 September 2026; full application including the SBOM mandate from 11 December 2027. Non-compliance carries fines of up to EUR 15 million or 2.5% of global annual turnover, whichever is higher.

CSIRT (Computer Security Incident Response Team)

A CSIRT is a specialised unit for handling cybersecurity incidents at national level. Under the CRA (Article 14), manufacturers must report actively exploited vulnerabilities to the relevant national CSIRT within 24 hours. Each EU member state designates its own CSIRT — Germany uses the BSI, France uses CERT-FR. In the United States, CISA fulfils a comparable coordination role.

CVE (Common Vulnerabilities and Exposures)

CVE is the global identification system for security vulnerabilities, managed by the MITRE Corporation and funded by CISA. Each vulnerability receives a unique identifier in the format CVE-YYYY-NNNNN (e.g., CVE-2021-44228 for Log4Shell). SBOM management tools match component lists against CVE databases to flag vulnerable dependencies. The CVE programme has been running since 1999 and currently contains over 250,000 entries.

CycloneDX

CycloneDX is an SBOM format developed by the OWASP Foundation, first released in 2017, currently at version 1.6. It supports software, hardware, service, and ML model inventories with native VEX (Vulnerability Exploitability eXchange) integration. CycloneDX is the dominant SBOM format in cloud-native and DevSecOps environments. Both the EU CRA and US federal guidance recognise it as a commonly used, machine-readable format.

D

Dependency

A dependency is an external software component required at build time or runtime. Direct dependencies are explicitly declared by the developer; transitive dependencies are pulled in indirectly through other packages. The CRA requires at minimum the documentation of top-level (direct) dependencies in the SBOM (Annex I Part 2 No. 1). The NTIA Minimum Elements likewise list "dependency relationship" as a required data field.

Dependency-Track

Dependency-Track is an open-source platform by the OWASP Foundation for centralised SBOM management and analysis. It ingests CycloneDX and SPDX documents, automatically correlates components against the NVD, OSV, and other vulnerability databases, and provides policy-based alerting. It is the most widely deployed open-source solution for organisation-wide SBOM management and supports both the CRA and EO 14028 compliance workflows.

E

ENISA (European Union Agency for Cybersecurity)

ENISA, headquartered in Athens, coordinates cybersecurity across the EU. Under the CRA it operates the central vulnerability reporting platform. Manufacturers must submit an early warning within 24 hours and a full notification within 72 hours to ENISA (Article 14 CRA). ENISA then distributes relevant information to national CSIRTs across affected member states.

Executive Order 14028

Signed by US President Biden on 12 May 2021, EO 14028 ("Improving the Nation's Cybersecurity") was the first government mandate requiring SBOMs from federal software suppliers. Section 4 directed NIST to publish guidance on secure software development and NTIA to define SBOM minimum elements and formats. This executive order directly catalysed the global adoption of CycloneDX and SPDX and laid the groundwork for the EU's CRA SBOM mandate.

I

Importer

Under the CRA (Article 3(15)), an importer is any EU-based entity that places a product with digital elements from a third-country manufacturer on the EU market. Importers must verify that the manufacturer has completed the conformity assessment and that technical documentation including the SBOM exists. If an importer markets a product under its own name or brand, it assumes the manufacturer's full CRA obligations.

M

Manufacturer

Under the CRA (Article 3(13)), a manufacturer is any natural or legal person who develops or has developed a product with digital elements and places it on the market under their own name or brand. The manufacturer bears primary responsibility for SBOM creation, CE conformity assessment, vulnerability handling, and providing security updates for the entire support period — a minimum of five years.

N

NTIA Minimum Elements

In July 2021, the US National Telecommunications and Information Administration published "The Minimum Elements for a Software Bill of Materials." The document defines three categories: data fields (supplier name, component name, version, unique identifier, dependency relationship, author of SBOM data, timestamp), automation support (machine-readable format required), and practices and processes (frequency, depth, known unknowns, distribution and access). These elements remain the baseline for US federal SBOM requirements and heavily informed the CRA's Annex I SBOM provisions.

NVD (National Vulnerability Database)

The NVD is the US government vulnerability database maintained by NIST. It enriches CVE entries with CVSS severity scores, CPE mappings, and references. SBOM management tools like Dependency-Track automatically match component inventories against the NVD to identify vulnerable dependencies. Since early 2024 the NVD has struggled with a significant analysis backlog, making supplementary sources like the OSV database and GitHub Advisory Database increasingly important.

O

Open-Source Steward

The open-source steward is a new role created by the CRA (Article 3(14)) for legal persons — typically foundations such as the Apache Software Foundation, the Eclipse Foundation, or the Linux Foundation — that systematically support the development of open-source software intended for commercial use. Stewards have lighter obligations than manufacturers: they must document a cybersecurity policy and cooperate with market surveillance authorities, but are exempt from CE conformity assessment and product liability.

P

Package-URL (purl)

Package-URL is a standardised URI scheme for uniquely identifying software packages across ecosystems and package managers. The format is pkg:type/namespace/name@version (e.g., pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1). Purl is supported by both CycloneDX and SPDX and is the preferred component identifier in modern SBOMs. The NTIA Minimum Elements require a "unique identifier" for each component; purl is the de facto standard for fulfilling this requirement.
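Parsers for the two component identifiers described in the CPE and Package-URL entries above, as an added example that is not part of the glossary or of any tool it names. The sample strings are constructed, and the parsing is a simplified reading of the public specifications (no handling of CPE escape sequences or purl percent-encoding); the CPE parser also pads the abbreviated six-field form used in the glossary out to the full thirteen attributes of a CPE 2.3 formatted string.

```python
"""Parsers for the two component identifiers the glossary describes, CPE 2.3
and Package-URL (purl). Added example, not from the glossary or any tool it
names; sample strings are constructed and the parsing is a simplified reading
of the public specs (no CPE escape handling, no purl percent-decoding)."""
import re

# Attribute names of a CPE 2.3 formatted string after the "cpe:2.3:" prefix.
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe(cpe: str) -> dict:
    """Split a CPE 2.3 string into named attributes. Abbreviated strings such
    as 'cpe:2.3:a:apache:log4j:2.14.1' are padded with '*' (ANY) for the
    trailing attributes, which is what the full 13-field form would carry."""
    parts = cpe.split(":")
    if parts[:2] != ["cpe", "2.3"] or len(parts) > 13:
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    attrs = parts[2:] + ["*"] * (len(CPE_FIELDS) - len(parts[2:]))
    return dict(zip(CPE_FIELDS, attrs))


# pkg:type/namespace/name@version?qualifiers#subpath; namespace, version,
# qualifiers and subpath are optional.
PURL_RE = re.compile(
    r"^pkg:(?P<type>[A-Za-z0-9.+-]+)/"
    r"(?:(?P<namespace>[^@?#]+)/)?"
    r"(?P<name>[^/@?#]+)"
    r"(?:@(?P<version>[^?#]+))?"
    r"(?:\?(?P<qualifiers>[^#]+))?"
    r"(?:#(?P<subpath>.+))?$")


def parse_purl(purl: str) -> dict:
    """Split a purl into its parts; the qualifier string becomes a dict."""
    m = PURL_RE.match(purl)
    if not m:
        raise ValueError(f"not a purl: {purl}")
    d = m.groupdict()
    d["qualifiers"] = dict(
        kv.split("=", 1) for kv in d["qualifiers"].split("&")
    ) if d["qualifiers"] else {}
    return d


if __name__ == "__main__":
    print(parse_cpe("cpe:2.3:a:apache:log4j:2.14.1"))
    print(parse_purl("pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"))
```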

Product with Digital Elements

The CRA's core term (Article 3(1)) covers any software or hardware product and its remote data processing solutions, including separately marketed components. This includes standalone software, firmware, operating systems, and hardware with embedded software. Pure cloud-only SaaS services with no local component are excluded, as are products already regulated under sector-specific legislation (medical devices under MDR, vehicles under UNECE, aviation under EASA regulations).

R

Reporting Obligation

The CRA (Article 14) mandates a two-stage reporting obligation for actively exploited vulnerabilities: an early warning within 24 hours and a full notification with technical analysis within 72 hours, submitted to the relevant national CSIRT and ENISA. This obligation applies from 11 September 2026 — 15 months before full CRA application. In the US, CISA's KEV catalogue serves a similar purpose for federal agencies, though the reporting mechanism differs. A current SBOM is operationally essential for rapidly identifying which products are affected by a newly disclosed vulnerability.

S

SBOM (Software Bill of Materials)

A Software Bill of Materials is a structured, machine-readable inventory of all components in a software product — including name, version, supplier, licence, cryptographic hash, and dependency relationships. The EU CRA (Regulation 2024/2847, Annex I Part 2 No. 1) mandates SBOMs from 11 December 2027 for all products with digital elements placed on the EU market. US Executive Order 14028 (May 2021) established the first binding SBOM requirement globally for federal software suppliers. The two dominant formats are CycloneDX (OWASP) and SPDX (Linux Foundation, ISO/IEC 5962:2021).

SPDX (Software Package Data Exchange)

SPDX is an SBOM format by the Linux Foundation, standardised as ISO/IEC 5962:2021. It offers the most detailed licence and copyright documentation of any SBOM format and is the native format of the Yocto embedded build system. SPDX 3.0, released in April 2024, modularised the specification into core, software, security, licensing, and build profiles. The new Security Profile supports native VEX representation, closing a gap that previously required external tooling.

Support Period

The CRA (Article 13(8)) requires manufacturers to provide security updates for the expected product lifetime, but no less than five years from placing on the market. The support period must be stated on the packaging and in accompanying documentation. Throughout this period the SBOM must be regenerated on each release and known vulnerabilities communicated via VEX statements. In the US, CISA recommends similar long-term support commitments in its Secure by Design guidance.

T

Top-Level Dependency

A top-level dependency is a component directly included by the manufacturer — as opposed to transitive dependencies pulled in indirectly. The CRA mandates at minimum the documentation of top-level dependencies in the SBOM (Annex I Part 2 No. 1). The NTIA Minimum Elements go further by requiring "dependency relationship" as a data field, implicitly encouraging deeper graph coverage. In practice, documenting only top-level dependencies is insufficient for effective vulnerability management.

Transitive Dependency

A transitive dependency is a software component not directly declared but pulled into the project as a dependency of a direct dependency. Modern projects typically have 5 to 20 times more transitive than direct dependencies. Log4Shell (CVE-2021-44228) is the canonical example: the vulnerable log4j-core library was a transitive dependency in thousands of Java applications whose developers were unaware of its presence until the vulnerability was disclosed in December 2021.

V

VEX (Vulnerability Exploitability eXchange)

A VEX document supplements an SBOM with the manufacturer's assessment of whether a known vulnerability in a component is actually exploitable in the specific product. The four defined statuses are: not affected, affected, fixed, and under investigation. VEX was conceived by NTIA/CISA in 2021 and is natively integrated into CycloneDX. For SPDX, a separate workflow via the OpenVEX format exists. VEX is critical for reducing alert fatigue: without it, every new CVE in any component triggers an investigation, even when the vulnerable code path is never executed in the product.
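The alert-reduction workflow described in the VEX entry, as an added example that is not part of the glossary or of any tool it names: scanner matches against an SBOM inventory are filtered through VEX statements using the four statuses listed above. The component inventory, advisory matches and VEX statements are constructed inline in a simplified OpenVEX-like shape; the CVE-EXAMPLE-* identifiers are placeholders, and treating an unjustified "not affected" claim as still open is this example's own policy choice.

```python
"""VEX-driven triage of SBOM vulnerability matches. Added example, not from the
glossary or any tool it names; inventory, advisories and VEX statements are
constructed in a simplified OpenVEX-like shape, CVE-EXAMPLE-* are placeholders."""
from collections import defaultdict

VALID_STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}
CLOSES_ALERT = {"not_affected", "fixed"}   # statuses needing no further action

LOG4J = "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"
JACKSON = "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"
LODASH = "pkg:npm/lodash@4.17.21"
# Constructed SBOM inventory (purls only; LOG4J stands in for a transitive dep).
SBOM_COMPONENTS = {LOG4J, JACKSON, LODASH}

# Constructed scanner output: CVE -> purls matched against NVD/OSV-style data.
ADVISORIES = {
    "CVE-2021-44228": {LOG4J},
    "CVE-EXAMPLE-0001": {JACKSON},
    "CVE-EXAMPLE-0002": {LODASH},
    "CVE-EXAMPLE-0003": {"pkg:npm/left-pad@1.3.0"},  # not in this SBOM
}

# Constructed VEX statements from the manufacturer.
VEX_STATEMENTS = [
    {"vulnerability": "CVE-EXAMPLE-0001", "products": [JACKSON],
     "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
    {"vulnerability": "CVE-EXAMPLE-0002", "products": [LODASH],
     "status": "not_affected"},                      # no justification given
    {"vulnerability": "CVE-2021-44228", "products": [LOG4J],
     "status": "under_investigation"},
]


def triage(components, advisories, statements):
    """Return {cve: [purl, ...]} of matches still open after applying VEX.
    A match stays open when no statement covers it, when its status is
    affected/under_investigation, or when a not_affected claim carries neither
    a justification nor an impact statement (an unverifiable claim does not close)."""
    vex = {}
    for s in statements:
        if s["status"] not in VALID_STATUSES:
            raise ValueError(f"unknown VEX status {s['status']!r}")
        for purl in s["products"]:
            vex[(s["vulnerability"], purl)] = s   # later statements supersede
    open_alerts = defaultdict(list)
    for cve, affected in advisories.items():
        for purl in sorted(affected & set(components)):   # ignore non-inventory hits
            s = vex.get((cve, purl))
            justified = s is not None and bool(s.get("justification") or s.get("impact_statement"))
            if s is None or s["status"] not in CLOSES_ALERT or (s["status"] == "not_affected" and not justified):
                open_alerts[cve].append(purl)
    return dict(open_alerts)
```

Running `triage(SBOM_COMPONENTS, ADVISORIES, VEX_STATEMENTS)` leaves only the Log4Shell match (under investigation) and the unjustified lodash claim open; the justified jackson-databind claim is closed and the left-pad advisory is dropped because the component is not in the inventory.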