ENISA Publishes 2026 Report on the State of SBOM Adoption Across Europe

The European Union Agency for Cybersecurity (ENISA) has published the report SBOM Adoption State of Play – 2026, presenting findings from a survey that assessed how organisations across different sectors are approaching the adoption of Software Bills of Materials (SBOMs).

According to ENISA, the report explores organisational experiences, priorities and challenges related to SBOM implementation, including the perceived influence of the Cyber Resilience Act (CRA) on cybersecurity and software supply-chain practices.

Cyber Resilience Act Influencing SBOM Adoption

Survey findings suggest that the CRA is already influencing investment decisions and capability development across organisations, despite remaining within a transitional implementation period.

Respondents indicated that the regulation is accelerating SBOM implementation efforts and encouraging organisations to prepare for future CRA-related expectations. ENISA notes that many organisations view the CRA as an important factor shaping cybersecurity practices, software supply-chain transparency and compliance strategies.

SBOMs Supporting Cybersecurity and Compliance

The report identifies several areas where organisations perceive value in SBOM implementation.

Respondents highlighted benefits including:

  • Risk reduction;

  • Cost avoidance;

  • Operational efficiency;

  • Vulnerability management;

  • Licence compliance;

  • Regulatory compliance.

According to the survey results, organisations primarily view SBOMs as a mechanism for improving visibility into software components and supporting software supply-chain security activities.

Implementation Challenges Remain

Despite growing adoption, the report identifies several challenges that continue to affect implementation quality and scalability.

Among the most frequently cited challenges are:

  • SBOM completeness;

  • Data quality limitations;

  • Lack of internal expertise;

  • Shortage of specialised personnel.

The findings suggest that effective SBOM adoption depends not only on technical tooling but also on organisational processes, workforce capabilities and governance arrangements.

Demand for Greater Standardisation and Guidance

The survey highlights broad support for greater alignment on SBOM requirements and implementation practices.

Respondents indicated that additional guidance could help accelerate adoption, particularly in areas such as:

  • Defining what constitutes a "good enough" SBOM;

  • Standardisation of SBOM formats and required data fields;

  • Development of risk assessment approaches that leverage SBOM information.

ENISA also reports that organisations are seeking clearer guidance on integrating SBOM generation and consumption into software development, vulnerability management and risk management processes.

Integration into the Software Development Lifecycle

The report indicates that many organisations are generating and using SBOMs during software build-stage activities rather than treating them solely as post-release documentation.

According to ENISA, this approach can improve visibility across the software lifecycle, support vulnerability analysis and contribute to software supply-chain risk management efforts.

The findings also highlight the importance of visibility into both direct and transitive dependencies when assessing vulnerabilities and software supply-chain risks.
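As an added illustration of the completeness and transitive-dependency points above (example code, not from the ENISA report or its survey), the script below walks a CycloneDX-style SBOM, separates direct from transitive dependencies and flags records a consumer could not act on. CycloneDX is my format choice; the SBOM document, package names and the `REQUIRED_FIELDS` threshold are constructed assumptions.

```python
import json
from collections import deque

# Constructed CycloneDX 1.5-style SBOM (sample data, not a real product): one record
# lacks version/purl and one dependency points at a component that was never declared.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app", "name": "device-ui", "version": "2.1.0"}},
    "components": [
        {"bom-ref": "pkg:pypi/requests@2.31.0", "name": "requests",
         "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
        {"bom-ref": "pkg:pypi/urllib3@2.0.7", "name": "urllib3",
         "version": "2.0.7", "purl": "pkg:pypi/urllib3@2.0.7"},
        {"bom-ref": "certifi", "name": "certifi"},  # incomplete: no version, no purl
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:pypi/requests@2.31.0"]},
        {"ref": "pkg:pypi/requests@2.31.0",
         "dependsOn": ["pkg:pypi/urllib3@2.0.7", "certifi", "pkg:pypi/idna@3.6"]},
    ],
})

# Minimum fields this check treats as "good enough" for vulnerability matching (my assumption).
REQUIRED_FIELDS = ("name", "version", "purl")

def transitive_deps(root, graph):
    """Return {ref: depth} for everything reachable from root (depth 1 = direct)."""
    depth, queue = {}, deque((r, 1) for r in graph.get(root, []))
    while queue:
        ref, d = queue.popleft()
        if ref in depth:  # BFS: first visit is the shortest path; also breaks cycles
            continue
        depth[ref] = d
        queue.extend((child, d + 1) for child in graph.get(ref, []))
    return depth

def completeness_report(sbom_json):
    """Classify dependencies and report records a consumer could not act on."""
    doc = json.loads(sbom_json)
    comps = {c["bom-ref"]: c for c in doc.get("components", [])}
    graph = {d["ref"]: d.get("dependsOn", []) for d in doc.get("dependencies", [])}
    deps = transitive_deps(doc["metadata"]["component"]["bom-ref"], graph)
    issues = {}
    for ref in deps:
        if ref not in comps:
            issues[ref] = ["unresolved reference"]  # graph names an undeclared component
        elif missing := [f for f in REQUIRED_FIELDS if not comps[ref].get(f)]:
            issues[ref] = missing
    return {"direct": sorted(r for r, d in deps.items() if d == 1),
            "transitive": sorted(r for r, d in deps.items() if d > 1), "issues": issues}
```

Running `completeness_report(SAMPLE_SBOM)` on the constructed document reports `certifi` as missing version and purl and `pkg:pypi/idna@3.6` as an unresolved reference, the two data-quality gaps that make an SBOM unusable for vulnerability matching.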

Relevance for Medical Device and IVD Manufacturers

Although the report is not focused specifically on the healthcare sector, several of its findings may be relevant to organisations developing software-enabled medical devices, Software as a Medical Device (SaMD) solutions and connected in vitro diagnostic (IVD) technologies.

Topics discussed in the report that may have particular relevance for these organisations include:

  • Software supply-chain visibility;

  • Vulnerability management;

  • Cybersecurity risk management;

  • Regulatory compliance;

  • Data quality and governance;

  • Secure software development practices.

As organisations prepare for the implementation of the Cyber Resilience Act, the report provides insight into current industry perspectives, implementation challenges and emerging practices related to SBOM adoption and software transparency.
