Got it, looks like we need to maintain our scope and balance as:

CRA requirements are still evolving and may introduce new mandatory
metadata. Enforcement will occur at the country level, not centrally, so we
need to treat compliance support as an iterative capability, not a one-time
project, and influence reduces delta.

Thank you, thank you, thank you!


Cheers,

Kanchana

On Tue, Jan 27, 2026 at 5:27 AM Dirk-Willem van Gulik <[email protected]>
wrote:

> On 23 Jan 2026, at 19:13, Kanchana Welagedara <[email protected]>
> wrote:
>
> > Hi Dirk, thanks for sharing. I was wondering whether the CRA considers
> the
> > European Union Agency for Cybersecurity (ENISA) as one of ASF’s
> > stakeholders when it comes to SBOM analysis requirements.
>
> I'd say that they are an agency - with a range of roles defined by statute
> - and while they coordinate, most regulatory action comes from country
> level regulators.
>
> > Since the ATR tooling team follows the CycloneDX format, for SBOM what
> should be
> > considered our source of truth or what is the balance ?
>
> This is by and large going to depend on what the standards do - and how
> normative they are. That is still work in progress - and I am
> relying/hoping on ASF folks to be sufficiently involved to keep the delta
> small. Depending on the outcome - it may either be another format that
> gives you a de facto presumption of conformity or a list of requirements
> that one needs to meet; and can meet with CycloneDX with the right fields
> present.
>
> So by and large (and somewhat in theory) - it is up to us how much we
> involve ourselves in the run up to this being defined and how much we get
> surprised/confronted at the end. That said - given the low
> quality/problematic and almost complete lack of (our software) industry
> involvement at CENELEC - the bar may be very very low.
>
> With kind regards,
>
> Dw
>
> > On Fri, Jan 23, 2026 at 10:34 AM Dirk-Willem van Gulik <
> [email protected]>
> > wrote:
> >
> >> Begin forwarded message:
> >>>> It's a busy month for policy and open tech, but I would like to
> >> encourage you to contribute to the open consultation on ENISA’s draft
> SBOM
> >> Implementation Guide. The consultation seeks practical input to inform
> >> guidance on the adoption of structured and scalable SBOM practices.
> >>>>
> >>>> The survey is open until 23 January, and contributions from across the
> >> open technologies and policy community would be particularly valuable.
> >>>>
> >>>> You can participate here:
> >> https://ec.europa.eu/eusurvey/runner/SBOM_Analysis_Implementation_Guide
> >>>>
> >>>> They really need your feedback here. The document is messy, it feels
> >> like a product of students granted the right to cut and paste from
> various
> >> sources without any experience in the field. I expected a higher level
> of
> >> quality from Enisa.
> >>>>
> >>>> We need Enisa to get SBOMs right, the current state and where we are
> >> going.
> >>>>
> >>>> Please spend some time here.
> >>
> >> I completely missed this call for input -- and I am guessing it is too
> >> late now - but do jump on it if you have the time, knowledge or energy
> (or
> >> tell me that I am silly - and we've long answered this already).
> >>
> >> With kind regards,
> >>
> >> Dw