Transparency across the Supply Chain – Extended Bill of Materials (HBOM & SBOM)
The term XBOM (“Extended Bill of Materials”) describes an advanced approach for the systematic recording and documentation of all software and hardware components used within a product or system.
It combines the established concepts of the Software Bill of Materials (SBOM) and the Hardware Bill of Materials (HBOM), addressing the increasing regulatory and cybersecurity requirements within the European Union.
XBOM serves as a key instrument for ensuring transparency across both digital and physical components.
With the growing relevance of the NIS-2 Directive, the Cyber Resilience Act (CRA), and the Supply Chain Act, traceable documentation of all components is becoming a mandatory element — not only for manufacturers, but also for system integrators, operators, and service providers.
Requirements for Companies
Organizations face the challenge of fully documenting the origin, security, and maintainability of all deployed components.
Introducing an XBOM structure supports compliance with regulatory obligations while enabling early identification of risks within the supply chain.
Key Requirements:
- Component Transparency: All hardware and software components must be identifiable, including version, origin, manufacturer, and security status.
- Security Evidence: Each component requires documented evidence of security testing, certification, or known vulnerabilities.
- Lifecycle Management: The XBOM must be continuously maintained and updated to reflect product changes throughout its lifecycle.
- Supply Chain Responsibility: Organizations must ensure that suppliers also provide transparent documentation and report any modifications.
- Data Format and Traceability: The use of internationally recognized formats such as SPDX (ISO/IEC 5962:2021) or CycloneDX (ECMA-424) is recommended.
Necessary Steps for Implementation
Implementing an XBOM structure requires strategic planning, clear responsibilities, and integration into existing management systems (e.g., Quality Management, Information Security Management, and IT Service Management). A practical implementation roadmap includes the following steps:
- Inventory and Assessment: Identify existing software and hardware inventories (e.g., CMDB, asset management, license management).
- Data Structuring: Map components to products, systems, or services, and identify versions, dependencies, and origins.
- Format Definition: Select the appropriate exchange formats (SPDX, CycloneDX) and define the required data depth and field sets.
- Process Integration: Embed XBOM creation into development, procurement, and change/release management processes.
- Automation and Maintenance: Utilize tools or collectors to automatically record components and version data. Within the HKM Framework, dedicated connectors and collectors are available for this purpose.
- Verification and Compliance Evidence: Conduct regular reviews of XBOM data for accuracy, completeness, and compliance with regulatory requirements.
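What the "Format Definition", "Automation and Maintenance" and "Verification" steps look like in practice, as an added example that is not code from the original page, nor from the HKM Framework: a small check over two successive CycloneDX JSON documents that hold software (`library`) and hardware (`device`, `firmware`) components side by side. CycloneDX's `device` and `firmware` component types are real, but the two BOM documents, the supplier and component names, and the required-field policy in `REQUIRED` are constructed for illustration. The completeness check maps to the "Component Transparency" requirement (version, origin, manufacturer present; firmware carrying an integrity hash), and the diff maps to "Lifecycle Management" (what changed between two releases).

```python
"""XBOM completeness check and change report over CycloneDX JSON (added example)."""
from __future__ import annotations

import json

# Fields every XBOM record must carry (constructed policy; align with your own
# data-depth definition from the "Format Definition" step).
REQUIRED = ("type", "name", "version", "supplier")

# Constructed XBOM for product release 1: one board, its firmware, one library.
XBOM_V1 = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"type": "device", "name": "ctrl-board", "version": "rev-B",
         "supplier": {"name": "Example Boards GmbH"}},
        {"type": "firmware", "name": "ctrl-fw", "version": "2.3.1",
         "supplier": {"name": "Example Boards GmbH"},
         "hashes": [{"alg": "SHA-256", "content": "aa" * 32}]},
        {"type": "library", "name": "tls-lib", "version": "1.4.2",
         "supplier": {"name": "Example Crypto AG"}},
    ],
})

# Constructed XBOM for release 2: firmware updated, tls-lib replaced by netstack,
# and the new library record arrives without a supplier (a typical collector gap).
XBOM_V2 = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 2,
    "components": [
        {"type": "device", "name": "ctrl-board", "version": "rev-B",
         "supplier": {"name": "Example Boards GmbH"}},
        {"type": "firmware", "name": "ctrl-fw", "version": "2.4.0",
         "supplier": {"name": "Example Boards GmbH"},
         "hashes": [{"alg": "SHA-256", "content": "bb" * 32}]},
        {"type": "library", "name": "netstack", "version": "1.9.0"},
    ],
})


def load_bom(text: str) -> dict:
    """Parse a CycloneDX JSON document and reject anything else up front."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX" or "specVersion" not in bom:
        raise ValueError("not a CycloneDX document")
    return bom


def component_key(c: dict) -> str:
    """Version-independent identity, so a version bump shows as 'changed', not add+remove."""
    return f"{c.get('type', '?')}/{c.get('name', '?')}"


def check_completeness(bom: dict) -> list[str]:
    """One finding per missing required field; firmware must also carry a hash,
    otherwise the record cannot be matched against what is actually deployed."""
    findings = []
    for c in bom.get("components", []):
        label = component_key(c)
        for field in REQUIRED:
            if not c.get(field):
                findings.append(f"{label}: missing {field}")
        if c.get("type") == "firmware" and not c.get("hashes"):
            findings.append(f"{label}: firmware lacks integrity hash")
    return findings


def diff_boms(old: dict, new: dict) -> dict[str, list[str]]:
    """Lifecycle view between two XBOM versions: added, removed, version-changed."""
    o = {component_key(c): c for c in old.get("components", [])}
    n = {component_key(c): c for c in new.get("components", [])}
    return {
        "added": sorted(k for k in n if k not in o),
        "removed": sorted(k for k in o if k not in n),
        "changed": sorted(
            f"{k}: {o[k].get('version')} -> {n[k].get('version')}"
            for k in o.keys() & n.keys()
            if o[k].get("version") != n[k].get("version")
        ),
    }


if __name__ == "__main__":
    v1, v2 = load_bom(XBOM_V1), load_bom(XBOM_V2)
    print("release 1 findings:", check_completeness(v1))
    print("release 2 findings:", check_completeness(v2))
    print("changes 1 -> 2:", diff_boms(v1, v2))
```

The diff output is exactly what a supplier has to report under the "Supply Chain Responsibility" requirement and what an auditor asks for under "Verification": which records changed, and whether the new ones are complete. Keying on type and name rather than on a version-bearing identifier such as a purl is deliberate; otherwise every update would appear as a removal plus an addition and the version history would be lost.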
Which Companies Must Implement the Requirements, and When?
The implementation of XBOM increasingly affects all organizations developing, integrating, or operating digital products.
The following sectors are directly impacted:
- Manufacturers of hardware, software, or combined digital products,
- Service providers and operators of critical infrastructure under NIS-2,
- System integrators and suppliers providing components for security-relevant environments,
- Companies subject to reporting obligations under the Cyber Resilience Act (CRA) or the Supply Chain Act.
Timeline and Strategic Preparation
The regulatory requirements arising from NIS-2 and the Cyber Resilience Act (CRA) take effect in stages: the transposition deadline for NIS-2 in the member states was 17 October 2024 (national implementing laws in several member states, including Germany, arrived later), the CRA's vulnerability and incident reporting obligations apply from 11 September 2026, and its main obligations apply from 11 December 2027.
Organizations are therefore strongly advised to begin establishing an XBOM framework now, well ahead of the CRA deadlines.
This early preparation enables the development of the necessary technical and organizational foundations, minimizing the risk of delays, penalties, or compliance deviations.
A review of existing management systems such as Quality Management (QMS), Information Security Management (ISMS), IT Service Management (ITSM), and Data Protection Management (DSMS) is essential before integrating XBOM into the regulatory environments of CRA and NIS-2.
This ensures that XBOM is seamlessly embedded within existing governance structures and operated as part of a coherent, standards-based management framework.
Benefits of an XBOM Structure – Combining SBOM and HBOM
- Transparency and Traceability across the entire supply chain
- Risk Reduction through early identification of vulnerabilities and dependencies
- Accelerated Audit and Compliance Readiness (CRA, NIS-2, ISO standards)
- Efficient Lifecycle Management for product updates and changes
- Enhanced Trust among customers and regulators through verifiable security documentation
XBOM is not a theoretical construct — it forms a practical foundation for digital resilience.
By combining SBOM (Software) and HBOM (Hardware), organizations achieve comprehensive transparency from development to deployment.
Those who act early establish trust, accountability, and a tangible competitive advantage.