欧盟网络安全局（ENISA）：2026年SBOM采用现状报告（英文版）

The EU Cyber Resilience Act (CRA) becoming fully applicable in December 2027, transforms the supply chain security landscape by making security-by-design and security-by-default, a legal obligation for all digital products entering the EU market. Software supply chain transparency thus becomes a required cybersecurity capability, positioning the Software Bill of Materials (SBOM) as an enabler and key mechanism for operational efficiency, vulnerability management, third-party risk management,