28 September - 1 October | Cardo Roma, Italy

Operationalising EUCC Article 33: SBOM as a Practical Enabler of Lifecycle Vulnerability Management (A20a)

Discover how SBOMs operationalize EUCC Article 33 to manage vulnerabilities across product lifecycles.
30 Sep 2026
9:00 am
Sala Cosmo I

Regulation (EU) 2024/482 places extensive vulnerability management obligations on certificate holders, certification bodies and ITSEFs throughout the entire lifecycle of certified ICT products, particularly under Articles 33-36 and Annex IV. Meeting these obligations (continuous CVE monitoring, vulnerability impact analysis, patch management and certificate maintenance) is operationally demanding and currently relies on non-standardised component inventories produced ad hoc during each evaluation.

This talk proposes the introduction of a mandatory Software Bill of Materials (SBOM) within the EUCC evaluation process, drawing on the approach already operationalised by NIAP through Policy #30 and its December 2025 addendum. The goal is not to add a regulatory burden, but to provide stakeholders with a concrete, machine-readable instrument that simplifies and strengthens compliance with existing EUCC duties.

The talk outlines: the regulatory rationale linking SBOM to the EUCC vulnerability framework; a lightweight workflow for SBOM submission, validation and reuse across evaluation, maintenance and re-assessment activities; and the expected benefits for ITSEFs, CBs and vendors in terms of traceability, efficiency and alignment with the Cyber Resilience Act.