Back Issues This Week → Calendar → Current Issue → Popular →

All issuesVolume 340, Issue 1IT NewsOperations

The SBOM Just Became a Liability With a Date on It

ActiveState, Tuesday, June 30th, 2026

SBOMs are shifting from voluntary best practice to mandated compliance documents that can become legal liabilities.

The article argues that software bills of materials are transitioning from optional security best practices into mandatory regulatory documents under the EU Cyber Resilience Act, effective December 2027.

Once required, an incomplete SBOM becomes a dated, signed record of what an organization did not know about its own software, converting untracked risk into a disclosed finding. It highlights concentration risk in ungoverned open-source dependencies, using an AI model shutdown as an example of supply chain fragility.

Regulatory obligations now create personal liability for named executives, elevating supply chain governance to a boardroom concern. The recommended defense is embedding SBOM generation into governance from source rather than reconstructing documents under deadline pressure.

more →  ·  More from Operations →