SBOM Adoption in 2026: High Generation, Low Utilization
Severity: Low (Score: 21.9)
Sources: www.enisa.europa.eu, Aikido.Dev
Keywords: sbom, adoption, state, play, them, enisa, survey
Summary
ENISA's SBOM Adoption State of Play 2026 report reveals that while 78% of organizations have started generating Software Bills of Materials (SBOMs), actual usage remains low. The EU Cyber Resilience Act (CRA) is a significant driver, with 43% of organizations citing it as a major influence on their SBOM investments. However, challenges persist: 58% of organizations struggle with vulnerability matching and 60% face data quality issues. Only 29% of organizations receive comprehensive SBOMs from suppliers, highlighting a critical gap in supply chain transparency. The report indicates that many organizations are at risk of not meeting the CRA's requirements by December 2027. Aikido Security offers solutions to enhance SBOM integration into vulnerability management workflows.

Key Points:
- 78% of organizations have begun generating SBOMs due to the EU Cyber Resilience Act.
- 58% of organizations report challenges with vulnerability matching related to SBOMs.
- Only 29% of organizations receive complete SBOMs from their suppliers.
Detailed Analysis
**Impact**

334 organizations participated in the ENISA survey, with 65% based in the EU and 80% directly impacted by the Cyber Resilience Act (CRA). Approximately 78% of organizations have begun generating SBOMs, and 79% expect to meet CRA maturity requirements by December 2027, leaving about 20% at risk of non-compliance. The main sectors affected include software development and supply chain management, with vulnerabilities in transitive dependencies posing significant risk due to incomplete SBOM coverage and poor data quality. Operational consequences include limited vulnerability and licensing management capabilities, increasing exposure to supply chain attacks.

**Technical Details**

No specific attack vectors, TTPs, malware, CVEs, or infrastructure details are provided in the articles. The main technical challenge lies in the generation, automation, and consumption of SBOMs, particularly in aligning vulnerability data (CPE/PURL matching) and ensuring completeness of component depth. The stage most affected is vulnerability management and supply chain risk assessment, with gaps in supplier SBOM receipt and integration limiting detection and response capabilities.

**Recommended Response**

Prioritize automating SBOM generation at every build and continuously updating SBOMs throughout the product lifecycle. Integrate SBOM data into vulnerability and licensing workflows to improve detection and remediation of risks. Ensure supplier SBOMs are obtained and incorporated into monitoring systems to cover transitive dependencies. Deploy tools like Aikido Device Protection to inventory and secure build environments, mitigating risks from compromised development infrastructure. Monitor SBOM data quality and depth to close visibility gaps.
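The two consumption problems the report singles out, PURL-based vulnerability matching and incomplete component depth, are concrete enough to show in code. The following is an added illustration for this digest, not ENISA's or Aikido's code: it parses a constructed CycloneDX 1.5 JSON SBOM for a fictional application, normalises each component's PURL, matches it against a constructed advisory feed (placeholder advisory IDs, fictional package names) using introduced/fixed version ranges, walks the dependency graph to compute each component's depth, and reports the data-quality gaps that make matching impossible (components without a PURL, components not reachable from the root). The PURL normalisation and version comparison are deliberately simplified stand-ins for a full implementation.

```python
"""Match a CycloneDX SBOM against an advisory feed by PURL and report data-quality gaps.

Added example for this digest; not ENISA's or Aikido's code. The SBOM, the
advisory feed and the advisory IDs below are constructed for illustration.
"""
import json
from urllib.parse import unquote

# Constructed CycloneDX 1.5 JSON SBOM for a fictional application (not a real product).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "name": "acme-app",
                               "version": "2.0.0", "bom-ref": "app"}},
    "components": [
        {"type": "library", "name": "ExampleHTTP", "version": "1.4.2",
         "purl": "pkg:pypi/ExampleHTTP@1.4.2", "bom-ref": "c1"},
        {"type": "library", "name": "net_util", "version": "0.9.3",
         "purl": "pkg:pypi/net_util@0.9.3?vcs_url=git%2Bhttps://example.invalid/net_util",
         "bom-ref": "c2"},
        {"type": "library", "name": "netlib", "version": "2.17.1",
         "purl": "pkg:maven/org.example/netlib@2.17.1", "bom-ref": "c3"},
        # Data-quality gap: no PURL at all, so no feed can be matched against it.
        {"type": "library", "name": "leftover-lib", "version": "0.3.0", "bom-ref": "c4"},
        # Has a PURL but no dependency edge, so its depth in the tree is unknown.
        {"type": "library", "name": "tinyutil", "version": "0.1.0",
         "purl": "pkg:npm/%40acme/tinyutil@0.1.0", "bom-ref": "c5"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["c1", "c3"]},
        {"ref": "c1", "dependsOn": ["c2"]},   # c2 is a transitive dependency (depth 2)
    ],
})

# Constructed advisory feed keyed by version-less PURL. IDs are placeholders, not real advisories.
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "purl": "pkg:pypi/examplehttp", "introduced": "1.0.0", "fixed": "1.5.0"},
    {"id": "ADV-EXAMPLE-0002", "purl": "pkg:pypi/net-util", "introduced": "0.9.0", "fixed": "0.9.4"},
    {"id": "ADV-EXAMPLE-0003", "purl": "pkg:maven/org.example/netlib", "introduced": "2.0.0", "fixed": "2.17.1"},
]


def parse_purl(purl):
    """Return (normalised version-less key, version) for a PURL.

    Simplified normalisation: type lower-cased; pypi and npm names lower-cased,
    pypi underscores folded to hyphens. Qualifiers (?...) and subpath (#...) are
    dropped, since feeds are keyed on type/namespace/name only.
    """
    body = purl.split("#", 1)[0].split("?", 1)[0]
    base, version = body.rsplit("@", 1) if "@" in body else (body, None)
    _, rest = base.split(":", 1)                      # drop the "pkg" scheme
    parts = [unquote(p) for p in rest.split("/")]     # decode e.g. %40acme -> @acme
    if len(parts) < 2:
        raise ValueError("malformed purl: %s" % purl)
    ptype, namespace, name = parts[0].lower(), parts[1:-1], parts[-1]
    if ptype in ("pypi", "npm"):
        name = name.lower()
    if ptype == "pypi":
        name = name.replace("_", "-")
    return "pkg:" + "/".join([ptype, *namespace, name]), version


def version_key(version):
    """Simplified dotted-version ordering: numeric parts compared as ints, others as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def version_affected(version, introduced, fixed):
    """True when introduced <= version < fixed (the fixed version itself is clean)."""
    return version_key(introduced) <= version_key(version) < version_key(fixed)


def component_depths(sbom):
    """BFS over the dependency graph from the root; unreachable refs are absent."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    depths, frontier = {root: 0}, [root]
    while frontier:
        nxt = []
        for ref in frontier:
            for child in edges.get(ref, []):
                if child not in depths:
                    depths[child] = depths[ref] + 1
                    nxt.append(child)
        frontier = nxt
    return depths


def assess_sbom(sbom_json, advisories):
    """Return {'findings': [...matches...], 'gaps': [...unmatchable components...]}."""
    sbom = json.loads(sbom_json)
    depths = component_depths(sbom)
    index = {}
    for adv in advisories:
        index.setdefault(adv["purl"], []).append(adv)
    findings, gaps = [], []
    for comp in sbom.get("components", []):
        ref, depth = comp.get("bom-ref"), None
        depth = depths.get(ref)
        if depth is None:
            gaps.append({"ref": ref, "issue": "not reachable in dependency graph"})
        purl = comp.get("purl")
        if not purl:
            gaps.append({"ref": ref, "issue": "missing purl"})
            continue
        key, version = parse_purl(purl)
        if version is None:
            gaps.append({"ref": ref, "issue": "purl has no version"})
            continue
        for adv in index.get(key, []):
            if version_affected(version, adv["introduced"], adv["fixed"]):
                findings.append({"ref": ref, "purl": key, "version": version,
                                 "advisory": adv["id"], "depth": depth,
                                 "transitive": depth is not None and depth > 1})
    return {"findings": findings, "gaps": gaps}


if __name__ == "__main__":
    print(json.dumps(assess_sbom(SAMPLE_SBOM, SAMPLE_ADVISORIES), indent=2))
```

On the constructed input the direct dependency `c1` and the transitive dependency `c2` match advisories, `c3` is at exactly its fixed version and is clean, and `c4` and `c5` surface as gaps rather than silently producing no findings. Treating "no PURL" and "unreachable in the graph" as reportable gaps, not as the absence of a vulnerability, is the point the data-quality figures in the report are about.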
Source articles (2)
- SBOMs in 2026: Everyone's Generating Them, No One's Using Them — Aikido.Dev · 2026-06-10
  ENISA just published its SBOM Adoption State of Play 2026, based on a survey of 334 organizations (65% EU-based, 80% directly impacted by the Cyber Resilience Act (CRA)). It is the clearest snapshot…
- SBOM Adoption State of Play 2026 — www.enisa.europa.eu · 2026-06-10
  ENISA launched a survey at the end of 2025 to gather factual data on how organisations across industries and of varying sizes are approaching Software Bill of Materials (SBOM) adoption in response to…
Timeline
- 2025-12-01 — ENISA survey launched: ENISA initiated a survey to assess SBOM adoption across various organizations in response to the CRA.
- 2026-06-10 — SBOM Adoption State of Play 2026 report published: ENISA released findings showing high SBOM generation but low utilization, with significant challenges identified.
- 2026-06-10 — Aikido Security's SBOM solution announced: Aikido Security introduced tools to automate SBOM generation and improve integration into vulnerability management.
Related entities
- Supply Chain Attack (Attack Type)
- Germany (Country)