Düsseldorf-based cybersecurity firm ONEKEY has added a feature to its platform that turns the Software Bill of Materials (SBOM) from a static component list into what the company calls a dynamic "security passport."
RELATED: ONEKEY offers complete vulnerability management amid record 40,000 CVEs
This critical upgrade to its platform is designed to help manufacturers of smart products navigate the stringent documentation and vulnerability management requirements of the incoming EU Cyber Resilience Act (CRA).
The CRA Challenge: From Basic SBOMs to Enriched Security Passports
The EU Cyber Resilience Act will require manufacturers of products with digital elements to identify and document the components their products contain, including by drawing up an SBOM in a machine-readable format that covers at least the product's top-level dependencies. In practice that means recording each component's name, version and licence and tracking the vulnerabilities known to affect it. Complex global supply chains often leave such SBOMs incomplete or outdated: a component listed without a version, for instance, cannot be matched against any advisory, so the document is neither compliant nor useful for security purposes.
ONEKEY’s new feature addresses this gap by automatically generating “enriched SBOMs.” These go beyond a simple list, integrating a full risk assessment and all necessary compliance evidence into a single, audit-ready file.
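To make the two problems above concrete (gaps that make an SBOM useless, and enrichment that makes it useful), here is an added example in Python that is not ONEKEY's code and does not use its platform. It parses a constructed CycloneDX JSON SBOM, reports components missing a version or licence, and appends a CycloneDX `vulnerabilities` section by matching versioned components against an advisory table. The advisory table is a stand-in for a real vulnerability-database query; its single entry is the well-known Log4Shell advisory, and the `parse_version` helper, the `affected_below` field and the `complete` verdict are this example's own conventions.

```python
import json

# Constructed CycloneDX 1.5 JSON SBOM, written for this example (not a real
# product's SBOM and not ONEKEY output). Deliberate gaps: busybox has no
# licence, libfoo has neither a licence nor a version.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [
        {"type": "library",
         "bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
         "name": "log4j-core", "version": "2.14.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "bom-ref": "pkg:generic/busybox@1.36.1",
         "name": "busybox", "version": "1.36.1"},
        {"type": "library", "bom-ref": "libfoo", "name": "libfoo"},
    ],
})

# Constructed stand-in for a vulnerability-database lookup. The one entry is the
# real Log4Shell advisory (Log4j 2 below 2.15.0); the table layout is ours.
ADVISORIES = {
    "log4j-core": [
        {"id": "CVE-2021-44228", "affected_below": "2.15.0", "severity": "critical"},
    ],
}


def parse_version(text):
    """Crude dotted-version parser: numeric parts compare, anything else counts as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))


def find_gaps(sbom):
    """Return one finding per missing field an auditor will ask for."""
    gaps = []
    for comp in sbom.get("components", []):
        ref = comp.get("bom-ref", comp.get("name", "?"))
        if not comp.get("version"):
            gaps.append({"ref": ref,
                         "issue": "missing version (cannot be matched against advisories)"})
        if not comp.get("licenses"):
            gaps.append({"ref": ref, "issue": "missing licence"})
    return gaps


def match_vulnerabilities(sbom, advisories):
    """Build CycloneDX 'vulnerabilities' entries for components that carry a version."""
    vulns = []
    for comp in sbom.get("components", []):
        version = comp.get("version")
        if not version:
            continue  # already reported by find_gaps; nothing to match against
        for adv in advisories.get(comp["name"], []):
            if parse_version(version) < parse_version(adv["affected_below"]):
                vulns.append({
                    "id": adv["id"],
                    "ratings": [{"severity": adv["severity"]}],
                    "affects": [{"ref": comp["bom-ref"]}],
                })
    return vulns


def enrich_sbom(sbom_json, advisories):
    """Parse an SBOM, add the vulnerability section, and attach a completeness verdict."""
    sbom = json.loads(sbom_json)
    gaps = find_gaps(sbom)
    sbom["vulnerabilities"] = match_vulnerabilities(sbom, advisories)
    # 'complete' means every component carries version and licence; documented
    # vulnerabilities do not make the SBOM incomplete, they make it useful.
    return {"sbom": sbom, "gaps": gaps, "complete": not gaps}


if __name__ == "__main__":
    print(json.dumps(enrich_sbom(SAMPLE_SBOM, ADVISORIES), indent=2))
```

Run as-is, the report flags three gaps (busybox without a licence, libfoo without a version or licence), marks the SBOM incomplete, and attaches CVE-2021-44228 to the log4j-core entry. libfoo produces no vulnerability match at all, which is the point: an unversioned component is not "clean", it is unassessable, and a real enrichment pipeline should surface that distinction rather than silently reporting zero findings.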
“This transforms the SBOM from a mere bill of materials into a kind of security passport with integrated risk assessment,” explained Jan Wendenburg, CEO of ONEKEY.
A Strategic Platform Shift: From Detection to Holistic Management
The introduction of the enriched SBOM marks a strategic expansion of the ONEKEY platform from a vulnerability detection tool to a comprehensive vulnerability management environment. The platform now automates workflows, provides contextual risk analysis, and generates the documentation required for CRA compliance, significantly reducing the manual burden on security teams.
“Identifying deficiencies is only the first step,” says Wendenburg. “Now we are taking further steps to relieve manufacturers as much as possible of time-consuming manual tasks and help them achieve CRA compliance.”
This shift allows product security teams to focus less on administrative paperwork and more on their core mission: enhancing the security of their devices and systems ahead of the CRA’s enforcement.