Session
CRA, NIS2, DORA: What Senior Java Engineers Must Deliver Before 2027
By December 2027, the EU Cyber Resilience Act (CRA) will require Software Bills of Materials (SBOMs) for almost all software products placed on the European market. For teams working with Java, this is a significant compliance task, given the deep dependency trees, complex build systems and layered deployment models they work with. This is an architectural and operational deadline that demands immediate attention.
The purpose of this session is to provide a clear and technical overview of what Java engineers, architects and DevOps teams must understand in order to meet CRA expectations and to avoid risk under NIS2 and DORA. These two initiatives increasingly treat SBOMs as evidence of supply-chain control. In this session, we provide a comprehensive explanation of the essential elements that an SBOM must capture in a Java ecosystem, including transitive dependencies, shaded JAR contents, BOM-managed versions, container layers, embedded services, and runtime components.
Attendees will learn how to integrate SBOM generation into Maven and Gradle pipelines with CycloneDX, how to supplement artefact SBOMs with container-image inventories, and how to put both to use in Dependency-Track for vulnerability and license visibility. We also outline the minimal governance and workflow changes needed to ensure SBOMs stay correct throughout releases and updates without slowing developers down.
The objective is clear: to provide senior Java practitioners with the clarity, urgency, and practical guidance required to make their systems SBOM-ready before CRA enforcement begins, while enhancing overall software quality and supply-chain resilience.