
Supply chain transparency — SBOM as a first-class compliance artifact

From CycloneDX ingest to CRA Article 13 evidence — your Software Bill of Materials becomes a continuous regulatory signal, not a one-off PDF.

Pain

Generating SBOMs is easy. Mapping each one to CRA Article 13, NIS2 supply chain requirements and AI Act dataset provenance, and then reading the CVEs for every dependency, is where it turns to chaos.

What you want

Ingest your SBOM (CycloneDX or SPDX), get continuous compliance signal mapped per regulation, per dependency, per CVE.

What you get

SBOM intelligence engine. CVE tracking per version. CRA Article 13 evidence auto-generated. Supply chain Trust Passport.

Why supply-chain teams use NexCyber

CRA Article 13 demands a documented vulnerability handling process tied to a continuously maintained SBOM. NIS2 Article 21(2) demands supply chain risk management. AI Act Article 10 demands dataset provenance for high-risk AI systems.

1. Multi-format SBOM ingest. CycloneDX 1.5+, SPDX 2.3+, syft / cosign attestations. The platform normalizes, deduplicates, and indexes per component.

2. CVE intelligence. OSV.dev, NVD and GHSA cross-referenced per dependency version. Each finding is bucketed into a severity tier (low / medium / high / critical) and attached to the CRA Article 13 vulnerability-handling evidence.

3. Supply chain Trust Passport. Each upstream supplier gets a tier (Trusted / Verified / Unverified / At Risk) based on their SBOM hygiene + MRCC status + CVE backlog.

Three supply-chain use-cases

CRA Article 13 evidence pipeline. Each CI run pushes SBOM → platform tags vulnerabilities → evidence file with timestamp + signature → audit-ready.
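The ingest, deduplication, advisory matching and evidence-file steps above, as an added example that is not NexCyber's code and not part of the original page. It assumes a CycloneDX 1.5 JSON document and OSV-style advisory records; the SBOM, the advisory IDs (EXAMPLE-…) and the purl-to-ecosystem map are constructed for the example and are not real vulnerabilities or real project data. Advisory matching uses the OSV `affected[].versions` list only (real OSV records also carry `ranges` that need version-range evaluation), and the evidence record is sealed with a sha256 over canonical JSON rather than a signature, so identical inputs yield an identical digest; a CI pipeline would additionally sign that digest (for example with cosign, which this example does not do).

```python
import hashlib
import json
from datetime import datetime, timezone
from urllib.parse import unquote

# purl type -> OSV ecosystem name. Subset only; an assumption for this example.
PURL_TYPE_TO_OSV = {"npm": "npm", "pypi": "PyPI", "golang": "Go", "maven": "Maven", "cargo": "crates.io"}
TIERS = ("low", "medium", "high", "critical")

# Constructed CycloneDX 1.5 sample (not a real project's SBOM). Note the exact
# duplicate lodash entry and the component without a purl.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20"},
        {"type": "library", "name": "lodash", "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20"},
        {"type": "library", "name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "libfoo", "version": "1.2.3"},
    ],
}

# Constructed OSV-style advisories with placeholder IDs; these are not real CVEs.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-0001", "database_specific": {"severity": "HIGH"},
     "affected": [{"package": {"ecosystem": "npm", "name": "lodash"}, "versions": ["4.17.20"]}]},
    {"id": "EXAMPLE-0002", "database_specific": {"severity": "CRITICAL"},
     "affected": [{"package": {"ecosystem": "npm", "name": "lodash"}, "versions": ["4.17.19"]}]},
]


def parse_purl(purl):
    """Split 'pkg:type/namespace/name@version' into (type, name, version).
    Qualifiers (?...) and subpaths (#...) are dropped; namespace stays in the name."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body = purl[4:].split("?", 1)[0].split("#", 1)[0]
    ptype, _, rest = body.partition("/")
    name_part, _, version = rest.partition("@")
    name = "/".join(unquote(seg) for seg in name_part.split("/"))
    return ptype.lower(), name, unquote(version)


def normalize_components(sbom):
    """Deduplicate components, keyed by purl (fallback name@version when no purl)."""
    seen = {}
    for c in sbom.get("components", []):
        key = c.get("purl") or f"{c.get('name')}@{c.get('version')}"
        seen.setdefault(key, {"name": c.get("name"), "version": c.get("version"), "purl": c.get("purl")})
    return seen


def advisory_tier(adv):
    """Map the advisory's stated severity onto the four tiers; anything else is 'unknown'."""
    sev = (adv.get("database_specific") or {}).get("severity", "").lower()
    return sev if sev in TIERS else "unknown"


def match_advisories(components, advisories):
    """Exact ecosystem+name+version match against OSV-style 'affected' entries."""
    findings = []
    for key in sorted(components):
        comp = components[key]
        if not comp["purl"]:
            continue  # no ecosystem to match on; reported as unresolved in the evidence
        ptype, name, version = parse_purl(comp["purl"])
        eco = PURL_TYPE_TO_OSV.get(ptype)
        for adv in advisories:
            for aff in adv.get("affected", []):
                pkg = aff.get("package", {})
                if pkg.get("ecosystem") == eco and pkg.get("name") == name and version in aff.get("versions", []):
                    findings.append({"component": key, "advisory": adv["id"], "tier": advisory_tier(adv)})
    return findings


def canonical(obj):
    """Deterministic JSON encoding so re-runs on identical input hash identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_evidence(sbom, advisories, timestamp):
    """Produce the evidence record: normalized inventory, findings, tier summary, sha256 seal."""
    comps = normalize_components(sbom)
    findings = match_advisories(comps, advisories)
    body = {
        "timestamp": timestamp,
        "sbom_format": f"{sbom.get('bomFormat')} {sbom.get('specVersion')}",
        "components": [comps[k] for k in sorted(comps)],
        "unresolved": sorted(k for k, c in comps.items() if not c["purl"]),
        "findings": findings,
        "summary": {t: sum(f["tier"] == t for f in findings) for t in TIERS},
    }
    return {"body": body, "sha256": hashlib.sha256(canonical(body)).hexdigest()}


def verify_evidence(evidence):
    """Recompute the digest over the body; False if any field was altered after sealing."""
    return hashlib.sha256(canonical(evidence["body"])).hexdigest() == evidence["sha256"]


if __name__ == "__main__":
    now = datetime.now(timezone.utc).isoformat(timespec="seconds")
    print(json.dumps(build_evidence(SAMPLE_SBOM, SAMPLE_ADVISORIES, now), indent=2))
```

The timestamp is part of the hashed body, so two runs at different times produce different digests by design; pin it (as the test does) when you want byte-identical re-runs for comparison.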

NIS2 essential-entity supplier audit. Identify suppliers in your stack that themselves qualify as essential entities (sectors listed in NIS2 Annex I). Map their incident reporting obligations to your contract.

AI Act dataset provenance. For AI/ML systems, ingest dataset SBOM (DVC, CycloneDX-ML). Generate the dataset provenance evidence (AI Act Article 10).

Get started

Free SBOM ingest. Upload a CycloneDX JSON. See the intelligence report in 30 seconds. EU-hosted.

Versus what you do today

Columns: Big4 / Consulting · In-house spreadsheet · NexCyber

First assessment delay: 4–8 weeks · 2–6 weeks · 5 minutes

Cost per regulation cycle: €90k–170k · €30k+ hidden · Included

Reproducibility: Slide deck of the day · Depends on editor · Deterministic, identical re-runs

Article-level traceability: Footnote · Often missing · Live link to EUR-Lex

Update when law changes: Re-billed mission · Restart from scratch · Automatic, MRCC re-signed

Deliverable format: Static PDF · XLSX/Word · PDF + MRCC machine-verifiable

Auditor verification: Email + chase · Not verifiable · sha256 verified in seconds

Multi-regulation simultaneous: 1 mission per regulation · Duplicates & conflicts · 5 regulations, 1 source of truth

New product line evolution: Re-billed mission · Full re-entry · Clone + delta
Run free assessment