Who it affects: Manufacturers placing products with digital elements on the EU market who need a concrete technical baseline for SBOM format and content. BSI TR-03183-2 is widely treated as the de facto reference for satisfying the EU Cyber Resilience Act’s SBOM expectations, especially for German federal procurement.
Overview
The BSI Technical Guideline TR-03183-2 (“Cyber Resilience Requirements - Part 2: SBOM”), published by Germany’s Federal Office for Information Security (BSI), specifies the format and content of Software Bills of Materials. Where the EU Cyber Resilience Act tells manufacturers that an SBOM is required, BSI TR-03183-2 spells out what that SBOM must look like in practice.
The current version is v2.1.0 (2025-08-20). It is binding for German federal procurement and is increasingly referenced by EU-market vendors as a concrete baseline that aligns with CRA expectations.
Format requirements (§4)
| Requirement | Detail |
|---|---|
| Encoding | JSON or XML |
| Format | CycloneDX v1.6 or later, OR SPDX v3.0.1 or later |
SBOM-level required fields (§5.2.1)
| Field | Description |
|---|---|
| Creator of SBOM | Email address or URL identifying the SBOM author |
| Timestamp | Date and time the SBOM was compiled |
Component-level required fields (§5.2.2)
| Field | Description |
|---|---|
| Component creator | Email address or URL |
| Component name | Name of the component |
| Component version | Version string, or RFC 3339 file modification date if no version exists |
| Filename | Actual filename of the component (not a path) |
| Dependencies | Dependency relationships, with a completeness indicator |
| Distribution licences | SPDX identifiers or expressions |
| Hash | SHA-512 of the deployable component |
| Executable property | Whether the component is executable |
| Archive property | Whether the component is an archive |
| Structured property | Whether the component is structured or unstructured |
Conditional fields - required if present (§5.2.3, §5.2.4)
- SBOM-URI - canonical URI of the SBOM document
- Source code URI - location of the component’s source code
- URI of deployable form - location of the deployable artifact
- Other unique identifiers - CPE, purl, etc.
- Original licences - upstream licence declarations
Critical requirements
- No vulnerability data in the SBOM (§3.1) - vulnerability information must be exchanged out-of-band (e.g. via VEX/VDR), not embedded in the SBOM itself.
- SPDX licence identifiers (§6.1) - all licence values must use SPDX identifiers or expressions; free-form licence strings are not compliant.
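The following is an added example, not code from BSI or from sbomify: a small Python checker that applies the §4, §5.2.1, §5.2.2, §3.1 and §6.1 requirements listed above to a CycloneDX JSON SBOM. It covers CycloneDX only (not SPDX 3.0.1), maps the BSI creator field to CycloneDX `metadata.authors` entries with an email, and flags a CycloneDX `license.name` (free text) as non-compliant while accepting `license.id` or an `expression`; the executable/archive/structured properties are omitted because their BSI property names are not on this page. The sample SBOM is constructed for the example.

```python
import json

# Constructed sample CycloneDX 1.6 SBOM (not from the guideline or sbomify): libfoo
# is compliant, libbar is not, and the document embeds vulnerability data (§3.1).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.6",
    "metadata": {"timestamp": "2025-08-20T10:00:00Z",
                 "authors": [{"name": "Example Vendor", "email": "sbom@example.test"}]},
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.2.3",
         "hashes": [{"alg": "SHA-512", "content": "ab" * 64}],
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "libbar",
         "hashes": [{"alg": "SHA-256", "content": "cd" * 32}],
         "licenses": [{"license": {"name": "Bar Public License"}}]},
    ],
    "vulnerabilities": [{"id": "CONSTRUCTED-0001"}],
})

def _component_findings(comp):
    # §5.2.2: version and SHA-512 hash; §6.1: SPDX identifiers or expressions only
    out, name = [], comp.get("name") or "<unnamed>"
    if not comp.get("version"):
        out.append(f"{name}: missing version (§5.2.2)")
    # A SHA-512 digest is 64 bytes, i.e. 128 hex characters
    if not any(h.get("alg") == "SHA-512" and len(h.get("content", "")) == 128
               for h in comp.get("hashes", [])):
        out.append(f"{name}: no SHA-512 hash of the deployable component (§5.2.2)")
    for lic in comp.get("licenses", []):
        if "expression" in lic or lic.get("license", {}).get("id"):
            continue  # SPDX expression or SPDX identifier: compliant
        free = lic.get("license", {}).get("name", "?")  # CycloneDX 'name' is free text
        out.append(f"{name}: licence '{free}' is free-form, not an SPDX identifier (§6.1)")
    return out

def check_bsi(sbom):
    # Accepts the SBOM as a JSON string or an already-parsed dict; returns findings.
    bom = json.loads(sbom) if isinstance(sbom, str) else sbom
    findings = []
    spec = tuple(int(p) for p in str(bom.get("specVersion", "0")).split("."))
    if bom.get("bomFormat") != "CycloneDX" or spec < (1, 6):
        findings.append("format must be CycloneDX 1.6 or later (§4)")
    meta = bom.get("metadata", {})
    if not meta.get("timestamp"):
        findings.append("missing SBOM timestamp (§5.2.1)")
    if not any(a.get("email") for a in meta.get("authors", [])):
        findings.append("no SBOM creator with an email address (§5.2.1)")
    findings += [f for c in bom.get("components", []) for f in _component_findings(c)]
    if bom.get("vulnerabilities"):
        findings.append("vulnerability data embedded; exchange it via VEX/VDR (§3.1)")
    return findings
```

Running `check_bsi(SAMPLE_SBOM)` reports four findings, all against libbar and the embedded vulnerability list; an empty list means the checked subset passed.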
Score uploaded SBOMs against the BSI checklist
sbomify ships a BSI TR-03183-2 v2.1.0 plugin that grades each uploaded SBOM against the format, SBOM-level, and component-level requirements above and surfaces the result on the SBOM detail page. Enable it from the Plugins page in your workspace sidebar.
Related frameworks
- EU Cyber Resilience Act (CRA) - the regulation BSI TR-03183-2 is designed to support
- Schema Crosswalk - field mappings across CycloneDX 1.7, SPDX 2.3, and SPDX 3.0
- NTIA Minimum Elements (2021) - the US baseline; BSI’s component fields go further
Additional resources
- BSI TR-03183 official page (English)
- BSI CycloneDX Property Taxonomy - the property names BSI uses to express its extra fields in CycloneDX
Disclaimer: This page represents our interpretation of the referenced framework. While we strive for accuracy, we may have made errors or omissions. This content is provided for informational purposes only and does not constitute legal advice. For compliance decisions, consult the official source documents and seek qualified legal counsel.