Germany

German-grade SBOM requirements

BSI TR-03183 (Cyber Resilience Requirements for Manufacturers and Products) is the technical requirement published by Germany's Federal Office for Information Security (BSI). Its Part 2 covers the software bill of materials and defines with unusual precision what an SBOM must contain and how it must be formatted. It was written with the EU Cyber Resilience Act (CRA) obligations in view, which makes it a preview of what European conformity assessment will demand of everyone.

Who this applies to
Vendors selling software or connected products into Germany and the EU, especially those preparing CRA conformity early against a concrete, testable specification.
What it asks for
Prescribed formats
Machine-readable SBOMs in one of the accepted formats (CycloneDX or SPDX), with defined structural expectations for the document as a whole.
Field-level requirements
Precise required attributes per component: name, version, a unique identifier (for example a purl or CPE), licenses, hash values, and the dependency relationships between components.
Depth and completeness
Expectations about how deep the dependency graph must go and how to treat components that cannot be fully resolved: the SBOM must declare what it does not know rather than leave it out.
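As an added illustration of what a field-level check against the three requirement classes above looks like (this is example code written for this page, not SecuNexa or BomNexa code and not the BSI's own checklist), the script below walks a CycloneDX 1.6 JSON document, reports components lacking a name, version, identifier, license or hash, flags dependency references that point at nothing, and distinguishes a component whose dependencies are simply missing from one whose incompleteness is declared through the CycloneDX `compositions` element. The SBOM embedded in it is constructed for the example; the set of fields it treats as required is this example's reading of the requirement and should be replaced by the mapping for the TR-03183 version you are citing.

```python
"""Field-level and completeness check over a CycloneDX JSON SBOM.

Example code added for illustration; the sample SBOM below is constructed
and the required-field list is an assumption, not the official checklist.
"""
import json

# A component counts as identified if it carries at least one of these.
IDENTIFIER_KEYS = ("purl", "cpe", "swid")

# Constructed sample in CycloneDX 1.6 JSON shape: one fully described
# component, one missing license and hash, one with no identifier at all,
# plus one dangling dependency reference and one declared known-unknown.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "metadata": {
        "timestamp": "2024-01-01T00:00:00Z",
        "component": {"bom-ref": "app", "type": "application",
                      "name": "app", "version": "1.0"},
    },
    "components": [
        {"bom-ref": "pkg:pypi/requests@2.31.0", "type": "library",
         "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}],
         "hashes": [{"alg": "SHA-256", "content": "ab" * 32}]},
        {"bom-ref": "pkg:pypi/urllib3@2.2.1", "type": "library",
         "name": "urllib3", "version": "2.2.1",
         "purl": "pkg:pypi/urllib3@2.2.1"},            # no license, no hash
        {"bom-ref": "vendored-blob", "type": "library",
         "name": "vendored-blob", "version": "0.0.0"},  # no identifier at all
    ],
    "dependencies": [
        {"ref": "app",
         "dependsOn": ["pkg:pypi/requests@2.31.0", "vendored-blob"]},
        {"ref": "pkg:pypi/requests@2.31.0",
         "dependsOn": ["pkg:pypi/urllib3@2.2.1", "pkg:pypi/missing@1"]},
        {"ref": "pkg:pypi/urllib3@2.2.1", "dependsOn": []},
    ],
    # CycloneDX `compositions` is the standard way to state, per bom-ref,
    # how complete the recorded dependency relationships are.
    "compositions": [{"aggregate": "unknown", "dependencies": ["vendored-blob"]}],
})


def check_component(comp):
    """Return the names of required attributes missing from one component."""
    missing = []
    if not comp.get("name"):
        missing.append("name")
    if not comp.get("version"):
        missing.append("version")
    if not any(comp.get(key) for key in IDENTIFIER_KEYS):
        missing.append("identifier")
    if not comp.get("licenses"):
        missing.append("license")
    if not comp.get("hashes"):
        missing.append("hash")
    return missing


def check_sbom(text):
    """Map each bom-ref with a problem to a list of findings.

    Only `components` are checked for per-component fields; the primary
    component in `metadata` is included in the dependency-graph checks.
    """
    bom = json.loads(text)
    findings = {}
    components = bom.get("components", [])
    refs = {c["bom-ref"] for c in components}
    root = bom.get("metadata", {}).get("component", {}).get("bom-ref")
    if root:
        refs.add(root)

    for comp in components:
        for field in check_component(comp):
            findings.setdefault(comp["bom-ref"], []).append(f"missing {field}")

    deps = {d["ref"]: d.get("dependsOn") or [] for d in bom.get("dependencies", [])}
    # Any composition whose aggregate is not "complete" is an explicit
    # statement that the listed refs' dependencies are not fully known.
    declared_incomplete = set()
    for composition in bom.get("compositions", []):
        if composition.get("aggregate") != "complete":
            declared_incomplete.update(composition.get("dependencies", []))

    for ref in refs:
        if ref in deps:
            for target in deps[ref]:
                if target not in refs:
                    findings.setdefault(ref, []).append(f"dangling dependency {target}")
        elif ref not in declared_incomplete:
            findings.setdefault(ref, []).append(
                "no dependency entry and completeness not declared")
    return findings


if __name__ == "__main__":
    for ref, problems in sorted(check_sbom(SAMPLE_SBOM).items()):
        print(ref, "->", "; ".join(problems))
```

In the sample, `vendored-blob` has no dependency entry but is not reported for that, because the `compositions` block declares its dependencies as unknown; it is still reported for the fields it lacks. Replace `SAMPLE_SBOM` with the contents of a real SBOM file to run the same checks on a build artifact.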
How SecuNexa and BOMNexa map to it
Format conformance
CycloneDX 1.6 output with the structural completeness the technical requirement expects, generated automatically per build.
Field coverage
Components carry names, versions, identifiers, licenses, hashes, and full dependency relationships resolved from real artifacts.
Honest completeness
Known unknowns are declared explicitly in the SBOM, matching the requirement's treatment of unresolvable components, rather than being silently omitted.

Tools do not make you compliant; they make compliance provable. SecuNexa and BOMNexa supply the technical evidence described on this page. Governance, process, and legal interpretation belong to your compliance function, and this page is not legal advice.

Frequently asked questions
Why conform to a German requirement if we sell EU-wide?

Because it is the most concrete, testable SBOM specification in Europe today and a strong predictor of how CRA conformity will be assessed. Meeting its field and format requirements early means the SBOM evidence you already produce covers what other EU markets are likely to ask for.

Does SecuNexa target a specific TR-03183 version?

SBOM output tracks the currently published version of the requirement for fields and format. For a conformity declaration, ask us for the field-level mapping against the specific version you are citing and we will provide it for your evaluation.

Walk through your BSI TR-03183 evidence gaps with us, live.
Request a demo