The floor every SBOM must clear
Published under a US executive order, the NTIA minimum elements are the common answer to "what counts as an SBOM": required data fields, machine-readable formats, and the practices around producing them. Customers and regulators worldwide borrowed it as their baseline.
Tools do not make you compliant; they make compliance provable. SecuNexa and BOMNexa supply the technical evidence described on this page. Governance, process, and legal interpretation belong to your compliance function, and this page is not legal advice.
Is meeting the minimum elements enough?
It is the floor, not the target. Regulations like the EU CRA and FDA guidance build on it with support-status, vulnerability linkage, and lifecycle expectations, all of which the platform’s BOM outputs already carry.
Depth: top-level or full tree?
The minimum elements require at least top-level dependencies with known-unknowns declared. SecuNexa SBOMs carry the complete transitive graph, which future-proofs you against the direction every framework is moving.