Building Trust Through Transparency: How Axiros Uses SBOMs and Vulnerability Scans to Strengthen Software Security

In an era where digital systems underpin every critical operation, cybersecurity has become more than a compliance checkbox — it's a cornerstone of trust. With the introduction of the EU Cyber Resilience Act (CRA) and the NIS2 Directive, the expectations around software transparency, secure development, and end-to-end supply chain security have never been clearer.

Axiros has taken a proactive approach to meeting these expectations. Two important pillars of this approach are our use of Software Bills of Materials (SBOMs) and continuous vulnerability scanning. Together, they help us build secure-by-design products, demonstrate regulatory alignment, and deliver peace of mind to our customers.

Understanding the Landscape: CRA, NIS2, and the Shift Toward Secure-by-Design Software

The Cyber Resilience Act (CRA): SBOMs Become Mandatory

The CRA introduces baseline cybersecurity requirements for "products with digital elements" placed on the EU market. Among its obligations, manufacturers must draw up a Software Bill of Materials (SBOM) in a commonly used, machine-readable format, covering at least the product's top-level dependencies, and keep it up to date as part of the technical documentation.

An SBOM gives market surveillance authorities, and customers with whom the manufacturer shares it (the CRA itself does not require publication), clear visibility into the components included in a product, supporting transparency and accountability.

NIS2: Broader Cybersecurity and Supply Chain Obligations

Where the CRA regulates products, NIS2 regulates organizations. It applies to essential and important entities in the sectors it lists (energy, transport, health, digital infrastructure and others) and strengthens obligations around:

  • Cyber risk management

  • Incident reporting

  • Governance and accountability

  • Supply chain security

NIS2 places particular emphasis on understanding and managing risks arising from third-party software suppliers, a task that SBOMs directly support.

Together, CRA and NIS2 form a complementary ecosystem: CRA focuses on secure-by-design products, while NIS2 focuses on secure-by-governance operations.

What Is an SBOM — and Why It Matters

A Software Bill of Materials is like an ingredient list for software. It is a machine-readable inventory of the libraries, packages, and other components that make up a product, recording for each one its name, version, supplier and identifiers (such as a package URL or file hashes) together with the dependency relationships between them, so that deep, transitive dependencies that are easy to overlook are listed alongside the direct ones.

Maintaining up-to-date SBOMs for our products allows us to:

  • Maintain full visibility into our software supply chain

  • Correlate dependencies with known vulnerabilities in real time

  • Respond faster when new risks are disclosed

  • Demonstrate transparency and compliance with CRA requirements

  • Support supply chain due-diligence processes

Within the Axiros development lifecycle, SBOMs are generated automatically as part of our CI/CD pipeline, so each build produces an SBOM that reflects exactly what was built, in the machine-readable CycloneDX format, ensuring interoperability, auditability, and alignment with industry norms.

Continuous Vulnerability Scanning: From Compliance to Confidence

Visibility is only valuable if it leads to action. Our SBOMs are closely integrated with automated vulnerability scanning that continuously evaluates the components for known vulnerabilities and misconfigurations.

Using a combination of application security testing and dependency monitoring, we maintain a structured approach to identifying and addressing risks, in line with the technical vulnerability management control of ISO/IEC 27001 (Annex A 8.8 in the 2022 edition).

When a new vulnerability is identified, our systems automatically correlate it with relevant SBOM entries, enabling us to:

  1. Prioritize remediation based on severity and exploitability, for example the CVSS score, evidence of exploitation in the wild, and whether the affected component is actually reachable in the product

  2. Deploy patches or mitigations quickly

  3. Communicate transparently with customers when necessary

This transforms vulnerability management from a reactive task into a structured and reliable process.
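The correlation step described above (a CycloneDX SBOM produced by the build, matched against a vulnerability feed and ranked by severity and exploitability, with transitive hits traced back to the direct dependency that introduced them) looks roughly like this in Python. This is an added illustration, not Axiros code and not a description of their pipeline. The SBOM, the advisory feed, the package names and the advisory identifiers are all constructed for the example, and version matching assumes plain dotted numeric versions.

```python
"""Correlate a CycloneDX SBOM with a vulnerability feed and rank the hits.

Added example, not Axiros code. The SBOM, advisories, package names and
advisory IDs are constructed so the script runs offline; in a pipeline the
SBOM would be the bom.json from the build and the feed would come from a
source such as OSV or the NVD.
"""
import json
from typing import Optional

# Constructed CycloneDX 1.5 document: one application, two direct
# dependencies, one of which pulls in a transitive dependency.
SBOM_JSON = r'''{
  "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
  "metadata": {"component": {"type": "application", "name": "acs-portal",
                             "version": "3.4.0", "bom-ref": "app"}},
  "components": [
    {"type": "library", "name": "webfw", "version": "2.1.0",
     "purl": "pkg:pypi/webfw@2.1.0", "bom-ref": "pkg:pypi/webfw@2.1.0"},
    {"type": "library", "name": "zipper", "version": "1.0.3",
     "purl": "pkg:pypi/zipper@1.0.3", "bom-ref": "pkg:pypi/zipper@1.0.3"},
    {"type": "library", "name": "jsonlib", "version": "4.2.1",
     "purl": "pkg:pypi/jsonlib@4.2.1", "bom-ref": "pkg:pypi/jsonlib@4.2.1"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["pkg:pypi/webfw@2.1.0", "pkg:pypi/jsonlib@4.2.1"]},
    {"ref": "pkg:pypi/webfw@2.1.0", "dependsOn": ["pkg:pypi/zipper@1.0.3"]},
    {"ref": "pkg:pypi/zipper@1.0.3", "dependsOn": []},
    {"ref": "pkg:pypi/jsonlib@4.2.1", "dependsOn": []}
  ]
}'''

# Constructed advisory feed with hypothetical identifiers (not real CVEs).
# Ranges follow the OSV convention: affected from "introduced" up to, but
# not including, "fixed".
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "package": "pkg:pypi/zipper", "introduced": "1.0.0",
     "fixed": "1.0.4", "cvss": 9.8, "known_exploited": True},
    {"id": "EXAMPLE-2024-0002", "package": "pkg:pypi/jsonlib", "introduced": "4.0.0",
     "fixed": "4.2.0", "cvss": 7.5, "known_exploited": False},
    {"id": "EXAMPLE-2024-0003", "package": "pkg:pypi/webfw", "introduced": "2.0.0",
     "fixed": "2.2.0", "cvss": 5.3, "known_exploited": False},
]


def split_purl(purl: str) -> tuple:
    """Split 'pkg:type/namespace/name@version?qualifiers#subpath' into
    (package, version); qualifiers and subpath are dropped."""
    core = purl.split("#", 1)[0].split("?", 1)[0]
    package, _, version = core.partition("@")
    return package, version


def parse_version(v: str) -> tuple:
    """Dotted numeric versions only (simplification: no pre-release tags)."""
    return tuple(int(part) for part in v.split("."))


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True if introduced <= version < fixed (no upper bound when fixed is None)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def dependency_paths(sbom: dict, target: str) -> list:
    """All paths from the root component to `target` through the SBOM's
    dependency graph, so a transitive hit can be traced to the direct
    dependency that introduced it."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    paths = []

    def walk(node, path):
        if node == target:
            paths.append(path)
            return
        for child in graph.get(node, []):
            if child not in path:  # cycle guard
                walk(child, path + [child])

    walk(root, [root])
    return paths


def correlate(sbom_json: str, advisories: list) -> list:
    """Match each component's purl against the feed; order findings with
    known-exploited first, then by CVSS base score."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        if "purl" not in comp:
            continue  # no identifier, nothing to match on
        package, version = split_purl(comp["purl"])
        for adv in advisories:
            if adv["package"] == package and is_affected(version, adv["introduced"], adv.get("fixed")):
                paths = dependency_paths(sbom, comp["bom-ref"])
                findings.append({"id": adv["id"], "purl": comp["purl"], "cvss": adv["cvss"],
                                 "known_exploited": adv["known_exploited"], "fixed_in": adv.get("fixed"),
                                 "direct": any(len(p) == 2 for p in paths), "paths": paths})
    findings.sort(key=lambda f: (f["known_exploited"], f["cvss"]), reverse=True)
    return findings


if __name__ == "__main__":
    for f in correlate(SBOM_JSON, ADVISORIES):
        origin = "direct" if f["direct"] else "transitive via " + " -> ".join(f["paths"][0][1:-1])
        print(f'{f["id"]}  {f["purl"]}  CVSS {f["cvss"]}  exploited={f["known_exploited"]}  '
              f'({origin}); fixed in {f["fixed_in"]}')
```

Run as a script it lists two findings: the transitive zipper hit ranks first because it is flagged as exploited in the wild, the direct webfw hit second, and jsonlib 4.2.1 is correctly excluded because it is already past the fixed version. In a real pipeline the sort key would be extended with reachability data from application security testing, and the `fixed_in` field drives the patch step.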

What This Means for Axiros' Customers

For our customers, these efforts translate into clear, tangible benefits:

  • Greater trust: You know exactly what's in the software you rely on.

  • Reduced risk: Vulnerabilities are identified and resolved quickly and transparently.

  • Regulatory alignment: Our practices support your CRA and NIS2 compliance obligations.

  • Higher resilience: With structured vulnerability management, incidents become less frequent and less severe.

Security isn't an add-on — it's woven into the fabric of our products.

Looking Ahead

As the CRA's obligations phase in (vulnerability and incident reporting duties from 11 September 2026, the remaining requirements from 11 December 2027) and NIS2, transposed into national law, takes effect across the EU, we remain committed to leading by example. Our focus on transparency, automation, and secure-by-design engineering ensures that both we and our customers stay ahead of the curve.

Because in today's connected world, trust isn't assumed — it's earned. And SBOMs, combined with continuous vulnerability management, are two foundations for building it.


Written by Jakov Biondic
With over a decade of experience in the telecommunications industry, Jakov Biondic brings a background in software development, customer engagement, and security-focused engineering, with an emphasis on secure, modular architectures for networked device-management systems. He also works closely with corporate compliance and governance teams to align technical security controls with regulatory and organizational requirements through automated policy enforcement, monitoring, and reporting.
