
Software Bill of Materials (SBOM) in 2LRN4 awareness

Transparency, compliance, and control over software components in light of European legislation.

Digital resilience is high on the European agenda. With the introduction of the Cyber Resilience Act (CRA) and the transposition of the NIS2 directive into the Dutch Cybersecurity Act (Cbw), the focus is shifting explicitly to demonstrable management of software risks. Organizations must not only develop and operate software securely, but also be able to substantiate which software components they use, how vulnerabilities in those components are monitored, and how quickly updates are rolled out.


That's why we're introducing a new administrative functionality within 2LRN4: the Software Bill of Materials (SBOM).

This is directly available via the administrative menu and is automatically updated after each platform update.


What is an SBOM?

A Software Bill of Materials is comparable to an ingredient list for software. Just as the ingredients of food products must be declared, an SBOM provides transparency about the open-source libraries, frameworks, external packages, their versions, and the dependencies between them that make up an application. In modern SaaS environments, a large part of the software consists of reusable building blocks. This is efficient, but it also creates dependencies. When a vulnerability is discovered in a widely used library, an organization must be able to determine quickly:

  • Are we using this component?
  • Which version do we use?
  • Has it already been patched?
  • What is the risk to our services?

A current SBOM answers these questions immediately.
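The four questions above are exactly what a triage script asks of an SBOM when an advisory lands. The following is an added example (not code from 2LRN4 or from this page) that loads a constructed SBOM in CycloneDX JSON shape, looks up a component by name (and optionally group), and reports whether it is in use, which versions are present, and whether every occurrence is at or above the version in which the issue was fixed. The CycloneDX format, the component names, versions and "fixed_in" values are all assumptions made for the example; the page does not state which format 2LRN4 exports, and none of the values describe a real vulnerability.

```python
import json
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample SBOM in CycloneDX 1.5 JSON shape (assumption: the page does not
# say which format 2LRN4 exports). All component data below is made up for this example.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {"component": {"type": "application", "name": "example-app", "version": "3.2.0"}},
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.20",
         "purl": "pkg:npm/lodash@4.17.20"},
        {"type": "library", "name": "express", "version": "4.18.2",
         "purl": "pkg:npm/express@4.18.2"},
        {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
         "version": "2.15.2",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"},
    ],
})


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version such as '4.17.20' into a comparable tuple.

    Only numeric segments are compared. Pre-release tags ('-beta.1'), Maven qualifiers
    and PEP 440 epochs are deliberately out of scope; a production triage tool should
    use the ecosystem's own version semantics instead of this simplification."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def find_components(sbom: Dict, name: str, group: Optional[str] = None) -> List[Dict]:
    """Return every component entry matching name (and group, when given).

    A real SBOM can list the same library more than once, e.g. two versions pulled in
    by different transitive paths, so this returns a list rather than a single entry."""
    return [
        c for c in sbom.get("components", [])
        if c.get("name") == name and (group is None or c.get("group") == group)
    ]


def assess_advisory(sbom_json: str, name: str, fixed_in: str,
                    group: Optional[str] = None) -> Dict:
    """Answer the questions from the text for one advisory: is the component in use,
    which version(s) are present, are all of them already at or above fixed_in, and
    therefore is any action required."""
    sbom = json.loads(sbom_json)
    matches = find_components(sbom, name, group)
    versions = [c.get("version", "") for c in matches]
    fixed = parse_version(fixed_in)
    # "Patched" only makes sense when the component is present; every occurrence must
    # be at or above the fixed version, not just the first one found.
    patched = bool(matches) and all(parse_version(v) >= fixed for v in versions)
    return {
        "in_use": bool(matches),
        "versions": versions,
        "purls": [c.get("purl") for c in matches],
        "patched": patched,
        "action_required": bool(matches) and not patched,
    }


if __name__ == "__main__":
    # Constructed advisories: (component, version in which the issue is fixed).
    for lib, fixed_in in (("lodash", "4.17.21"), ("express", "4.17.0"), ("some-other-lib", "1.0.0")):
        print(lib, assess_advisory(SAMPLE_SBOM, lib, fixed_in))
```

Two design points matter in practice: match on the package URL (purl) or on name plus group rather than on a bare name, because the same name can exist in several ecosystems, and treat the SBOM as a list that may contain duplicate components, since "we use version X" is only true when every occurrence is at version X.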


Why is this important under the CRA?

The Cyber Resilience Act imposes stricter requirements on manufacturers of products with digital elements, including software. Suppliers must, among other things:

  • Demonstrably establish secure development processes
  • Actively monitor vulnerabilities
  • Provide timely updates
  • Be transparent about the components used

The SBOM is an essential tool in this regard. It demonstrates that we, as a supplier, have insight into our software supply chain and are working systematically on vulnerability management. For 2LRN4, this means that we not only aim for compliance but also anticipate what the market expects from a security platform: transparency about the components our software is built from.


Relationship with the Cbw / NIS2

The NIS2 Directive and the Cybersecurity Act (Cbw) emphasize:

  • risk-based security
  • supply chain security
  • demonstrable governance
  • management responsibility

For our customers with increased duty of care, this means they must assess suppliers more critically for software security and supply chain risks.

With the integrated SBOM in 2LRN4, administrators can:

  • gain direct insight into components in use
  • substantiate how vulnerabilities are monitored
  • demonstrate that updates have been implemented
  • answer auditor questions more quickly

This supports not only technical teams but also CISOs, risk officers, and directors who are accountable.


Automatically updated after every update

The SBOM within 2LRN4 is automatically generated and updated after every release.

This means:

  • no manual administration
  • no outdated overviews
  • always up-to-date component information
  • direct connection to our patch and update process

This automation is crucial. A static SBOM quickly loses its value. By dynamically linking this to our release process, the information remains reliable and up-to-date.


Why this is important for 2LRN4

As a security awareness platform, we share responsibility for our clients' digital resilience. This means that our own software development must follow the same principles we advise our clients:

  • security by design
  • privacy by design
  • transparency
  • demonstrable control

With the SBOM, we show that we take our supply chain seriously. It is a concrete step towards structural compliance with European regulation and strengthens the market's confidence in us. It also supports our ambition to position 2LRN4 as a mature, future-proof SaaS platform that meets the requirements of ISO-based governance, NIS2, and the CRA.


Why this is important for our clients

For our clients, the SBOM means:

1. Reduced audit pressure

For questions about used software components, they can be referred directly to the current SBOM.

2. Faster risk analysis

When a new vulnerability is published, it can be quickly determined whether it is relevant.

3. Compliance Support

The SBOM helps demonstrate supplier control within NIS2, ISO 27001, or internal risk frameworks.

4. Enhanced Trust

Transparency increases trust between supplier and customer. You don't have to rely on statements; you can verify it yourself.


SBOM as Part of Digital Sovereignty

Digital resilience isn't just about technology; it's about control. Insight into software components means insight into dependencies. This is essential at a time when supply chain attacks are increasing and European regulation is placing growing emphasis on digital autonomy.

With the introduction of the SBOM, we are taking the next step in strengthening this control.


The Software Bill of Materials within 2LRN4 is more than a technical addition to the management menu. It is a strategic step towards:

  • European compliance (CRA and NIS2/Cbw)
  • Demonstrable supply chain security
  • Transparent software development
  • Strengthened trust in our services

At a time when regulation and threats are increasing simultaneously, we believe that transparency is no longer optional but a basic requirement. With the SBOM, we make this concrete, automatic, up to date, and available to every administrator.