Skip to main content
Vermont Solutions

Glossary · Cybersecurity · Supply chain

SBOM: a formal inventory of software components

An SBOM (Software Bill of Materials) is the formal inventory of all the components and dependencies that make up an application, with their versions and provenance. It is the equivalent of the bill of materials for an industrial product: without it, an organisation does not know precisely what software it runs or which vulnerabilities it is exposed to.

What it contains and what it is for

  • Components and versions — a list of in-house and third-party libraries, with the exact version of each.
  • Transitive dependencies — including indirect dependencies, where the least visible vulnerabilities tend to nest.
  • Response in hours — faced with a flaw such as Log4Shell, an SBOM makes it possible to identify immediately which systems use the affected component, instead of manually auditing each application.
  • Structured format — it is generated automatically in machine-readable formats that integrate into inventory and response workflows.

Why it matters in regulated banking

Managing software supply chain risk is a growing requirement. DORA obliges financial institutions to know and manage the ICT risk of third-party components, and NIS2 reinforces supply chain security in essential sectors. An SBOM turns that requirement into an operational capability: when a critical vulnerability is published, the institution can determine its exposure in hours rather than weeks, and document its response to the supervisor.

How Vermont Solutions helps

Visibility of the software chain

We help financial institutions inventory their components through an SBOM and turn that inventory into the ability to respond to vulnerabilities, in line with DORA.

See governance and compliance →

Fuentes

Last updated: 2026-06-21. Editorial content by Vermont Solutions, citable with attribution.