
India Joins the Global SBOM Push

  • Writer: Giuliana Bruni
  • Jul 10
  • 2 min read

From Washington to Brussels to Tokyo, software regulation is entering a new era defined by visibility, traceability, and accountability. Governments and regulators are converging on SBOMs as a foundation for secure digital supply chains. In the United States, Executive Order 14028 and related OMB mandates, the EU’s Cyber Resilience Act, and even private-sector buyers are treating SBOMs as standard due diligence.


Amid this global backdrop, India has emerged as a notable early mover. In October 2024, the Indian Computer Emergency Response Team (CERT-In) issued its first formal technical guidance on SBOMs. While not legally binding, these guidelines are already influencing how Indian firms approach software transparency.


The strategic importance of this move should not be underestimated. India is one of the world’s largest exporters of software and IT services. As overseas clients tighten their requirements, Indian vendors who proactively implement SBOM practices gain a competitive edge. CERT-In’s guidance encourages not just compliance with international formats like CycloneDX and SPDX, but integration of SBOMs across the entire software lifecycle.


In the financial sector, this aligns neatly with SEBI’s existing mandate for SBOMs under its Cybersecurity and Cyber Resilience Framework. For pharma and laboratory environments, it supports traceability, GxP compliance, and data integrity—issues that are increasingly under the microscope from both domestic and international regulators.


Yet, the real opportunity lies in going beyond surface-level compliance. Traditional SBOM tools often focus only on declared components. But in practice, the real risks frequently stem from undeclared, reused code snippets.


This is where SCANOSS changes the game. By analysing raw source code rather than manifests alone, SCANOSS uncovers undeclared and misattributed components, bringing previously hidden software elements to light. It also offers geo-provenance data—critical for identifying whether code originates from jurisdictions under export restrictions or sanctions. This added intelligence transforms SBOMs from a list into a risk-aware map of your software’s true origins.
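The gap the two paragraphs above describe, between what a manifest declares and what is actually sitting in the source tree, can be made concrete with a small script. The example below is added here for illustration and is not SCANOSS code or a description of its matching engine: it builds a minimal CycloneDX-shaped component list from a constructed manifest, then hashes every file under a constructed project directory against a toy fingerprint table, and reports components that were found in the code but never declared. The component name "tinylog", its file contents and the manifest entries are all constructed for this example, and whole-file SHA-256 matching is a deliberately simple stand-in for real snippet-level fingerprinting.

```python
"""Declared vs. detected components: why manifest-only SBOMs miss vendored code.

Added example, not part of the original post and not SCANOSS's implementation.
All component names, versions and file contents below are constructed.
"""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path

# Constructed sample: a source file belonging to a hypothetical open source
# component "tinylog 1.2.0". A real fingerprint database holds millions of
# such entries (and snippet-level hashes); this table holds one.
TINYLOG_SOURCE = b"def log(msg):\n    print('[tinylog]', msg)\n"

KNOWN_FILE_FINGERPRINTS: dict[str, tuple[str, str]] = {
    hashlib.sha256(TINYLOG_SOURCE).hexdigest(): ("tinylog", "1.2.0"),
}


def sbom_from_manifest(manifest: dict) -> dict:
    """Build a minimal CycloneDX-style document from declared dependencies only.

    Only the bomFormat/specVersion/components shape is modelled; this is not a
    complete CycloneDX implementation (no metadata, purls, hashes or licenses).
    """
    components = [
        {"type": "library", "name": name, "version": version}
        for name, version in sorted(manifest.get("dependencies", {}).items())
    ]
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": components}


def scan_sources(root: Path) -> list[tuple[str, str]]:
    """Hash every regular file under root and look it up in the fingerprint table.

    Exact whole-file hashing is the simplest possible matcher: a single edited
    line in a vendored file defeats it, which is why production tools work at
    snippet granularity. It is enough to show the declared/detected mismatch.
    """
    detected: list[tuple[str, str]] = []
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            hit = KNOWN_FILE_FINGERPRINTS.get(digest)
            if hit is not None:
                detected.append(hit)
    return detected


def undeclared_components(sbom: dict, detected: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Components present in the code but absent from the manifest-derived SBOM."""
    declared = {(c["name"], c["version"]) for c in sbom["components"]}
    return sorted(set(detected) - declared)


def demo() -> list[tuple[str, str]]:
    """Create a constructed project: one declared dependency, one vendored copy."""
    manifest = {"dependencies": {"requests": "2.31.0"}}  # constructed manifest
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.py").write_bytes(b"import requests\n")
        vendor = root / "vendor"
        vendor.mkdir()
        # Copied into the tree by hand, so it never appears in the manifest.
        (vendor / "tinylog.py").write_bytes(TINYLOG_SOURCE)

        sbom = sbom_from_manifest(manifest)
        missing = undeclared_components(sbom, scan_sources(root))
        print(json.dumps(sbom, indent=2))
        print("undeclared:", missing)
        return missing


if __name__ == "__main__":
    demo()
```

Running `demo()` prints a CycloneDX-shaped document listing only `requests`, then reports `tinylog 1.2.0` as undeclared: the manifest was truthful about what was declared and still described the shipped code incompletely. Reconciling the two lists, rather than trusting either alone, is the practical check a reviewer can apply to any SBOM handed over for due diligence.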


India’s proactive approach offers a roadmap, both for its domestic industries and for international observers looking for scalable models. With CERT-In setting the tone and tools like SCANOSS enabling practical implementation, the opportunity is clear.



Adopt SCANOSS today

Get complete visibility and control over your open source.
