Call for Feedback: Advancing Software Supply Chain Security together!

Back to News

News Item Dec 17,2025

ENISA invites industry stakeholders and interested parties to provide their feedback on the draft SBOM Landscape Analysis and the Technical Advisory for Secure Use of Package Managers.

ENISA works to strengthen cybersecurity by promoting cybersecurity-by-design and cybersecurity-by-default in the EU market. The EU is prioritising the security of all digital products and the protection of end-users, safeguarding our shared connected ecosystem. Through the launch of the two new public consultations, the Agency aims to engage with professionals working in product security and development to provide meaningful guidance and support in advancing cybersecurity across the ecosystem.

SBOM Landscape Analysis: Towards an Implementation Guide

Software Bills of Materials (SBOM) implementation is a significant step for organisations to enhance management, transparency and resilience of their systems. ENISA has compiled a draft report of comprehensive yet practical guidance for implementing Software Bill of Materials practices within organisations of varying sizes and capabilities. 

You may provide your feedback by 23 January 2025 at 23:59 CET by taking part in the survey: https://ec.europa.eu/eusurvey/runner/SBOM_Analysis_Implementation_Guide 

Additionally,the baseline survey to assess the state of Software Bills of Materials (SBOMs) across Europe is still open and running until the 19 December 2025. Provide your input here: https://ec.europa.eu/eusurvey/runner/enisa-sbom-study2025 

ENISA Technical Advisory for Secure Use of Package Managers

ENISA will publish regular technical advisories on product security from 2026 onwards. The first of these technical advisories covers the use of package managers. Software development is largely driven by the use of package managers. Packages and package managers offer major benefits for software development, improving collaboration, efficiency, and consistency. Yet their interconnected nature and security risks can create a ripple effect across the software supply chain, affecting hundreds of thousands of dependent projects.

This draft document aims to support software developers in the software development lifecycle and particularly in the secure use of package managers. In particular, this document outlines common risks involved in the use of third-party packages, presents secure practices for selecting, integrating, and monitoring packages and how to address vulnerabilities found in dependencies. 

You may take part in the consultation for the Technical Advisory by 23 January 2025, 23:59 CET through the following link: https://ec.europa.eu/eusurvey/runner/ENISA-TG-2025-01 

Following the analysis of the public consultations, the final publications will be available on ENISA website in Q2 2026.

Map of Europe with coloured padlocks highlighting software supply chain security, alongside text 'Advancing Software Supply Chain Security' and a call for feedback. ENISA logo in top-left corner.

Contact

For press questions and interviews, please contact:
press@enisa.europa.eu.

Access to the press office

Related topics

Content written for: National / EU authorities | Private Sector

Related content

Voices of EU Cybersecurity Certification - Magazine cover by ENISA

Voices of EU Cybersecurity Certification

A special publication by ENISA that incorporates feedback from stakeholders involved in building, maintaining, operating, and applying the first EU cybersecurity certification schemes.

Managed Security Services Analysis cover featuring an illistration of a woman working on different screens with statistics

Managed Security Services Market Analysis

This report addresses the market for Managed Security Services (MSS) on both the demand and the supply side.

Public_Consultation_on_Specifications_for_EUICC_Certification.png

Public Consultation on Specifications for EUICC Certification under the EUCC scheme

ENISA has published specifications for the evaluation and certification of embedded Universal Integrated Circuit Cards (eUICCs) under the European Common Criteria-based cybersecurity certification scheme (EUCC).

Market of Cybersecurity Assessments

This Report aims at presenting the current state of play of cybersecurity assessments of ICT products and cloud services.

BROWSE ALL PUBLICATIONS

2023 Cybersecurity Certification Conference

2023 May 25

Cybersecurity Certification Conference 2024

2024 Apr 18

Webinar - Certification of Cloud Services

2021 Jan 11

2025 European Cybersecurity Certification Conference

2025 Mar 12

BROWSE ALL EVENTS

EU Managed Security Services Certification to drive the cybersecurity market

Press Release

Following the request of the European Commission for the development of a candidate certification scheme for Managed Security Services, the EU Agency for Cybersecurity (ENISA) launches a call for expression of interest to participate in the relevant Ad

European Cybersecurity Certification: Celebrating achievements and exploring future horizons

Press Release

At the eighth edition of the certification conference, the European Union Agency for Cybersecurity celebrates the first accredited Conformity Assessment Bodies for the EU Cybersecurity Certification scheme on Common Criteria (EUCC) .

ENISA Cybersecurity Resilience and Market Conference: Joining forces for a cyber-secure and resilient digital single market

Press Release

The central theme of the conference was the expansion of synergies in the field to achieve the shared goal of safeguarding the digital single market and its economy through a robust EU Cybersecurity Regulatory Framework.

Call for Experts: Join the ENISA Ad Hoc Working Group on EU Digital Identity Wallets Cybersecurity Certification

Press Release

The European Union Agency for Cybersecurity (ENISA) launches a call for expression of interest to create an Ad Hoc Working Group on the certification of EU Digital Identity Wallets.

BROWSE ALL NEWS