In recent years, regulators worldwide have recognized SBOMs as a key tool to strengthen software supply chain security. From the United States to Europe to Asia and beyond, governments and regulatory bodies now require SBOMs in certain industries to improve visibility and tackle software supply chain risks.
Among the latest SBOM compliance requirements is one from SEBI, the Securities and Exchange Board of India. SEBI is India’s securities and commodities market regulator, overseeing stock exchanges, brokerages, mutual funds, depositories, and other financial market participants.
In August of 2024, SEBI introduced the Cybersecurity and Cyber Resilience Framework (CSCRF) for all its regulated entities (REs). Among the CSCRF’s key elements is a requirement for organizations to obtain and maintain SBOMs for their critical software systems.
In this blog, we’ll break down SEBI’s SBOM rules, with a focus on technical details and strategies for managing compliance.
Scope of SEBI’s SBOM Requirement
As we mentioned, SEBI’s Cybersecurity and Cyber Resilience Framework (which includes its SBOM requirement) applies to all regulated entities (REs). The “regulated entities” category is quite broad; it includes most of the following:
- Banks
- Non-Banking Financial Companies
- Mutual Funds
- RTAs (Registrar and Transfer Agents)
- Financial Institutions
- Custodians
- Clearing Corporations
- Public Financial Institutions
- State Finance Corporations
It’s important to note that while there are five different categories of REs (with varying requirements depending on factors like size and transaction volume), the SBOM requirement applies to all.
The only carve-out is for specific types of financial entities with low trading volume and/or a small client base (such as certain stock brokers, financial analysts, investment advisors, and more). For an updated list of exempted entities, we recommend viewing SEBI’s April 2025 “Clarifications to Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs)” document.
SEBI SBOM Requirement Timeline
In its August 2024 unveiling of the CSCRF, SEBI put forth two sets of dates for the regulation to take effect:
- REs previously governed by SEBI cybersecurity rules would be required to comply by Jan. 1, 2025.
- REs not previously subject to SEBI cybersecurity rules would have until April 1, 2025.
However, the timeline has changed since that initial announcement. In response to “multiple requests” for an extended implementation period, SEBI decided to provide most REs more time to comply. The current deadline is Aug. 31, 2025 for all REs except for Market Infrastructure Institutions (MIIs), KYC Registration Agencies (KRAs), and Qualified Registrars to an Issue and Share Transfer Agents (QRTAs).
SEBI SBOM Requirement Technical Details
On the effective date, the covered regulated entities (REs) discussed in the previous section must obtain and maintain SBOMs for all “critical” IT systems.
SEBI has a relatively broad definition for what constitutes a critical system. It includes:
- Systems where failure could negatively impact core operations
- Systems that handle or transmit data
- Networks and devices through which critical systems are connected
- Internet-facing systems and client-facing systems
- Systems that facilitate access or communication with critical infrastructure
It’s important to note that the SBOM requirement applies to all types of software applications, including ones developed in-house, custom-developed software by a third-party, off-the-shelf products, open source, and SaaS applications.
In addition to obtaining an SBOM for all procurements of critical systems, REs must keep those SBOMs updated with every upgrade or change.
Of course, there is also the potential scenario where an RE needs an SBOM for an existing system — but, for whatever reason, is unable to obtain one. In that case, the RE’s leadership (the board, partners, or proprietors) is expected to apply a rationale and risk management approach for that system that’s consistent with the CSCRF’s higher-level objectives.
SEBI SBOM Properties
SEBI is prescriptive about what should be included in the SBOM itself. Although it doesn’t specify a required SBOM format (such as CycloneDX or SPDX), it does highlight a number of mandatory elements. These include:
- License information
- Supplier name
- Top-level components, plus transitive dependencies (including third-party dependencies) and the relationships between dependencies
- Encryption used
- Cryptographic hash
- Update frequency
- Known unknowns (the SBOM should communicate context in cases where it doesn’t include a complete dependency graph)
- Access control (SEBI isn’t prescriptive about this requirement, but our interpretation is that if the SBOM producer wants to limit access to the SBOM itself, terms of this access control must be provided)
- Accommodations for mistakes (SEBI is not prescriptive about this requirement either, but one good practice is to use some sort of SBOM ingestion tool to validate correctness and provide enrichment if need be)
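As an added illustration (not code from the original post, from FOSSA, or from SEBI), the following Python script turns the list above into an automated check over a CycloneDX-style JSON SBOM, the kind of validation step the “accommodations for mistakes” item calls for. The sample document, supplier and package names, hash values, and the `example:` property names used to carry the three elements CycloneDX has no dedicated field for (update frequency, encryption used, known unknowns) are all constructed assumptions; a real ingestion pipeline would map those elements to whatever convention it agrees with its suppliers.

```python
"""Check a CycloneDX-style JSON SBOM for the elements SEBI lists as mandatory.
Added example, not FOSSA's or SEBI's code. SAMPLE_SBOM_JSON is constructed;
the 'example:' property names are an assumed convention for the three items
CycloneDX has no dedicated field for."""
import json

SAMPLE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {
    "timestamp": "2025-05-01T10:00:00Z",
    "component": {
      "type": "application", "bom-ref": "app",
      "name": "mobile-banking-app", "version": "3.2.0",
      "supplier": {"name": "Example Bank IT"}
    },
    "properties": [
      {"name": "example:update-frequency", "value": "every release and at least monthly"},
      {"name": "example:encryption-used", "value": "TLS 1.3 in transit; AES-256-GCM at rest"},
      {"name": "example:known-unknowns", "value": "pay-sdk delivered without its transitive graph"}
    ]
  },
  "components": [
    {"type": "library", "bom-ref": "pkg:maven/org.example/http-client@2.1.0",
     "name": "http-client", "version": "2.1.0",
     "supplier": {"name": "Example OSS Foundation"},
     "licenses": [{"license": {"id": "Apache-2.0"}}],
     "hashes": [{"alg": "SHA-256",
                 "content": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"}]},
    {"type": "library", "bom-ref": "pkg:maven/com.vendor/pay-sdk@5.0.1",
     "name": "pay-sdk", "version": "5.0.1",
     "supplier": {"name": "Vendor Payments Ltd"},
     "licenses": [{"license": {"name": "Vendor Commercial"}}]}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["pkg:maven/org.example/http-client@2.1.0",
                                  "pkg:maven/com.vendor/pay-sdk@5.0.1"]},
    {"ref": "pkg:maven/org.example/http-client@2.1.0", "dependsOn": []}
  ]
}
"""
SAMPLE_SBOM = json.loads(SAMPLE_SBOM_JSON)

# Assumed property names carrying the CSCRF elements CycloneDX has no field for.
REQUIRED_PROPERTIES = (
    "example:update-frequency",
    "example:encryption-used",
    "example:known-unknowns",
)


def sbom_findings(sbom):
    """Return a list of gaps; an empty list means every mandatory element is present."""
    findings = []
    meta = sbom.get("metadata", {})
    root = meta.get("component", {})
    if not root.get("supplier", {}).get("name"):
        findings.append("metadata.component: missing supplier name")
    present = {p.get("name") for p in meta.get("properties", [])}
    findings += [f"metadata.properties: missing {p}" for p in REQUIRED_PROPERTIES if p not in present]

    refs = {root["bom-ref"]} if root.get("bom-ref") else set()
    for comp in sbom.get("components", []):
        ref = comp.get("bom-ref") or comp.get("name", "<unnamed>")
        refs.add(ref)
        if not comp.get("supplier", {}).get("name"):
            findings.append(f"{ref}: missing supplier name")
        if not comp.get("licenses"):
            findings.append(f"{ref}: missing license information")
        if not any(h.get("alg") and h.get("content") for h in comp.get("hashes", [])):
            findings.append(f"{ref}: missing cryptographic hash")

    # Relationships: every ref in the graph must resolve, and every component must
    # appear in the graph as a node or as a dependsOn target.
    graph_refs = set()
    for dep in sbom.get("dependencies", []):
        graph_refs.add(dep.get("ref"))
        for target in dep.get("dependsOn", []):
            graph_refs.add(target)
            if target not in refs:
                findings.append(f"dependencies: {dep.get('ref')} depends on unknown ref {target}")
    findings += [f"{ref}: not present in the dependency graph" for ref in sorted(refs - graph_refs)]
    return findings


if __name__ == "__main__":
    for line in sbom_findings(SAMPLE_SBOM) or ["no gaps found"]:
        print(line)
```

Run against the sample, the check reports exactly one gap: the purchased pay-sdk component carries no cryptographic hash. That is the kind of finding worth feeding back to the supplier before the SBOM is accepted as the record for a critical system.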
Strategies for Managing SEBI SBOM Compliance
Although there are multiple ways for regulated entities to achieve compliance with SEBI’s SBOM requirements, a handful of core capabilities are likely to be part of the solution for most organizations.
SBOM Generation
REs will need a mechanism — we’d recommend an SBOM tool like FOSSA — to produce SBOMs for the software they develop. Of course, regardless of your generation method, it’s important to make sure you can produce SBOMs that include all the required data fields we covered in the last section. It’s particularly important to ensure your SBOM generation tooling provides a full dependency graph that’s representative of your production asset.
Additionally, you will need to have a process for keeping your SBOM up to date when there’s a change to your application or its metadata, such as licenses and vulnerabilities. Tools like FOSSA that integrate with CI/CD pipelines can automate the update process.
Finally, it’s worth noting that, although SEBI’s SBOM requirement applies directly only to financial institutions, organizations that do business with SEBI-regulated entities will now face SBOM requests during procurement. As such, if your organization sells software to an RE, generating an SBOM will be a condition of doing business.
SBOM Ingestion
In theory, it’s possible for REs to obtain SBOMs as email attachments (or Google Drive files) and then package those documents in their original formats to fulfill SEBI requirements.
In practice, however, many REs will find it beneficial to have a tool that enables true SBOM ingestion. Although there’s no universal definition of SBOM ingestion, one view is that it entails using some sort of tooling that turns the static SBOM file into a living, breathing set of dependencies and metadata. The tool would then be able to monitor and report new vulnerabilities opened against the components in the SBOM to facilitate faster remediation.
In other words, the distinction between simply receiving an SBOM and ingesting it is the utility — ingestion makes it possible to automate the practice of using the SBOM to help manage supply chain risks.
SBOM ingestion also comes in handy for REs that purchase a software component from a supplier and use that component as part of a broader system — say, a mobile banking app. In that scenario, the RE will need to produce a complete application-level SBOM that represents both sets of components:
- Developed in-house (and/or from open source libraries)
- Purchased from a third party
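The following added Python example (not FOSSA’s code and not part of the original post) sketches that scenario end to end: an in-house application SBOM is merged with the supplier’s SBOM for a purchased component into one application-level SBOM, and the merged component list is then checked against an advisory feed, with each hit traced back through the dependency graph to the purchased component it arrived through. Both SBOMs, the `pkg:` identifiers, and the advisory entries are constructed for illustration.

```python
"""Merge an in-house SBOM with a supplier SBOM into one application-level SBOM,
then check the result against an advisory feed. Added example, not FOSSA's
code; every SBOM, identifier and advisory below is constructed."""

# Constructed: the RE's own application, which bundles a purchased pay-sdk.
IN_HOUSE_SBOM = {
    "metadata": {"component": {"bom-ref": "app", "name": "mobile-banking-app", "version": "3.2.0"}},
    "components": [
        {"bom-ref": "pkg:npm/example-ui@1.4.0", "name": "example-ui", "version": "1.4.0"},
        {"bom-ref": "pkg:maven/com.vendor/pay-sdk@5.0.1", "name": "pay-sdk", "version": "5.0.1"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:npm/example-ui@1.4.0", "pkg:maven/com.vendor/pay-sdk@5.0.1"]},
    ],
}

# Constructed: the supplier's SBOM for pay-sdk, including its own dependencies.
SUPPLIER_SBOM = {
    "metadata": {"component": {"bom-ref": "pkg:maven/com.vendor/pay-sdk@5.0.1",
                               "name": "pay-sdk", "version": "5.0.1"}},
    "components": [
        {"bom-ref": "pkg:maven/org.example/json-parser@2.8.0", "name": "json-parser", "version": "2.8.0"},
        {"bom-ref": "pkg:maven/org.example/tls-lib@1.0.3", "name": "tls-lib", "version": "1.0.3"},
    ],
    "dependencies": [
        {"ref": "pkg:maven/com.vendor/pay-sdk@5.0.1",
         "dependsOn": ["pkg:maven/org.example/json-parser@2.8.0", "pkg:maven/org.example/tls-lib@1.0.3"]},
        {"ref": "pkg:maven/org.example/json-parser@2.8.0", "dependsOn": []},
        {"ref": "pkg:maven/org.example/tls-lib@1.0.3", "dependsOn": []},
    ],
}

# Constructed advisory feed; the ids are placeholders, not real advisories.
ADVISORIES = [
    {"id": "EXAMPLE-2025-0001", "ref": "pkg:maven/org.example/json-parser@2.8.0", "severity": "high"},
    {"id": "EXAMPLE-2025-0002", "ref": "pkg:npm/left-pad@1.0.0", "severity": "low"},
]


def merge_sboms(app_sbom, supplier_sbom):
    """Return an application-level SBOM: components deduplicated by bom-ref and
    dependency edges unioned. The supplier's root component must already be a
    component of the application SBOM; otherwise the two documents do not
    describe the same thing and the merge is refused."""
    supplier_root = supplier_sbom["metadata"]["component"]["bom-ref"]
    app_refs = {c["bom-ref"] for c in app_sbom["components"]}
    if supplier_root not in app_refs:
        raise ValueError(f"supplier root {supplier_root} is not a component of the application")
    components = {c["bom-ref"]: dict(c) for c in app_sbom["components"]}
    for c in supplier_sbom["components"]:
        components.setdefault(c["bom-ref"], dict(c))
    edges = {}
    for sbom in (app_sbom, supplier_sbom):
        for dep in sbom["dependencies"]:
            edges.setdefault(dep["ref"], set()).update(dep["dependsOn"])
    return {
        "metadata": app_sbom["metadata"],
        "components": list(components.values()),
        "dependencies": [{"ref": r, "dependsOn": sorted(d)} for r, d in sorted(edges.items())],
    }


def transitive_path(sbom, target):
    """Depth-first search from the application root to `target`, returning the
    chain of bom-refs so a finding on a supplier's transitive dependency can be
    traced to the purchased component it came in through."""
    root = sbom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d["dependsOn"] for d in sbom["dependencies"]}
    stack = [(root, [root])]
    seen = set()
    while stack:
        node, path = stack.pop()
        if node == target:
            return path
        if node in seen:
            continue
        seen.add(node)
        for child in edges.get(node, []):
            stack.append((child, path + [child]))
    return None


def affected_components(sbom, advisories):
    """Advisories whose component is present in the SBOM, each with its dependency path."""
    present = {c["bom-ref"] for c in sbom["components"]}
    return [
        {"id": a["id"], "severity": a["severity"], "path": transitive_path(sbom, a["ref"])}
        for a in advisories if a["ref"] in present
    ]


if __name__ == "__main__":
    merged = merge_sboms(IN_HOUSE_SBOM, SUPPLIER_SBOM)
    for hit in affected_components(merged, ADVISORIES):
        print(hit["id"], hit["severity"], " -> ".join(hit["path"]))
```

The point of keeping the graph rather than a flat component list is visible in the output: the one matching advisory lands on json-parser, a library the RE never chose directly, and the path shows it arrived through the purchased pay-sdk, which is the supplier the RE has to chase for a fix.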
SBOM Sharing and Receiving
A related process is the ability to share and receive SBOMs on a continuous basis. The key factors in SBOM sharing and receiving as they relate to SEBI’s requirements are having at your disposal:
- A tool that enables secure, access-controlled SBOM sharing between software producer and consumer
- A tool that removes friction in the SBOM update process; remember, SEBI requires REs to not only obtain an SBOM during initial procurement, but also to keep that SBOM updated when the software changes
Using FOSSA for SEBI SBOM Compliance
Although getting the technology and processes in place to manage comprehensive SBOM requirements like SEBI’s can be difficult, a wide range of regulated organizations are successfully using FOSSA today to assist in compliance. From SBOM generation to ingestion, analysis, and sharing, FOSSA helps manage the end-to-end SBOM lifecycle. Please reach out to our team for more information on using FOSSA in your organization.