©2026 QuNu Labs Private Limited, All Rights Reserved.
Every organisation running enterprise software is using cryptography. It is embedded in TLS libraries, code signing certificates, database encryption modules, VPN configurations, API authentication tokens, cloud storage encryption layers, and hundreds of third-party dependencies. The problem is that most organisations have no systematic view of what cryptographic assets they have, where they are, which algorithms they use, or which are already quantum vulnerable. The Cryptographic Bill of Materials (CBOM) was created to fix that. And in 2026, regulators are starting to require it.
A Cryptographic Bill of Materials (CBOM) is a structured, machine-readable inventory of every cryptographic asset in use across an organisation's software, hardware, and infrastructure. It is the cryptographic evolution of the Software Bill of Materials (SBOM), which catalogues software components and dependencies.
Where an SBOM tells you which libraries you use, a CBOM tells you how those libraries protect your data - which algorithms, which key lengths, which implementations, and which are vulnerable. IBM's CBOM specification, now included in the CycloneDX 1.6 standard, captures critical asset properties such as algorithm families and variants, enabling precise identification of vulnerabilities like weak algorithms, hardcoded keys, and deprecated implementations.[1]
A complete CBOM maps three dimensions across an organisation's entire digital estate: what cryptographic assets exist (algorithms, keys, certificates, protocols); where they are deployed (application, service, device, network layer); and what relationships exist between them (which asset signs which certificate, which key protects which database).
The EU Cyber Resilience Act entered into force on December 10, 2024. Its main obligations apply from December 11, 2027, with reporting obligations beginning September 11, 2026.[2] The CRA mandates a machine-readable Software Bill of Materials for every product with digital elements sold on the EU market - and the CBOM is the cryptographic layer that implements that requirement for cryptographic components. Manufacturers based outside the EU are in scope if their products reach the EU market.[3] Any hardware or software product that includes a data connection to a device or network is covered.
The NIS2 Directive, which repealed NIS1 on October 18, 2024, establishes a unified cybersecurity framework across 18 critical sectors in the EU. Its implementing regulation (2024/2690) requires covered entities to provide information describing the hardware and software components used in their systems.[4] In practical terms, this is a cryptographic inventory requirement by another name. The EU Commission proposed further NIS2 amendments in January 2026, tightening supply chain security requirements and expanding ENISA's coordinating role.[5]
Note: NIS2 does not mandate a CBOM by name. Its implementing regulation (2024/2690) requires covered entities to provide "information describing the hardware and software components used" in their systems - which in practice demands the same systematic cryptographic inventory that a CBOM delivers. The EU Cyber Resilience Act is the binding regulation that explicitly mandates machine-readable component inventories.
The EU's Coordinated Implementation Roadmap for the transition to post-quantum cryptography, released June 23, 2025, sets three binding milestones: all Member States begin PQC transitions including establishing cryptographic inventories by end of 2026; high-risk systems secured by end of 2030; full transition by end of 2035.[6] Critically, the roadmap explicitly states that organisations should maintain a cryptographic inventory using standardised formats such as the CBOM. This is one of the first policy-level endorsements of CBOM by name in binding regulatory guidance.
NIST SP 800-53 Rev 5 includes supply chain risk management controls that require cryptographic asset documentation for federal agencies and FISMA-regulated systems. NIST SP 800-171 Rev 3, which governs DoD contractors handling Controlled Unclassified Information (CUI), includes equivalent requirements.[4] The practical interpretation: if you sell to US federal, DoD, or EU markets in 2026 and beyond, a CBOM is not optional.

Automated scanning tools traverse networks, source code repositories, container images, cloud environments, and OT/IoT devices to identify cryptographic assets. Leading tools in 2026 include IBM Quantum Safe Explorer (for enterprise codebases and mainframe environments), SandboxAQ AQtive Guard (for large-scale AI-powered discovery), and Keyfactor Command Risk Intelligence (Keyfactor acquired InfoSec Global in 2025 for its CBOM-grade cryptographic inventory capability).[7] Discovery tools produce a raw inventory. This is the starting point, not the finish line.
Each cryptographic asset is classified by algorithm type, key length, deployment context, and quantum vulnerability. Assets using RSA-2048, ECDSA, and similar NIST-deprecated algorithms are flagged as high-priority. Assets protecting long-lived data (health records, financial transactions, classified communications) are prioritised for early migration regardless of algorithm. The EU's PQC Roadmap explicitly calls for prioritisation by asset sensitivity and lifespan.[6]
This is where most CBOM programmes stall. Discovery tools produce lists. Remediation requires an action layer: a system that can receive the CBOM output, prioritise which keys and algorithms to migrate, execute migration without service disruption, and maintain cryptographic agility for future algorithm changes. Without this layer, a CBOM is a very expensive spreadsheet.
Cryptographic posture is not a point-in-time measurement. New services deploy, new dependencies are introduced, certificates expire, and algorithms evolve. A mature CBOM programme requires continuous re-scanning, automated alerting on new vulnerabilities, and integration with the key lifecycle management system that governs remediation. The 2026 Cryptographic Cliff - the convergence of NIST deprecations, EU regulatory deadlines, and Harvest Now, Decrypt Later (HNDL) threats - makes continuous monitoring a survival requirement, not a best practice.[8]
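The classification and prioritisation step above, together with the three CBOM dimensions described earlier (what exists, where it is deployed, and how assets relate), as an added example that is not from the article or from any of the vendors it names. It walks a constructed CycloneDX 1.6 CBOM fragment, flags public-key algorithms with no quantum security level, follows the `dependencies` graph upward to the applications that rely on each one, and ranks them by Harvest Now, Decrypt Later exposure and data lifespan. The field names follow the CycloneDX 1.6 `cryptoProperties` schema as I understand it; the asset values, the data-lifespan mapping and the tier thresholds are all constructed assumptions, not real inventory data.

```python
"""Classify and prioritise quantum-vulnerable assets from a CycloneDX 1.6 CBOM."""
from collections import defaultdict


def alg(ref, name, primitive, params, level, **extra):
    """Build a constructed 'algorithm' cryptographic-asset component."""
    props = {"primitive": primitive, "parameterSetIdentifier": params,
             "nistQuantumSecurityLevel": level, **extra}
    return {"type": "cryptographic-asset", "bom-ref": ref, "name": name,
            "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": props}}


def tls(ref, version, suite, algorithms):
    """Build a constructed 'protocol' asset referencing the algorithms it uses."""
    return {"type": "cryptographic-asset", "bom-ref": ref, "name": f"TLS {version}",
            "cryptoProperties": {"assetType": "protocol", "protocolProperties": {
                "type": "tls", "version": version,
                "cipherSuites": [{"name": suite, "algorithms": algorithms}]}}}


# Constructed CBOM (assumption: field names per CycloneDX 1.6 cryptoProperties).
CBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.6",
    "components": [
        {"type": "application", "bom-ref": "app:patient-records", "name": "patient-records"},
        {"type": "application", "bom-ref": "app:marketing-site", "name": "marketing-site"},
        alg("alg:rsa-2048", "RSA-2048", "pke", "2048", 0),
        alg("alg:ecdsa-p256", "ECDSA P-256", "signature", "P-256", 0),
        alg("alg:aes-256-gcm", "AES-256-GCM", "ae", "256", 5, mode="gcm"),
        alg("alg:ml-kem-768", "ML-KEM-768", "kem", "768", 3),
        {"type": "cryptographic-asset", "bom-ref": "cert:api-gateway", "name": "api cert",
         "cryptoProperties": {"assetType": "certificate", "certificateProperties": {
             "signatureAlgorithmRef": "alg:ecdsa-p256"}}},
        tls("proto:tls12-api", "1.2", "TLS_RSA_WITH_AES_256_GCM_SHA384",
            ["alg:rsa-2048", "alg:aes-256-gcm"]),
        tls("proto:tls13-site", "1.3", "TLS_AES_256_GCM_SHA384 (X25519MLKEM768)",
            ["alg:ml-kem-768", "alg:aes-256-gcm"]),
    ],
    # The "relationships" dimension: which asset each application or protocol uses.
    "dependencies": [
        {"ref": "app:patient-records", "dependsOn": ["proto:tls12-api", "cert:api-gateway"]},
        {"ref": "app:marketing-site", "dependsOn": ["proto:tls13-site", "cert:api-gateway"]},
        {"ref": "proto:tls12-api", "dependsOn": ["alg:rsa-2048", "alg:aes-256-gcm"]},
        {"ref": "proto:tls13-site", "dependsOn": ["alg:ml-kem-768", "alg:aes-256-gcm"]},
        {"ref": "cert:api-gateway", "dependsOn": ["alg:ecdsa-p256"]},
    ],
}

# Constructed data-classification input (assumption, not part of the CBOM schema):
# how many years each application's data must remain confidential.
DATA_LIFESPAN_YEARS = {"app:patient-records": 25, "app:marketing-site": 1}

# Breaking these exposes recorded traffic later (HNDL); breaking signatures does not.
CONFIDENTIALITY_PRIMITIVES = {"pke", "kem", "key-agree"}
SIGNATURE_PRIMITIVES = {"signature"}


def algorithm_props(component):
    return component.get("cryptoProperties", {}).get("algorithmProperties")


def is_quantum_vulnerable(component):
    """Public-key primitive claiming no NIST quantum security level."""
    props = algorithm_props(component)
    if not props:
        return False
    return (props["primitive"] in CONFIDENTIALITY_PRIMITIVES | SIGNATURE_PRIMITIVES
            and props.get("nistQuantumSecurityLevel", 0) == 0)


def reverse_dependencies(cbom):
    """Map each bom-ref to the set of refs that depend on it (edges reversed)."""
    rdeps = defaultdict(set)
    for dep in cbom.get("dependencies", []):
        for target in dep.get("dependsOn", []):
            rdeps[target].add(dep["ref"])
    return rdeps


def exposed_applications(ref, rdeps, components):
    """Walk reversed edges from an algorithm up to the applications using it."""
    seen, stack, apps = set(), [ref], set()
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        if components[cur]["type"] == "application":
            apps.add(cur)
        stack.extend(rdeps.get(cur, ()))
    return apps


def prioritise(cbom, lifespans):
    """Flag quantum-vulnerable algorithms and rank them by HNDL risk and lifespan."""
    components = {c["bom-ref"]: c for c in cbom["components"]}
    rdeps = reverse_dependencies(cbom)
    findings = []
    for ref, comp in components.items():
        if not is_quantum_vulnerable(comp):
            continue
        apps = exposed_applications(ref, rdeps, components)
        lifespan = max((lifespans.get(a, 0) for a in apps), default=0)
        hndl = algorithm_props(comp)["primitive"] in CONFIDENTIALITY_PRIMITIVES
        if hndl and lifespan >= 10:
            tier = "P1"  # long-lived data already exposed to harvest-now-decrypt-later
        elif hndl:
            tier = "P2"  # confidentiality at risk, but the data is short-lived
        else:
            tier = "P3"  # signature only: migrate before a CRQC, no retroactive exposure
        findings.append({"ref": ref, "name": comp["name"], "tier": tier, "hndl": hndl,
                         "apps": sorted(apps), "max_lifespan_years": lifespan})
    return sorted(findings, key=lambda f: (f["tier"], -f["max_lifespan_years"]))


if __name__ == "__main__":
    for f in prioritise(CBOM, DATA_LIFESPAN_YEARS):
        print(f"{f['tier']} {f['name']:<12} HNDL={f['hndl']!s:<5} "
              f"lifespan={f['max_lifespan_years']}y apps={','.join(f['apps'])}")
```

On the constructed inventory, RSA-2048 lands in P1 because it provides key transport for the patient-records TLS endpoint whose data must stay confidential for 25 years, while ECDSA P-256 lands in P3 even though it reaches both applications, since a future break of the signing algorithm does not expose traffic that was recorded today. The graph walk is what turns a flat algorithm list into the application-level prioritisation the roadmap asks for; the same reverse-dependency index can be re-run against each fresh scan to support the continuous monitoring described above.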
IBM Quantum Safe Explorer, SandboxAQ, Keyfactor Command Risk Intelligence, and Encryption Consulting's CBOM Secure are all discovery-first platforms. They excel at finding and cataloguing cryptographic assets. What none of them provide natively is the quantum-safe key management layer that executes on what the CBOM discovers.
This is the gap KyntraQ QKMS closes. The CBOM identifies: "Here are 47,000 RSA-2048 keys across your enterprise, distributed across these 12 application environments, protecting data with these sensitivity classifications." KyntraQ QKMS then executes: rotate those keys to ML-KEM-seeded replacements, in this priority order, with QRNG entropy at the root, across on-premise and hybrid environments, with a full audit trail.
Discovery is step one. Key lifecycle management is step two. Most organisations have bought step one and assumed step two would follow automatically. It does not.
An SBOM (Software Bill of Materials) catalogues software components and dependencies. A CBOM (Cryptographic Bill of Materials) specifically inventories cryptographic assets - algorithms, key lengths, certificates, and implementations - across those components. An SBOM tells you which library you use. A CBOM tells you whether that library is using RSA-2048 or ML-KEM, and whether it is quantum-vulnerable.
The EU Cyber Resilience Act, which entered into force December 10, 2024, mandates a machine-readable Software Bill of Materials for products with digital elements. The CBOM is the cryptographic implementation of that requirement. CRA reporting obligations begin September 11, 2026, with full compliance required by December 11, 2027.
A first-pass automated CBOM scan across an enterprise environment typically takes 2 to 4 weeks for discovery and classification. Full prioritisation, remediation planning, and integration with a key management system typically requires 8 to 12 weeks. Continuous monitoring is an ongoing operational programme, not a one-time exercise.
Leading CBOM and cryptographic discovery tools in 2026 include IBM Quantum Safe Explorer, SandboxAQ AQtive Guard, Keyfactor Command Risk Intelligence, Encryption Consulting CBOM Secure, and QCecuring CBOM. These are discovery tools. A separate quantum-safe KMS is required for the remediation and key lifecycle management layer.
After a CBOM assessment, organisations have a prioritised inventory of quantum-vulnerable cryptographic assets. The next step is remediation: migrating vulnerable keys and algorithms to NIST-approved post-quantum cryptography standards (ML-KEM, ML-DSA, SLH-DSA), implementing QRNG-seeded entropy for new key generation, and deploying a quantum-safe KMS to manage the full key lifecycle going forward.