In a landmark move to strengthen the nation’s digital resilience, CERT-In has introduced comprehensive ‘technical guidelines’ aimed at fortifying software supply chain security. First unveiled in October 2024 and subsequently expanded in July 2025, these guidelines mandate the adoption of Software Bill of Materials (SBOM) practices across critical digital sectors. The directives reflect India’s strategic determination to align with leading global cybersecurity frameworks, including the U.S. Executive Order 14028, the Cybersecurity and Infrastructure Security Agency (CISA) recommendations, and the European Union’s Cyber Resilience Act. By embedding SBOMs into regulatory requirements, India is not only reinforcing its domestic cybersecurity posture but also signaling a strong commitment to international standards of software assurance and supply chain security.   

      The regulatory momentum has been further amplified by sector-specific mandates. The Securities and Exchange Board of India (SEBI) has integrated SBOM requirements into its Cyber Security and Cyber Resilience Framework (CSCRF), ensuring that financial institutions adopt transparent and secure software practices. Similarly, the Reserve Bank of India (RBI) issued a circular in November 2024 compelling the inclusion of SBOMs for software products and components within the banking ecosystem. Together, these measures represent a coordinated regulatory effort that operationalises CERT-In’s broader vision, positioning India as a global leader in cybersecurity innovation and governance. 

      While current regulations focus on specific sectors such as banking, non-banking financial companies (NBFCs), and power, organisations should view SBOM adoption as more than a compliance exercise. A mature SBOM management framework can serve as a cornerstone of enterprise-wide cybersecurity strategy. Such a framework should progress through four critical stages: preparedness, where policies, governance structures, and tools are defined; generation, involving the systematic creation of SBOMs for all software assets; monitoring, which ensures continuous updates, vulnerability tracking, and proactive analysis; and integration, embedding SBOMs into broader security workflows such as incident response, risk management, and vendor assessments.  
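The generation and monitoring stages above boil down to two concrete checks: does each SBOM record carry enough data to track the component, and does any listed version fall inside a known advisory's affected range? The following Python is an added example written for this page, not code from KPMG, CERT-In or any of the regulators named here. The SBOM (CycloneDX JSON layout), the advisory identifiers, the package names and the version ranges are all constructed for illustration; the required-field list and the OSV-style introduced/fixed range format are assumptions chosen for the example.

```python
"""Added example: validate a CycloneDX-style SBOM and cross-check it against an advisory feed."""
import json
from typing import Any, Dict, List, Tuple

# Constructed sample SBOM in CycloneDX JSON layout (illustrative only; not a real product's SBOM).
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"timestamp": "2025-01-01T00:00:00Z", "supplier": {"name": "Example Vendor Ltd"}},
    "components": [
        {"type": "library", "name": "example-logging-lib", "version": "2.3.0",
         "purl": "pkg:maven/example/example-logging-lib@2.3.0"},
        {"type": "library", "name": "example-http-client", "version": "1.9.2",
         "purl": "pkg:pypi/example-http-client@1.9.2"},
        {"type": "library", "name": "legacy-util"},  # no version, no purl: an incomplete record
    ],
})

# Constructed advisory feed (hypothetical IDs; the range fields mimic OSV-style introduced/fixed).
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "purl_base": "pkg:maven/example/example-logging-lib",
     "introduced": "2.0.0", "fixed": "2.4.0"},
    {"id": "EXAMPLE-ADV-0002", "purl_base": "pkg:pypi/example-http-client",
     "introduced": "1.0.0", "fixed": "1.9.0"},
]

# Assumption for this example: the minimum an analyst needs to track a component.
REQUIRED_FIELDS = ("name", "version", "purl")


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.3.0' into (2, 3, 0); non-numeric parts become 0 (a simplification for the example)."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def purl_base(purl: str) -> str:
    """Strip the @version and any ?qualifiers from a package URL so it can be matched to an advisory."""
    return purl.split("?", 1)[0].split("@", 1)[0]


def validate_components(sbom: Dict[str, Any]) -> List[str]:
    """Generation-stage check: flag every component that lacks a field needed for tracking."""
    issues = []
    for idx, comp in enumerate(sbom.get("components", [])):
        missing = [f for f in REQUIRED_FIELDS if not comp.get(f)]
        if missing:
            issues.append(f"component[{idx}] {comp.get('name', '<unnamed>')}: missing {', '.join(missing)}")
    return issues


def match_advisories(sbom: Dict[str, Any], advisories: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Monitoring-stage check: report components whose version lies in an advisory's affected range."""
    index: Dict[str, List[Dict[str, str]]] = {}
    for adv in advisories:
        index.setdefault(adv["purl_base"], []).append(adv)
    findings = []
    for comp in sbom.get("components", []):
        purl, version = comp.get("purl"), comp.get("version")
        if not purl or not version:
            continue  # cannot match reliably; validate_components already flags this record
        v = parse_version(version)
        for adv in index.get(purl_base(purl), []):
            # Affected if introduced <= version < fixed (half-open range, as in OSV-style feeds).
            if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
                findings.append({"component": comp["name"], "version": version,
                                 "advisory": adv["id"], "fixed_in": adv["fixed"]})
    return findings


def review_sbom(sbom_json: str, advisories: List[Dict[str, str]]) -> Dict[str, Any]:
    """Run both checks over one SBOM document and return the combined result."""
    sbom = json.loads(sbom_json)
    return {"issues": validate_components(sbom), "findings": match_advisories(sbom, advisories)}


if __name__ == "__main__":
    result = review_sbom(SAMPLE_SBOM_JSON, SAMPLE_ADVISORIES)
    for line in result["issues"]:
        print("DATA QUALITY:", line)
    for f in result["findings"]:
        print(f"AFFECTED: {f['component']} {f['version']} -> {f['advisory']} (fixed in {f['fixed_in']})")
```

On the constructed input the record without a version or purl is reported as a data-quality issue rather than silently skipped, and only the logging library (2.3.0 inside the 2.0.0 to 2.4.0 range) produces a finding; the HTTP client sits above its advisory's fixed version. In a real programme the advisory list would come from a vulnerability feed and the result would feed the incident-response and vendor-assessment workflows the integration stage describes.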

      By advancing beyond regulatory minimums, organisations can achieve greater transparency into their software ecosystems, identify vulnerabilities more effectively, and respond to threats with agility. This proactive approach not only mitigates risks but also builds trust with regulators, customers, and partners. Ultimately, SBOM management is not just about compliance – it is about cultivating resilience, accountability, and confidence in an increasingly complex digital environment. This Point of View (PoV) underscores the importance of SBOM management in securing software products and provides a structured approach for organisations to comply with India’s evolving regulatory requirements while strengthening their overall cybersecurity capabilities.  


Key highlights of the report:

• Regulatory mandates in India

  Key highlights of SBOM requirements issued by RBI, SEBI, Ministry of Power, and CERT‑In, shaping the compliance landscape

• Understanding bills of materials

  Insights into different BOM types – SBOM, HBOM, CBOM, QBOM, and AIBOM – explaining their focus, purpose, and risk coverage

• SBOM adoption approach

  A phased journey – preparedness, generation, monitoring, and integration – to build a resilient SBOM programme and meet compliance standards

• Overcoming implementation challenges

  Addressing SBOM programme implementation challenges such as legacy application onboarding, managing open‑source dependencies, and vendor disclosure concerns



      SBOM in India’s regulatory landscape: Building trust through transparency


      This PoV explores India’s SBOM regulations, outlining an approach to help ensure compliance and strengthen supply chain security

      Key Contacts

      Akhilesh Tuteja

      Partner & National Leader, Clients and Markets

      KPMG in India

      Atul Gupta

      Partner and Head - Digital Trust and Cyber

      KPMG in India

      Srinivas Potharaju

      Partner and Head, Digital Risk and Cyber

      KPMG in India

      Srijit Menon

      National Head for TPRM in India

      KPMG in India

      How can KPMG in India help

      Third Party Risk Management solution helps an organisation to identify, assess, and manage risk associated with third-party relationship(s)

      Use cyber security to protect your future

      The Software Supply Chain Security solution empowers organisations to securely source, build, release, and maintain software products
