14.11.2025
Jitendra Palepu
Open Source
What CERT-In and SEBI Expect
As software supply chain risks escalate globally, India has moved decisively to strengthen its regulatory posture. In recent years, two major bodies, the Indian Computer Emergency Response Team (CERT-In) and the Securities and Exchange Board of India (SEBI), have issued guidelines that place the Software Bill of Materials (SBOM) at the heart of cybersecurity governance, particularly in the financial and public sectors. Together, these mandates represent a paradigm shift in how organizations must track, secure, and manage their software assets.
SBOMs: A Strategic Tool for Cybersecurity and Compliance
A Software Bill of Materials (SBOM) is a detailed inventory of all components (open source, third-party, and proprietary) that make up a software system. SBOMs provide visibility into the software supply chain, making it possible to identify vulnerable components, manage licenses, and respond rapidly to security incidents. With modern software often assembled from hundreds of libraries and packages, the SBOM becomes essential for both operational resilience and regulatory compliance.
CERT-In’s guidance underscores this by describing the SBOM as a “crucial instrument in contemporary cybersecurity procedures.” For developers, integrators, and consumers of software, the SBOM enables effective risk management across the entire software lifecycle—from design and development to deployment and runtime.
CERT-In Guidelines: SBOM as a National Standard
In its July 2025 guidance (v2.0), CERT-In formalized a comprehensive SBOM framework applicable to government departments, essential service providers, software exporters, and the broader software services industry. These guidelines emphasize that organizations must generate, maintain, and update SBOMs as a mandatory standard practice in all software procurement and development workflows.
The CERT-In framework encourages organizations to treat SBOMs not merely as static artifacts, but as living documents that evolve with every patch, upgrade, or configuration change. It introduces six SBOM classifications aligned with different stages of the SDLC—Design, Source, Build, Analyzed, Deployed, and Runtime—and defines multiple SBOM types such as top-level, transitive, delivery, and complete SBOMs.
Phased Implementation Roadmap and Operational Requirements
CERT-In also introduces a phased implementation roadmap—START, PROGRESS, and ADVANCE—guiding organizations from foundational practices to mature, automated SBOM ecosystems. The framework covers everything from secure SBOM storage and ingestion to vulnerability correlation and license compliance. Unique identifiers (such as Package URLs) are encouraged for improved traceability and interoperability.
For sectors such as banking and fintech, CERT-In makes clear that SBOMs must support proactive vulnerability management, vendor risk evaluation, and incident response capabilities. The guidance also requires software consumers to demand SBOMs from vendors during procurement, and it directs developers to deliver accurate and complete SBOMs alongside their software products.
SEBI’s SBOM Mandate for Financial Institutions
Running parallel to CERT-In's technical recommendations is a regulatory requirement from SEBI, India's capital markets regulator. In its Cybersecurity and Cyber Resilience Framework (CSCRF), issued in 2024 and clarified in 2025, SEBI mandates SBOM generation and maintenance for all SEBI-regulated entities (REs), including market infrastructure institutions, mutual funds, RTAs, custodians, and clearing corporations.
SEBI’s requirement applies to all critical IT systems, broadly defined to include internet-facing apps, client services, core backend systems, and systems with access to sensitive infrastructure. Regulated entities must not only obtain an SBOM during software procurement, but also ensure it is kept up to date with every software release, upgrade, or configuration change.
Mandatory SBOM Fields and Ingestion Expectations
While SEBI does not prescribe a specific SBOM format (such as SPDX or CycloneDX), it mandates that each SBOM include key fields: license information, supplier names, dependency graphs (including transitive dependencies), cryptographic hashes so that delivered artifacts can be checked against the inventory, encryption status, update frequency, and known unknowns (components the producer could not fully enumerate). The regulation also implicitly requires SBOM ingestion capabilities, so that REs can correlate the inventory with vulnerability data and track risk across their application stack.
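The fields above are format-agnostic, so the first practical step for an RE is a check that a vendor-delivered SBOM actually carries them before it is ingested. The script below is an added example, not code from this post or from Bitsea: it parses a CycloneDX JSON document, walks the dependency graph from the top-level component to find every transitive reference (using the Package URLs CERT-In recommends as `bom-ref` identifiers), verifies the declared SHA-256 against the delivered artifact, and reports missing supplier, license and hash data as well as declared known unknowns. The SBOM and artifact bytes are constructed for the demo, and the property names `sebi:encryption-status` and `sebi:update-frequency` are assumptions: CycloneDX has no standard field for either, so they are carried as custom `properties`.

```python
"""Check a CycloneDX JSON SBOM for the fields SEBI's CSCRF lists.

Added example, not code from the original post or from Bitsea. The SBOM and
artifact below are constructed for illustration; the property names used for
encryption status and update frequency are assumed, not a CycloneDX standard.
"""
import hashlib
import json

# Constructed artifact bytes: the file the crypto-lib component is meant to describe.
ARTIFACT = b"fake-jar-bytes-for-demo"
ARTIFACT_SHA256 = hashlib.sha256(ARTIFACT).hexdigest()

CRYPTO_LIB = "pkg:maven/org.example/crypto-lib@2.1.0"
LEFT_PAD = "pkg:npm/left-pad@1.3.0"

# Constructed CycloneDX 1.5 document. bom-ref values double as Package URLs.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app", "type": "application",
                               "name": "netbank-api", "version": "3.2.0"}},
    "components": [
        {"bom-ref": CRYPTO_LIB, "type": "library", "name": "crypto-lib", "version": "2.1.0",
         "purl": CRYPTO_LIB,
         "supplier": {"name": "Example Org"},
         "licenses": [{"license": {"id": "Apache-2.0"}}],
         "hashes": [{"alg": "SHA-256", "content": ARTIFACT_SHA256}],
         "properties": [{"name": "sebi:encryption-status", "value": "TLS-in-transit"},
                        {"name": "sebi:update-frequency", "value": "monthly"}]},
        # Deliberately incomplete entry: no supplier, license, hash or properties.
        {"bom-ref": LEFT_PAD, "type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": LEFT_PAD},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": [CRYPTO_LIB]},
        # Second edge points at a component that is not in the inventory.
        {"ref": CRYPTO_LIB, "dependsOn": [LEFT_PAD, "pkg:npm/missing@0.0.1"]},
    ],
    # CycloneDX "compositions" is how a producer declares known unknowns.
    "compositions": [{"aggregate": "incomplete", "assemblies": ["app"]}],
})

REQUIRED_PROPS = ("sebi:encryption-status", "sebi:update-frequency")  # assumed names


def transitive_deps(deps, root):
    """Walk the CycloneDX dependency graph from root; return every reachable ref."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in deps}
    seen, stack = set(), list(graph.get(root, []))
    while stack:
        ref = stack.pop()
        if ref in seen:
            continue
        seen.add(ref)
        stack.extend(graph.get(ref, []))
    return seen


def check_sbom(text, artifacts=None):
    """Return a list of findings; an empty list means every check passed.

    artifacts maps bom-ref -> delivered bytes, used to verify declared hashes.
    """
    doc = json.loads(text)
    artifacts = artifacts or {}
    findings = []
    if doc.get("bomFormat") != "CycloneDX":
        return ["not a CycloneDX document"]
    comps = {c["bom-ref"]: c for c in doc.get("components", [])}
    for ref, c in comps.items():
        if not c.get("purl"):
            findings.append(f"{ref}: missing purl")
        if not c.get("supplier", {}).get("name"):
            findings.append(f"{ref}: missing supplier")
        if not c.get("licenses"):
            findings.append(f"{ref}: missing license")
        hashes = {h["alg"]: h["content"] for h in c.get("hashes", [])}
        if "SHA-256" not in hashes:
            findings.append(f"{ref}: missing SHA-256 hash")
        elif ref in artifacts and hashlib.sha256(artifacts[ref]).hexdigest() != hashes["SHA-256"]:
            findings.append(f"{ref}: SHA-256 does not match delivered artifact")
        names = {p["name"] for p in c.get("properties", [])}
        for prop in REQUIRED_PROPS:
            if prop not in names:
                findings.append(f"{ref}: missing property {prop}")
    # Every edge in the graph must resolve to an inventoried component.
    root = doc.get("metadata", {}).get("component", {}).get("bom-ref")
    if root:
        for ref in sorted(transitive_deps(doc.get("dependencies", []), root) - set(comps)):
            findings.append(f"dependency graph references unknown component {ref}")
    for comp in doc.get("compositions", []):
        if comp.get("aggregate") != "complete":
            findings.append(f"known unknowns declared: aggregate={comp.get('aggregate')}")
    return findings


if __name__ == "__main__":
    for finding in check_sbom(SAMPLE_SBOM, {CRYPTO_LIB: ARTIFACT}):
        print(finding)
```

The hash check is the piece most often skipped in practice: an SBOM that lists a digest nobody compares to the shipped binary gives no assurance that the inventory describes what was actually deployed. Passing the delivered bytes into `check_sbom` turns the digest field into an actual control, and the dangling `pkg:npm/missing@0.0.1` edge shows why the graph must be resolved rather than just counted.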
Where an SBOM cannot be obtained for a legacy system, the entity must document a risk management justification that is approved at the leadership level. In effect, maintaining accurate SBOMs has become not just a technical requirement but a board-level responsibility.
SEBI initially announced the Cybersecurity and Cyber Resilience Framework (CSCRF) in August 2024, setting compliance deadlines of January 1, 2025 for regulated entities (REs) already subject to earlier SEBI cybersecurity circulars, and April 1, 2025 for REs newly covered by the framework. In response to repeated industry requests for more time, SEBI revised the timeline and extended the deadline for most REs to August 31, 2025, covering all CSCRF requirements including the SBOM obligations. The exceptions are Market Infrastructure Institutions (MIIs), KYC Registration Agencies (KRAs), and Qualified Registrars to an Issue and Share Transfer Agents (QRTAs), which remained bound by the original deadlines.
Aligning Practice with Policy
Together, the CERT-In and SEBI frameworks place India in line with international efforts, such as U.S. Executive Order 14028 and the EU Cyber Resilience Act, that institutionalize the SBOM as a key supply chain security tool. Both agencies underscore that compliance is not the end goal; rather, SBOMs are a strategic capability that enhances visibility, security, and trust across digital systems.
At Bitsea, we recognize that generating and maintaining high-quality SBOMs across a fragmented codebase can be resource-intensive—especially in organizations managing hybrid environments with open source, commercial, and custom software. Our tools and workflows automate SBOM creation, support license and vulnerability curation, and deliver audit-ready insights across the software lifecycle.