# Signed CycloneDX SBOMs for CRA Compliance Available for Text Control Products

> Text Control is proud to announce that we now provide signed CycloneDX Software Bill of Materials (SBOMs) for our products, ensuring compliance with the Cyber Resilience Act (CRA) and enhancing transparency for our customers. This initiative reflects our commitment to security and compliance, allowing our customers to easily access detailed information about the components used in our software.

- **Author:** Bjoern Meyer
- **Published:** 2026-05-08
- **Modified:** 2026-05-08
- **Description:** Text Control is proud to announce that we now provide signed CycloneDX Software Bill of Materials (SBOMs) for our products, ensuring compliance with the Cyber Resilience Act (CRA) and enhancing transparency for our customers. This initiative reflects our commitment to security and compliance, allowing our customers to easily access detailed information about the components used in our software.
- **6 min read** (1115 words)
- **Tags:**
  - ASP.NET
  - ASP.NET Core
- **Web URL:** https://www.textcontrol.com/blog/2026/05/08/signed-cyclonedx-sboms-for-cra-compliance-available-for-text-control-products/
- **LLMs URL:** https://www.textcontrol.com/blog/2026/05/08/signed-cyclonedx-sboms-for-cra-compliance-available-for-text-control-products/llms.txt
- **LLMs-Full URL:** https://www.textcontrol.com/blog/2026/05/08/signed-cyclonedx-sboms-for-cra-compliance-available-for-text-control-products/llms-full.txt

---

We are pleased to announce the release of Software Bill of Materials (SBOM) files for all TX Text Control .NET NuGet packages starting with version 34.0, as well as for TX Spell .NET 11.0. These SBOMs are provided in the [CycloneDX JSON format](https://cyclonedx.org/) and are digitally signed with detached PKCS#7 signatures.

A SBOM is a machine-readable inventory of the software components, dependencies, versions, and cryptographic hashes used in a software product. SBOMs have recently become a key requirement in enterprise software procurement, software supply chain security, vulnerability management, and regulatory compliance initiatives, such as the European Union's [Cyber Resilience Act (CRA)](https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act).

The CRA took effect in December 2024. Most obligations for manufacturers of products with digital elements will take effect in December 2027, while vulnerability reporting obligations will begin earlier, in September 2026. The regulation establishes software supply chain transparency and vulnerability management as mandatory requirements for vendors operating in the European market.

The provided SBOMs are generated in the CycloneDX format and align with the requirements of [BSI Technical Guideline TR-03183-2](https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/Technische-Richtlinien/TR-nach-Thema-sortiert/tr03183/TR-03183_node.html), published by the German Federal Office for Information Security (BSI). This guideline defines the detailed requirements for enterprise-grade SBOMs, including dependency relationships, cryptographic hashes, component provenance, licensing information, and metadata for deployable artifacts.

### What Do the Text Control SBOMs Contain?

Text Control's Software Bill of Materials (SBOM) provides a structured overview of the components and dependencies included in our distributed NuGet packages. Designed to support enterprise compliance, software supply chain transparency, and security scanning workflows, the SBOMs are provided in the industry-standard CycloneDX format.

> ***"TX Text Control is developed almost entirely in-house and only relies on a handful of external dependencies, resulting in compact and easy-to-review SBOMs."***

The SBOMs contain:

- package name and version information
- supplier and package metadata
- lists of first-party and third-party dependencies
- transitive dependencies included through referenced packages
- included third-party native libraries, including statically linked libraries where applicable
- package identifiers and licensing metadata
- a dependency graph for the package the SBOM describes
 
Fortunately, we develop almost the entire TX Text Control technology stack in-house, so we have very few external dependencies. This makes our SBOMs short and easy to review.

We provide SBOMs for our products to help our customers meet their compliance obligations under the CRA and other regulatory frameworks. This enhances the security and transparency of our software supply chain. We are dedicated to helping our customers navigate the ever-changing landscape of software supply chain security and compliance.

The following NuGet packages are currently covered:

- TXTextControl.TextControl.ASP.SDK
- TXTextControl.TextControl.Core.SDK
- TXTextControl.TextControl.WinForms.SDK
- TXTextControl.TextControl.WPF.SDK
 
- TXTextControl.Web
- TXTextControl.Web.DocumentEditor.Backend
- TXTextControl.Web.DocumentViewer
 
- TXTextControl.TXSpell.Core.SDK
- TXTextControl.TXSpell.WinForms.SDK
- TXTextControl.TXSpell.WPF.SDK
 
For every published package, the following files are available:

 | File | Description |
|---|---|
| `.cyclonedx.json` | The CycloneDX SBOM file in JSON format. |
| `.cyclonedx.json.p7s` | A detached PKCS#7 signature for the SBOM file, allowing users to verify the authenticity and integrity of the SBOM. |

### SBOMs in Enterprise Software Supply Chain Security and Compliance

Ensuring the security of the software supply chain has become one of the most important aspects of enterprise software development and procurement. Modern applications depend on a large number of direct and transitive dependencies. Without transparency into these dependencies, organizations cannot effectively:

- Identify affected components during security incidents
- Automate vulnerability scanning
- Assess software provenance
- Meet compliance requirements
- Implement secure software lifecycle processes
 
Modern enterprise environments are increasingly integrating SBOMs into critical security and compliance workflows. These workflows include CI/CD pipelines, vulnerability scanning platforms, container registries, procurement validation systems, SIEM and governance solutions, and automated VEX and CSAF processes.

SBOMs include detailed dependency relationships, deployable file hashes, exact binary versions, and digital signatures. These features allow SBOMs to be consumed directly by enterprise security tooling and software composition analysis (SCA) platforms. SBOMs support automated validation, vulnerability assessment, and software supply chain transparency.

### Integration Into Security Pipelines

SBOMs can be integrated into CI/CD pipelines to automate security checks and compliance validation. For instance, an SBOM can be generated and automatically scanned for known vulnerabilities using SCA tools during the build process. If critical vulnerabilities are detected, the build fails, which prevents vulnerable software from being deployed. Typical tools for this include:

- Dependency-Track
- OWASP Dependency-Check
- Anchore
- Snyk
- Black Duck
- GitHub Advanced Security
- Microsoft Defender for DevOps
- Container scanning and SCA platforms supporting CycloneDX
 
### Enterprise Focus and Transparency

At Text Control, we have always built our enterprise software development around long-term stability, deterministic behavior, compliance, and transparency. Our ongoing ISO/IEC 27001 efforts are an important part of this strategy. The publication of signed SBOMs is another significant step toward enhancing transparency and supply chain security for our customers.

However, transparency in the software supply chain goes beyond publishing technical metadata files.

When selecting software library vendors, organizations should evaluate not only whether SBOMs are available but also where the software is developed and who writes the code.

Transparency about dependencies is an important aspect of establishing trust in software. Transparency about software origin is equally important. Organizations should ask:

- In which countries is the software developed?
- Is development outsourced?
- Are subcontractors involved?
- Who has access to the source code?
- Which entities participate in the build and release process?
 
At Text Control, our engineering teams in Germany perform all core development, engineering, and product maintenance entirely in-house. We do not outsource core product development or rely on external subcontractors to implement our document processing engines and core technologies.

For enterprise customers operating in regulated industries such as government, healthcare, finance, legal technology, and other compliance-sensitive sectors, software provenance and engineering transparency are critical factors in vendor selection.

The availability of signed, standards-based SBOMs is an important part of our larger commitment to transparency, trust, and enterprise-grade software development.

### How to Access the SBOMs

Signed CycloneDX SBOM files are available for all supported TX Text Control and TX Spell .NET NuGet packages, starting with versions 34.0 and 11.0, respectively.

Customers with an active subscription can [contact our support and sales teams](https://www.textcontrol.com/contact/) to obtain the corresponding SBOM files and detached digital signatures for their licensed products.

If you have any questions about our SBOMs, software supply chain security, or compliance initiatives, please reach out to us. We are dedicated to helping our customers confidently and transparently navigate the complex landscape of software supply chain security and compliance.

---

## About Bjoern Meyer

As CEO, Bjoern is the visionary behind our strategic direction and business development, bridging the gap between our customers and engineering teams. His deep passion for coding and web technologies drives the creation of innovative products. If you're at a tech conference, be sure to stop by our booth - you'll most likely meet Bjoern in person. With an advanced graduate degree (Dipl. Inf.) in Computer Science, specializing in AI, from the University of Bremen, Bjoern brings significant expertise to his role. In his spare time, Bjoern enjoys running, paragliding, mountain biking, and playing the piano.

- [LinkedIn](https://www.linkedin.com/in/bjoernmeyer/)
- [X](https://x.com/txbjoern)
- [GitHub](https://github.com/bjoerntx)

---

## Related Posts

- [Introducing SignFabric: An Open Source, Enterprise-Ready E-Sign Platform Built with TX Text Control](https://www.textcontrol.com/blog/2026/05/06/introducing-signfabric-an-open-source-enterprise-ready-esign-platform-built-with-tx-text-control/llms.txt)
- [TX Text Control vs IronPDF for Enterprise PDF Workflows: Complete Comparison Guide](https://www.textcontrol.com/blog/2026/04/28/tx-text-control-vs-ironpdf-for-enterprise-pdf-workflows-complete-comparison-guide/llms.txt)
- [Building a Modern Track Changes Review Workflow in ASP.NET Core C#](https://www.textcontrol.com/blog/2026/04/28/building-a-modern-track-changes-review-workflow-in-aspnet-core-csharp/llms.txt)
- [Document Classification Without AI: Deterministic, Explainable, and Built for Production in C# .NET](https://www.textcontrol.com/blog/2026/04/23/document-classification-without-ai-deterministic-explainable-built-for-production-in-csharp-dot-net/llms.txt)
- [Using QR Codes in PDF Documents in C# .NET](https://www.textcontrol.com/blog/2026/04/21/using-qr-codes-in-pdf-documents-in-csharp-dotnet/llms.txt)
- [Sanitizing Data in Document Pipelines: A Practical Approach with TX Text Control in C# .NET](https://www.textcontrol.com/blog/2026/04/20/sanitizing-data-in-document-pipelines-a-practical-approach-with-tx-text-control-in-csharp-dotnet/llms.txt)
- [One More Stop on Our Conference Circus: code.talks 2026](https://www.textcontrol.com/blog/2026/04/17/one-more-stop-on-our-conference-circus-code-talks-2026/llms.txt)
- [Build Your Own MCP-Powered Document Processing Backend with TX Text Control](https://www.textcontrol.com/blog/2026/04/16/build-your-own-mcp-powered-document-processing-backend-with-tx-text-control/llms.txt)
- [TXTextControl.Markdown.Core 34.1.0-beta: Work with Full Documents, Selection, and SubTextParts](https://www.textcontrol.com/blog/2026/04/14/txtextcontrol-markdown-core-34-1-0-beta-work-with-full-documents-selection-and-subtextparts/llms.txt)
- [5 Layout Patterns for Integrating the TX Text Control Document Editor in ASP.NET Core C#](https://www.textcontrol.com/blog/2026/04/09/5-layout-patterns-for-integrating-the-tx-text-control-document-editor-in-aspnet-core-csharp/llms.txt)
- [Extracting Structured Table Data from DOCX Word Documents in C# .NET with Domain-Aware Table Detection](https://www.textcontrol.com/blog/2026/04/03/extracting-structured-table-data-from-docx-word-documents-in-csharp-dotnet-with-domain-aware-table-detection/llms.txt)
- [Introducing Text Control Agent Skills](https://www.textcontrol.com/blog/2026/03/27/introducing-text-control-agent-skills/llms.txt)
- [Deploying the TX Text Control Document Editor from the Private NuGet Feed to Azure App Services (Linux and Windows)](https://www.textcontrol.com/blog/2026/03/25/deploying-the-tx-text-control-document-editor-from-the-private-nuget-feed-to-azure-app-services-linux-and-windows/llms.txt)
- [Why Structured E-Invoices Still Need Tamper Protection using C# and .NET](https://www.textcontrol.com/blog/2026/03/24/why-structured-e-invoices-still-need-tamper-protection-using-csharp-and-dotnet/llms.txt)
- [AI Generated PDFs, PDF/UA, and Compliance Risk: Why Accessible Document Generation Must Be Built Into the Pipeline in C# .NET](https://www.textcontrol.com/blog/2026/03/23/ai-generated-pdfs-pdf-ua-and-compliance-risk-why-accessible-document-generation-must-be-built-into-the-pipeline-in-c-sharp-dot-net/llms.txt)
- [File Based Document Repository with Version Control in .NET with TX Text Control](https://www.textcontrol.com/blog/2026/03/20/file-based-document-repository-with-version-control-in-dotnet/llms.txt)
- [Create Fillable PDFs from HTML Forms in C# ASP.NET Core Using a WYSIWYG Template](https://www.textcontrol.com/blog/2026/03/17/create-fillable-pdfs-from-html-forms-in-csharp-aspnet-core-using-a-wysiwyg-template/llms.txt)
- [Why HTML to PDF Conversion is Often the Wrong Choice for Business Documents in C# .NET](https://www.textcontrol.com/blog/2026/03/13/why-html-to-pdf-conversion-is-often-the-wrong-choice-for-business-documents-in-csharp-dot-net/llms.txt)
- [Inspect and Process Track Changes in DOCX Documents with TX Text Control with .NET C#](https://www.textcontrol.com/blog/2026/03/10/inspect-and-process-track-changes-in-docx-documents-with-tx-text-control-with-dotnet-csharp/llms.txt)
- [Text Control at BASTA! Spring 2026 in Frankfurt](https://www.textcontrol.com/blog/2026/03/06/text-control-at-basta-spring-2026-in-frankfurt/llms.txt)
- [From Legacy Microsoft Office Automation to a Future-Ready Document Pipeline with C# .NET](https://www.textcontrol.com/blog/2026/03/02/from-legacy-microsoft-office-automation-to-a-future-ready-document-pipeline-with-csharp-dot-net/llms.txt)
- [We are Gold Partner at Techorama Belgium 2026](https://www.textcontrol.com/blog/2026/02/26/we-are-gold-partner-techorama-belgium-2026/llms.txt)
- [Text Control Sponsors & Exhibits at BASTA! Spring 2026 in Frankfurt](https://www.textcontrol.com/blog/2026/02/26/text-control-sponsors-exhibits-basta-spring-2026-frankfurt/llms.txt)
- [Azure DevOps with TX Text Control .NET Server 34.0: Private NuGet Feed and Azure Artifacts](https://www.textcontrol.com/blog/2026/02/25/azure-devops-with-tx-text-control-dotnet-server-34-0-private-nuget-feed-and-azure-artifacts/llms.txt)
- [TX Text Control 34.0 SP2 is Now Available: What's New in the Latest Version](https://www.textcontrol.com/blog/2026/02/18/tx-text-control-34-0-sp2-is-now-available/llms.txt)