Compliance

The SBOMs, evidence, and audit trail that standards ask for

Most modern security standards now carry explicit software-supply-chain and SBOM requirements. Verifi produces the artifacts they ask for: a bill of materials, vulnerability evidence, and a record of what was blocked, fixed, and why.

What Verifi provides

SBOMs you can hand over

Generate a software bill of materials in CycloneDX or SPDX, with VEX so the list carries exploitability answers, not just components.

Vulnerability evidence, known and novel

Detect known issues from authoritative advisory data and novel ones no feed has listed, then filter by what is reachable in your code.

A remediation audit trail

Every block and every automated fix traces back to the finding, the decision, and the policy version that caused it. That trail is the evidence an auditor asks for.

Verifi supports and evidences these requirements. It does not by itself make you compliant, which is an organisational judgement made with your assessor. The clauses below are a scoping aid: always check the current text of each standard, because it changes (the US federal requirement, for one, moved to a risk-based model in 2026).

Regulations

Legal obligations

Where the requirement is law in a jurisdiction or sector.

EU NIS2 Directive

EU directive, 2022/2555

Article 21(2)(d) requires supply-chain security, and 21(2)(e) requires vulnerability handling and disclosure in the acquisition, development, and maintenance of systems.

Verifi: Detection and registry blocking to vet components, plus automated vulnerability handling and remediation.

EU Cyber Resilience Act

EU regulation, 2024/2847

Annex I requires an SBOM in a commonly used, machine-readable format covering at least the top-level dependencies, plus vulnerability handling and security updates over the support period.

Verifi: Generates SBOMs in CycloneDX or SPDX, detects vulnerabilities, and drives the fixes. The strongest SBOM mandate of the set.

EU GDPR

EU regulation, 2016/679

Article 32 requires appropriate, state-of-the-art technical measures to secure the processing of personal data. It does not name SBOMs.

Verifi: Dependency detection and blocking are part of those technical measures where a vulnerable component would put personal data at risk.

US EO 14028 and NIST SSDF

US federal

Directs secure development aligned with the NIST SSDF (SP 800-218), with SBOMs as preferred conformance evidence. As of 2026 the federal attestation and SBOM requirement is risk-based and at agency discretion, not a blanket mandate.

Verifi: SBOMs and detection aligned with SSDF practices. Positioned as aligned with the framework, not as meeting a hard mandate.

US FDA, FD&C Act 524B

US, medical devices

Manufacturers of cyber devices must provide an SBOM covering commercial, open-source, and off-the-shelf components, plus a plan to monitor and patch vulnerabilities.

Verifi: SBOM generation and ongoing vulnerability monitoring for the device software estate.

Frameworks and standards

Voluntary, certifiable, or audited

Where the requirement is a certification, an audit report, or an adopted best practice.

ISO/IEC 27001:2022

Certifiable ISMS

Annex A 8.8 covers management of technical vulnerabilities, and 8.28 covers secure coding, including the risk in third-party libraries.

Verifi: Continuous detection, a vulnerability inventory, and policy-based decisions on what to act on.

NIST SSDF, SP 800-218

US framework

PW.4 vet and maintain third-party components, PS.3 provenance, RV.1 identify and analyse vulnerabilities, RV.2 remediate.

Verifi: Maps across the PS, PW, and RV practices listed above. The cleanest framework-level fit for Verifi.

NIST SP 800-53 Rev. 5

US control catalog

RA-5 vulnerability scanning, and the Supply Chain Risk Management (SR) family for provenance and component authenticity.

Verifi: Detection, provenance signals, and registry blocking.

OWASP

Industry framework

Top 10 A06:2021 Vulnerable and Outdated Components, and CycloneDX, the OWASP machine-readable SBOM standard.

Verifi: Detects vulnerable and outdated components and exports CycloneDX SBOMs.

CIS Controls v8

Industry framework

16.4 maintain an inventory of third-party software components (a bill of materials), and 16.5 use trusted, up-to-date components.

Verifi: SBOMs, detection, and registry blocking of untrusted components.

SOC 2

AICPA Trust Services Criteria

CC7.1 detect and monitor vulnerabilities, and CC9.2 vendor and third-party risk. Auditors want evidence of management and remediation.

Verifi: Detection plus an audit trail that gives the auditor the evidence directly.

PCI DSS 4.0.1

Payments standard

6.3.1 manage vulnerabilities including those in third-party and open-source components, and 6.3.2 keep an inventory of bespoke and custom software and the third-party components it incorporates, to support vulnerability and patch management. 6.3.2 was a best practice until 31 March 2025 and has been mandatory since.

Verifi: SBOMs, detection, and remediation tracking against the inventory.

SBOM and exploitability formats

The formats that thread through all of it

SPDX (ISO/IEC 5962:2021) and CycloneDX are the two common machine-readable SBOM formats these standards accept. The NTIA minimum elements set the baseline fields: supplier name, component name, version, other unique identifiers, dependency relationship, author of the SBOM data, and timestamp. VEX adds machine-readable exploitability, so an SBOM carries answers (affected, not affected and why, fixed, under investigation) rather than just a component list, which is exactly what Verifi decisioning and reachability produce.
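To make the shape of that output concrete, here is an added illustration, not Verifi's own code or an example of its output: a script that assembles a minimal CycloneDX 1.5 document with VEX statements in its vulnerabilities section, checks each component for the NTIA minimum elements, and lists the findings a policy gate would still treat as open. Every package name, version, supplier, and the advisory identifier EXAMPLE-000N is a constructed placeholder; the function names are this example's own.

```python
"""Minimal CycloneDX 1.5 SBOM with embedded VEX, plus an NTIA minimum-elements check.

Added illustration only; not Verifi's code or output. Every package name,
version, supplier and the advisory id EXAMPLE-000N below is a constructed
placeholder, not a real component or advisory.
"""
import json
import uuid
from datetime import datetime, timezone

# Constructed inventory: what a dependency scan of a sample app might return.
# example-crypto deliberately lacks a supplier so the NTIA check has a gap to report.
COMPONENTS = [
    {"type": "library", "name": "example-http", "version": "2.4.1",
     "purl": "pkg:pypi/example-http@2.4.1", "supplier": {"name": "Example Org"}},
    {"type": "library", "name": "example-yaml", "version": "5.0.0",
     "purl": "pkg:pypi/example-yaml@5.0.0", "supplier": {"name": "Example Org"}},
    {"type": "library", "name": "example-crypto", "version": "0.9.0",
     "purl": "pkg:pypi/example-crypto@0.9.0"},
]

# Constructed VEX decisions keyed by purl: (state, justification, detail).
# States and justifications are CycloneDX impact-analysis enum values.
VEX = {
    "pkg:pypi/example-http@2.4.1": (
        "exploitable", None,
        "Vulnerable parser is on the request path; reachability confirmed."),
    "pkg:pypi/example-yaml@5.0.0": (
        "not_affected", "code_not_reachable",
        "Unsafe loader is never called by this application."),
}

# NTIA minimum elements that live on each component (author and timestamp sit in metadata).
NTIA_COMPONENT_FIELDS = ("supplier", "name", "version", "purl")


def build_sbom(app_name="example-app", app_version="1.0.0"):
    """Assemble a CycloneDX 1.5 BOM dict for the constructed inventory above."""
    root_ref = f"pkg:generic/{app_name}@{app_version}"
    bom = {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "authors": [{"name": "example-sbom-generator"}],  # NTIA: author of SBOM data
            "component": {"type": "application", "name": app_name,
                          "version": app_version, "bom-ref": root_ref},
        },
        # purl doubles as bom-ref so dependencies and VEX statements can point at it.
        "components": [dict(c, **{"bom-ref": c["purl"]}) for c in COMPONENTS],
        # NTIA: dependency relationship. Flat graph: the app depends on every library.
        "dependencies": [{"ref": root_ref, "dependsOn": [c["purl"] for c in COMPONENTS]}]
                        + [{"ref": c["purl"], "dependsOn": []} for c in COMPONENTS],
        "vulnerabilities": [],
    }
    for i, (purl, (state, justification, detail)) in enumerate(VEX.items(), start=1):
        analysis = {"state": state, "detail": detail}
        if justification:  # only meaningful for not_affected
            analysis["justification"] = justification
        bom["vulnerabilities"].append({
            "id": f"EXAMPLE-{i:04d}",            # constructed placeholder id
            "source": {"name": "constructed-example"},
            "analysis": analysis,
            "affects": [{"ref": purl}],
        })
    return bom


def ntia_gaps(bom):
    """Map bom-ref -> missing NTIA minimum elements; an empty dict means the BOM is complete."""
    declared = {d["ref"] for d in bom.get("dependencies", [])}
    gaps = {}
    for c in bom["components"]:
        missing = [f for f in NTIA_COMPONENT_FIELDS if not c.get(f)]
        if c["bom-ref"] not in declared:
            missing.append("dependency relationship")
        if missing:
            gaps[c["bom-ref"]] = missing
    return gaps


def actionable_findings(bom):
    """Refs whose VEX state still needs work: exploitable or not yet triaged."""
    open_states = {"exploitable", "in_triage"}
    return sorted(a["ref"] for v in bom["vulnerabilities"]
                  if v["analysis"]["state"] in open_states for a in v["affects"])


def to_json(bom):
    """Serialise the BOM as the JSON an auditor or downstream tool would receive."""
    return json.dumps(bom, indent=2)


if __name__ == "__main__":
    sbom = build_sbom()
    print(to_json(sbom))
    print("NTIA gaps:", ntia_gaps(sbom))
    print("Still actionable:", actionable_findings(sbom))
```

The not_affected plus code_not_reachable pair is the machine-readable form of a reachability decision, and anything left in exploitable or in_triage is what a policy gate keeps blocking; the NTIA check is worth running before handing an SBOM over, because a component with no supplier or no dependency edge is the kind of gap an assessor will flag first.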

Map Verifi to your framework

Tell us which standards you report against and we will walk through the specific clauses and the evidence Verifi produces for each.