ENISA publishes the first EU-wide SBOM Adoption State of Play — consumption lags generation

ENISA released its end-2025 SBOM adoption survey on 9 June — the first EU-wide empirical baseline (ENISA). The report confirms the CRA is the primary accelerant of SBOM adoption and that organisations are investing in SBOM generation and SDLC/CI-CD integration. The practical gap this creates — generation capability advancing faster than operational consumption (ingesting a vendor's SBOM into your own vulnerability-management workflow) — is the operational challenge it implies for Swiss/EU procurers; that framing is this brief's inference, not a stated headline of the report. It lands 94 days before the CRA's 11 September reporting-platform milestone. What to do differently: for public-sector procurement, demand SBOM deliverables in tenders now and verify your own consuming capability — generating SBOMs satisfies a producer obligation, but the defensive value (correlating known-bad components against CVE feeds) only materialises if you can ingest supplier SBOMs before the reporting obligation begins. This connects directly to § 6's "technology is the front line" synthesis.