In a talk at QCon London 2026, Viktor Petersson argued that software teams are running out of time to adopt SBOMs (Software Bills of Materials) due to pending legislative changes in both the US and Eu

InfoQ is a leading online platform for software developers, architects, and technical leaders, providing news, articles, presentations, and interviews on a wide range of topics, including agile practices, DevOps, microservices, and emerging technologies. With a focus on quality content and expert insights, InfoQ helps professionals stay informed about the latest trends, best practices, and industry developments. Developers can learn from real-world experiences, gain  knowledge, and connect with peers in the global software community through InfoQ's diverse and engaging content.

InfoQ

Viktor Petersson's QCon London 2026 talk covers the growing legal pressure on software teams to adopt SBOMs, driven by the EU Cyber Resilience Act (enforcement starting September 2026), US Executive Order 14028, FDA requirements, and PCI-DSS 4.0. He explains the two dominant SBOM formats—SPDX and CycloneDX—and outlines a four-stage pipeline for high-quality SBOM generation: creation, augmentation, enrichment, and signing. Petersson warns against common mistakes like using generic scanners on large Docker images, skipping signing, and merging multi-ecosystem SBOMs. He also introduces the Transparency Exchange API (TEA), an OWASP/ECMA initiative for standardized SBOM distribution, and stresses that versioned SBOM lifecycle management is as critical as source code version control.

QCon London 2026: SBOMs Move From Best Practice to Legal Obligation as CRA Enforcement Looms