SBOM Credentials
Three tiers of software-supply-chain evidence — independently verifiable through the ECZ-ID Resolver. Choose the tier that matches your release cadence and buyer footprint, then move into the guided flow. Acquisition is handled in TrustOps. Verification is handled in Resolver. This site explains and routes.
What this is
SBOM — Software Bill of Materials — is the evidence chain that lets a buyer, auditor, or regulator independently confirm what a piece of software is built from. ECZ-ID SBOM credentials convert your SBOM data, vulnerability posture, product evidence record, and IoT device provenance into resolver-verifiable credentials that a counterparty can query directly — without you sending a spreadsheet or PDF.
The site explains what each tier covers and routes you to TrustOps to acquire it. Resolver is where counterparties later check the evidence. The site does not issue credentials, host checkout, or perform verification.
Choose a tier
SBOM Essentials
Software suppliers entering SBOM scope or supplying a small number of regulated or enterprise buyers.
Baseline SBOM-aligned evidence: software supply chain transparency, product evidence record, cyber posture, and IoT device provenance — independently queryable in Resolver.
Fits when: You need SBOM evidence in a form a buyer or auditor can verify without document exchange.
What is inside
- Software Supply Chain Passport™
- Product Passport™
- Cyber Resilience Passport™
- IoT Device Passport™
SBOM Managed
Software suppliers whose release cadence is outpacing manual SBOM evidence cycles.
Everything in Essentials, plus per-release SBOM refresh, vulnerability disclosure cadence, and component drift review support.
Fits when: Your SBOM is in Resolver, but stale provenance between releases is becoming the operational risk.
What is inside
- SBOM Essentials baseline
- Per-release SBOM refresh
- Vulnerability disclosure cadence
- Component drift review support
SBOM Enterprise
Software vendors at portfolio scale where SBOM exposure is a board, audit-committee, insurer, and capital-provider concern.
Everything in Managed, plus portfolio-wide SBOM operations, critical-infrastructure software evidence record, board and capital disclosure, and Capital Access Overlay alignment.
Fits when: You need a single resolver entry covering portfolio SBOM posture for buyers, auditors, insurers, and capital providers.
What is inside
- SBOM Managed baseline
- Portfolio-wide SBOM operations
- Board and capital SBOM disclosure pack
- Critical-infrastructure software evidence record
- Capital Access Overlay alignment
How the flow works
1. Explain. This page sets out what each SBOM tier covers and who it fits.
2. Guided flow. Each tier has a short qualification and breakdown flow on this site.
3. TrustOps midpoint. Halfway through the flow you are routed into TrustOps to acquire the tier.
4. Return. When TrustOps completes acquisition it returns you to this site with continuation state, and the flow resumes from the post-acquisition step.
5. Verification. Counterparties verify your SBOM posture independently at resolver.ecocitizenz.org. Verification is not performed on this site.
What this site does not claim
- This site does not issue regulator certifications.
- This site does not perform vulnerability disclosure evidence record.
- This site does not host checkout or take payment for credentials.
- This site does not verify credentials — Resolver does that, independently.
- SBOM tiers describe ECZ-ID credential coverage, not regulator endorsement.
Formal governance and specifications are published at ecocitizenz.org. ECZ-ID provides resolver-verifiable software-supply-chain evidence, not regulatory authority or endorsement.
DORA scope as well?
If your ICT operating posture is also under DORA scope, the DORA + SBOM Enterprise Suite combines DORA Enterprise and SBOM Enterprise into a single resolver-backed programme.
