
Support of Cyber Resilience Act #472828

@h0nIg

Description


Problem statement:

European companies need to fulfill first parts of the cyber resilience act, starting 12th Sept 2026. They have an obligation to report vulnerabilities and security incidents, including vulnerabilities relevant in their used software (e.g. libraries or used tools as part of a docker image).

Details:

https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Cyber_Resilience_Act/cyber_resilience_act_node.html

All products sold in the EU that contain ‘digital elements’ must fulfill the essential requirements of the CRA. This includes low-cost consumer products as well as B2B software and complex high-end industrial systems. ‘Products with digital elements’ are defined in the CRA as products including their respective remote data processing solutions that can be directly or indirectly connected to a device or a network. Consequently, the CRA applies to both connected hardware products (e.g. smartphones, laptops, smart home products, smart watches, internet connected toys, but also microprocessors, firewalls and smart meter gateways within smart metering systems) as well as software products (e.g. accounting software, computer games, mobile apps).

and

The CRA requires manufacturers to create a SBOM with the aim of using it in vulnerability handling

CRA is about reliably matching vulnerabilities to used components.
Companies relying on nixpkgs for a commercial product cannot use nixpkgs after 12th Sept 2026 if they cannot reliably associate vulnerabilities to their used libraries / tools. Most of the package vendors in nixpkgs either do not request a CPE (formal process) or they do not have a CPE set in nixpkgs meta.

State of today IMHO: It is either required to push software vendors to use CPE (unrealistic) or use a valid-by-design approach such as package URLs. Package URLs can even get matched to CVEs: https://github.com/CVEProject/cve-schema/releases/tag/v5.2.0
Disclaimer: there is even SWID which may be a solution as well.

Once such a tool - without match identification possibilities - is in the dependency tree, the European company is not allowed to use nixpkgs anymore.

Possible impact:

IF nixpkgs is not able to incorporate sufficient information to reliably produce a SBOM, it will lose companies using nixpkgs.

Possible opportunities:

IF nixpkgs is able to provide data for a full SBOM with accurate data, it will drive nix / nixpkgs adoption. There are not many tools compared to nixpkgs which have a sufficient level of data out of the box.
