
Unlocking Software Supply Chain Security: Updates from Ecma TC54 and OWASP | CRA Mondays

By Juan Rico

This post is part of our CRA Mondays series. It captures a recent session featuring Samina Husain (Ecma International), Steve Spring (Chair of Ecma TC54), and Philippe Ombredanne (AboutCode), exploring the ongoing work in Ecma’s TC54 committee and its alignment with the EU’s Cyber Resilience Act (CRA).

Spotlight on Ecma TC54

The session opened with Samina Husain, Secretary General of Ecma International, introducing the history and role of Ecma in standardisation and its recent focus on the CRA. She explained how Ecma collaborated with OWASP to publish the CycloneDX specification as Ecma-424, highlighting the speed and efficiency of their process:

“We came together, did strong due diligence, and produced the CycloneDX standard very quickly.”

Samina emphasised the importance of ESBOMs (extended software bills of materials) for transparency and compliance and outlined how Ecma continues to expand work in areas such as package URLs, lifecycle events, and sustainability specifications.

Software and System Transparency

Steve Spring provided a deep dive into TC54’s current and future initiatives. He described how TC54 draws inspiration from the success of TC39 (the JavaScript standards committee), but applies it to transparency and supply chain security:

“TC54 is capable of delivering international standards with the rigor you’d expect — but at a much higher velocity.”

Steve explained the broad scope of CycloneDX, including the upcoming 1.7 and 2.0 versions, which expand into sustainability, threat modeling, and behaviour analysis. He highlighted the importance of preparing for future regulatory needs.

Package URL and Version Ranges

Philippe Ombredanne focused on the Package URL (purl) and version range (vers) specifications, which are critical for accurately identifying and tracking software across ecosystems. He noted that adoption is accelerating:

“Support for PURL is being merged into the CVE schema at the same level as CPEs — this is huge for making vulnerabilities more actionable.”

Philippe also stressed the need for reliable tools and benchmarks to validate SBOMs and prevent inaccurate data from undermining supply chain security.
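To make the identification and validation points concrete, here is an added example (not code from the session, nor from the purl, vers or CycloneDX projects) that parses Package URLs into their components, evaluates a vers range against a version, and then runs both over a constructed CycloneDX-style component list, rejecting a malformed purl and flagging the component that falls inside a constructed advisory's range. The SBOM fragment, the advisory (with the placeholder id EXAMPLE-0001) and the plain dotted-integer version ordering are all assumptions; real ecosystems have their own version semantics that this simplified comparison ignores.

```python
# Added example: purl parsing, vers range evaluation and a simple SBOM check.
# Not code from the session or from the purl/vers/CycloneDX projects. Sample
# data is constructed; version ordering is a plain dotted-integer compare
# (assumption: ecosystem-specific ordering rules are ignored).
import re
from urllib.parse import unquote

SAMPLE_SBOM = {  # constructed CycloneDX-style fragment, not a real inventory
    "bomFormat": "CycloneDX", "specVersion": "1.6",
    "components": [
        {"purl": "pkg:npm/lodash@4.17.15"},
        {"purl": "pkg:npm/%40angular/core@12.0.1"},
        {"purl": "pkg:pypi/requests@2.31.0?repository_url=https://pypi.org"},
        {"purl": "pkg:npm/@1.0"},  # empty name: a validator must reject this
    ],
}
SAMPLE_ADVISORY = {  # constructed; EXAMPLE-0001 is a placeholder, not a CVE
    "id": "EXAMPLE-0001",
    "affected": {"type": "npm", "namespace": None, "name": "lodash"},
    "vers": "vers:npm/>=4.0.0|<4.17.21",
}


def parse_purl(purl):
    """Split pkg:type/namespace/name@version?qualifiers#subpath into a dict."""
    if not purl.startswith("pkg:"):
        raise ValueError("purl must start with 'pkg:'")
    rest = purl[4:].lstrip("/")
    rest, _, subpath = rest.partition("#")      # subpath comes after '#'
    rest, _, qualifiers = rest.partition("?")   # qualifiers after '?'
    head, sep, tail = rest.rpartition("@")      # version after the last '@'
    rest, version = (head, tail) if sep else (rest, "")
    segments = rest.split("/")
    if len(segments) < 2 or not segments[-1]:
        raise ValueError("purl needs a type and a non-empty name")
    quals = {}
    for pair in filter(None, qualifiers.split("&")):
        key, _, val = pair.partition("=")
        quals[key.lower()] = unquote(val)
    return {"type": segments[0].lower(),
            "namespace": "/".join(unquote(s) for s in segments[1:-1]) or None,
            "name": unquote(segments[-1]),
            "version": unquote(version) or None,
            "qualifiers": quals, "subpath": unquote(subpath) or None}


_CMP = re.compile(r"^(>=|<=|!=|>|<|=)?(.+)$")


def _vkey(v):
    """Sort key: dotted integers; non-numeric parts count as 0 (assumption)."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def parse_vers(vers):
    """'vers:<scheme>/<c1>|<c2>|...' -> (scheme, [(comparator, version)])."""
    if not vers.startswith("vers:"):
        raise ValueError("vers must start with 'vers:'")
    scheme, _, body = vers[5:].partition("/")
    cons = []
    for c in filter(None, body.split("|")):
        if c == "*":
            cons.append(("*", None))
            continue
        m = _CMP.match(c)
        cons.append((m.group(1) or "=", unquote(m.group(2))))
    return scheme.lower(), cons


def version_in_range(version, vers):
    """Containment test: pairwise walk over sorted bounds, as the vers spec
    describes, but with the simplified ordering from _vkey."""
    _, cons = parse_vers(vers)
    if cons == [("*", None)]:
        return True
    v = _vkey(version)
    if any(op == "=" and _vkey(cv) == v for op, cv in cons):
        return True
    if any(op == "!=" and _vkey(cv) == v for op, cv in cons):
        return False
    below = lambda op, cv: v < _vkey(cv) or (op == "<=" and v == _vkey(cv))
    above = lambda op, cv: v > _vkey(cv) or (op == ">=" and v == _vkey(cv))
    bounds = sorted((c for c in cons if c[0] not in ("=", "!=", "*")),
                    key=lambda c: _vkey(c[1]))
    if not bounds:
        return False
    if bounds[0][0] in ("<", "<=") and below(*bounds[0]):
        return True   # version lies before the first upper bound
    if bounds[-1][0] in (">", ">=") and above(*bounds[-1]):
        return True   # version lies after the last lower bound
    for (op1, v1), (op2, v2) in zip(bounds, bounds[1:]):
        if (op1 in (">", ">=") and op2 in ("<", "<=")
                and above(op1, v1) and below(op2, v2)):
            return True   # version falls inside a lower/upper pair
    return False


def check_sbom(sbom, advisory):
    """Reject malformed purls and flag components inside the advisory range."""
    scheme, _ = parse_vers(advisory["vers"])
    aff = advisory["affected"]
    report = {"invalid": [], "affected": [], "clean": []}
    for comp in sbom.get("components", []):
        purl = comp.get("purl", "")
        try:
            p = parse_purl(purl)
        except ValueError as err:
            report["invalid"].append((purl, str(err)))
            continue
        same_pkg = ((p["type"], p["namespace"], p["name"])
                    == (aff["type"], aff["namespace"], aff["name"])
                    and p["type"] == scheme)
        if same_pkg and p["version"] and version_in_range(p["version"],
                                                          advisory["vers"]):
            report["affected"].append(purl)
        else:
            report["clean"].append(purl)
    return report


if __name__ == "__main__":
    print(check_sbom(SAMPLE_SBOM, SAMPLE_ADVISORY))
```

Running the module reports `pkg:npm/lodash@4.17.15` as affected, the two other well-formed components as clean, and `pkg:npm/@1.0` as invalid. The invalid bucket is the point Philippe raised: an SBOM whose identifiers do not parse cannot be matched against any advisory, so validation has to come before matching. The range evaluator keeps the scheme from the vers string and compares it with the purl type, so an npm range is never applied to a PyPI package of the same name.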

Why This Matters for CRA

The discussion reinforced how Ecma TC54’s work connects directly to CRA compliance. ESBOMs, lifecycle event tracking, and transparency APIs all help organisations meet regulatory requirements while fostering best practices in security and software development. As one participant put it:

“Transparency isn’t just about meeting regulations — it’s about building trust and resilience into the digital supply chain.”


This presentation is valuable for anyone involved in compliance, open source governance, or cybersecurity. It illustrates how industry collaboration is shaping practical tools to meet the CRA’s ambitious goals.

See below for the video. Learn more about ORC and join the conversation: orcwg.org.

