mehl.mx/content/blog/2026-01-fosdem-supply-chain-strategy/index.md
Commit 907db96de0 by Max Mehl, 2026-03-02 18:04:51 +01:00: add mastodon URLs to recent posts

---
title: Software Supply Chain Strategy at Deutsche Bahn
date: 2026-01-31
categories:
  - english
  - presentation
tags:
  - OSPO
  - SupplyChain
  - Security
  - DeutscheBahn
headerimage:
  src: fosdem-2026-sbom-cra.jpg
  alt: Max Mehl giving the presentation at FOSDEM 2026. The image contains the title slide in large, and a small picture of Max Mehl in the corner.
  processes: fill 1000x440 bottom webp
video: https://video.fosdem.org/2026/ua2114/ZSWH3N-deutsche-bahn-supply-chain-cra-strategy.av1.webm
slides: https://fosdem.org/2026/events/attachments/ZSWH3N-deutsche-bahn-supply-chain-cra-strategy/slides/266949/2026-01-3_7kstxwl.pdf
event:
  name: FOSDEM 2026
  href: https://fosdem.org/2026/schedule/event/ZSWH3N-deutsche-bahn-supply-chain-cra-strategy/
mastodon_toot_url: https://mastodon.social/@mxmehl/116160561981890042
---

At FOSDEM 2026, I presented Deutsche Bahn's software supply chain strategy in the context of the EU Cyber Resilience Act (CRA), but made clear from the start that the CRA was the context, not the trigger. We didn't adopt SBOMs because of regulation; regulation validated the direction we were already taking based on operational needs. The presentation positioned our work at the intersection of CRA compliance requirements, IT operations best practices, and the practical realities of running IT infrastructure for an organization with 220,000+ employees, 7,000+ IT applications, and 100,000+ Open Source components.

I outlined how we understand the CRA as consisting of four activity areas: general principles of secure software (which we already do), professional handling of vulnerabilities (also already doing), transparency of software supply chains with SBOMs (the new challenge and the focus of this talk), and information to users plus conformity assessments (out of scope but interesting). Deutsche Bahn's challenge is particularly complex because we take on different roles (customer, manufacturer, and indirectly even steward) across our diverse operations. We build software for ourselves and for external customers (ranging from operating systems in train displays to mobile apps), we buy software (local, on-premise, SaaS, bundled in hardware such as trains), and we operate everything across multiple environments (on-premise, cloud, edge/embedded).

The strategy presentation emphasized how we created an SBOM architecture from scratch to handle this complexity. Working with a small interdisciplinary volunteer group, we focused on iterating quickly, gathering continuous feedback, and thinking in capabilities rather than specific tools. Our technical principles centered on modularity, open standards and interfaces, and central SBOM storage with decentralized sourcing and analysis, which provides the flexibility needed to adapt to varying stakeholder needs and evolving regulations. The key message was that at DB's scale and diversity, you cannot implement a one-size-fits-all solution overnight. Instead, we prioritize based on identified risks and external requirements, document everything publicly, and connect the concrete CRA compliance requirements with our broader effort to bring transparency to software supply chains. This transparency forms the basis not just for regulatory compliance, but for security processes, license compliance, and proactively shaping the Open Source ecosystems we depend on.
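To make the "central storage, decentralized sourcing" principle concrete, here is a small added example (not code from the talk or from Deutsche Bahn's tooling). It assumes that SBOMs arrive as CycloneDX JSON documents from independent sources such as build pipelines or vendor deliveries; the page itself only says "open standards and interfaces", so the choice of CycloneDX, the application names and the component lists are all constructed for illustration. The store answers the question a security process needs first when a vulnerability becomes public: which of our applications ship a given component, and in which versions.

```python
"""Minimal central SBOM store fed by decentralized sources.

Hypothetical illustration of the architecture principle described in the post:
each team or supplier produces its own SBOM (decentral sourcing); one store
keeps them and answers cross-application queries (central storage/analysis).
"""
from __future__ import annotations

import json
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    purl: str  # package URL; empty when the source did not provide one


def parse_cyclonedx(doc: dict) -> tuple[str, set[Component]]:
    """Return (application name, components) from a CycloneDX JSON document.

    Only the fields needed for inventory queries are read. The format marker
    is checked so that unrelated JSON is rejected at the ingest boundary
    instead of silently producing an empty inventory.
    """
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    app = doc.get("metadata", {}).get("component", {}).get("name")
    if not app:
        raise ValueError("SBOM does not name the application it describes")
    comps: set[Component] = set()
    for c in doc.get("components", []):
        if "name" not in c:
            continue  # skip a malformed entry rather than failing the whole ingest
        comps.add(Component(c["name"], c.get("version", ""), c.get("purl", "")))
    return app, comps


class SbomStore:
    """Central storage; every uploader only knows its own application."""

    def __init__(self) -> None:
        self._apps: dict[str, set[Component]] = {}
        self._sources: dict[str, str] = {}

    def ingest(self, source: str, sbom_json: str) -> str:
        app, comps = parse_cyclonedx(json.loads(sbom_json))
        self._apps[app] = comps  # a newer upload for an application replaces the old one
        self._sources[app] = source
        return app

    def applications_using(self, name: str, version: str | None = None) -> list[str]:
        """Applications shipping a component (optionally a specific version)."""
        hits = []
        for app, comps in self._apps.items():
            if any(c.name == name and (version is None or c.version == version)
                   for c in comps):
                hits.append(app)
        return sorted(hits)

    def component_versions(self, name: str) -> dict[str, list[str]]:
        """Map each shipped version of a component to the applications using it."""
        out: dict[str, list[str]] = defaultdict(list)
        for app, comps in self._apps.items():
            for c in comps:
                if c.name == name:
                    out[c.version].append(app)
        return {v: sorted(apps) for v, apps in out.items()}


def _sample_sbom(app: str, comps: list[tuple[str, str]]) -> str:
    # Constructed sample document; application and component data are illustrative.
    return json.dumps({
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "metadata": {"component": {"name": app, "type": "application"}},
        "components": [
            {"type": "library", "name": n, "version": v, "purl": f"pkg:generic/{n}@{v}"}
            for n, v in comps
        ],
    })


# Three SBOMs from three independent sources (constructed, not real DB data).
SAMPLE_SBOMS = {
    "ci-pipeline/train-display": _sample_sbom("train-display-os", [("openssl", "3.0.9"), ("zlib", "1.2.13")]),
    "ci-pipeline/mobile": _sample_sbom("mobile-app", [("okhttp", "4.12.0"), ("zlib", "1.2.13")]),
    "vendor-delivery/connector": _sample_sbom("saas-connector", [("openssl", "3.0.13")]),
}


def build_store() -> SbomStore:
    store = SbomStore()
    for source, sbom in SAMPLE_SBOMS.items():
        store.ingest(source, sbom)
    return store


if __name__ == "__main__":
    s = build_store()
    print(s.applications_using("zlib"))       # ['mobile-app', 'train-display-os']
    print(s.component_versions("openssl"))    # {'3.0.9': ['train-display-os'], '3.0.13': ['saas-connector']}
```

The query layer deliberately does not care where an SBOM came from: a pipeline-generated SBOM and one delivered by a supplier with a piece of hardware land in the same inventory, which is what lets one "is component X in use anywhere?" question cover the whole estate.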

The day after, I gave a [follow-up presentation on our large-scale SBOM collection and use]({{< relref "2026-02-fosdem-sbom-collection" >}}), which dove deeper into the technical architecture and practical lessons learned from our initial implementation. The two talks together provided a comprehensive overview of how Deutsche Bahn is approaching software supply chain strategy in the context of CRA and beyond.