
Generating an SBOM is not enough for Java teams

Monday, February 9, 2026 - 06:00 by Daniela Nastase

Many Java teams already generate Software Bills of Materials (SBOMs). In isolation, that is not particularly difficult. What is more challenging, and increasingly important under the EU Cyber Resilience Act (CRA), is demonstrating that an SBOM accurately reflects what is actually running in production.

Ixchel Ruiz is a senior software developer with more than two decades of experience developing Java systems. At Open Community Experience 2026, she will bring that experience to a problem many Java teams underestimate: the gap between generating SBOMs and being able to prove they are correct.

One of the most common misconceptions is treating SBOMs as static artefacts. As Ruiz explains, “Generating something is very different from proving that whatever I’m generating actually matches the shipped product, is reproducible, and is complete.” In modern Java systems, this distinction matters. Teams rarely ship a single artefact. Shaded JARs, BOM-managed dependencies, container images, platform-specific runtimes, and additional assets all influence what ultimately executes in production.

This is why CRA is not merely a documentation exercise. It formalises a failure mode the industry has already experienced. During incidents such as Log4Shell, many teams struggled to answer a basic question: am I affected? Not because tooling was missing, but because there was uncertainty about what was running compared to what teams believed they had shipped.
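The gap described above, between the SBOM a build produces and the dependencies actually bundled into a shaded JAR, can be checked mechanically. The script below is an added example, not code from the article or from the speakers: it reads the `META-INF/maven/<groupId>/<artifactId>/pom.properties` files that Maven embeds in a JAR (and that a shade plugin carries along for each relocated dependency), turns them into `group:artifact:version` coordinates, and compares them with the `components` list of a CycloneDX-style SBOM. The JAR and SBOM are constructed in memory with placeholder coordinates so the script runs offline; in practice you would point it at the artefact that was actually deployed.

```python
"""Reconcile a CycloneDX-style SBOM against the Maven coordinates embedded
in a shipped (shaded) JAR.

Added example, not from the article or its speakers.  The JAR and the SBOM
below are constructed in memory and use placeholder coordinates; on a real
system you would read the deployed artefact and the SBOM produced by the
build instead.
"""
import io
import json
import zipfile


def parse_properties(text: str) -> dict:
    """Minimal parser for Java .properties files (key=value, '#'/'!' comments)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def components_in_jar(jar_bytes: bytes) -> set:
    """Return 'group:artifact:version' for every pom.properties inside the JAR."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            parts = name.split("/")
            # Expected layout: META-INF/maven/<groupId>/<artifactId>/pom.properties
            if len(parts) == 5 and parts[:2] == ["META-INF", "maven"] \
                    and parts[4] == "pom.properties":
                props = parse_properties(jar.read(name).decode("utf-8"))
                try:
                    found.add(f'{props["groupId"]}:{props["artifactId"]}:{props["version"]}')
                except KeyError:
                    # Incomplete coordinates are themselves a finding: record the path.
                    found.add(f"UNKNOWN:{name}")
    return found


def components_in_sbom(sbom: dict) -> set:
    """Same coordinate form, taken from a CycloneDX JSON document's components."""
    return {f'{c.get("group", "")}:{c["name"]}:{c["version"]}'
            for c in sbom.get("components", [])}


def reconcile(jar_bytes: bytes, sbom: dict) -> dict:
    """Three buckets: shipped but undeclared, declared but not shipped, matched."""
    in_jar = components_in_jar(jar_bytes)
    in_sbom = components_in_sbom(sbom)
    return {
        "undeclared": sorted(in_jar - in_sbom),   # running in production, absent from SBOM
        "not_shipped": sorted(in_sbom - in_jar),  # listed in SBOM, not in the artefact
        "matched": sorted(in_jar & in_sbom),
    }


def build_sample_jar() -> bytes:
    """Constructed shaded JAR: one application class plus bundled dependencies."""
    deps = [
        ("org.example", "app", "1.0.0"),
        ("org.example.lib", "json-lib", "3.2.1"),
        ("org.example.lib", "logging-lib", "2.1.0"),  # newer than the SBOM claims
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("org/example/App.class", b"\xca\xfe\xba\xbe")  # placeholder class
        for g, a, v in deps:
            jar.writestr(f"META-INF/maven/{g}/{a}/pom.properties",
                         f"#Generated by Maven\ngroupId={g}\nartifactId={a}\nversion={v}\n")
    return buf.getvalue()


# Constructed SBOM: stale logging-lib version, plus a provided-scope
# dependency (servlet-api) that the build declared but never bundled.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"group": "org.example", "name": "app", "version": "1.0.0"},
        {"group": "org.example.lib", "name": "json-lib", "version": "3.2.1"},
        {"group": "org.example.lib", "name": "logging-lib", "version": "2.0.0"},
        {"group": "org.example.lib", "name": "servlet-api", "version": "4.0.0"},
    ],
}


if __name__ == "__main__":
    print(json.dumps(reconcile(build_sample_jar(), SAMPLE_SBOM), indent=2))
```

Run against the constructed input, `undeclared` reports `logging-lib 2.1.0`, which is what a vulnerability scan keyed on the SBOM would miss, and `not_shipped` reports the stale `2.0.0` entry and the unbundled `servlet-api`, both of which would produce false "affected" answers. Either non-empty bucket is the signal that the SBOM is a generated artefact rather than a proven one; a build pipeline can fail on it before the image is promoted.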


OCX 2026: What senior Java engineers must deliver before 2027

In her session at OCX, “CRA, NIS2, DORA: What senior Java engineers must deliver before 2027,” she will be joined by Markus Schlichting, CEO of Karakun AG. Together, they will combine a developer’s perspective with governance and compliance experience, focusing on practical engineering decisions rather than abstract regulatory language.

Preparing for the CRA often exposes dependency sprawl and legacy practices that teams have learned to live with, but Ruiz also sees a clear upside. “The advantages are not only at the compliance level, they’re at the quality and security level.”

If you attend their session at OCX, you will get a clear overview of where your Java systems stand today, which practices and tools reduce CRA-related risk most effectively, and how to prioritise next steps without slowing development. The focus is not on adopting every available solution, but on understanding the gap between what your systems produce, what they run, and what regulators will expect you to prove.

Register for Open Community Experience 2026 and attend this session in person to gain practical guidance on making your Java systems SBOM-ready ahead of CRA enforcement.

Topics
Cyber Resilience Act
Cloud Native Java
Collaborations
Jakarta EE
Eclipse Open Regulatory Compliance