v2.4.0

A6. SBOM (Software/ML Bill of Materials)

Complete dependency inventory for each build: all software libraries, ML framework versions, pre-trained model components (base models, embedding models, tokenisers), and external API dependencies, each with licence terms. Generated in SPDX or CycloneDX standard formats. Auto-generated as part of the CI pipeline using Syft, CycloneDX CLI, or SPDX tools. Attached to the container image as a cosign attestation.

Responsible party: CI/CD pipeline generates per build. Conformity Assessment Coordinator stores the SBOM in the evidence register.

Regulations addressed: Annex IV(2)(b) (system composition); Article 15 (cybersecurity); CRA Article 12 (software transparency); DORA Article 28 (ICT third-party risk).

Key outputs

  • Per-build SPDX or CycloneDX inventory
  • ML-specific component catalogue with licences
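As an added example (not the project's own tooling; component names, versions and the image reference are constructed placeholders), the following Python assembles the per-build CycloneDX inventory described above, recording base models and tokenisers with the CycloneDX 1.5 "machine-learning-model" component type and external APIs as services, and applies the licence-completeness gate the evidence register should enforce before accepting a build:

```python
import json

# Constructed sample inventory for one build (placeholder names, not real project data).
BUILD_INVENTORY = [
    {"type": "library", "name": "numpy", "version": "1.26.4", "licence": "BSD-3-Clause"},
    {"type": "framework", "name": "torch", "version": "2.2.1", "licence": "BSD-3-Clause"},
    {"type": "machine-learning-model", "name": "example-base-model", "version": "1.0", "licence": "Apache-2.0"},
    {"type": "machine-learning-model", "name": "example-tokeniser", "version": "1.0", "licence": None},
]
# External API dependencies are recorded as CycloneDX services, not components.
EXTERNAL_APIS = [
    {"name": "embedding-api", "endpoint": "https://embeddings.example.invalid/v1",
     "licence": "LicenseRef-embedding-vendor-terms"},
]


def licence_entry(licence):
    """CycloneDX licence choice: SPDX id where one exists, free-text name for LicenseRef terms."""
    if not licence:
        return []
    key = "name" if licence.startswith("LicenseRef-") else "id"
    return [{"license": {key: licence}}]


def build_cyclonedx_bom(image_ref, inventory=BUILD_INVENTORY, apis=EXTERNAL_APIS):
    """Assemble a CycloneDX 1.5 JSON BOM; 1.5 is the first spec version with the
    'machine-learning-model' component type used here for base models and tokenisers."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {"component": {"type": "container", "name": image_ref}},
        "components": [
            {"type": c["type"], "name": c["name"], "version": c["version"],
             "licenses": licence_entry(c["licence"])}
            for c in inventory
        ],
        "services": [
            {"name": a["name"], "endpoints": [a["endpoint"]], "licenses": licence_entry(a["licence"])}
            for a in apis
        ],
    }


def unlicensed_entries(bom):
    """Names of components and services carrying no licence terms: the check the
    Conformity Assessment Coordinator applies before storing the SBOM as evidence."""
    entries = bom.get("components", []) + bom.get("services", [])
    return [e["name"] for e in entries if not e.get("licenses")]


if __name__ == "__main__":
    bom = build_cyclonedx_bom("registry.example.invalid/ml-service:build-123")
    print(json.dumps(bom, indent=2))
    print("missing licence terms:", unlicensed_entries(bom))
```

The JSON written by this script is the predicate a CI step would pass to a cosign attestation of type cyclonedx; a non-empty result from unlicensed_entries should fail the build before that step.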