
Regulations set to cyber-secure the supply chain

Wed 27 Mar 2024 | Finbarr Toesland

No industry has been spared from supply chain attacks in recent years. According to analysis firm Gartner, almost half (45%) of organisations worldwide are expected to have experienced an attack on their software supply chain by 2025, illustrating how widespread the problem has become.

There is no shortage of regulations and Government initiatives that seek to improve the cybersecurity of supply chains. Companies will nonetheless need to ensure that their supply chain security strategy incorporates the recommendations set out by regulatory bodies and keeps pace with emerging threats.

NIS2 Directive Impact

At the European level, the requirements set out by the NIS2 Directive are among the most relevant for businesses to assess. The Directive introduces new responsibilities, including three risk assessment mechanisms that together address supply chain security.

The first is a coordinated risk assessment of critical supply chains carried out at the European level. The second is a national risk assessment, which each member state may use to extend the scope of the Directive. The third is an internal risk assessment, which requires essential and important entities to adopt an appropriate approach to supply chain security, including the security of their relationships with direct suppliers and service providers.

Member states must transpose NIS2 into national law by 17 October 2024. It is a wide-ranging Directive that covers incident handling, training, incident reporting obligations and business continuity, among other areas.

In practice, the large majority of businesses affected by the Directive will need to strengthen their cybersecurity measures and undertake comprehensive risk analyses, which may mean hiring more skilled IT and security staff to meet the requirements.

Falling foul of the Directive carries significant costs, scaled to the size of the organisation. Essential entities in critical sectors that fail to meet the reporting and duty of care requirements face a maximum fine of at least €10 million (around £8.5 million or $10.8 million) or 2% of global annual turnover, whichever is higher.

Complex Ecosystem

The administrative burden of dealing with complex regulations can be significant for larger companies. In the UK, several important regulations have been introduced around supply chain security, alongside new guidelines.

Last year, the National Cyber Security Centre (NCSC) released new guidance to help businesses assess and gain confidence in the cybersecurity of their supply chains. The first step is to understand the current threat picture and to apply any new cybersecurity processes as soon as possible, starting with new suppliers.

In May 2021, the UK Government called for views on supply chain cybersecurity, and in January 2022 it launched a consultation on proposals for legislation in this area. Now that the consultation has closed, new regulations are expected to be introduced later this year.

At the end of the consultation, Minister for Media, Data, and Digital Infrastructure, Julia Lopez, reaffirmed the Government’s commitment to ensuring supply chains are secure.

“Today we are taking the next steps in our mission to help firms strengthen their cybersecurity and encouraging firms across the UK to follow the advice and guidance from the NCSC to secure their businesses’ digital footprint and protect their sensitive data,” said Lopez.

While the final form of the regulation is not yet known, the Government put forward seven proposals under two pillars: one set focusing on digital service providers (DSPs) and the second on how to update the current cybersecurity supply chain regulations.

Of these proposals, many businesses will be most affected by the expansion of current reporting duties to cover incidents that do not disrupt service but may pose a significant risk, as well as by the proposal to expand cost recovery.

In the past, physical supply chain security was the foremost concern; it has become increasingly clear that cyber threats now represent the predominant risk to companies.

Even well-intentioned policies can have negative impacts on supply chain security. The UK Online Safety Bill, which received Royal Assent as the Online Safety Act 2023 in October 2023, has faced scrutiny from critics who say it would force firms to build into end-to-end encrypted services a means for appropriately authorised Government agencies to access message content, in effect a back door.

For Gareth Williams, Chief Product and Technology Officer at global procurement and supply chain consultancy Efficio, meeting such a requirement carries real risks.

“Almost all mathematicians, scientists, and engineers who understand how internet-based encryption works say it is impossible to put in a back door that preserves full security, whilst also allowing some authorised bodies to access the messages,” said Williams.

Because of this requirement, several high-profile firms, including Meta and Signal, threatened to leave the UK if the Bill became law. Any such access mechanism could also be exploited by cybercriminals, with serious consequences for digital service firms.

“The implications for supply chains are that, if cyber bills such as this do come into force across the world, and end-to-end encryption is weakened, supply chain security, especially for high-value, strategic IP-based goods such as semiconductors, will increase risk,” added Williams.

Experts featured:

Finbarr Toesland

Features Writer
