European Commission - Directorate General for Communications Networks, Content and Technology

02/13/2026 | News release | Archived content

ICT supply chain security: EU adopts a toolbox to mitigate risks

The NIS Cooperation Group has adopted the EU ICT Supply Chain Security Toolbox, developed by Member States with the support of the Commission and the EU Agency for Cybersecurity (ENISA), as well as two risk assessments, one on connected and automated vehicles and one on detection equipment.

The EU ICT Supply Chain Security Toolbox provides a horizontal, common, and non-binding approach on how to identify, assess and mitigate cybersecurity risks of ICT supply chains. Following the EU Council Conclusions on ICT supply chain security from 2022, the toolbox was developed within the NIS Cooperation Group. It is based on an all-hazards approach and defines key concepts related to ICT supply chain security. Being strictly actor-agnostic, it outlines risk scenarios impacting the Union's digital ecosystem and recommends mitigation measures, including establishing a framework for assessment of critical suppliers, the promotion of multi-vendor strategies and overcoming the dependencies on high-risk suppliers.

In line with the NIS2 Directive, the ICT Supply Chain Security Toolbox makes an important contribution to the framework for Union-level coordinated security risk assessments of critical ICT supply chains under Article 22 of the NIS2 Directive. It is designed not only to help Member States, but also to support public and private actors in evaluating and managing risks related to the supply chains of ICT services, ICT systems, and ICT products.

The Member States now have at their disposal a structured set of voluntary measures that can be adapted to their national contexts and priorities. As part of the next steps, the NIS Cooperation Group will review the application of the Toolbox after one year. This will serve to assess progress, share best practices, identify challenges, and recommend adjustments as needed.

Furthermore, the NIS Cooperation Group has adopted the results of two Union-level coordinated security risk assessments, developed by Member States with the support of the Commission and ENISA. The first assessment focuses on connected and automated vehicles (CAVs) and their supply chains, while the second examines cybersecurity risks related to detection equipment used by EU law enforcement and security operators at EU border crossing points.

The primary objective of both reports is to provide a comprehensive overview of the cybersecurity risks identified, their potential consequences, and the mitigating measures considered necessary to address them. The assessment on connected and automated vehicles demonstrates that CAVs, while bringing many potential benefits to safety and energy efficiency, introduce new and significant cybersecurity risks. CAVs process troves of personal and sensitive data and can, in some cases, be weaponised.

To address these risks, the NIS Cooperation Group recommends, amongst other cybersecurity enhancing measures, that the Commission, together with the Member States, identifies proportionate measures to de-risk EU supply chains from high-risk suppliers, especially where it pertains to processing and decision-making systems, communication and connectivity systems and vehicle control systems that can receive remote updates. The report also suggests follow-up research to assess the impact of cyberattacks on charging infrastructure on the wider energy grid.

The second coordinated risk assessment focuses on detection equipment. Its objective is to provide a comprehensive overview of the cybersecurity risks associated with detection equipment, broadly considered as part of the EU's critical infrastructure, and their consequences, as well as the mitigating measures necessary to address them, whether the detection equipment is used in a stand-alone context or within interconnected and interoperable environments.

Compromised detection equipment can be controlled remotely, exploited as an attack vector or neutralised to support malicious acts. Incidents can also result from human error, system failures or natural phenomena. Furthermore, the detection equipment market itself, dominated by a limited number of manufacturers of non-EU origin, has shown severe shortcomings and poses additional challenges for EU security, particularly with regard to diversification of the market, availability of the equipment and equipment parts, and securing critical infrastructures.

For the effective management of those risks, a number of mitigating measures are identified in this assessment, such as the effective application of EU level measures for high-risk suppliers and enhancing procurement practices by imposing security requirements for EU funding. Other recommendations relate to maintenance practices and security protocols for the use of and access to the equipment.

European Commission - Directorate General for Communications Networks, Content and Technology published this content on February 13, 2026, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on February 16, 2026 at 05:12 UTC.