Directive (EU) 2022/2555 (the NIS2 directive) 1 requires Member States to ensure that essential and important entities take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems, which those entities use in the provision of their services. Supply chain cybersecurity is considered an integral part of the cybersecurity risk management measures under Article 21(2) of the NIS2 directive.
This new ENISA report provides an overview of the current supply chain cybersecurity practices followed by essential and important entities in the EU, based on the results of a 2022 ENISA study which focused on investments of cybersecurity budgets among organisations in the EU.
Among the findings the following points are observed:
• 86 % of the surveyed organisations implement information and communication technology / operational technology (ICT/OT) supply chain cybersecurity policies.
• 47 % allocate budget for ICT/OT supply chain cybersecurity.
• 76 % do not have dedicated roles and responsibilities for ICT/OT supply chain cybersecurity.
• 61 % require security certification from suppliers, 43% use security rating services and 37% demonstrate due diligence or risk assessments. Only 9 % of the surveyed organisations indicate that they do not evaluate their supply chain security risks in any way.
• 52 % have a rigid patching policy, in which only 0 to 20 % of their assets are not covered. On the other hand, 13.5 % have no visibility over the patching of 50 % or more of their information assets.
• 46 % patch critical vulnerabilities within less than 1 month, while another 46 % patch critical vulnerabilities within 6 months or less.
The report also gathers good practices on supply chain cybersecurity derived from European and international standards. It focuses primarily on the supply chains of ICT or OT. Good practices are provided and can be implemented by customers (such as organisations identified as essential and important entities under the NIS2 directive) or their respective suppliers and providers. The good practices cover five areas, namely:
• strategic corporate approach;
• supply chain risk management;
• supplier relationship management;
• vulnerability handling;
• quality of products and practices for suppliers and service providers.
Finally, the report concludes the following.
• There is confusion with respect to terminology around the ICT/OT supply chain.
• Organisations should establish a corporate-wide supply chain management system based on third party risk management (TRM) and covering risk assessment, supplier relationship management, vulnerability management and quality of products.
• Good practices should cover all various entities which play a role in the supply chain of ICT/OT products and services, from production to consumption.
• Not all sectors demonstrate the same capabilities concerning ICT/OT supply chain management.
• The interplay between the NIS2 directive and the proposal for a cyber resilience act or other legislation, sectorial or not, which provides cybersecurity requirements for products and services, should be further examined.