<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/">
  <channel>
    <title>Risk Management on Edbro.net - A Cybersecurity Blog</title>
    <link>https://edbro.net/categories/risk-management/</link>
    <description>Recent content in Risk Management on Edbro.net - A Cybersecurity Blog</description>
    <image>
      <title>Edbro.net - A Cybersecurity Blog</title>
      <url>https://edbro.net/images/edbro</url>
      <link>https://edbro.net/images/edbro</link>
    </image>
    <generator>Hugo</generator>
    <language>en</language>
    <lastBuildDate>Mon, 30 Sep 2024 00:00:00 +0000</lastBuildDate>
    <atom:link href="https://edbro.net/categories/risk-management/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Supply Chain Security in Light of EU Regulations: A Practical Approach</title>
      <link>https://edbro.net/posts/supply-chain-security-in-light-of-eu-regulations-a-practical-approach/</link>
      <pubDate>Mon, 30 Sep 2024 00:00:00 +0000</pubDate>
      <guid>https://edbro.net/posts/supply-chain-security-in-light-of-eu-regulations-a-practical-approach/</guid>
      <description>&lt;p&gt;Lately, I’ve been thinking about the complexity of securing the software supply chain. If there’s one lesson we’ve learned from incidents like the SolarWinds and Kaseya attacks, it’s that our supply chains are increasingly becoming the weakest link in our cybersecurity defenses. What makes it even more challenging is the regulatory landscape—particularly within the European Union (EU)—which is evolving to place more responsibility on organizations to secure their supply chains.&lt;/p&gt;</description>
      <content:encoded><![CDATA[<p>Lately, I’ve been thinking about the complexity of securing the software supply chain. If there’s one lesson we’ve learned from incidents like the SolarWinds and Kaseya attacks, it’s that our supply chains are increasingly becoming the weakest link in our cybersecurity defenses. What makes it even more challenging is the regulatory landscape—particularly within the European Union (EU)—which is evolving to place more responsibility on organizations to secure their supply chains.</p>
<p>In this post, I’ll dig into some of the key EU regulations that are directly shaping supply chain security and discuss practical steps you can take to build a more resilient supply chain. When we talk about supply chain attacks, we’re not just referring to the direct targets, but to the entire ecosystem. Attackers often exploit the weakest point in the chain—perhaps an unpatched vulnerability in a third-party component or even malicious code that has been slipped into a software update. This makes supply chain security not just an IT issue, but a critical business concern.</p>
<p>A significant risk comes from the potential for backdoors to be introduced into widely used software libraries. One notable example is the backdoor found in XZ Utils, a compression library used in many Linux distributions. This incident revealed how even seemingly trusted and ubiquitous software components can be compromised, providing attackers with hidden access.</p>
<h2 id="eu-regulations-shaping-supply-chain-security">EU Regulations Shaping Supply Chain Security</h2>
<h3 id="nis2-directive">NIS2 Directive</h3>
<p>The NIS2 Directive is one of the key regulations directly targeting supply chain security. It places obligations on &ldquo;essential&rdquo; and &ldquo;important&rdquo; sectors to actively manage their supply chain risks as part of their overall cybersecurity strategies. This means that organizations can’t just focus on securing their own systems—they need to also assess and manage the risks associated with their suppliers and service providers. In other words, if you’re relying on third-party software, you’re responsible for its security too.</p>
<h3 id="digital-operational-resilience-act-dora">Digital Operational Resilience Act (DORA)</h3>
<p>DORA focuses on the financial sector and aims to ensure that financial institutions can withstand ICT-related disruptions, including supply chain incidents. A significant part of DORA&rsquo;s requirements revolves around third-party risk management. Financial entities are required to continuously monitor and manage risks stemming from their ICT service providers. I find this particularly interesting because it reflects how the financial sector is being pushed to develop more rigorous and transparent supply chain security practices.</p>
<h3 id="cyber-resilience-act-proposed">Cyber Resilience Act (Proposed)</h3>
<p>The Cyber Resilience Act is an upcoming regulation that explicitly addresses software supply chain risks. It aims to impose mandatory cybersecurity requirements for software products, including the need to manage vulnerabilities throughout the software lifecycle. Although it’s still in the proposal stage, this act signals the EU&rsquo;s intention to address software security from the development phase through to deployment, emphasizing that security isn’t just a one-time effort but a continuous responsibility.</p>
<h2 id="practical-steps-for-building-a-secure-supply-chain">Practical Steps for Building a Secure Supply Chain</h2>
<p>With this evolving regulatory landscape in mind, how can businesses actually address these supply chain security concerns? Here are some practical steps:</p>
<h3 id="1-create-and-use-an-sbom-software-bill-of-materials-for-supply-chain-visibility">1. <strong>Create and Use an SBOM (Software Bill of Materials) for Supply Chain Visibility</strong></h3>
<p>Building an SBOM (e.g., in formats like CycloneDX or SPDX) is one of the most effective ways to gain visibility into your software&rsquo;s supply chain. Think of an SBOM as an ingredient list that provides detailed information about every component and dependency, including their versions and origins. By maintaining an SBOM and mapping your entire supply chain, you make it easier to identify affected components quickly when new vulnerabilities, like Log4Shell, are disclosed. It also enables you to scrutinize any changes or new additions that might introduce new risks, such as a backdoor in a dependency. Having this level of insight is crucial for addressing both security threats and regulatory requirements around supply chain transparency.</p>
<h3 id="2-regularly-assess-your-suppliers">2. <strong>Regularly Assess Your Suppliers</strong></h3>
<p>Relying solely on certifications isn&rsquo;t enough. Regular assessments of your suppliers are vital in maintaining a secure supply chain. This might involve reviewing their security practices, examining their own use of SBOMs, and conducting periodic audits. Keep an eye out for signs of compromise, such as unusual changes in the software packages they provide. By continuously evaluating your suppliers’ security measures, you reduce the risk of supply chain attacks and ensure that your suppliers are maintaining a security posture that aligns with your standards.</p>
<h3 id="3-adopt-a-zero-trust-approach">3. <strong>Adopt a Zero-Trust Approach</strong></h3>
<p>Implementing a zero-trust model in your supply chain management is an effective way to minimize the potential impact of a supplier breach. This approach assumes that no supplier is fully secure and therefore segments access to your network. By limiting the access that suppliers and third-party components have, you can contain the potential damage if one of them is compromised. This mindset not only mitigates risks but also supports a more robust, layered defense strategy that aligns well with the evolving landscape of supply chain security.</p>
<h2 id="conclusion">Conclusion</h2>
<p>Supply chain security is no longer just an optional extra—it’s an essential part of any robust cybersecurity strategy, especially as the EU continues to tighten its regulatory requirements. Regulations like the NIS2 Directive and DORA directly call for organizations to address supply chain risks actively. Meanwhile, the proposed Cyber Resilience Act signals the EU&rsquo;s growing focus on software security throughout its lifecycle.</p>
<p>While compliance is important, practical measures like using an SBOM and adopting a zero-trust mindset will go a long way in building a more resilient supply chain. Don’t overlook the risk of backdoors and malicious code in your dependencies. Supply chain security isn’t just about patching vulnerabilities; it’s about ensuring the integrity of every component in your software.</p>
<h2 id="references">References</h2>
<ol>
<li><a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM%3A2020%3A823%3AFIN">NIS2 Directive</a></li>
<li><a href="https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en">Digital Operational Resilience Act (DORA)</a></li>
<li><a href="https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act">Cyber Resilience Act (Proposal)</a></li>
</ol>
]]></content:encoded>
    </item>
    <item>
      <title>Clicking on Links, What are the Risks?</title>
      <link>https://edbro.net/posts/clicking-on-links-what-are-the-risks/</link>
      <pubDate>Thu, 18 Jun 2020 00:00:00 +0100</pubDate>
      <guid>https://edbro.net/posts/clicking-on-links-what-are-the-risks/</guid>
      <description>&lt;p&gt;One of the most common tips you hear in regard to security is to not click links, but how malicious can a link be in this day and age? In this article I&amp;rsquo;ll discuss the risks I see and what impact they may have, to initiate a discussion about these risks.&lt;/p&gt;
&lt;p&gt;The thing about the internet today is that everything is links, and many sites such as Twitter and bit.ly use link shortening to track usage and hide the original address. This makes it hard to know beforehand if the link is legit, and thus might increase the risk, but the impact will be the same. Here are four risks that I see when clicking a link.&lt;/p&gt;</description>
      <content:encoded><![CDATA[<p>One of the most common tips you hear in regard to security is to not click links, but how malicious can a link be in this day and age? In this article I&rsquo;ll discuss the risks I see and what impact they may have, to initiate a discussion about these risks.</p>
<p>The thing about the internet today is that everything is links, and many sites such as Twitter and bit.ly use link shortening to track usage and hide the original address. This makes it hard to know beforehand if the link is legit, and thus might increase the risk, but the impact will be the same. Here are four risks that I see when clicking a link.</p>
<ol>
<li>The most obvious risk is phishing. An attacker can create a serious-looking website with the aim of tricking a victim into entering sensitive information such as passwords or credit card information. This would allow the attacker to use the stolen information either to sign into the compromised account or to pay with the credit card. However, these attacks are not performed when you click the link, but rather when you enter the information on the site, meaning that this does not qualify as a risk of clicking a link.</li>
<li>There are a few different attacks, for example clickjacking or cross-site request forgery, that target a website through a victim browsing a third-party website. These attacks allow the culprit to perform actions as the victim on the target site. Instead of infecting the victim’s computer, these attacks exploit a vulnerability in the target site to perform actions as the victim.</li>
<li>A reflected Cross-Site Scripting attack, also known as XSS, would exploit a vulnerability in a website to perform actions against that website as the victim. The impact is about the same as explained in 2, but the difference is that a legitimate URL to the target site is sent to the victim. To detect this risk, look for HTML tags such as <code>&lt;script&gt;</code> in the URL. Like the previous attacks, these attacks cannot infect the victim’s computer, but instead perform actions on the target site.</li>
<li>The most serious risk discussed is vulnerabilities found in the victim’s web browser. These can allow an attacker to compromise the computer to install malicious software such as spy- or ransomware. The best way to protect oneself from vulnerabilities in the browser is to keep it up to date. Most modern browsers are good at fixing bugs as fast as they become known. There is still a small risk that an unknown (aka 0-day) bug is used. However, these bugs are often used in attacks against high profile targets by well-funded hackers.</li>
</ol>
<p>In conclusion, there are still risks with clicking links, but they are not as severe for your computer as they once were. I would say that today it is more important to ensure that your software is updated, that you do not enter information on sites you do not trust, and that you use long and unique passwords for your accounts. Lastly, if you notice any strange behaviour on an account on a website you use, change your password and notify the owner of the site.</p>
]]></content:encoded>
    </item>
  </channel>
</rss>
