21 October 2022


In response to cyber-attacks and a series of threats to information and communication technologies (ICT) supply chains, Member States on 17 October approved Council conclusions contributing to enhanced security of the EU’s ICT assets. The call for action was driven by the current geopolitical circumstances, the damaging nature of supply chain attacks and the ever-increasing dependence of society on digital technologies. The call aims at strengthening ICT supply chain security, and is also a first step to address threats of unwanted strategic dependencies in ICT supply chains.

The Council conclusions feature specific actions for strengthening ICT supply chain security aspects of existing instruments, such as public procurement or foreign direct investment screening frameworks. They also detail how existing and upcoming cyber-specific legislation can contribute to ICT supply chain security. The potential lies not only in the reviewed Network Information Security (NIS2) Directive or certification schemes issued within the framework set out by the Cybersecurity Act, but also in the recent Cyber Resilience Act proposal. The conclusions further suggest using supporting mechanisms for financing secure digital infrastructure building, enhancing common understanding and awareness, and deepening international cooperation to increase ICT supply chain security in the EU and beyond.

Member States suggest putting due emphasis on cybersecurity-related selection criteria in the public procurement processes and call for the creation of an ICT Supply Chain Toolbox that would consist of generic measures for reducing critical ICT supply chain risks and, with this, facilitate the implementation of coordinated risk assessments of critical supply chains under the NIS2 Directive. Possible financing allowing organisations to maintain a high level of cybersecurity in terms of the procurement of ICT products and services throughout the supply chain should also be explored.

Source: Council of the European Union