Brussels, 17 October 2022
In response to some of the most consequential cyber attacks to date and the series of threats to which information and communication technologies (ICT) supply chains are exposed, Member States approved Council conclusions contributing to enhanced security of the EU’s ICT assets. This urgent call for action was driven by the current geopolitical circumstances, the damaging nature of supply chain attacks and the ever-increasing dependence of our society on digital technologies. The call aims at strengthening ICT supply chain security and is also a first step towards addressing threats of unwanted strategic dependencies in ICT supply chains.
Our recent experience shows how quickly an external strategic dependence can turn into a very real vulnerability. That is why we need to protect critical ICT supply chains, which are essential for the security of the EU’s digital infrastructure – the backbone of our modern society and economy.
Ivan Bartoš, Czech Deputy Prime Minister for Digitalisation and Minister for Regional Development
The Council conclusions feature specific actions for strengthening ICT supply chain security aspects of existing instruments, such as public procurement or foreign direct investment screening frameworks. They also detail how existing and upcoming cyber-specific legislation can contribute to ICT supply chain security. The potential lies not only in the reviewed Network Information Security (NIS2) Directive or certification schemes issued within the framework set out by the Cybersecurity Act, but also in the recent Cyber Resilience Act proposal. The conclusions further suggest using supporting mechanisms for financing secure digital infrastructure building, enhancing common understanding and awareness, and deepening international cooperation to increase ICT supply chain security in the EU and beyond.
Member states suggest putting due emphasis on cybersecurity-related selection criteria in the public procurement processes and invite the Commission to issue methodological guidelines to encourage contracting authorities to put appropriate focus on the cybersecurity practices of tenderers and their subcontractors. Furthermore, member states call for the creation of an ICT Supply Chain Toolbox that would consist of generic measures for reducing critical ICT supply chain risks and, with this, facilitate the implementation of coordinated risk assessments of critical supply chains under the NIS2 Directive. Possible financing allowing organisations to maintain a high level of cybersecurity in terms of the procurement of ICT products and services throughout the supply chain should also be explored.
Source – EU Council