Today saw the launch of the EU ICT Supply Chain Security Toolbox, a joint, non-binding EU approach to assessing and mitigating cybersecurity risks in ICT supply chains. Building on an all-risks approach, the strictly actor- and technology-agnostic Toolbox identifies possible risk scenarios affecting ICT supply chains and, based on these, offers coordinated recommendations for risk assessment and mitigation. The recommendations concern, among other things, the promotion of multi-vendor strategies and the reduction of dependence on high-risk suppliers. The document also complements the implementation of Article 22 of the NIS2 Directive and can make it easier for Member States to harmonize their supply chain security management practices.

The Toolbox and its recommendations are primarily designed for public institutions of Member States, but they can also be applied more broadly by the private sector. EU Member States and the wider community thus gain a practical guide to a structured solution for a long-standing security problem. The Toolbox was adopted by the Network and Information Security Cooperation Group, which consists of representatives of EU Member States, the European Commission, and the European Union Agency for Cybersecurity (ENISA).

"Secure ICT supply chains are one of the key conditions for ensuring our resilience, not only in cyberspace, as the National Cyber and Information Security Agency has long been pointing out. The need to adopt a common approach to this issue was agreed upon by EU member states during the Czech Presidency of the Council of the EU in 2022. The Toolbox is thus a concrete result, building on the pioneering efforts of the Czech Republic and NÚKIB experts. It was also largely developed over three years by a team of representatives from across the EU, co-led by the Czech Republic," said NÚKIB Director Lukáš Kintr.

Along with the Toolbox, the Cooperation Group also adopted two coordinated risk assessments that already build on the Toolbox framework approach for two product groups:

  • Connected and autonomous vehicles (CAVs) – while connected and autonomous vehicles offer safety and energy advantages, they also pose a cybersecurity risk; the report therefore highlights the risks associated with connectivity, software updates, and the collection of large amounts of data (not only about the occupants) in cloud systems. Both the vehicles and the data they collect can then be misused by malicious actors.
  • Detection equipment used at borders and airports – the analysis highlights, among other things, the current dominance of a small number of non-EU suppliers, leading to single-supplier dependencies and vendor lock-in, and the absence of competitive European suppliers.

The non-binding Toolbox is the result of long-term work within the EU, and Member States are now invited to work on its application. An assessment of progress in its application, including lessons learned and challenges identified, will follow next year.