Introduction

This week, the EU Member States approved the conclusions of the Council of the EU to strengthen the overall resilience and (cyber)security of ICT supply chains. The security of ICT supply chains is a key element of ensuring nation-wide cybersecurity. Ensuring the safety of ICT products and services from the source would greatly help reducing vulnerabilities at consumer, company and providers' levels. This urgent call for action is driven by the current geopolitical circumstances, the damaging nature of supply chain attacks and the ever-increasing dependence of our society on digital technologies. The EU Member States must work towards avoiding situations of unwanted strategic external dependencies in relation to ICT products and services similar to the EU energy market's dependency on Russian fossil fuels and draw conclusions from disruptions in supply chains during the COVID-19 pandemics.

Against the background of future supply chain cyberattacks, which targets a third party with access to an organization's system as exemplified by the SolarWinds hack of 2020, the EU Council acknowledges the need to maximise and streamline the use of existing and future EU instruments to achieve these objectives as well as the need to continually adapt to the changing cyber threat landscape by introducing additional suitable measures and mechanisms.

Horizontal strengthening of ICT supply chain security aspects in EU instruments

The upcoming revision of the NIS Directive ("NIS 2.0"), which intends to boost the overall level of cybersecurity in the EU by ensuring the EU Member States' preparedness, contains several provisions on supply chains. It not only obliges the EU Member States to adopt related supply chain policies, but also addresses minimum risk management measures related to supply chains, and EU coordinated risk assessments of critical supply chains. The supply chain risk assessments would consider both technical factors (hardware- or software-related) and, where relevant, non-technical factors (such as suppliers being subject to interference by a non-EU country or state-backed players). This approach largely builds on the previous work of the European Commission and the NIS Cooperation Group on the security of 5G networks.

5G networks underpinning Internet-of-Things (IoT) backed products and services are at risk of increasing attacks due to more potential entry points and software reliance. Aspects of liability will be addressed on a horizontal level in the upcoming AI Liability Directive and revision of the Product Liability Directive by the insertion of a horizontal duty of care principle and the confirmation of horizontal concepts such as economic operators. With respect to damage caused by AI systems, the AI Liability Directive aims to provide an effective basis for claiming compensation in connection with the fault consisting in the lack of compliance with a duty of care under Union or national law. In our opinion, the former principle of duty of care will become the cornerstone in the assessment of cybersecurity levels taken by the economic operator in the ICT supply chain since it is referenced to in the 2nd EU Cybersecurity strategy and in the upcoming NIS 2.0 Directive.

The implementation of coordinated risk assessments of critical supply chains under the NIS 2.0 Directive will be facilitated by the creation of anICT Supply Chain Toolbox to help reduce ICT supply chain risks. This toolbox should build upon strategic threat scenarios identified for ICT supply chains and provide measures for responding to these scenarios leveraging experiences from the 5G Toolbox and those gained at national level. It would offer generic measures for reducing risks that can be adjusted for specific ICT services, systems, or products in a scalable way, based on the risks identified in the individual coordinated supply chain risk assessments. To ensure that entities comply with their obligations addressing ICT supply chain security, the NIS 2.0 Directive would enable EU Member States to require essential and important entities to certify specific ICT products, services and processes under the EU Cybersecurity Act. In this context, the draft directive would empower the European Commission to lay down which categories of essential entities (due to their criticality) would be required to obtain certification.

New EU cybersecurity rules would complement the NIS 2.0 framework by ensuring baseline standards for all connected devices and stricter conformity assessment procedures for critical products. The Commission's proposal for a new Cyber Resilience Act (CRA) is trying to address the widespread vulnerabilities in the booming IoT sector, where even the hacking of a single device, the so-called 'weakest link', could lead to major spill-over effects to the entire organisation or supply chain. At the same time, users are not provided with sufficient information on the cybersecurity features of a connected device to make an informed choice when buying it. The proposal aims to safeguard consumers and businesses buying or using products or software with a digital component. The Act would see inadequate security features become a thing of the past with the introduction of mandatory cybersecurity requirements for manufacturers and retailers of such products. They would continue to monitor and address vulnerabilities during its whole life cycle via automatic updates free of charge.

For more information on the NIS 2.0 Directive, please see the contribution of Steven De Schrijver and Jan Van Loon on The Upcoming Changes To The EU's Cybersecurity Framework - Security - European Union (mondaq.com)

Supporting mechanisms

Besides the need to streamline existing and forthcoming supply chain cybersecurity requirements under different legislative instruments, a particular emphasis is put on public procurement. The European Commission is invited by the EU Council to develop methodological guidelines to encourage the contracting authorities to put appropriate focus on the cybersecurity practices of tenderers and their subcontractors and assess or revise if needed relevant public procurement legislation. Diversification of critical ICT suppliers must avoid or limit the creation of major dependencies on single suppliers, and in particular high-risk suppliers, as it increases the exposure to the consequences of potential disruptions. Foreign direct investment screening frameworks must enable Member States to better assess the possible threats and eliminate high-risk investments that may affect such security and resilience of ICT supply chains.

For more information on the Future FDI Screening Mechanism In Belgium, please see the contribution of Steven De Schrijver and Jan Van Loon on https://www.mondaq.com/inward-foreign-investment/1200150/the-future-fdi-screening-mechanism-in-belgium-current-outlook

Conclusion

The European Union is making Europe fit for the green and responsible digital age by adapting the cybersecurity and product liability frameworks to the digital age, circular economy, and the impact of global value chains. EU Member States must build an EU-wide horizontal defence shield to avoid situations of unwanted strategic external dependencies in relation to ICT products and services and ensure nation-wide cybersecurity at consumer, company and providers' levels. The upcoming NIS 2.0, Cyber Resilience Act, and AI & Product Liability Directives are the first parts of this shield.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances. For more information, please contact Steven De Schrijver.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.