ICT security

[To Eurosmart members only]


EU Member States call for more security in the ICT supply chain

On 17 October, EU Member States published conclusions on ICT supply chain security. They give a series of recommendations to be followed by the European Commission, ENISA and the Member States themselves.

ICT supply chain secure by design

EU Member States emphasise that the EU and its Member States should consider the geopolitical environment not only when reacting to malicious cyber activities but also when building and maintaining the resilience of ICT. This topic is of particular relevance for the ICT supply chain.

Reducing strategic external dependencies

The EU should learn from the COVID-19 pandemic, the Member States underline. The EU’s strategic dependencies were exposed, in particular in the field of pharmaceuticals and semiconductors. Member States must work towards “avoiding similar situations of unwanted strategic external dependencies in relation to ICT products and services”. Member States add that “achieving strategic autonomy while preserving an open economy is a key objective of the Union”.

The Member States must consider diversification of suppliers of critical ICT and avoid major dependencies on single suppliers, particularly high-risk ones. Member States encourage integrating aspects related to the prevention of vendor lock-in into EU legislation.

With regard to 5G networks, Member States recognise the potential benefits of the Open RAN concept. However, they adopt a cautious approach by underlining that this concept is still under development and that its security, transparency and standardisation are at an early maturity phase. Member States emphasise the importance of assessing risks before transitioning towards new standards or architectures.

Monitoring and risk assessment are key

Member States stress the importance of monitoring, analysing and assessing the supply chain threat landscape. They welcome ENISA’s work in this field, including its Report on the Threat Landscape for Supply Chain Attacks.

They further encourage ENISA to perform, jointly with the NIS Cooperation Group, a stock-taking of best practices for supply chain risk management and compile them into methodological guidelines. They also encourage ENISA to monitor investments in the ICT supply chain security of essential and important entities (NIS 2).

Member States invite the Commission to identify by Q2 2023 the specific ICT services, systems or products that might be subjected to the NIS 2 coordinated supply chain risk assessments with priority.

Existing measures in favour of supply chain security

The EU can already count on a set of measures that directly or indirectly address supply chain security, including NIS 2, as mentioned above.

In addition, the EU’s Foreign Direct Investment Screening mechanism can help safeguard the ICT supply chain security by eliminating high-risk investments.

Member States also mention the importance of raw materials and semiconductors, referred to as the “basic building blocks for ICT products”. In this respect, they encourage constructive negotiations on the Chips Act.

With regard to cybersecurity-related legislation, Member States welcome the proposal for a Cyber Resilience Act and call for its timely adoption. They also mention the Cybersecurity Act. Member States encourage all stakeholders to participate in the preparatory work on individual European certification schemes. They also call on the Commission to swiftly prepare implementing acts on the schemes, notably the EUCC scheme.

However, Member States recognise that additional measures and mechanisms might be needed.

Addressing public procurement

Public procurement procedures must adequately take the importance of ICT supply chain security into account. Where appropriate, those procedures must include risk-based selection criteria relating to the tenderers’ capability to ensure a high level of security.

Member States invite the Commission to develop methodological guidelines by Q3 2023. These guidelines should encourage contracting authorities to focus on the cybersecurity practices of tenderers and their subcontractors. The guidelines will make proposals to revise or complement relevant public procurement legislation if needed.

Leveraging the example of the 5G Toolbox

Member States mention several times the example of the EU Toolbox for 5G security. The text calls on Member States to further exchange information and apply the relevant restrictions on high-risk suppliers for key assets.

Member States see the 5G Toolbox as an inspiration for risk assessment and mitigation tools related to other vital sectors. They invite the NIS Cooperation Group to develop a toolbox of measures for reducing critical ICT supply chain risks (ICT Supply Chain Toolbox), leveraging the experience from the 5G Toolbox.

EU funding in cybersecurity and supply chain security

Member States want EU funding in cybersecurity to take supply chain aspects into account. They call on the European Commission, the European Cybersecurity Competence Centre and relevant stakeholders to explore options for including ICT supply chain security aspects in the upcoming calls for proposals, as part of the Cybersecurity Work Programme.

Using state-of-the-art approaches and techniques

Member States acknowledge the need to explore relevant state-of-the-art approaches and techniques for achieving secure ICT supply chains. They recognise that special attention should be given to exploring systematic solutions, such as zero-trust principles, software bills of materials and similar long-term solutions. The NIS Cooperation Group could explore these options.

Cooperating with third countries

Member States recommend using relevant partnerships to address the issue of ICT supply chain security. In this respect, the EU can rely on the EU-US Trade and Technology Council.

Council's conclusions
Eurosmart
Square de Meeûs 35 - 1000 Brussels - BELGIUM
EU transparency register #21856815315-64