What can we learn from the EU ICT supply chain security toolbox?

Every modern organisation depends on a technical supply chain that underpins not only how it functions but also how it protects itself. Recognising the importance of IT supply chains and minimising the disruptions and vulnerabilities they introduce should be an ongoing focus for all organisations. Protecting the IT supply chain is becoming especially important for small and medium-sized enterprises (SMEs), which are increasingly targeted by supply chain attacks because their security risk-management measures tend to be less rigorous.

The EU ICT supply chain security toolbox seeks to provide member states with a common and structured approach to securing their supply chains. Its key objectives are:

  • Create and foster a common understanding of supply chain security risks
  • Identify potential threats, vulnerabilities and risks within the supply chain through a scenario-based methodology
  • Provide recommendations to secure the ICT supply chain

The ultimate objective of the EU supply chain toolbox is to provide guidance on effective measures for managing security risks at each stage of the services lifecycle across hardware, software and managed security services. The IT supply chain toolbox is technology agnostic and aims to focus on the assessment of supply chain risk rather than targeting specific technologies.

The toolbox aims not only to educate organisations on how to manage their security risk and technology better, but also to give them concrete examples that empower them to manage their own security.

Three things the toolbox does

1. It makes risk scenarios real and actionable

Abstract risk language gets in the way of effective security governance. Telling a board that ‘supply chain threats are increasing’ generates concern, but without the right business context – how the threat will affect the organisation’s KPIs and KBIs – it rarely generates action. The EU ICT Supply Chain Security Toolbox aims to replace theoretical risk with real, quantifiable risk aligned to an organisation’s goals and objectives.

It identifies risk scenarios across three categories:

  • Deliberate threats such as ransomware attacks against managed service providers and the insertion of counterfeit hardware components
  • Unintended threats including faulty software updates cascading across dependent systems
  • External events such as supplier lock-in and geopolitical disruptions that could constrain an organisation’s ability to operate with a vendor they have relied upon for years

These scenarios are not hypothetical. They are drawn from documented incident patterns, ENISA threat intelligence, and the collective experience of national cyber security authorities. For IT teams, they provide a structured way of assessing supply chain exposure, not in the abstract, but against specific, realistic threat pathways.

2. It gives organisations a structured mitigation framework

The toolbox does not stop at identifying risks. It provides seven recommendations grouped across four strategic pillars, giving organisations a clear action framework rather than a list of concerns.

The first pillar demands a robust framework for ICT supply chain risk management, moving beyond point-in-time assessments to establish structured, repeatable processes that cover the full supplier ecosystem, including the tier-two and tier-three dependencies that most organisations currently have limited visibility into.

The second pillar addresses supply chain resilience through diversity. The toolbox highlights that single-vendor dependency is a strategic vulnerability, and that multi-vendor strategies are not just commercially sensible but a security ‘must have’.

The third pillar focuses on situational awareness and operational cooperation: the kind of structured information sharing between organisations and sectors that transforms isolated security teams into a networked defence community.

The fourth pillar looks to the longer term – building a resilient, trusted, and transparent industrial base through standards alignment, security certification, and an interoperable ecosystem where Software Bills of Materials (SBOMs) and cryptographic attestation become baseline procurement expectations.

Each of these pillars has immediate operational implications for IT teams. They are not aspirational; they are the measures against which your supply chain security programme will increasingly be assessed.

3. Extended scope to critical sectors through dedicated risk assessments

The toolbox is accompanied by two Union-level coordinated risk assessments that signal where the EU considers the supply chain threat to be most acute right now.

The first focuses on connected and automated vehicles, a sector where the convergence of hardware complexity, software dependency, and remote update capability creates a large supply chain attack surface. The NIS Cooperation Group recommends that the Commission and Member States identify proportionate measures to de-risk EU supply chains from high-risk suppliers, particularly in processing and decision-making systems and vehicle control components capable of receiving remote updates.

The second focuses on detection equipment used at borders and customs, infrastructure that sits at the intersection of physical and digital security, and where supply chain compromise could have consequences that extend well beyond the cyber domain.

For IT teams operating in or as part of these sectors, these assessments are not background reading. They are a direct signal of where regulatory scrutiny will intensify.

The competitive dimension IT Departments are missing

From our discussions with several customers over recent months at Cyberfort, we know that supply chain security conversations are not happening in enough boardrooms. Rather than being seen as another compliance task to complete, supply chain security should be treated as a competitive differentiator.

Organisations that can demonstrate structured, auditable supply chain risk management will increasingly win procurement decisions, particularly in public sector and regulated industries where NIS2 and DORA compliance is a requirement for suppliers. Organisations that cannot demonstrate this will find themselves excluded from opportunities, regardless of how competitive their core offering is.

The EU ICT Supply Chain Security Toolbox provides the framework to build that capability credibly and systematically. IT teams who engage with it proactively, embedding its risk scenarios into their vendor assessment processes, aligning their procurement governance with its recommendations, and investing in the information sharing infrastructure it calls for, will be ahead of the curve when national authorities begin enforcement.

Those who wait for enforcement to begin will be playing catch-up in a regulatory environment that has less tolerance for delay.

So what does this look like in practice?

An example scenario from the EU ICT supply chain toolbox that would apply to most organisations is:

A cloud service provider suffers a datacentre outage caused by human error, which prevents access to millions of domains, including your organisation’s. The root cause of this disruption to your web application is traced back to an air vent being mistakenly closed in the datacentre. Although simple to remediate, the fault has left many organisations’ online services down or working at limited capacity even after they failed services over to other datacentres. This extended period of downtime raises concerns about the resilience of hosting vital organisational infrastructure in the cloud.

How would the analysis of this look?

Type of incident: Service outage

Root cause: Human error

Supply chain: Cloud computing provider, organisational users of the cloud computing provider

Threat actor who could use this scenario to their advantage: Advanced persistent threats, Organised crime groups, Insiders in the supply chain

Vulnerability: Poor practices by cloud computing provider, poor supply chain management by the end user organisation

Impact: Reputational damage, service disruptions (availability and integrity)

Organisations should consider these types of incidents and risks as part of their operations. They need to ask how they would recover if something like this were to happen, and whether they have any measures in place to minimise the damage it would cause to their operations.

Without a business continuity/disaster recovery plan in place, an organisation may struggle to prioritise remediation and get its operations up and running again.

Where to start with developing a business continuity plan

Firstly, identify your most critical and time-sensitive operations and the impact that disruption to any of them would have. Measure the impact and likelihood of these operations being disrupted, and attribute a timescale for how long your organisation could continue with each of these services degraded.

Plan your response strategy – having processes in place not only to identify issues as they arise, but also for how technical support is contacted in an emergency and what the roles of the involved teams look like, is the first step in bringing the organisation back to full operation.

Consider the recovery – define the steps that would be required, across a variety of scenarios, to recover these critical services. That could be server failover to a new region or removal of malware from a server, depending on which risks you have defined. Create a team that knows how to start recovery and where to find the materials needed to begin the recovery process.

Train around your key risk scenarios – you may have plans written, but do you know these plans work in practice? Consider running tabletop exercises to train staff on how they would respond in a real-world situation. This will identify key areas of weakness that can be considered and remediated before a real incident occurs.

Ensure communication channels are detailed within the organisation – the business continuity plan should define, for each scenario, the go-to team and the people needed to help resolve it. Knowing who needs to be involved speeds up recovery, rather than having people searching for the right teams while under high time pressure.

Disaster could strike at any time of day or night, and the last thing you want is to be working out who to call at 3am. Have plans for any regulatory or external communications you might need to make in the case of a GDPR breach, or where the attack on your organisation has wide external consequences. This might mean informing your suppliers, the ICO, customers or the wider industry of what has happened and the steps you are taking to remediate.

Four top recommendations for effective incident response include:

  • Partners – know your supporting partners and contact details/process – Cyber Incident Response (CIR), Insurance, Legal
  • Decision process – Board responsibilities – have clear and known Board level decision and escalation processes
  • Empowering decision makers – rehearse and engage with Board stakeholders, educate any that are not Cyber aware
  • Exercising and planning, prioritise information sharing (reporting) etc

Disaster recovery planning

Disaster recovery plans go into greater depth than the business continuity plan, defining the recovery objectives and how systems and data need to be protected during an outage. The recovery time objective (RTO) is the maximum acceptable time a system or component can be down before it starts causing unacceptable damage to the organisation. This will be specific to each component of the organisation and will be based on the results of the business impact assessment (BIA).

As part of this process you will also need to define a recovery point objective (RPO), which answers the question: how much data can we afford to lose in the event of a disaster? If the answer is that you cannot afford to lose any of this data, you may need to consider how to improve your security posture to protect it, because any system can be compromised.

For data that your organisation feels it could afford to lose, build your disaster recovery plans accordingly.
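As an added illustration (not from the toolbox or from Cyberfort), the following Python sketch applies BIA-style RTO and RPO objectives to the cloud outage scenario above. The services, their objectives and the outage figures are constructed, and it assumes that waiting out the provider loses no data while failing over to a restored copy loses everything since the last backup.

```python
from dataclasses import dataclass


@dataclass
class Service:
    name: str
    rto_hours: float        # max tolerable downtime from the BIA
    rpo_hours: float        # max tolerable data-loss window from the BIA
    failover_hours: float   # time needed to fail over to another region/provider


@dataclass
class Outage:
    duration_hours: float           # how long the provider's datacentre is unavailable
    hours_since_last_backup: float  # age of the most recent restorable copy


def assess(services, outage):
    """Return per-service findings and a prioritised recovery order."""
    findings = []
    for s in services:
        # Downtime is the shorter of waiting for the provider or failing over ourselves.
        downtime = min(outage.duration_hours, s.failover_hours)
        fails_over = s.failover_hours < outage.duration_hours
        # Assumption: failing over restores from backup, so data since it is lost;
        # waiting for the provider to recover loses nothing.
        data_loss = outage.hours_since_last_backup if fails_over else 0.0
        findings.append({
            "name": s.name,
            "rto_hours": s.rto_hours,
            "downtime_hours": downtime,
            "rto_breached": downtime > s.rto_hours,
            "data_loss_hours": data_loss,
            "rpo_breached": data_loss > s.rpo_hours,
        })
    # Recovery order: services that breach an objective first, then shortest RTO.
    findings.sort(key=lambda f: (not (f["rto_breached"] or f["rpo_breached"]), f["rto_hours"]))
    return findings


# Constructed sample BIA entries and a constructed eight-hour outage.
SERVICES = [
    Service("customer web portal", rto_hours=2, rpo_hours=1, failover_hours=4),
    Service("internal wiki", rto_hours=24, rpo_hours=24, failover_hours=6),
    Service("payments api", rto_hours=1, rpo_hours=0.25, failover_hours=0.5),
]
OUTAGE = Outage(duration_hours=8, hours_since_last_backup=3)

if __name__ == "__main__":
    for f in assess(SERVICES, OUTAGE):
        print(f)
```

The output makes the toolbox's point concrete: the payments API meets its RTO but its three-hour-old backup breaches a 15-minute RPO, so the remediation priority is the backup cadence, not the failover runbook.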

How do business continuity and disaster recovery plans benefit the organisations who have invested in them?

Reduced downtime – keeping any incident-related downtime to a minimum is key to maintaining a good relationship with stakeholders. If your organisation finds itself unable to recover, previous customers may move to competitors who were able to maintain operations during cyber attacks or incidents.

Lower financial risk – the average cost of a data breach had been increasing year on year until last year, when it fell by 9% to $4.4 million due to faster identification and containment as organisations became more aware of their general risk landscape.

Reduction in penalty risk – having a plan to mitigate data loss reduces the overall security risk around your organisation’s data. Without appropriate measures in place to start data or system recovery, the organisation can be left open to high penalties for losing sensitive customer information. This is most prevalent in healthcare, finance and government environments. Having plans and steps in place to recover your systems should the worst happen might be the key to keeping your organisation functional during a cyber security incident – without them, your organisation may be unable to fully recover.
