With supply chain attacks on the rise, organisations should review the recommendations set out in a new ENISA report and monitor potential changes to the incident threshold levels for cloud providers and other digital service providers under the UK’s NIS regime.

The recent attack on Florida software company Keseya highlights just how disruptive, and widespread, supply chain cyber-attacks can be. Through targeting Kesaya, the attackers were able to affect more than 200 companies in its global supply chain.  And supply chain attacks are on the rise. ENISA’s recent report Threat Landscape for Supply Chain Attacks estimates that “there will be four times more supply chain attacks in 2021 than 2020”.

EU: ENISA Report

The ENISA report, published on 29 July 2021, highlights that the stronger an organisation’s cyber security becomes, the more of a target their suppliers become. It is no longer enough for an organisation to have good cyber-attack defences but it must ensure its suppliers also apply good practices. ENISA therefore provides a list of recommendations for:

  • Customers:
    • On managing supply chain cybersecurity risk: e.g. defining risk criteria for different types of suppliers and services.
    • On managing relationship to suppliers; e.g. classifying assets and information shared with, or accessible by, suppliers and determining specific procedures for accessing and handling them. 
  • Suppliers:
    • On secure development of products and services; e.g. offering Conformance Statements to customers for known standards.
    • On implementing good practices for vulnerability management; e.g. monitoring security vulnerabilities reported by internal and external sources that includes used third party components. 

The recommendations for both will be of interest to customers, who may want to include protections (e.g. around standards) in their contracts with suppliers and should be monitoring beyond just the first tier of their supply chain (i.e. beyond the supplier itself and further down into their sub-contractors and beyond). 

UK: NIS Thresholds 

Closer to home, the UK Government is also concerned with supply chain risk. On 26 July 2021 the Department for Digital, Culture, Media and Sport (the DCMS) launched a Call for Views on its approach to fix a Brexit related deficiency in the NIS Regulations. This could help improve supply chain security for organisations who use relevant digital service providers - such as cloud providers. The proposals suggest lowering the incident reporting thresholds of these service providers, which could encourage them to improve their cyber security and provide more transparency and regulatory scrutiny when incidents do occur. 

NIS Background:
The NIS Regulations (which originally implemented the EU’s NIS Directive) are targeted at ensuring the security of network and information systems in critical sectors. Organisations within the scope of the NIS Regulations have a duty to report significant incidents that have an impact on the continuity of their services. The incident reporting thresholds for operators of essential services (OESs) like transport and energy suppliers are currently provided by ‘Competent Authorities’ (i.e. national regulators for the relevant sector) which means they can be set at the appropriate level for the UK market. But for digital services, which often transcend borders, the thresholds were originally set out at an EU level for the 28 Member States. 

Following Brexit the DCMS is proposing to reduce the digital services thresholds to a level proportionate to the smaller UK market. The DCMS proposes that the ICO (as the Competent Authority for digital services) will set these thresholds via issued guidance, which would be consistent with the approach for setting incident reporting thresholds for OESs. The DCMS is currently asking for views on this proposal. 

Potential implications:
By lowering these reporting thresholds, the incident reporting obligations may:

  1. become more demanding for relevant digital service providers who will now be subject to lower thresholds in the UK specifically; and 
  2. create difficulties for relevant digital service providers due to the discrepancy between the UK and EU regimes. 

However, as mentioned above, it may also benefit customers who use these service providers, for example by improving cyber security standards in the market, helping them further manage their supply chain risk. 

Next steps
The closing date for responses to the Call for Views is Friday 27 August 2021. Following this the government will conduct an analysis of the responses and provide feedback; only after this will an amendment to the NIS Regulations be issued.