According to the latest ‘Cyber Threat Landscape’ report published by ANSSI [1], since the late 2010s, companies have been facing an intensification of attacks targeting their ‘Supply Chain’. It is necessary to regulate and prevent these new cyber risks in a context where dependence on third parties and the increasing interconnection of systems make the entire supply chain more vulnerable to cyber threats.
Definition: The supply chain is a term that encompasses all the tools (software, equipment) and stakeholders involved in the production, transformation, and distribution of a product or service, linking suppliers, manufacturers, distributors (hereinafter referred to as ‘partners’) and customers through interconnected physical, informational, and financial flows.
1. What are the cybersecurity challenges related to the supply chain?
Beyond the usual consequences such as business interruptions, data breaches, or reputational damage, ensuring the cybersecurity of the supply chain presents specific and complex challenges for companies. The proliferation of technological and commercial interdependencies within supply chains creates specific vulnerabilities, requiring tailored vigilance.
An increasing systemic vulnerability of supply chains to cyberattacks
The supply chain has become one of the prime targets for cyber attackers, who exploit the technical and commercial links between a company and its partners. This type of cyberattack has a multiplier effect on the operational resilience of businesses: by compromising a single link, the attack spreads exponentially while remaining relatively discreet to the final target.
For example, the Kaseya incident [2] of summer 2021 is a significant precedent: the VSA software, a tool widely used by managed service providers to remotely manage updates and maintenance of their clients’ systems, was compromised by the REvil cybercriminal group. The attackers modified the software’s source code to introduce a malicious feature that allowed the deployment of ransomware. The criminal group thus succeeded in infecting thousands of computers belonging to the clients of providers using the Kaseya VSA solution.
This cascading attack perfectly illustrates the digital contagion generated by a supply chain attack: by compromising a single IT service provider, the cybercriminals were able to reach dozens of managed service providers, and then, by extension, more than a thousand end clients. This incident demonstrates how the security of a single provider can impact a vast ecosystem, or even multiple sectors simultaneously.
The economic impact of cyberattacks on logistical performance can be considerable: prolonged delays, operational disruptions, and major financial losses, forcing companies to redouble their vigilance in managing cyber risks.
The main cyberattacks targeting the supply chain
The main cyberattacks targeting the supply chain manifest primarily in two ways:
Attacks by compromising software or equipment in the supply chain
Supply chain solutions and software, designed to control logistical and operational flows, must incorporate a rigorous cybersecurity approach from their inception to avoid data breaches or large-scale compromises.
In these scenarios, the attacker compromises a software or computer component to affect all end users. Recent incidents such as the compromise of the 3CX Desktop App (2023) [3] or the X_TRADER [4] financial software demonstrate that a vendor can serve as a vector for large-scale attacks.
The insertion of malicious code into open-source projects (such as the attack targeting the XZ Utils project [5], used in many Linux operating systems) also illustrates the inherent complexity of securing the software supply chain, particularly when the attacker manages to infiltrate the project’s maintenance team. It is therefore imperative to ensure that the tools integrated into the company are secure, regularly updated, and designed according to security-by-design principles. If open-source solutions are used, developers must conduct a thorough security review of these software programs.
Cyberattacks via partners
This method involves compromising a subcontractor with privileged access to the target company’s information system. The attacker then exploits the potentially less robust security level of a partner to move, almost undetectably, toward the targeted company.
For example: an IT service provider working for several large companies experiences a major breach in its systems. The attackers then use the provider’s legitimate and privileged access to infiltrate the information systems of its clients. These accesses, being authorized and used daily, do not trigger any security alerts on the client’s system. Cybercriminals can then freely navigate the networks of client companies, view confidential information, and extract sensitive data without being detected for weeks or even months.
Therefore, it is not enough to secure only one’s own information system without managing the risks associated with partners: it is also necessary to audit the systems of one’s own service providers.
The regulatory framework and legal obligations to comply with
In a context of increasing cyberattacks, several European and national regulations require companies to strengthen their cybersecurity, which has direct implications for their supply chain.
The regulatory framework for cybersecurity is based, in particular, on the following texts:
- The NIS2 directive (Directive (EU) 2022/2555), which applies to ‘essential’ or ‘important’ entities (transport, energy, banking, health, digital infrastructures, etc.) designated by each EU Member State;
- The DORA Regulation (Digital Operational Resilience Act — Regulation (EU) 2022/2554), which concerns financial actors (credit institutions, insurance companies, payment service providers) and their critical suppliers;
- The GDPR (Regulation (EU) 2016/679), applicable to any organization processing personal data of EU residents;
- The CER Directive (Critical Entities Resilience — Directive (EU) 2022/2557), which targets critical entities (energy, transport, health, water, digital infrastructures, etc.) designated by each Member State;
- The CRA Regulation (Cyber Resilience Act — Regulation (EU) 2024/2847), which concerns entities that place products with digital elements on the market;
- The Cybersecurity Act (Regulation (EU) 2019/881), which aims to establish sectoral certification schemes for cybersecurity for manufacturers and providers of products, services, and processes in information and communication technologies;
- The Military Programming Law (Law No. 2023-703 of August 1, 2023), which concerns, in particular, operators of vital importance (OIV) and certain sectors essential to French defense and national security.
These regulations generally provide security obligations that naturally extend to various service providers and subcontractors involved in the supply chain. They may require the implementation of structured processes for detecting and managing data breaches or security incidents, notifying competent authorities [6], regularly assessing cyber risks [7], implementing appropriate protective measures [8], and contractually specifying cybersecurity requirements with partners [9].
This general regulatory framework is complemented by sectoral provisions imposing specific cybersecurity requirements for certain products and services. Among these are the regulation on artificial intelligence (Regulation (EU) 2024/1689), which establishes obligations for high-risk AI systems in terms of cybersecurity [10], and the Data Governance Act (Regulation (EU) 2022/868), which requires data intermediation service providers to ensure an appropriate level of security [11].
Non-compliance with these obligations can result in particularly severe penalties for the entities concerned. For example, under NIS 2, competent authorities can impose administrative fines of up to €10 million or 2% of the entity’s total annual worldwide turnover (whichever is higher) [12].
These prospects of sanctions reinforce the need for companies and their partners to fully integrate cybersecurity requirements into their processes and contracts.
Protecting data throughout the supply chain is a major legal responsibility, particularly under the GDPR, which imposes extensive obligations on all links in the supply chain. To accurately assess your compliance and anticipate any risks, conduct a comprehensive GDPR audit with our experts today.
2. How to ensure IT security in the supply chain?
To effectively manage cybersecurity risks in the supply chain, it is first necessary to implement applicable legal and regulatory obligations, and then establish a level of security appropriate to the criticality of the data handled and the actions performed by service providers.
The necessary consideration of security levels from the selection of partners
Managing cyber risks associated with partners and their solutions requires a rigorous selection of partners based on their regulatory compliance, level of cybersecurity, and the guarantees they provide in terms of IT security. The guarantees offered by these providers should be analyzed in light of the criticality of the services concerned, particularly in relation to the sensitivity of the data processed, the level of access to the information system, and strategic dependence.
Moreover, it is imperative to establish a comprehensive map of suppliers and subcontractors to clearly identify critical dependencies and potential vulnerabilities. For certain activities deemed critical, a minimum level of security must be defined and imposed on all service providers.
Various approaches can be adopted to assess their cyber resilience:
- Search for previous incidents and data breaches associated with the prospective provider;
- Have dedicated security questionnaires completed;
- Utilize external scoring tools (BitSight, SecurityScorecard, RiskRecon) to assess the provider’s risk exposure;
- Require recognized certifications or labels (ISO/IEC 27001, SecNumCloud, PCI-DSS depending on the industry, etc.);
- Conduct in-depth analysis of the partner’s internal documents (security policies, incident logs, penetration test reports, etc.);
- Perform on-site or remote audit operations.
This initial approach to evaluating the IT security of partners must be regularly updated to incorporate changes in the cyber context and significant changes among providers (new subcontractors, expansion of contractual scopes, etc.), to prevent any emerging risks and ensure proactive management of potential vulnerabilities.
For effective cyber crisis management in the supply chain, it is useful to establish dynamic maps of technical and organizational interdependencies, as well as regular crisis scenarios.
Thoroughly securing your supply chain can also involve better addressing the risks associated with the cybersecurity of connected devices, which are often exploited as entry points by cybercriminals.
Contractual management of cyber risks in the supply chain
The step of formalizing cybersecurity requirements in contracts is crucial for structuring the relationship with the service provider, demanding an appropriate level of security for the risks involved, and being able to hold them accountable in case of failure. This involves specifying:
- Security requirements:
- Precisely define the required protective measures (encryption, strong authentication, regular patches, etc.);
- Include an extended audit right, which can be exercised by the company or a trusted third party, to regularly verify the proper implementation of agreed measures;
- Include cybersecurity performance indicators, requiring the partner to provide periodic reports on their compliance level, security updates, and improvement plans.
- Incident or vulnerability notification procedure:
- Require prompt alerts (within 24 or 72 hours, depending on the context) in case of a security incident, with a clear crisis management protocol (responsible party, communication channel, reporting, remediation plan);
- Maintain active monitoring of security alerts by relying on recognized databases (CERT, vendors, SBOM – Software Bill of Materials) and apply rigorous management of patches, systematically testing their compatibility before deployment.
- Management of cascading subcontracting:
- Require the partner to impose at least equivalent requirements on their own subcontractors as those contractually agreed upon;
- Demand increased transparency (contract excerpts, security documentation) regarding the provider’s subcontractors to avoid undetected vulnerabilities within the chain.
Internal governance and cyber risk management for enhanced operational resilience
The cyber resilience of the supply chain is not limited to establishing contractual obligations; it also requires coherent internal governance of cybersecurity and proactive risk management, where legal and procurement departments work in synergy. Depending on the criticality of activities, it is relevant to implement:
- An ad hoc committee (or coordination unit) responsible for managing the risks associated with outsourcing, setting priorities, and defining the monitoring strategy;
- Supervision and control processes, with periodic reviews of security levels, regular audits, and crisis management exercises to test the responsiveness of each stakeholder;
- Proactive vulnerability management, through a precise inventory of technical components, monitoring of alerts (vendors, CERT, etc.), and a patch management procedure, including integration tests and rapid deployment of security updates;
- A clear incident management policy to escalate alerts and incidents related to service providers to management: the faster information circulates, the more likely the response to the incident will be effective;
- The establishment of indicators (mean time to detection, correction times, number of incidents) to quantify the state of IT security and gradually improve cyber maturity.
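The SBOM-based alert monitoring asked of partners in the contractual clauses above and the internal vulnerability-management process in the governance list rest on the same mechanism: matching a component inventory against published advisories. The following is an added example, not code from the article or from Aumans Avocats; it uses a constructed CycloneDX-style SBOM and a constructed advisory feed whose identifiers are placeholders, not real CVE numbers.

```python
"""Match an SBOM inventory against an advisory feed (added example, not
from the article): constructed CycloneDX-style SBOM vs constructed advisories."""
import json
import re

# Constructed sample SBOM (CycloneDX JSON subset); names and versions are illustrative.
SBOM_JSON = """
{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  {"type": "library", "name": "liblzma", "version": "5.6.1", "purl": "pkg:generic/liblzma@5.6.1"},
  {"type": "library", "name": "openssl", "version": "3.0.13", "purl": "pkg:generic/openssl@3.0.13"},
  {"type": "application", "name": "vendor-agent", "version": "2.4.0", "purl": "pkg:generic/vendor-agent@2.4.0"}
]}
"""

# Constructed advisory feed with placeholder ids (not real CVE numbers).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "pkg:generic/liblzma", "affected": ">=5.6.0,<5.6.2", "severity": "critical"},
    {"id": "ADV-EXAMPLE-0002", "package": "pkg:generic/openssl", "affected": "<3.0.10", "severity": "high"},
    {"id": "ADV-EXAMPLE-0003", "package": "pkg:generic/vendor-agent", "affected": "<=2.4.0", "severity": "high"},
]

_OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b, "==": lambda a, b: a == b,
        ">": lambda a, b: a > b, "<": lambda a, b: a < b}

def parse_version(text):
    """Turn '5.6.1' into (5, 6, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def version_affected(version, spec):
    """True if version satisfies every comma-separated constraint, e.g. '>=5.6.0,<5.6.2'."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"(>=|<=|==|>|<)\s*([\w.]+)", clause.strip())
        if not m:
            raise ValueError(f"unsupported constraint: {clause!r}")
        if not _OPS[m.group(1)](v, parse_version(m.group(2))):
            return False
    return True

def match_sbom(sbom_json, advisories):
    """Return advisory hits for the SBOM's components, most severe first."""
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    findings = []
    for comp in json.loads(sbom_json)["components"]:
        package, _, version = comp["purl"].partition("@")  # purl form: pkg:type/name@version
        for adv in advisories:
            if adv["package"] == package and version_affected(version, adv["affected"]):
                findings.append({"component": comp["name"], "version": version,
                                 "advisory": adv["id"], "severity": adv["severity"]})
    findings.sort(key=lambda f: rank.get(f["severity"], len(rank)))
    return findings

if __name__ == "__main__":
    for f in match_sbom(SBOM_JSON, ADVISORIES):
        print(f"{f['severity']:<8} {f['component']} {f['version']} -> {f['advisory']}")
```

Run against a real SBOM export and a real advisory feed, the sorted output is the patch backlog that the contractual reporting indicators (correction times, number of open findings) can be measured on.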
When a critical supplier plays an essential role (access to privileged areas, sensitive data, critical dependence), setting up a collaborative approach with this supplier can be productive, for example through periodic follow-up committees, joint security reviews and sharing of emerging threat or vulnerability information. Critical partners can also be involved in cyber incident simulation exercises and crisis management, to ensure their ability to respond effectively in the event of an attack or compromise.
This collaborative approach allows for building a resilient and secure supply chain against cyber threats, where each actor feels both responsible and accountable for protecting the assets and data of the entire ecosystem.
Operational resilience against cyber threats becomes a key principle in partnership design: joint audits, common cybersecurity exercises, resource sharing and proactive collaboration within the ecosystem.
3. How to manage the inherent cyber risks in a Supply Chain?
Cybersecurity no longer only involves protecting the internal perimeter of a company. In the era of digital interconnection, it is crucial to manage risks that come from outside, whether they are software vendors, IT service providers or any other partner in the supply chain. The main legal obligations (NIS 2, DORA, GDPR, CER, LPM, etc.) remind us that vigilance must be constant, accompanied by rigorous reporting and permanent adaptability.
The implementation of internal processes for the selection and monitoring of partners, close collaboration between legal, IT and procurement departments, and the establishment of follow-up committees or feedback mechanisms are just a few levers to strengthen collective resilience.
At Aumans Avocats, our cybersecurity support covers all critical steps in this process:
- Development and updating of essential internal documents (security policies, impact analyses, IT charter, etc.);
- Negotiation of IT contracts;
- Implementation and monitoring of regulatory cyber obligations in contractual relationships with your suppliers and subcontractors (compliance with NIS 2, DORA, GDPR, CER, LPM, etc.);
- Dedicated trainings to sensitize teams to good cybersecurity practices and strengthened data protection in an increasingly AI-driven context.
Do you want to legally secure your supply chain and ensure its full regulatory compliance? Contact our law firm for a personalized first exchange with our specialized lawyers.
Sources:
- Panorama de la menace informatique 2024 – Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI), published early 2025;
- White paper – Supplier-related cyber risk: preventing and managing supply chain cyber risks – Board of Cyber, November 2023;
- Good Practices for Supply Chain Cybersecurity – European Union Agency for Cybersecurity (ENISA), June 2023;
- Supply Chain Cybersecurity: Information Bulletin – Cybersecurity and Infrastructure Security Agency (CISA), 2024;
- Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations – National Institute of Standards and Technology (NIST), Special Publication 800-161 Revision 1, 2023;
- Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union (NIS 2 Directive);
- Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector (Digital Operational Resilience Act – DORA);
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation – GDPR);
- Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities (Critical Entities Resilience – CER);
- Law No. 2023-703 of 1 August 2023 on military programming for the years 2024 to 2030 and containing various provisions concerning defence (LPM 2024-2030);
- Regulation (EU) 2022/868 of the European Parliament and of the Council of 30 May 2022 on European data governance (Data Governance Act – DGA);
- Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence (Artificial Intelligence Act – AI Act);
- Regulation (EU) 2023/2584 of the European Parliament and of the Council of 13 December 2023 on harmonised rules on fair access to and use of data (Data Act);
- Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA and on cybersecurity certification (Cybersecurity Act).
- [1] Panorama de la menace informatique 2024 – Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI), 2025 edition ↩︎
- [2] https://www.latribune.fr/technos-medias/informatique/cyberattaque-kaseya-le-coup-de-poker-manque-du-fbi-contre-le-terrible-gang-revil-892876.html ↩︎
- [3] https://www.cert.ssi.gouv.fr/alerte/CERTFR-2023-ALE-003/ ↩︎
- [4] https://www.security.com/threat-intelligence/xtrader-3cx-supply-chain ↩︎
- [5] https://www.informatiquenews.fr/lecons-a-tirer-de-la-cyber-attaque-xz-utils-thomas-segura-gitguardian-99125 ↩︎
- [6] For example, Article 23 of the NIS 2 Directive provides for an obligation to notify significant incidents within 24 hours for the early warning and within 72 hours for the formal notification. ↩︎
- [7] For example, Article 8 of the DORA Regulation requires financial entities to put in place arrangements for managing risks related to information and communication technologies, including regular assessments. ↩︎
- [8] For example, Article 21 of the NIS 2 Directive requires the implementation of appropriate technical and organisational measures to manage the identified risks. ↩︎
- [9] For example, Article 24 of the NIS 2 Directive provides that entities must manage supply chain risks, including by imposing security requirements on suppliers. Likewise, Article 28 of the GDPR provides that controllers must use only processors that offer sufficient guarantees to implement appropriate technical and organisational measures to meet the requirements of the Regulation. ↩︎
- [10] AI Act, Article 15: “1. High-risk AI systems shall be designed and developed in such a way that they achieve an appropriate level of accuracy, robustness, and cybersecurity, and that they perform consistently in those respects throughout their lifecycle.” ↩︎
- [11] DGA, Article 12: “the data intermediation services provider shall take necessary measures to ensure an appropriate level of security for the storage, processing and transmission of non-personal data, and the data intermediation services provider shall further ensure the highest level of security for the storage and transmission of competitively sensitive information;” ↩︎
- [12] NIS 2, Article 34(4). ↩︎