I am using this page to store information and great articles on how Cybersecurity is or is not working in Supply chains.

This page is split into three sections

1. Guidance and Standards impacting NIS2, DORA and Supply Chains from a Cybersecurity and compliance perspective
2. Research from various sources on NIS2, DORA and Supply Chains from a Cybersecurity and compliance perspective
3. Articles and publications on NIS2, DORA and Supply Chains from a Cybersecurity and compliance perspective

Guidance and Standards

UK NCSC Guidance

• Cybersecurity considerations 2025: Government & public sector
• Supply Chain page on the NCSC website updates 12/10/2023
• How to assess and gain confidence in your supply chain cyber security. Practical steps to help medium to large organisations gain assurance about the cyber security of their organisation’s supply chain.
• Supply chain security guidance. Proposing a series of 12 principles, designed to help you establish effective control and oversight of your supply chain.
• Mapping your supply chain. How organisations can map their supply chain dependencies so that risks in the supply chain can be better understood and managed.

Standards

• UK ICO Guidance – Supply chain attacks
• Implementing and delegated acts – DORA
• dora-regulation-rts–2024-1532_en.pdf – European Commission
• Digital Operational Resilience Act (DORA)
• DORA raises the stakes for cloud use in financial services
• Navigating DORA: A comprehensive overview of the Digital Operational Resilience Act – CapGemini
• The Digital Operational Resilience Act: the next step in a connected digital world
• SR: Supply Chain Risk Management
• ENISA – Good Practices for Supply Chain Cybersecurity
• US NIST DFARS Update 23/4/23 – 252.239-7018 Supply Chain Risk
• The Supply Chain Integrity, Transparency and Trust (SCITT)
• The NIS2 Directive: A high common level of cybersecurity in the EU
• NPSA Supply Chain Guidance
• Australian Government Cyber Supply Chains
• USA EPA Supply Chain Guidance
• USA CISA – Information and communications Technology Supply Chain Risk Management Guidance
• USA – ESF Partners, NSA, and CISA Release Software Supply Chain Guidance for Suppliers
• ENISA – NIS2 – the full document
• ENISA – NIS Directive tool
• ENISA – NIS Investments Report 2020
• ENISA – NIS Investments Report 2021
• ENISA – NIS – Minimum Security Measures for Operators of Essentials Services
• ENISA – NIS – Interdependencies between essential and important entities
• NIST – Cybersecurity Supply Chain Risk Management
• NIST SP 800-161 Rev. 1 – Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations
• NIST IR 8276 – Key Practices in Cyber Supply Chain Risk Management: Observations from Industry
• Securing the software Supply Chain – recommended practices guide for developers
• OpenSSF – The Open Source Security Foundation’s SLSA v1.0

Research

• Bitsight – Bitsight reveals global surge in exposed, unsecured security cameras in manufacturing, healthcare
• Bitsight – New Bitsight TRACE Research Reveals Hidden Cyber Risks in Global Supply Chains
• Thales – 2024 Data Threat Report
• ISAGCA – New ISAGCA whitepaper addresses zero trust outcomes using ISA/IEC 62443 standards
• CISCO – New Cisco State of Industrial Networking Report Reveals OT Security Now a Top Priority for CIOs
• Okta – 5 key DORA requirements
• InformationWeek – Cyber Risk and Resiliency Report: How CIOs Are Dueling Disaster in 2023
• MasterCard – Balancing Third-Party Risk. How good is the company you keep?
• Allianz – Allianz Risk Barometer 2023: Cyber and business interruption top threats as economic and energy risks rise
• Coalition – Cyber Insurance – 2022 Cyber Claims Report: Mid-year Update
• JupiterONE – The 2023 State of Cyber Assets Report
• RiskLedger 2023 – The State of Cyber Security in the Supply Chain
• Sonataype – The state of the software supply chain
• Gartner – Gartner Says Cybersecurity Risk Set to Be a Primary Buying Consideration for Chief Supply Chain Officers
• Companies vulnerable to cyber-attack via suppliers – research
• Public Sector Supply Chain Cyber Risk Management (UK Edition) Registration required
• IDC – Digital-First Supply Chains – Resilient Supply Chain Report – IDC

Articles

• Six months into DORA, most financial firms are still not ready
• NATO warns ports vulnerable to ‘unprecedented’ cyber threats
• Industrial cybersecurity redefined by regulatory pressure demanding visibility, governance and harmonisation
• The Hype Machine: Unpacking Claims of Physical Consequences in Cyberattacks
• Manufacturing’s supply chain challenge: A deep dive into vulnerabilities and solutions
• A Decade of Digital Resilience – NIS2 in Practice Across the CEE Region
• The EU’s Cybersecurity Blueprint and the Future of Cyber Crisis Management
• How can businesses prepare for the UK’s Cyber Security and Resilience Bill?
• NIS 2 and Gambling – A Strategic Imperative for Gaming Operators and their Suppliers
• Supply Chain Attack Targets GitHub Repositories and Secrets
• NIS2: Understanding Cybersecurity Incident Notifications
• European Union: Who does NIS2 apply to and what are the key obligations?
• It’s time to secure the extended digital supply chain
• Cyber: The rise in third-party risks calls for greater transparency
• Third-party vulnerabilities plague the insurance industry as 59% of breaches involve external partners
• Third-Party Cyber Risk Management: Taking a Strategic Approach
• Third Parties Became the Biggest Threat to Cybersecurity in 2024
• Is a lack of supply chain visibility undermining board-level confidence in cyber security programs?
• Helping the financial sector deliver secure and modern infrastructure through regulation
• Directors ‘unaware’ of their personal liability under EU’s new cyber directive
• Regulation watch: How to get ready for NIS2
• Final countdown to NIS2: How ISO 27001 accreditation can be a key ally in achieving compliance
• Majority of Companies will Miss Looming NIS2 Deadline as New European Union Cybersecurity Directive Goes into Effect
• The UK Cybersecurity and Resilience Bill – a different approach to NIS2 or a British sister act?
• NIS2 Deadline Fast Approaching: Insurers Need to Prep Now
• DORA – ESAs Publish Draft Technical Standards on ICT Subcontracting
• How UK firms can get ready for the implementation of NIS2
• NIS2 Unleashed: Rewriting the Rules of EU Cybersecurity
• Enhancing national infrastructure security by harmonization of Cybersecurity standards in OT/ICS environments
• The NIS2 Directive: Implications for Your Organization
• King’s Speech: new cyber resilience laws planned in the UK
• Decoding NIS2 to Secure Your Supply Chain
• NIS2 cybersecurity standards proposed for digital providers
• NIS2: Commission Publishes Long-Awaited Draft Implementing Regulation On Technical & Methodological Requirements And Significant Incidents
• BT – What companies need to know about the NIS2 Directive
• How to Prepare for the EU’s NIS2 Directive
• Preparing For DORA: A Guide For Financial Institutions
• Strengthening Infrastructure Security: Convergence in Utilities Industry
• Registration requirements under NIS2
• What DORA & NIS2 means for financial institutions
• The European NIS-2 Directive: Does It Apply to You?
• Watch: How Do You Get Started on Your Supply Chain Risk-Management Journey?
• Why NIS2 is set to become a ‘cornerstone’ of cybersecurity
• Supply chain: a cyber vulnerability blind spot
• Breaking Down the Strategic Guidance and National Priorities for U.S Critical Infrastructure
• The EU’s NIS2 Directive: Covered Entities, Compliance Monitoring, Risk Management, Incident Reporting, And Penalties
• Third-party vendors pose serious cybersecurity threat to national security
• Regulatory Changes Are on the Horizon. Are Companies Ready?
• Third-Party Oversight Is Needed to Stop Systemic Risk
• Preparing for NIS2 compliance
• IT resilience thanks to EU DORA and NIS2 – concept, context and history
• Robust Incident Management for Critical Infrastructure
• Getting ready for NIS2 with strong identity controls
• Supply Chain, Cloud Compromise Worries Growing in Healthcare
• NCSC Blog – Mastering your supply chain
• Cuba ransomware group exploits Veeam to hit critical infrastructure
• Ahead of DORA Deadline, Insurance Firms Must Fix Cybersecurity Measures as 1 in 4 Have a ‘C’ Rating
• A CISO’s Guide to Paying Down Software Supply Chain Security Debt
• How the NIS2 Directive Will Impact You
• A Software Bill of Materials Helps Secure Your Supply Chain
• Dora ‘critical tech vendor’ designation could cast a wide net
• Securing the Supply Chain of the 5G Network Is Critical to Its Success
• Get Started with SOC 2 for Vendor Risk Management
• DORA raises the stakes for cloud use in financial services
• NIS2 directive: cybersecurity is a joint responsibility
• CRESTCon: Jon Geaber Discusses Latest Supply Chain Security Best Practices
• Software Supply Chain Attacks Hit 61% of Firms
• 5 SBOM tools to start securing the software supply chain
• Mitigating cybersecurity threats in water and wastewater
• German Supply Chain Due Diligence Act
• How DevSecOps Addresses Supply Chain Security
• 3CX data breach shows organizations can’t afford to overlook software supply chain attacks
• Unpacking BellaCiao: A Closer Look at Iran’s Latest Malware
• Don’t Trust the Security of the Software Supply Chain
• Charity data stolen in ransomware attack on supplier
• Supply chain firms to base more business decisions on cyber risk
• How to take control of supply chains to weather a ‘perfect storm’ of disruption
• Governance of Zero Trust in manufacturing
• SBOMs should be a security staple in the software supply chain
• IBM Contributes Supply Chain Security Tools to OWASP
• UK expands scope of NIS Regulations
• What Is “Upstream” and “Downstream” in Supply Chain Management?
• The NIS2 Directive: Towards a Firmer EU-wide Cybersecurity ‎Framework
• H&M, Zara, Fast Fashion Turn to Artificial Intelligence to Transform the Supply Chain
• Disruptions from Ransomware and Cyberattacks on Supply Chains and Critical Infrastructure Sharpen Focus on OT 2023
• Supply Chains Need The Protection Of Unified Multifunctional Cybersecurity
• A Breach Is Coming for Your Supply Chain
• Software supply chain attacks are on the rise — are you at risk? 
• How to Ensure Security for IoT Edge Device Processors
• The battle for data security now falls on developers; here’s how they can win
• Why is first-party compliance control a growing concern for companies?
• NIS cyber fines risk is real, warns expert