Glossary term
Supply Chain Risk
Also: Software Supply Chain Risk
Risks from the software and hardware supply chain: compromised open-source packages, build-pipeline attacks, updates with backdoors, sub-suppliers without an audit trail. Managing them is mandatory under NIS2 Art. 21 (d) and DORA Art. 28 (sub-outsourcing).
Known incidents: SolarWinds (2020, update compromise), Log4Shell (2021, CVE-2021-44228), 3CX (2023, double supply chain compromise), XZ Utils (2024, backdoor in an open-source library).
Standards and frameworks: NIST SSDF (Secure Software Development Framework), SLSA (Supply-chain Levels for Software Artifacts), OWASP SCVS, and the Cyber Resilience Act for hardware. SBOM and VEX are the technical building blocks.
Audit cases: NIS2 explicitly requires supply-chain due diligence. DORA Art. 28 requires an eligibility assessment, including sub-suppliers, before every ICT third-party contract. The EU Cyber Resilience Act, from 2027, imposes security requirements on manufacturers across the entire product lifecycle.
Related terms
SBOM
Machine-readable inventory of all components in a piece of software, incl. versions, licences and dependencies…
CVE
Global identifier for publicly known security vulnerabilities in software and hardware. Format CVE-Y…
TPRM
Discipline and tool category for governing risks from external providers (SaaS, cloud, outsourcing, …
SASE
Gartner architecture category combining network (SD-WAN) and security functions (SWG, CASB, ZTNA, FW…
Schrems II
CJEU ruling of 16 July 2020 that invalidated the EU-US Privacy Shield and only allowed Standard Cont…
SIEM (Security Information and Event Management)
A platform that centralises security logs, enables long-term retention, runs correlation rules and s…
SOC 2 Type 2
Audit report by a US public accountant under AICPA SSAE 18 standard, confirming the operating effect…
Sovereign cloud
A cloud deployment model that guarantees operational, legal and technical control of data and worklo…
