Software Supply Chain Regulations and Compliance Resources

Regulations Around the World

Click on a region of the map for an update on governance and regulations

What’s happening in the United States?

In May, 2024, CISA released its “Secure by Design Pledge,” a commitment from technology companies, including Sonatype, to build stronger cybersecurity measures into their software.
In March 2024, CISA and the Office of Management and Budget (OMB) unveiled the final version of the Secure Software Development Attestation Form.
Congress introduced two pieces of legislation in March 2023: The Securing Open Source Software Act of 2023 and AI for National Security Act.
Also in March 2023, the National Cybersecurity Strategy (NCS) is introduced and becomes a cornerstone for global cybersecurity. The implementation plan was released in July 2023.
March also saw the Refuse to Accept Policy for Cyber Devices and Related Systems Under Section 524B of the FD&C Act go into effect
In July 2023, the Securities and Exchange Committee adopted new rules requiring organizations to disclose cybersecurity incidents and more.
September 2023, The Department of Defense declassified its Cyber Strategy, and CISA announced its Open Source Software Security Roadmap.

Further US analysis

What’s happening in the European Union

In January 2023, the European Commission unveiled the Digital Operational Resilience Act (DORA), which applies to the digital resilience of financial entities. DORA goes into effect starting January 17, 2025.
On January 16, 2023, the Network and Information Security Directive (NIS2 Directive), which was approved in 2022 and aims to set new standards for cybersecurity within the European Union, is put into force with an October 17, 2024 deadline for members of the EU to have the directive implemented.
On the heels of the CRA, draft updates to the Product Liability Directive (PLD) include specific attention to increasing liability related to Open Source Software projects and have produced negative feedback from the OSS community in line with the CRA.
September 15, 2022, the first draft of the Cyber Resilience Act (CRA), which throughout 2023 has been widely criticized by the Open Source Software community as potentially restrictive and detrimental to the open source community in Europe and beyond.

Further EU analysis

What’s happening in Australia

Australia, together with the United States, Japan, and India, make up the Quad Cybersecurity Partnership. In May 2023, the group published Joint Principles for Secure Software, to set guidelines for strengthening software security, encourage the adoption of secure software practices, and establish guidelines for software procurement and usage within government.
In February 2017, the Australian Cyber Security Centre (ACSC) and the Australian Signals Directorate launched its Strategies to Mitigate Cyber Security Incidents. Included in this is the Essential 8 Maturity Model, which outlines the minimum set of 8 preventative measures considered critical for organizations.
The Information Security Manual (ISM), also produced by the Australian Signals Directorate, outlines cybersecurity guidance for organizations to enforce to protect their systems from cyber threats.
In July 2019, the Australian Prudential Regulation Authority (APRA), which is responsible for protecting the country’s financial institutions, issued Prudential Standard CPS 234. This guidance applies to all APRA entities.
In July, 2013, the APRA issued Prudential Standard CPS 231, which outlines requirements for the oversight, due diligence, and ongoing monitoring of outsourced services of APRA entities to ensure they do not compromise the entity's ability to meet its obligations.

What’s happening in Canada

In April 2023, the Canadian Centre for Cyber Security (CCCS) contributed to the publication from the Australian Cyber Security Center (ACSC) “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and Default.” The document indicates a shift in placing responsibility of cybersecurity on software organizations.
In February 2023, the Cyber Centre published “Protecting your organization from software supply chain threats,” offering guidance and best practices for securing software supply chains.
In October 2022, the Canadian Centre for Cyber Security (the Cyber Centre) released its National Cyber Threat Assessment 2023-2024, warning that state-sponsored and criminal cyber threats are increasingly likely to affect Canadians.

Further Canada analysis

What’s happening in Germany

As a member of the European Union, Germany has until October 17, 2024 to adopt elements of the Network and Information Security Directive (NIS2 Directive), which was approved in 2022 and aims to set new standards for cybersecurity within the EU. In Germany, a law to implement NIS2 has been submitted and will likely result in revisions to the Act on the Federal Office for Information Security (BSI).
The EU Cyber Resilience Act is expected to be fully adopted in 2024, and most of its provisions will be enforced starting in 2027. Any company placing products in the market with digital elements will be required to comply with a minimum level of cybersecurity and reporting.
In April 2003, The German Federal Agency for Information Security released SBOM requirements to comply with the CRA.

More on the Shifting Balance of Cybersecurity Risk document.

What’s happening in India

Quad Cybersecurity Partnership: Joint Principles for Secure Software, published in May 2023, aligns the United States, Japan, and Australia to strengthen software security, encourages the adoption of secure software practices, and establishes guidelines for software procurement and usage in government.

What’s happening in Japan

Quad Cybersecurity Partnership: Joint Principles for Secure Software, published in May 2023, aligns the United States, India, and Australia to strengthen software security, encourages the adoption of secure software practices, and establishes guidelines for software procurement and usage in government.
Landmark legislation around supply chain stability and security for critical infrastructure from 2022, “Act on Promotion of Economic Security by Integrated Implementation of Economic Measures,” went into effect in February 2023.

What’s happening in New Zealand

In April 2023, New Zealand's National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team New Zealand (CERT NZ) contributed to the publication from the Australian Cyber Security Center (ACSC) “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and Default.” The document indicates a shift in placing responsibility of cybersecurity on software organizations.

More on the Shifting Balance of Cybersecurity Risk document

What’s happening in the United Kingdom

All UK organizations that do business in the EU have until October 17, 2024 to comply with the Network and Information Security Directive (NIS2 Directive), which was approved in 2022 and aims to set new standards for cybersecurity within the European Union.
In April 2023, the United Kingdom’s National Cyber Security Centre (NCSC-UK) contributed to the publication of the Australian Cyber Security Center (ACSC) “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and Default.” The document indicates a shift in placing responsibility of cybersecurity to software organizations.
In February 2023, the UK government called for views on software resilience and security for businesses and organizations as a follow-up to the July 2022 proposed legislation on enhancing the country’s cyber resilience.
In December 2022, the UK government unveiled an update to its Government Cyber Security Strategy regarding supply chain vulnerabilities and assigned the Department for Digital, Culture, Media, and Sport (DCMS) to implement Network and Information Systems (NIS) regulations in collaboration with the National Cyber Security Centre.

More on the Shifting Balance of Cybersecurity Risk document