Regulations and Compliance Resources for Software Supply Chains
Navigating new regulations with key resources and guidance for staying informed and compliant.
Featured Resources
Watch On Demand
Explore Summary
Regulations Around the World
Click on a region of the map for an update on governance and regulations
What’s happening in the United States?
- In May, 2024, CISA released its “Secure by Design Pledge,” a commitment from technology companies, including Sonatype, to build stronger cybersecurity measures into their software.
- In March 2024, CISA and the Office of Management and Budget (OMB) unveiled the final version of the Secure Software Development Attestation Form.
- Congress introduced two pieces of legislation in March 2023: The Securing Open Source Software Act of 2023 and AI for National Security Act.
- Also in March 2023, the National Cybersecurity Strategy (NCS) is introduced and becomes a cornerstone for global cybersecurity. The implementation plan was released in July 2023.
- March also saw the Refuse to Accept Policy for Cyber Devices and Related Systems Under Section 524B of the FD&C Act go into effect
- In July 2023, the Securities and Exchange Committee adopted new rules requiring organizations to disclose cybersecurity incidents and more.
- September 2023, The Department of Defense declassified its Cyber Strategy, and CISA announced its Open Source Software Security Roadmap.
What’s happening in the European Union
- In January 2023, the European Commission unveiled the Digital Operational Resilience Act (DORA), which applies to the digital resilience of financial entities. DORA goes into effect starting January 17, 2025.
- On January 16, 2023, the Network and Information Security Directive (NIS2 Directive), which was approved in 2022 and aims to set new standards for cybersecurity within the European Union, is put into force with an October 17, 2024 deadline for members of the EU to have the directive implemented.
- On the heels of the CRA, draft updates to the Product Liability Directive (PLD) include specific attention to increasing liability related to Open Source Software projects and have produced negative feedback from the OSS community in line with the CRA.
- September 15, 2022, the first draft of the Cyber Resilience Act (CRA), which throughout 2023 has been widely criticized by the Open Source Software community as potentially restrictive and detrimental to the open source community in Europe and beyond.
What’s happening in Australia
- Australia, together with the United States, Japan, and India, make up the Quad Cybersecurity Partnership. In May 2023, the group published Joint Principles for Secure Software, to set guidelines for strengthening software security, encourage the adoption of secure software practices, and establish guidelines for software procurement and usage within government.
- In February 2017, the Australian Cyber Security Centre (ACSC) and the Australian Signals Directorate launched its Strategies to Mitigate Cyber Security Incidents. Included in this is the Essential 8 Maturity Model, which outlines the minimum set of 8 preventative measures considered critical for organizations.
- The Information Security Manual (ISM), also produced by the Australian Signals Directorate, outlines cybersecurity guidance for organizations to enforce to protect their systems from cyber threats.
- In July 2019, the Australian Prudential Regulation Authority (APRA), which is responsible for protecting the country’s financial institutions, issued Prudential Standard CPS 234. This guidance applies to all APRA entities.
- In July, 2013, the APRA issued Prudential Standard CPS 231, which outlines requirements for the oversight, due diligence, and ongoing monitoring of outsourced services of APRA entities to ensure they do not compromise the entity's ability to meet its obligations.
What’s happening in Canada
- In April 2023, the Canadian Centre for Cyber Security (CCCS) contributed to the publication from the Australian Cyber Security Center (ACSC) “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and Default.” The document indicates a shift in placing responsibility of cybersecurity on software organizations.
- In February 2023, the Cyber Centre published “Protecting your organization from software supply chain threats,” offering guidance and best practices for securing software supply chains.
- In October 2022, the Canadian Centre for Cyber Security (the Cyber Centre) released its National Cyber Threat Assessment 2023-2024, warning that state-sponsored and criminal cyber threats are increasingly likely to affect Canadians.
What’s happening in Germany
- As a member of the European Union, Germany has until October 17, 2024 to adopt elements of the Network and Information Security Directive (NIS2 Directive), which was approved in 2022 and aims to set new standards for cybersecurity within the EU. In Germany, a law to implement NIS2 has been submitted and will likely result in revisions to the Act on the Federal Office for Information Security (BSI).
- The EU Cyber Resilience Act is expected to be fully adopted in 2024, and most of its provisions will be enforced starting in 2027. Any company placing products in the market with digital elements will be required to comply with a minimum level of cybersecurity and reporting.
- In April 2003, The German Federal Agency for Information Security released SBOM requirements to comply with the CRA.
What’s happening in India
- Quad Cybersecurity Partnership: Joint Principles for Secure Software, published in May 2023, aligns the United States, Japan, and Australia to strengthen software security, encourages the adoption of secure software practices, and establishes guidelines for software procurement and usage in government.
What’s happening in Japan
- Quad Cybersecurity Partnership: Joint Principles for Secure Software, published in May 2023, aligns the United States, India, and Australia to strengthen software security, encourages the adoption of secure software practices, and establishes guidelines for software procurement and usage in government.
- Landmark legislation around supply chain stability and security for critical infrastructure from 2022, “Act on Promotion of Economic Security by Integrated Implementation of Economic Measures,” went into effect in February 2023.
What’s happening in New Zealand
- In April 2023, New Zealand's National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team New Zealand (CERT NZ) contributed to the publication from the Australian Cyber Security Center (ACSC) “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and Default.” The document indicates a shift in placing responsibility of cybersecurity on software organizations.
What’s happening in the United Kingdom
- All UK organizations that do business in the EU have until October 17, 2024 to comply with the Network and Information Security Directive (NIS2 Directive), which was approved in 2022 and aims to set new standards for cybersecurity within the European Union.
- In April 2023, the United Kingdom’s National Cyber Security Centre (NCSC-UK) contributed to the publication of the Australian Cyber Security Center (ACSC) “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and Default.” The document indicates a shift in placing responsibility of cybersecurity to software organizations.
- In February 2023, the UK government called for views on software resilience and security for businesses and organizations as a follow-up to the July 2022 proposed legislation on enhancing the country’s cyber resilience.
- In December 2022, the UK government unveiled an update to its Government Cyber Security Strategy regarding supply chain vulnerabilities and assigned the Department for Digital, Culture, Media, and Sport (DCMS) to implement Network and Information Systems (NIS) regulations in collaboration with the National Cyber Security Centre.
Blog Posts
76% of U.S. enterprises have adopted a software bill of materials (SBOM) since the introduction of Executive Order 14028.
Whitepapers
Read Report
Whitepaper
Download Whitepaper
Government intervention, the rise of SBOMs and the evolution of software supply chain security
Go to Report
Download Whitepaper
Guides
Guide
Download Checklist
CRA Compliance Checklist
Download Checklist
Download the Guide
Explore Summary
Simplify SBOM compliance and security monitoring
Webinars
Watch On Demand
Watch On Demand
Watch On Demand
Videos
Watch Now