Regulations and Compliance Resources for Software Supply Chains

Navigating new regulations with key resources and guidance for staying informed and compliant.

Regulations Around the World

What’s happening in the United States

Further US analysis

What’s happening in the European Union

  • The Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, governs the digital operational resilience of financial entities. It entered into force on January 16, 2023 and applies from January 17, 2025.
  • The Network and Information Security Directive (NIS2 Directive, Directive (EU) 2022/2555), approved in 2022, sets new cybersecurity standards across the European Union. It entered into force on January 16, 2023, and member states had until October 17, 2024 to transpose it into national law.
  • On the heels of the CRA, draft updates to the Product Liability Directive (PLD) give specific attention to increased liability for Open Source Software projects and, like the CRA, have drawn negative feedback from the OSS community.
  • On September 15, 2022, the European Commission published the first draft of the Cyber Resilience Act (CRA). Throughout 2023 the Open Source Software community widely criticized the draft as potentially restrictive and detrimental to open source in Europe and beyond.

Further EU analysis

What’s happening in Australia

  • Australia, together with the United States, Japan, and India, forms the Quad Cybersecurity Partnership. In May 2023, the group published its Joint Principles for Secure Software, which set guidelines for strengthening software security, encourage the adoption of secure software development practices, and establish guidelines for software procurement and use within government.
  • In February 2017, the Australian Cyber Security Centre (ACSC), part of the Australian Signals Directorate (ASD), published its Strategies to Mitigate Cyber Security Incidents. Included in this is the Essential Eight, a baseline set of eight mitigation strategies considered essential for organizations, together with the Essential Eight Maturity Model, which defines the maturity levels against which an organization's implementation is assessed.
  • The Information Security Manual (ISM), also produced by ASD, provides cybersecurity guidance that organizations can apply to protect their systems and data from cyber threats.
  • Prudential Standard CPS 234 Information Security, issued by the Australian Prudential Regulation Authority (APRA), the regulator responsible for Australia's financial institutions, took effect on July 1, 2019. The standard applies to all APRA-regulated entities and requires them to maintain an information security capability commensurate with the threats they face, including where information assets are managed by third parties.
  • In July 2013, APRA issued Prudential Standard CPS 231 Outsourcing, which sets requirements for the oversight, due diligence, and ongoing monitoring of outsourced services so that outsourcing does not compromise an APRA-regulated entity's ability to meet its obligations.

Read more on the Quad Cyber Security Partnership

What’s happening in Canada

  • In April 2023, the Canadian Centre for Cyber Security (the Cyber Centre) co-sealed the CISA-led publication “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and Default,” alongside the Australian Cyber Security Centre (ACSC) and other partner agencies. The document signals a shift in placing responsibility for cybersecurity outcomes on the organizations that build software.
  • In February 2023, the Cyber Centre published “Protecting your organization from software supply chain threats,” offering guidance and best practices for securing software supply chains.
  • In October 2022, the Cyber Centre released its National Cyber Threat Assessment 2023-2024, warning that state-sponsored and criminal cyber threat activity is increasingly likely to affect Canadians.

Further Canada analysis

What’s happening in Germany

  • As an EU member state, Germany had until October 17, 2024 to transpose the Network and Information Security Directive (NIS2 Directive), which was approved in 2022 and sets new cybersecurity standards across the EU. A German law implementing NIS2 has been submitted and is expected to revise the Act on the Federal Office for Information Security (BSI Act, BSIG).
  • The EU Cyber Resilience Act is expected to be fully adopted in 2024, with most of its provisions enforceable from 2027. Any manufacturer placing a product with digital elements on the EU market will have to meet a minimum level of cybersecurity and vulnerability-reporting requirements.
  • In April 2023, the German Federal Office for Information Security (BSI) released SBOM requirements intended to prepare manufacturers for the CRA's forthcoming obligations.

More on the Shifting Balance of Cybersecurity Risk document

What’s happening in India

Read more on the Quad Cyber Security Partnership

What’s happening in Japan

Read more on the Quad Cyber Security Partnership

What’s happening in New Zealand

  • In April 2023, New Zealand's National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team New Zealand (CERT NZ) co-sealed the CISA-led publication “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and Default,” alongside the Australian Cyber Security Centre (ACSC) and other partner agencies. The document signals a shift in placing responsibility for cybersecurity outcomes on the organizations that build software.

More on the Shifting Balance of Cybersecurity Risk document

What’s happening in the United Kingdom

  • UK organizations that provide in-scope services in the EU may fall within the Network and Information Security Directive (NIS2 Directive), which was approved in 2022 and sets new cybersecurity standards across the European Union; EU member states had until October 17, 2024 to transpose it into national law. Domestically, the UK's own Network and Information Systems (NIS) Regulations 2018 continue to apply.
  • In April 2023, the United Kingdom’s National Cyber Security Centre (NCSC-UK) co-sealed the CISA-led publication “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and Default,” alongside the Australian Cyber Security Centre (ACSC) and other partner agencies. The document signals a shift in placing responsibility for cybersecurity outcomes on the organizations that build software.
  • In February 2023, the UK government issued a call for views on software resilience and security for businesses and organizations, following up its July 2022 proposals for legislation to enhance the country’s cyber resilience.
  • In December 2022, the UK government unveiled an update to its Government Cyber Security Strategy addressing supply chain vulnerabilities and assigned the Department for Digital, Culture, Media and Sport (DCMS) to implement updated Network and Information Systems (NIS) regulations in collaboration with the National Cyber Security Centre.

More on the Shifting Balance of Cybersecurity Risk document

76% of U.S. enterprises have adopted a software bill of materials (SBOM) since the introduction of Executive Order 14028.

Simplify SBOM compliance and security monitoring