How certifying the security of SCS brings confidence to global digital markets

Ensuring the secure provision of Supply Chain Services (SCS) at national, European and, even more importantly, international level is a major challenge. The European project CYRENE treats security certification of the SCS as a key mitigation measure and proposes a cybersecurity certification scheme, a risk and conformity assessment methodology, and a tool that implements the SCS certification process.

All critical sectors (e.g. transport, energy, health, finance) base their business activities on Supply Chain Services (SCS). Delivering goods (e.g. vehicles, pharmaceuticals) and transporting people are typical SCS in every sector. During the pandemic, for example, we saw how important the secure, global distribution and delivery of vaccines was.

Common threats of the Supply Chain Services

The most common threats to the SCS are: theft, environmental damage, masquerading of identities, terrorism, physical damage, strikes, eavesdropping, interception of emissions or sensitive information, asset hijacking, traffic manipulation, data poisoning and data manipulation, social engineering, malware, abuse of identities or data privileges, manipulation of information, spoofing or jamming of geolocation signals, and failures and malfunctions of the cyber assets of the SCS.

Impact of Supply Chain Services threats

When these threats materialise they can lead to a variety of impacts, such as theft of cargo and goods, theft of sensitive and critical data, illegal trafficking, damage to or destruction of systems, environmental disaster, or even human injury or death. Additional impacts for organisations include economic paralysis, financial losses and costs, kidnapping, fraud and theft of money, among many others.

The 2021 ENISA report on supply chain attacks (ENISA 2021) catalogues a number of such attacks. The report also characterises supply chain attacks as intentional incidents that affect suppliers.

CYRENE takes a broader view: any incident, intentional or not, that causes damage, interruption or delay to the provision of the SCS is considered a threat to the SCS.

Supply Chain Services under a European framework for digital security

The new Digital Services Act package, comprising the Digital Services Act and Digital Markets Act proposals, will contribute towards safer SCS. In particular, the proposed Digital Services Act introduces a series of rules that, if applied, make SCS more resilient to both intentional and unintentional incidents. Among these new rules are:

    • removal of illegal goods, services or content online;
    • safeguards for users whose content has been erroneously deleted by platforms;
    • obligations for very large platforms to take risk-based action to prevent abuse of their systems;
    • access for researchers to key platform data, to better understand how large-scale platforms operate;
    • traceability of business users in online marketplaces, to help track down sellers of illegal goods or services.

The European Chips Act aims to monitor industrial supply chains, ensuring the resilience of the entire semiconductor supply chain, including design, production, packaging, equipment and suppliers such as wafer producers. It will also support the development of European fabrication plants and energy-efficient semiconductors. In CYRENE terminology, the European Chips Act addresses the technical-component perspective of the SCS.

The proposed NIS2 directive obliges more entities and sectors to take cybersecurity measures; it addresses, for the first time, the cybersecurity of the ICT supply chain (with emphasis on IoT) and streamlines reporting obligations. It introduces more stringent supervisory measures and stricter enforcement requirements, including harmonised sanctions across the EU.

CYRENE contributes to the implementation of NIS2 for the case of the SCS: it proposes an online, collaborative Information Security Management System (ISMS) for the SCS, hosted and operated by the SCS provider, in which all business partners (e.g. suppliers, third parties, customers, consumers) can collaborate and share cybersecurity intelligence, perform the SCS risk assessment, apply mitigation measures and generate the protection profile (PP) of the SCS.

The Cybersecurity Act, a Regulation of the European Parliament and the Council, promotes cybersecurity certification for ICT products, services and processes (software, hardware, processes, services), scales up the response to cyber-attacks, and promotes cyber resilience and consumer trust within the EU. The EUCC, the Common Criteria-based European cybersecurity certification scheme, serves as a template for proposing security certification schemes for ICT products.

CYRENE has proposed a tailored, risk-based security and privacy certification scheme for the SCS based on the EUCC. In particular, CYRENE developed a conformity assessment methodology by which an assessor evaluates the conformity of the PP of the SCS; all the information and evidence the assessor needs is held in the SCS-ISMS.

The Directive of the European Parliament and the Council on liability for defective products covers defective products of all kinds. An SCS can be regarded as a digital product and may therefore fall under this Directive; in the SCS context, a defect translates to an interrupted or damaged, and thus insecure, SCS.

So what do you think? Would your organisation use the CYRENE ISMS? Reach out to us and share your views, either through our contact form or by following our social media accounts on Twitter and LinkedIn.

Don’t forget to subscribe to our Newsletter for regular updates!

This blog is signed by: the Focal Point team

KEY FACTS

Project Coordinator: Sofoklis Efremidis
Institution: Maggioli SPA
Email: info{at}cyrene.eu
Start: 1-10-2020
Duration: 36 months
Participating organisations: 14
Number of countries: 10

FUNDING

This project has received funding from the European Union's Horizon 2020 Research and Innovation programme under grant agreement No 952690. The website reflects only the view of the author(s) and the Commission is not responsible for any use that may be made of the information it contains.