Analysis

Deglobalisation and supply chain security

De-globalisation and global de-risking are fundamentally transforming global supply chains. This trend will amplify cyber security risks in the short- to medium-term. Find out why in this latest article.


Amidst intensifying trade wars, protectionism and export control measures, as well as sweeping sanctions regimes, governments and businesses are increasingly under pressure to re-engineer their global supply chains.

While these moves might be justified on national security and resilience grounds, such upheavals are likely to amplify cyber-risks and expose organisations to a period of heightened supply chain cyber-insecurity, at least in the short- to medium-term.

Trade wars and sanctions

The imposition of widespread US tariffs and the retaliatory responses by US allies and strategic competitors alike are forcing companies to de-risk, resulting in a scramble for alternative suppliers in different jurisdictions. The levying of tariffs on critical materials, such as semiconductors, rare earth metals and advanced electronics in particular, has already driven up costs and triggered urgent, sometimes hasty, procurement shifts. After the US imposed tariffs on Chinese networking equipment, for example, many American firms rapidly pivoted to suppliers in Southeast Asia and Eastern Europe in a rush to avoid financial penalties.

Sanctions, stringent new export controls and a variety of other restrictive regulatory and legal measures have compounded these pressures to revisit even long-standing supplier relationships. The US, EU, and UK have imposed broad restrictions on technology exports to Russia and China, as well as on entities linked to military or surveillance activities. A recent UK sanctions package, for instance, targeted dozens of entities and introduced new compliance requirements, compelling British firms to reassess every link in their supply chains for exposure to Russian or Chinese intermediaries.

Security of disrupted supply chains

Companies seeking to comply with these new measures, which are designed to bolster national security and increase resilience, often have little time for comprehensive vetting of the new suppliers they switch to. This creates new opportunities for threat actors to exploit. The risk is especially acute in sectors like IT hardware, where counterfeit or tampered components can be introduced under the guise of cost-saving or expediency. Divergent trade and sanctions policies have also led to a patchwork of regional compliance regimes, complicating efforts to enforce consistent cyber-security standards across global operations.

The worsening geopolitical competition is also increasingly conducted in cyber-space. We have already witnessed Chinese state-backed groups such as VOLT TYPHOON and SALT TYPHOON intensifying their cyber-espionage against critical infrastructure. Attackers are exploiting the chaos of shifting supply chains and targeting both new and legacy vendors, and as sanctions bite, there is a growing risk that adversaries will retaliate by targeting newly exposed or less secure suppliers with ransomware, data theft, or sabotage.

Moreover, supply chains are, by nature, intricate networks of interdependent actors. They include not only direct suppliers, but also the extensive network of software providers, producers, subcontractors, and other service partners on which those suppliers themselves depend. This complexity is compounded by the digital transformation, which introduces additional entry points for threat actors and increases reliance on cloud-based and remote management services.

The World Economic Forum identifies supply chain complexity and lack of visibility into suppliers’ security practices as the leading cyber-risk facing organisations today. The proliferation of new suppliers, therefore, each with unique cyber-maturity levels, regulatory obligations, and risk profiles, renders the security environment more unpredictable and difficult to govern.

Will supply chains become safer?

The answer is nuanced. In theory, bringing supply chains closer to home should improve oversight, regulatory compliance, and control over critical processes. However, the transition itself is fraught with risk. Major changes to complex systems almost always introduce new vulnerabilities. As organisations rapidly onboard new regional suppliers and partners, this is bound to increase exposure to unforeseen risks.

Once the dust settles, some segments of the supply chain that can be effectively re-shored may indeed become more transparent and controllable. National regulations and standards can thus be more rigorously enforced, and the visibility of supplier practices can improve. However, this is only part of the picture.

For many industries, critical resources, technologies, or expertise remain concentrated in specific geographies. These dependencies are not easily unwound. In fact, as supply chains become more fragmented, some components may become more exposed to foreign interference or coercion. The illusion of control risks masking new vulnerabilities, particularly as adversaries adapt their tactics to exploit the shifting landscape.

This article originally appeared on Business Reporter.
