Law and Security Merge as Supply Chain Regulations Multiply: RSA Panelists

Contract renewal timelines at large companies can run three years, making last-minute compliance impractical.

Photo: (from left) Kate Growley, a partner at Crowell & Moring LLP (moderator); Katherine McDaniel, director of cyber legal at T-Mobile; Chris Hale, senior director for cyber and national security law at Cisco Systems; and Cassie Crossley, chief executive of VulNow, speaking on a panel about supply chain security at the RSA Conference in San Francisco on Wednesday, March 25, 2026.

SAN FRANCISCO, March 26, 2026 — Software vulnerabilities, hardware blind spots, and an expanding web of global regulations are redefining how companies must manage their supply chains, legal and security executives told the RSA Conference here on Wednesday.

The attack surface

Supply chains are more digitalized and more complex than ever, expanding the attack surface and multiplying individual points of failure, said Cassie Crossley, chief executive of VulNow, a cybersecurity vulnerability detection startup.

Just this week, a software supply chain attack compromised Trivy, an open-source vulnerability scanning tool used in AI development pipelines, Crossley said. Developers have been compromised again, she said, and the full extent of what was stolen remains unknown.

Hardware presents an even harder visibility problem. Companies routinely send components to third-party manufacturers for assembly without knowing who touched them or what was embedded, Crossley said. A single product can contain multiple versions of the same open-source component, each from a different source.

The regulatory landscape

Regulators have long focused on whether vendors are protecting data, but the more pressing question is whether the systems and networks companies depend on will stay up and running, said Katherine McDaniel, director of cyber legal at T-Mobile, the major Bellevue, Wash.-based operator. T-Mobile is a division of German telecom giant Deutsche Telekom AG.

Three major trends are reshaping how regulators approach supply chain security, said Chris Hale, senior director for cyber and national security law at Cisco Systems. The first is a move toward requiring availability and resilience of systems, not just data protection, and it is happening faster outside the United States than within it.

The second is product security. The EU's Cyber Resilience Act bars non-compliant products from the EU market entirely, leading Hale to facetiously call it the Market Access Act. Multinational companies subject to the law will push those requirements down to their suppliers globally, said Crossley, who manages a portfolio of more than 54,000 suppliers at Schneider Electric, the French energy management and industrial automation company.

The third trend is geopolitical. Countries are passing supply chain exclusionary laws, naming specific companies and nations as high-risk vendors. That pressure is now flowing in multiple directions, Hale said. What began as a U.S. and EU posture toward China is generating reciprocal measures elsewhere, such as in India and Japan.

"The supply chain used to be a bunch of links," McDaniel added. "It's now a bowl of spaghetti."

Singapore recently updated its baseline cybersecurity act to treat cloud service providers as critical infrastructure, then clarified that hospitals and banks must contractually require their cloud providers to meet the same standards imposed on them directly, said Kate Growley, a partner at Crowell & Moring LLP, the Washington-based law and lobbying firm. Companies not directly regulated by a law may still find its requirements flowing to them through their customers, she said.

Managing the risk

Risk analysis must be based on impact, not spend, McDaniel said. A vendor representing a small licensing cost may sit at the center of an entire product line, and companies that do not map those dependencies will not know until something goes wrong.

Outsourced IT providers and managed service desks are frequent targets of manipulation schemes where attackers impersonate employees or executives to extract access credentials, McDaniel said, and a compromised help desk can cascade into a full security incident. Faulty software updates and routine IT failures increasingly produce the same result, Hale said.

Legal and security teams must work together earlier in the contract cycle, Hale said. Contract renewal timelines at large companies can run three years, making last-minute compliance updates impractical. Legal counsel can also use new regulatory requirements as leverage when suppliers push back on security demands.

No company can fully map every dependency at once, Crossley said. The answer is to start with the highest-impact suppliers and build from there.

The key regulations shaping supply chain security are the following:

  • Executive Order 14028 (USA): Previously required federal agencies to demand that suppliers follow secure development practices and provide software bills of materials, a document listing every component in a piece of software. The Trump administration has since allowed agencies to take a risk-based approach instead.
  • Executive Order 14017 (USA): Directs federal agencies to identify and reduce national security risks across technology supply chains, including software, hardware, and communications equipment.
  • CMMC 2.0 (USA): Requires Defense Department contractors to meet and be independently assessed against federal cybersecurity controls before handling sensitive government information.
  • DORA / NIS2 (EU): Require financial firms and critical infrastructure operators to manage third-party technology risk, maintain operational resilience, and report significant incidents to regulators.
  • Cyber Resilience Act (EU): Requires manufacturers of connected digital products to build security in from the design stage, manage vulnerabilities throughout a product's life, and meet ongoing security obligations.
  • Critical Cyber Systems Protection Act (Canada): Requires designated critical infrastructure operators to implement cybersecurity programs, manage supply chain risks, and report incidents to the government.
  • CERT-In Directions (India): Require organizations to report cyber incidents within six hours, retain logs for 180 days, and store those logs within India.