The Importance of Software Supply Chain Security: Global Regulatory Trends

Korea University Center for Software Security & Assurance (“CSSA”)

As we enter the era of digital transformation (DX), artificial intelligence and cloud technologies are interconnecting diverse industries in which ever-connected devices are becoming part of our everyday lives. In other words, software has become the basis of our industries as well as our daily lives.

However, as the saying goes, “there is no good without evil,” and a rapidly growing shadow lies behind this progress. Because modern software is inevitably built from countless open-source and commercial components, we face cyber threats in which a single vulnerable component can compromise an entire system.

To prevent and minimize these risks, governments worldwide are building legally enforceable regulatory frameworks that address software supply chain security end to end. Below is an overview of regulatory trends by region.

1. South Korea

• In May 2024, the Ministry of Science and ICT, the Ministry of National Defense, the National Intelligence Service, and the Presidential Committee on the Digital Platform Government jointly published “SW Supply Chain Security Guidelines V1.0” to help organizations adopt modern supply chain management practices.

• On September 9, 2025, the National Intelligence Service officially released version 1.0 of the National Network Security Framework (N2SF) at Cyber Summit Korea (CSK 2025). N2SF classifies government IT systems into three tiers based on criticality — Classified (C), Sensitive (S), and Open (O) — and prescribes differentiated security measures for each tier.

• The Ministry of Food and Drug Safety (MFDS) enacted the Digital Medical Device Act on January 23, 2024, which took effect on January 24, 2025. An implementing guideline (administrative notice) — the “Security Guidance for Electronic Threats to Digital Medical Devices” — includes Article 16, which refers to SBOM management activities.
※ This does not yet make SBOM submission mandatory for medical device approval, but SBOMs are likely to become an important consideration in future approvals.

2. United States — Strong SBOM Mandates Originating from Executive Action

The U.S. has steered supply chain security through executive orders and follow-on policies.

Executive Order (EO) 14028 and follow-ups
In May 2021, President Biden issued EO 14028 to strengthen federal cybersecurity, with a strong emphasis on software supply chain security. The EO effectively requires vendors supplying software to the federal government to provide SBOMs. While some provisions were later revised, the overall emphasis on supply chain hardening — including NIST guidance updates — has persisted.

NIST (National Institute of Standards and Technology)
NIST produced concrete guidance such as the Secure Software Development Framework (SSDF). In particular, NIST SP 800-218 (SSDF) offers recommendations to mitigate software vulnerabilities and encourages secure development practices.

CISA (Cybersecurity and Infrastructure Security Agency)
CISA is advancing technical approaches that link SBOMs with VEX (Vulnerability Exploitability eXchange) to improve vulnerability management across the supply chain, and in September 2024 published “Establishing a Common Software Bill of Materials (SBOM).”

FDA (U.S. Food and Drug Administration)
Under Section 3305 of the 2023 Omnibus Appropriations Act (which added Section 524B to the FD&C Act), starting March 29, 2023, manufacturers of internet-connected “cyber devices” must submit SBOMs during premarket review. In addition, manufacturers are required to provide:

  • A post-market cybersecurity vulnerability management plan, and
  • Evidence of secure processes for design, development, and maintenance across the product lifecycle.

The FDA published final guidance on June 27, 2025, clarifying and detailing these requirements.
※ The three principal requirements under Section 524B are:
  (1) Postmarket vulnerability management plan
  (2) Design and maintenance of secure lifecycle processes
  (3) SBOM submission

IMDRF (International Medical Device Regulators Forum)
In April 2023, IMDRF published guidance (IMDRF/CYBER WG/N73) on SBOM principles and application. The guidance defines core SBOM elements and provides a lifecycle model for manufacturers to create, update, and distribute SBOMs across the medical device software development lifecycle (SDLC).

U.S. Army — Supply Chain Security (Security of the Army)
In February 2025, the U.S. Army introduced a broad security framework to protect information, systems, operations, and personnel — accelerating moves to a zero-trust architecture and mandating SBOM submissions to strengthen supply chain security.

3. European Union (EU) — Raising the Market Entry Bar with Comprehensive Law

The EU is introducing stringent, wide-ranging cybersecurity rules through the Cyber Resilience Act (CRA).

Key points of the Cyber Resilience Act (CRA)
Adopted in December 2024 and planned to apply from December 2027, the CRA is a Regulation, meaning it is directly binding across all EU member states without separate national legislation. It covers manufacturers, importers, and distributors of products containing digital elements.

Major obligations:
o Security by design and by default: Manufacturers must meet cybersecurity requirements across design, development, and production stages.
o SBOM requirement: Manufacturers must prepare an SBOM that at least lists top-level dependencies and include it in technical documentation; authorities may request the SBOM.
o Vulnerability management: Manufacturers must manage vulnerabilities and provide security updates for the expected lifetime of the product — or for at least five years.
o CE marking: Products must meet these requirements and bear the CE mark to enter EU markets.

NIS2 Directive (Network and Information Security 2 Directive)
While the CRA focuses on the security of individual products in the supply chain, NIS2 emphasizes the supply chain security of service operators. NIS2 (adopted Nov 2022, in force Jan 2023) strengthens the original NIS1 directive and sets incident-reporting, resilience, and supply chain requirements. Notably, it imposes fines for breaches of incident-reporting duties (up to €15 million or 2% of annual global turnover, whichever is higher).

Medical Device Regulation (MDR)
The MDR’s implementation timetable was adjusted due to industry preparedness and COVID-19. High-risk device transitions were extended to the end of 2027, with medium and low-risk devices extended to the end of 2028. MDR does not explicitly require SBOMs, but guidance documents (e.g., MDCG-2019-16 rev.1) and the CRA suggest SBOMs may be required for devices exported to the EU. MDCG-2019-16 rev.1 (section 4.2) notes that certain security information may be shared outside the user manual (for example, via separate technical documentation), and explicitly lists SBOM as an example.

Implications from EU trends:
o The EU frames cybersecurity obligations as mandatory compliance, not merely “best efforts.”
o Companies targeted by cyber incidents may hesitate to report due to reputational concerns; thus, mandatory, time-bound reporting to competent authorities is necessary.
o The EU is enabling conformity assessment and labeling schemes to enforce minimum cybersecurity standards and to exclude insecure products from the market.

4. Other Major Countries

Following the U.S. and EU lead, several countries are accelerating efforts to strengthen software supply chain security.

Japan — Issued ICT supply chain security guidance and plans to operate JC-STAR, a security conformity assessment and labeling scheme for IoT devices starting in 2025.
United Kingdom — Enforced the Product Security and Telecommunications Infrastructure (PSTI) Act from April 2024, requiring baseline security measures for internet-connected consumer products (e.g., banning weak default passwords and mandating vulnerability disclosure procedures).
Netherlands — Published guidance based on SBOM practices and international standards (e.g., ISO/IEC 5962).
Germany — Through national guidance (BSI TR-03183 (2023)), Germany defines an SBOM as a machine-processable document and recognizes it as a standard document for CRA compliance.

5. Shared Core Concepts and Response Strategies

Across jurisdictions, Software Bills of Materials (SBOMs) have emerged as a central tool. SBOMs increase transparency into software components and are essential for identifying and managing supply chain risks.

Mechanisms like VEX (Vulnerability Exploitability eXchange) are becoming important for conveying whether a vulnerability is exploitable in a specific context and for prioritizing response. Organizations are increasingly expected to embed security early in development (shift-left security) and to maintain transparency across the supply chain.
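The SBOM-plus-VEX linkage described here (and in the CISA section above) comes down to a join: scanner findings are kept only if they map to a component the SBOM says is shipped, then the supplier's VEX status decides whether each one is actionable. The following is an added example, not code from the CSSA post or from CISA; the SBOM, VEX statements, scanner findings and vulnerability IDs are constructed placeholders, and the VEX shape is an assumption modelled on OpenVEX.

```python
import json
# Constructed CycloneDX-style SBOM: the components the product actually ships.
SBOM_JSON = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"name": "libexample", "version": "1.2.3", "purl": "pkg:generic/libexample@1.2.3"},
    {"name": "parserlib", "version": "4.0.1", "purl": "pkg:generic/parserlib@4.0.1"},
    {"name": "netutil", "version": "0.9.0", "purl": "pkg:generic/netutil@0.9.0"},
]})
# Constructed OpenVEX-style supplier statements; vulnerability IDs are placeholders, not real advisories.
VEX_JSON = json.dumps({"statements": [
    {"vulnerability": {"name": "VULN-PLACEHOLDER-0001"}, "status": "affected",
     "products": [{"@id": "pkg:generic/libexample@1.2.3"}]},
    {"vulnerability": {"name": "VULN-PLACEHOLDER-0002"}, "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path",
     "products": [{"@id": "pkg:generic/parserlib@4.0.1"}]},
    {"vulnerability": {"name": "VULN-PLACEHOLDER-0003"}, "status": "under_investigation",
     "products": [{"@id": "pkg:generic/netutil@0.9.0"}]},
]})
# Constructed scanner findings: vulnerability ID -> purl the scanner flagged.
FINDINGS = {
    "VULN-PLACEHOLDER-0001": "pkg:generic/libexample@1.2.3",
    "VULN-PLACEHOLDER-0002": "pkg:generic/parserlib@4.0.1",
    "VULN-PLACEHOLDER-0003": "pkg:generic/netutil@0.9.0",
    "VULN-PLACEHOLDER-0004": "pkg:generic/libexample@1.2.3",  # no VEX statement exists
    "VULN-PLACEHOLDER-0005": "pkg:generic/notshipped@2.0.0",  # component not in the SBOM
}
# Lower rank is handled first; a finding with no VEX statement stays actionable as "unknown".
PRIORITY = {"affected": 0, "under_investigation": 1, "unknown": 2}

def vex_statement(vex, vuln_id, purl):
    for s in vex["statements"]:
        if s["vulnerability"]["name"] == vuln_id and any(p["@id"] == purl for p in s["products"]):
            return s
    return None

def prioritize(sbom_json, vex_json, findings):
    # Returns (ordered work list, VEX-suppressed items with the supplier's justification).
    sbom_purls = {c["purl"] for c in json.loads(sbom_json)["components"]}
    vex = json.loads(vex_json)
    actionable, suppressed = [], []
    for vuln_id, purl in findings.items():
        if purl not in sbom_purls:  # scanner noise: not a shipped component
            continue
        stmt = vex_statement(vex, vuln_id, purl)
        status = stmt["status"] if stmt else "unknown"
        if status in ("not_affected", "fixed"):  # supplier attests no exposure; keep reason for audit
            suppressed.append((vuln_id, status, stmt.get("justification")))
        else:
            actionable.append((PRIORITY[status], vuln_id, purl, status))
    actionable.sort()
    return [(v, p, s) for _, v, p, s in actionable], suppressed
```

Note that a finding without any VEX statement is deliberately kept on the work list rather than silently dropped: absence of a supplier statement is not evidence of non-exploitability.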

Recommended technical and managerial measures include:

  • Static and dynamic source code analysis, and build process verification;
  • Open-source compliance and vulnerability management;
  • Applying frameworks such as SLSA (Supply-chain Levels for Software Artifacts);
  • Implementing SDLC controls that document secure design, development, and maintenance procedures.

Security of the AI supply chain is also rising on the agenda: from data collection to model deployment, potential vulnerabilities must be mitigated. Key AI supply chain challenges include model opacity, unpredictable behavior changes, and a lack of tooling for patching models. Regulators are likely to define minimum security assessment requirements for AI supply chains and to push for standardization of AI BOMs (AIBOMs).

Conclusion

Software supply chain security is no longer optional — it has become a regulatory and business imperative. With the U.S. and EU setting aggressive standards, other nations are following their lead. Companies should track these evolving obligations and embed robust supply chain security practices to protect their products and customers.
