Cyber Exposure in Europe’s Global Supply Chains

By Annika Nevaste

Cyber attackers increasingly exploit supply chains as the weak underbelly of European business. Securing supply chain resilience is now critical.

Mercurial world leaders, geopolitical tensions and growing reliance on non-EU technology providers are pushing digital sovereignty to the top of the agenda for the EU and European business leaders.

The EU relies on non-EU countries for over 80% of digital products, services, infrastructure, and intellectual property. Excessive dependencies on non-EU actors in critical technologies pose risks to European sovereignty and resilience.[i] The EU has already taken steps to strengthen cyber security regulations, but supply chains still represent a poorly understood source of vulnerability.

While digital sovereignty has risen up the policy agenda, the greatest and least understood threat lies in the cybersecurity risks embedded in global supply chains. These are risks that cannot be addressed through regulation alone. And for many organizations, those risks sit just out of sight, buried deep within supply chains they assume are secure.

Securing EU sovereignty

In recognition of growing risks to EU sovereignty, the bloc has set a clear objective to strengthen capacity, resilience and security by reducing strategic dependencies, preventing reliance on foreign actors and single service providers, and safeguarding critical technologies and infrastructure[ii].

However, the most critical vulnerabilities do not sit inside European systems. They sit within the supply chains those systems rely on.

The EU has taken steps to strengthen cybersecurity through frameworks such as the NIS2 Directive and the Digital Operational Resilience Act (DORA), which impose stricter requirements for supply chain security and third‑party risk management, including the assessment of supplier vulnerabilities and the mitigation of risks associated with providers in high‑risk third countries. Complementing these measures, the Cyber Resilience Act aims to enhance the baseline security of digital products placed on the EU market.

Although these regulations have not yet been fully implemented at the national level, they have already driven increased investment in cyber security and elevated it from an IT issue to a board-level priority. However, these measures do not address the fundamental challenge: critical dependencies sit outside the direct control of European organizations.

Growing cyber risks

A report from the European Union Agency for Cybersecurity (ENISA)[iii] shows that cybercriminals are increasingly targeting third-party providers and exploiting the digital supply chain. Recent incidents include a high-profile supply chain attack on airports in London, Brussels, Berlin, Dublin and Cork in September 2025. Hackers targeted Collins Aerospace’s MUSE software, used for check-in and boarding by multiple airlines. The incident illustrates the vulnerability created when a single vendor is used by many airports.

In June 2024 in the UK, a significant ransomware attack targeting the pathology service supplier Synnovis tragically contributed to the death of a patient and led to the cancellation of more than 800 planned operations and 700 outpatient appointments in South-East London.

A similar pattern can be seen in the energy sector, where a ransomware attack in 2024 on PSI Software forced the German supplier of control and management systems for energy utilities to shut down its systems.

Supply chains: the weak underbelly

For many businesses, supply chains represent a poorly understood source of vulnerability. Recent research in the Nordics by DNV Cyber[iv] among critical infrastructure professionals and members of the public reveals a critical gap: while many executives express confidence in their own cyber resilience, far fewer trust their suppliers, despite widespread dependence on partners in countries where geopolitical tensions are rising. Only 39% of Nordic critical infrastructure professionals have confidence in their immediate supply chain and their lower-tier operators such as fourth or fifth tier parties.

The volume of cyber-attacks is growing, with 58% of critical infrastructure professionals currently dealing with constant low-level attacks on their systems from foreign state-sponsored powers. Sixty-five percent of the executives asked believe the collapse of supply chains servicing a compromised organization is likely in the year ahead.

Supply chains have long been an attractive target for hackers, providing a potential single-entry point to multiple organizations and systems.

As organizations become more digitally interconnected, dependencies on third, fourth and even fifth party suppliers have multiplied, often without a corresponding increase in visibility or control. This creates blind spots where weaknesses outside an organization’s direct control can expose critical systems to attack.

These challenges are particularly visible in strategically important sectors, such as energy. Denmark is an offshore wind leader in Europe, and arguably globally, but the providers of the physical assets, components, and equipment to the offshore wind sector come from other geographies. Many of these assets incorporate embedded digital systems, potentially creating information and control dependencies that extend beyond national borders.

Most European organizations are heavily reliant on software and digital solutions from outside the continent.

This greater focus on digital sovereignty is driving consideration of ‘friend-shoring’. Nearly half of critical infrastructure professionals surveyed by DNV Cyber say they would consider moving manufacturing and third-party services for critical infrastructure to allied states. But does relocating suppliers reduce risk, or simply move it somewhere else? Shifting suppliers geographically addresses who you depend on, but not how vulnerable that dependency is.

A more robust response is to build resilience through redundancy. Relying on a few vendors creates hidden single points of failure, raising governance questions around ownership of third-party cyber risk at the board level. Rather than concentrating risk in a single or smaller group of “trusted” suppliers, organizations should have a plan to diversify across multiple providers and geographies. By reducing reliance on any single supplier, they can ensure that if one provider is compromised or becomes unavailable for geopolitical reasons, operations can continue.
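The hidden single points of failure described above are easiest to see once the supplier network is written down and analysed tier by tier. The following script is an added illustration, not code from the article or from DNV Cyber: it models a constructed supply chain in which a service that looks diversified at tier 1 (two boarding-software vendors) still collapses if one lower-tier component provider is lost, because both vendors depend on it. The supplier names, components and the `single_points_of_failure` and `supplier_tiers` helpers are all constructed for this example.

```python
from typing import Dict, List, Set

# Constructed sample supply chain (not real suppliers): a critical service needs
# components; each component has one or more providers; each provider may itself
# depend on components supplied by lower-tier parties.
SERVICES: Dict[str, List[str]] = {"check_in": ["boarding_software", "network"]}
PROVIDERS: Dict[str, List[str]] = {
    "boarding_software": ["VendorA", "VendorB"],  # two tier-1 options: looks diversified
    "network": ["TelcoX"],                         # single tier-1 provider
    "auth_library": ["LibCorp"],                   # tier-2 component used by BOTH vendors
}
SUPPLIER_DEPS: Dict[str, List[str]] = {
    "VendorA": ["auth_library"],
    "VendorB": ["auth_library"],
    "TelcoX": [],
    "LibCorp": [],
}


def component_available(component: str, excluded: Set[str], providers, supplier_deps,
                        visiting: frozenset = frozenset()) -> bool:
    """True if some non-excluded provider of `component` can still deliver it,
    i.e. every component that provider itself depends on is also available."""
    if component in visiting:  # dependency cycle: unresolvable, treat as unavailable
        return False
    visiting = visiting | {component}
    for supplier in providers.get(component, []):
        if supplier in excluded:
            continue
        deps = supplier_deps.get(supplier, [])
        if all(component_available(d, excluded, providers, supplier_deps, visiting) for d in deps):
            return True
    return False


def service_available(service: str, excluded: Set[str], services, providers, supplier_deps) -> bool:
    """A service survives only if all of its required components are still deliverable."""
    return all(component_available(c, excluded, providers, supplier_deps) for c in services[service])


def single_points_of_failure(services, providers, supplier_deps) -> Dict[str, List[str]]:
    """Suppliers at ANY tier whose loss alone makes a service undeliverable."""
    suppliers = set(supplier_deps) | {s for ps in providers.values() for s in ps}
    return {
        svc: sorted(s for s in suppliers
                    if not service_available(svc, {s}, services, providers, supplier_deps))
        for svc in services
    }


def supplier_tiers(services, providers, supplier_deps) -> Dict[str, int]:
    """Shortest tier distance of each supplier from the organisation (1 = direct supplier)."""
    tiers: Dict[str, int] = {}
    frontier = [(s, 1) for comps in services.values() for c in comps for s in providers.get(c, [])]
    while frontier:
        supplier, tier = frontier.pop(0)
        if supplier in tiers and tiers[supplier] <= tier:
            continue  # already reached at an equal or shallower tier (also stops cycles)
        tiers[supplier] = tier
        for comp in supplier_deps.get(supplier, []):
            frontier.extend((s, tier + 1) for s in providers.get(comp, []))
    return tiers


if __name__ == "__main__":
    tiers = supplier_tiers(SERVICES, PROVIDERS, SUPPLIER_DEPS)
    for service, spofs in single_points_of_failure(SERVICES, PROVIDERS, SUPPLIER_DEPS).items():
        print(f"{service}: single points of failure ->",
              ", ".join(f"{s} (tier {tiers[s]})" for s in spofs))
```

In the constructed data, removing VendorA alone does not stop check-in, but removing LibCorp does, even though LibCorp never appears in the organisation's own supplier list. That is the pattern the article warns about: diversification at tier 1 hides concentration at tier 2.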

This approach needs to be complemented by stronger governance of supplier risk. Organizations should set cybersecurity requirements for suppliers based on their company’s risk profile, embedding these in procurement processes, supplier contracts, and the design of processes and assets. The actual implementation of these requirements should also be checked and tested to improve detection and response capabilities together with suppliers.

Finally, technical controls play a critical role when suppliers are compromised. Defensive tactics such as zero trust principles and vulnerability detection can stop problems that occur at a supplier from spreading to the organization itself.

Businesses that own or use operational technology should be acutely aware of how and where they are connected, since suppliers often request ongoing connectivity for maintenance and updates. Companies can reduce the risk by enforcing precise, risk-adaptive access controls.
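One way to make the "precise, risk-adaptive access controls" of the previous paragraph concrete is to evaluate every supplier maintenance session against an explicit policy before it is connected. The following is an added example, not code from the article or DNV Cyber: a hypothetical policy evaluator that checks a supplier's request to reach an OT system against approved system pairs, registered source networks, an agreed maintenance window and MFA, and that tightens the requirements (change ticket, shorter session) when the supplier is flagged as elevated risk. All supplier names, systems, address ranges and the `risk` flag are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Constructed policy (hypothetical suppliers and systems). Address ranges are the
# RFC 5737 documentation networks, so nothing here points at a real host.
SUPPLIER_POLICY: Dict[str, dict] = {
    "VendorA": {
        "systems": {"scada-historian", "turbine-controller"},
        "source_networks": ["203.0.113.0/24"],
        "window_utc": (8, 18),      # maintenance allowed 08:00-18:00 UTC
        "risk": "normal",
    },
    "TelcoX": {
        "systems": {"edge-router-1"},
        "source_networks": ["198.51.100.0/24"],
        "window_utc": (0, 24),      # 24x7 connectivity agreed
        "risk": "elevated",         # e.g. supplier recently reported an incident
    },
}


@dataclass
class AccessRequest:
    supplier: str
    system: str
    source_ip: str
    when: datetime            # timezone-aware
    mfa_verified: bool
    change_ticket: str = ""   # approved change reference, if any


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)
    session_ttl: timedelta = timedelta(0)


def evaluate(req: AccessRequest, policy: Dict[str, dict] = SUPPLIER_POLICY) -> Decision:
    """Deny by default; every failed check is recorded so the denial is auditable."""
    entry = policy.get(req.supplier)
    if entry is None:
        return Decision(False, ["unknown supplier"])
    reasons: List[str] = []
    if req.system not in entry["systems"]:
        reasons.append(f"{req.supplier} is not approved for {req.system}")
    if not any(ip_address(req.source_ip) in ip_network(n) for n in entry["source_networks"]):
        reasons.append("source address outside supplier's registered networks")
    start, end = entry["window_utc"]
    if not (start <= req.when.astimezone(timezone.utc).hour < end):
        reasons.append("outside agreed maintenance window")
    if not req.mfa_verified:
        reasons.append("MFA not verified")
    # Risk-adaptive part: an elevated-risk supplier must reference an approved
    # change ticket and is given a shorter, explicitly time-boxed session.
    ttl = timedelta(hours=4)
    if entry["risk"] == "elevated":
        ttl = timedelta(hours=1)
        if not req.change_ticket:
            reasons.append("elevated-risk supplier requires an approved change ticket")
    if reasons:
        return Decision(False, reasons)
    return Decision(True, ["all checks passed"], ttl)


def sample_requests() -> List[AccessRequest]:
    """Constructed requests covering an allowed session and several denials."""
    day = datetime(2025, 9, 20, tzinfo=timezone.utc)
    return [
        AccessRequest("VendorA", "scada-historian", "203.0.113.10", day.replace(hour=10), True),
        AccessRequest("VendorA", "turbine-controller", "203.0.113.10", day.replace(hour=22), True),
        AccessRequest("VendorA", "edge-router-1", "203.0.113.10", day.replace(hour=10), True),
        AccessRequest("TelcoX", "edge-router-1", "198.51.100.5", day.replace(hour=3), True),
        AccessRequest("TelcoX", "edge-router-1", "198.51.100.5", day.replace(hour=3), True, "CHG-0001"),
    ]


if __name__ == "__main__":
    for req in sample_requests():
        d = evaluate(req)
        print(f"{req.supplier} -> {req.system}: {'ALLOW' if d.allowed else 'DENY'} "
              f"(ttl {d.session_ttl}) {'; '.join(d.reasons)}")
```

The point of the `reasons` list is that every denied session leaves an explanation that can be reviewed with the supplier, and the session TTL forces maintenance connectivity to be re-requested rather than left standing, which is the "ongoing connectivity" problem the paragraph above describes.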

A persistently underestimated risk

From DNV Cyber’s perspective, supply chain risk is often underestimated because supplier risk can feel distant. Components, software libraries and service providers are often several steps removed from core operations, making it difficult for organizations to understand how quickly a weakness elsewhere in the chain could compromise systems closer to home.

You can’t secure what you don’t know

The hard truth is that you can’t secure what you don’t know. In complex supply chains, organizations need to better understand where their vulnerabilities lie, employing approaches that provide greater oversight of suppliers.

The challenge is not only to identify and mitigate risk, but to accept that some disruptions will remain unknowable in advance. For safety-critical systems, this shifts the emphasis from prevention to continuity, requiring the ability to maintain operations even when key dependencies fail.

While redundancy introduces cost and complexity, it is increasingly seen as necessary in contexts where service interruption carries unacceptable consequences.

Have you really checked your supply chain?

Rather than taking resilience for granted, organizations must now actively manage supplier risk. This can include:

  • Reducing systemic dependencies by diversifying suppliers and technology providers.
  • Addressing cyber security requirements in procurement and supplier contracts.
  • Tightly controlling and segmenting supplier access, limiting how far an attacker can move if a supplier is compromised.
  • Building deeper relationships with key suppliers and conducting joint testing and response.
  • Introducing redundancy across critical suppliers.
  • Ensuring portability of data and services, to enable transition between providers or jurisdictions when required.

Conclusion

Recognition of supply chain vulnerabilities is accelerating Europe’s push for digital sovereignty. While regulations are focusing board-level attention on cyber security, regulation alone cannot fully address risks embedded in complex, multi-tier supplier networks. Cyber attackers increasingly exploit supply chains, turning a single weak link into a systemic threat. To build true resilience, European organizations must map dependencies, strengthen supplier oversight, and plan for how to maintain operations if suppliers are breached. In an interconnected digital ecosystem, security depends not just on what you control, but on the parts you do not.

About the Author

Annika Nevaste is CEO of DNV Cyber, the cybersecurity business of Norwegian risk management and quality assurance company DNV. Nevaste joined DNV Cyber from Google Cloud, where she led the Digital Natives business in the Nordics. Nevaste has over 20 years of international leadership experience in technology services, including at Google and IBM. She was educated at Stanford University.

References:
[i] European Parliament, Report on European technological sovereignty and digital infrastructure, A10-0107/2025.
[ii] European Parliament, Report on European technological sovereignty and digital infrastructure, A10-0107/2025.
[iii] ENISA, ENISA Threat Landscape 2025.
[iv] DNV Cyber, How cyber resilient are the Nordics?, 2026.
