Software Supply Chain Security Regulations

This article is written by Neeraj Jain, Siksha O Anusandhan National Institute of Law

Understanding the Nature of Supply Chain Attacks

A supply chain attack happens when attackers compromise one software vendor and, through that vendor's product or update channel, reach all of its customers at once. The two most cited cases are the SolarWinds compromise of 2020 and the MOVEit breach of 2023. In SolarWinds, attackers attributed to Russian state intelligence inserted malware into signed updates of the Orion platform; the trojanised update was downloaded by roughly 18,000 organisations, including U.S. government agencies. In MOVEit, a SQL injection vulnerability in the file transfer tool let attackers steal data from hospitals, banks and government bodies.

Such attacks show how a single compromised vendor can cause harm across every organisation that uses its software. Governments have responded with binding rules. Companies must test their software for faults (vulnerabilities) before release. They must provide a "Software Bill of Materials", or SBOM. An SBOM is like the ingredients label on packaged food: it lists every component inside the software, so that when a vulnerability in a component is announced you can quickly check whether you are exposed. Companies must also audit their suppliers, meaning a structured review of each supplier's security practices.

From Voluntary Security to Legal Obligation

These incidents prompted governments to reconsider the regulatory treatment of software supply chains. Cybersecurity is increasingly framed not as a matter of corporate discretion but as a statutory responsibility.

Organisations are now expected to conduct structured vulnerability testing before deploying or distributing software. Preventive security assessments are replacing reactive damage control. The regulatory objective is clear: identify weaknesses before attackers do.

A key instrument in this transition is the Software Bill of Materials (SBOM). An SBOM provides a detailed inventory of the components that make up a software product. It enables organisations to quickly determine whether a newly discovered vulnerability affects their systems. Without such transparency, businesses often remain unaware of hidden risks embedded within third-party code.

Supplier audits have also gained importance. Companies are required to examine whether vendors adhere to recognised security standards. Vendor due diligence is no longer confined to financial reliability; it now includes cybersecurity posture.

The United States: Executive Order 14028

In May 2021, the United States formalised supply chain security reforms through Executive Order 14028, issued in the aftermath of the SolarWinds compromise. The order directs federal agencies, and through procurement rules the vendors that sell software to them, to strengthen software supply chain practices.

It requires SBOMs for software supplied to federal agencies and directs the National Institute of Standards and Technology (NIST) to publish secure software development guidance, which became the Secure Software Development Framework (SSDF, NIST SP 800-218). Agencies use these guidelines to evaluate externally sourced software and to require attestations from vendors.

The regulatory approach emphasises transparency, verification, and continuous risk assessment rather than mere contractual assurances.

The European Union: The Cyber Resilience Act

The European Cyber Resilience Act (CRA), scheduled for full application in 2027, establishes comprehensive obligations for digital product manufacturers within the European Union.

The Act requires ongoing vulnerability monitoring throughout a product's support period. Manufacturers must give an early warning within 24 hours of becoming aware of an actively exploited vulnerability or a severe incident, followed by a fuller notification within 72 hours, and must demonstrate that security safeguards remain effective over time. Non-compliance with the core obligations may result in fines of up to €15 million or 2.5% of global annual turnover, whichever is higher.

The European model treats cybersecurity as a continuous compliance obligation rather than a one-time certification exercise.

India’s Regulatory Alignment

India has also moved toward strengthening supply chain accountability. The CERT-In directions of April 2022 already require reporting of specified incidents within six hours; the compliance framework evolving through 2024–2025 extends reporting requirements and risk disclosure standards, including technical guidelines on SBOMs.

These measures operate in conjunction with the Information Technology Act, 2000 and the Digital Personal Data Protection Act, 2023. Together, they create a layered legal structure governing digital risk management.

High-risk entities may be required to maintain SBOM documentation and provide greater transparency regarding software security practices. The regulatory direction suggests an increasing emphasis on preventive compliance rather than post-breach liability.

Landmark Cases and Precedents

Supply chain failures have also been tested in court and by regulators. The cases below show how vendors have been pressed to fix issues promptly and how responsibility has been allocated along the chain.

SolarWinds Hack (2020)

Attackers attributed to Russian state intelligence inserted malware into SolarWinds Orion updates, which reached roughly 18,000 customers including U.S. federal agencies. In October 2023 the SEC sued SolarWinds and its CISO, alleging that the company misled investors about its security posture in breach of securities laws. SolarWinds separately agreed to pay $26 million to settle a shareholder class action arising from the breach. In a related SEC action, Unisys paid $4 million over misleading disclosures about its own exposure to the SolarWinds incident. The attack was the direct trigger for Executive Order 14028.

MOVEit Breach (2023)

Attackers exploited a SQL injection vulnerability (CVE-2023-34362) in the MOVEit Transfer file tool and exfiltrated data from banks, government bodies and other customers. In 2025, the consolidated In re MOVEit Customer Data Security Breach Litigation (D. Mass.) allowed claims against Progress Software to proceed. Plaintiffs allege that Progress knew of weaknesses in the product but was slow to fix them, and that this breached the promises made in its sales terms.

Kaseya Attack (2021)

REvil ransomware was pushed to customers through Kaseya's VSA remote management tool. Attackers claimed to have locked about a million devices across managed service providers and their clients. One of the hackers responsible was sentenced to more than 13 years in a U.S. prison. The case shows that supply chain compromise carries criminal as well as civil consequences.

Log4Shell (2021)

A critical vulnerability in the Apache Log4j logging library affected applications across every sector. The FTC publicly warned that it would use its consumer protection powers against companies that failed to patch, citing the $700 million Equifax settlement as precedent for what a negligently unpatched vulnerability can cost. The message was that prompt patching is a legal expectation, not merely good practice.

India’s CoWIN Leaks (2022)

India has no comparable landmark judgment yet, but Section 43A of the IT Act already provides compensation for negligent handling of sensitive personal data. The CoWIN data exposure was attributed to weak third-party access to the platform. Large data handlers now face audit obligations under the CERT-In directions and the DPDP Act, with penalties of up to ₹250 crore for failing to maintain reasonable security safeguards.

Key Takeaways from Precedents

These precedents support a high standard of scrutiny of third-party weaknesses and spread the risk of third-party failures up the chain through audit requirements and SBOM disclosure.

Conclusion

Software supply chains are now governed by dedicated regulation. The U.S., the EU and India require SBOMs, vulnerability testing and incident reporting. Failures lead to fines and lawsuits for vendors, as the SolarWinds litigation shows, and to prison for the attackers, as the Kaseya sentence shows. Sonatype's State of the Software Supply Chain report records a 93% rise in supply chain attacks over the past year, and the trend is expected to continue into 2026. Organisations should run third-party risk management (TPRM) programmes and insist on strong contractual terms; in India they must also comply with the CERT-In directions and the DPDP Act.

Check vendors regularly. Ask for SBOMs. Train staff. Doing so protects data and the business at a time when attacks are increasing.

Why These Rules Benefit Ordinary People

Think of software like a car. Its parts come from many makers, and if one braking component is faulty the whole vehicle crashes. An SBOM lists the parts; audits check the makers; the rules make both mandatory. In India, apps such as UPI or Aadhaar-linked services are built on third-party code, and a compromise there affects millions of people. Under the DPDP Act, data fiduciaries are responsible for such safeguards and may be subject to audits; the penalty ceiling is ₹250 crore. The steps below give a small business a starting point.

Steps for Small Businesses

  • Get an SBOM from each vendor, with versions for every component.
  • Check the SBOM against known vulnerabilities using free tools such as Syft (to generate or read SBOMs) and a vulnerability scanner such as Grype.
  • Add contract terms such as: "Fix reported vulnerabilities within 30 days or pay a penalty."
  • Train staff on phishing.
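The following Python script is an added example, not code from the original article or from any vendor or from the Syft project. It shows the check that an SBOM makes possible, as described in the SBOM paragraph under "From Voluntary Security to Legal Obligation" and in the first two steps above: load a CycloneDX-format SBOM, match each component against a list of advisories, and report which components fall in an affected version range. The SBOM contents (a hypothetical product "acme-portal"), the advisory identifiers EXAMPLE-ADV-0001 to 0003 and their affected ranges are all constructed for this example (the first range is loosely modelled on Log4Shell); in practice the SBOM comes from the vendor or from a tool such as Syft, and advisory data from a feed such as NVD or OSV.

```python
import json
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed CycloneDX 1.5-style SBOM for a hypothetical product, "acme-portal".
# The library names mirror real ecosystems, but this inventory is invented for
# the example and describes no real product. Note the last entry has no version.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
     "version": "2.16.1", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.16.1"},
    {"type": "library", "name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
    {"type": "library", "name": "legacy-utils", "purl": "pkg:npm/legacy-utils"}
  ]
}
"""

# Constructed advisory list: identifiers and affected ranges are invented for this
# example (the first is loosely modelled on the Log4Shell range). Real advisories
# come from feeds such as NVD or OSV.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "affected": ">=2.0,<2.15.0"},
    {"id": "EXAMPLE-ADV-0002", "purl": "pkg:npm/lodash", "affected": "<4.17.21"},
    {"id": "EXAMPLE-ADV-0003", "purl": "pkg:npm/legacy-utils", "affected": "<2.0.0"},
]

_CONSTRAINT = re.compile(r"\s*(<=|>=|==|<|>)\s*([0-9A-Za-z.\-]+)\s*")


def parse_version(text: str) -> Tuple[int, ...]:
    """Reduce "2.14.1" to (2, 14, 1). Pre-release tags such as "2.0-beta9" are folded in
    crudely; a production scanner should use the ecosystem's own ordering (Maven, semver)."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def compare(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Three-way compare after zero-padding the shorter tuple, so 2.17 equals 2.17.0."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def version_in_range(version: str, spec: str) -> bool:
    """True if version satisfies every comma-separated constraint, e.g. ">=2.0,<2.15.0"."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = _CONSTRAINT.fullmatch(clause)
        if m is None:
            raise ValueError(f"malformed constraint: {clause!r}")
        op, bound = m.groups()
        c = compare(v, parse_version(bound))
        if not {"<": c < 0, "<=": c <= 0, "==": c == 0, ">": c > 0, ">=": c >= 0}[op]:
            return False
    return True


@dataclass
class Finding:
    component: str          # package URL without its version part
    version: Optional[str]  # None when the SBOM omits the version
    advisory: str
    status: str             # "affected", "not-affected" or "unknown-version"


def load_components(sbom_json: str) -> List[Tuple[str, Optional[str]]]:
    """Return (bare purl, version) for every component in a CycloneDX JSON SBOM."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("only CycloneDX JSON SBOMs are handled in this example")
    out = []
    for comp in bom.get("components", []):
        # Strip "@version", qualifiers ("?...") and subpath ("#...") from the purl.
        base = re.split(r"[@?#]", comp.get("purl", ""), maxsplit=1)[0]
        out.append((base, comp.get("version")))
    return out


def assess(sbom_json: str, advisories: list) -> List[Finding]:
    """Match every SBOM component against the advisory list."""
    findings = []
    for base, version in load_components(sbom_json):
        for adv in advisories:
            if adv["purl"] != base:
                continue
            if version is None:
                status = "unknown-version"  # cannot be cleared: chase the vendor for a versioned SBOM
            elif version_in_range(version, adv["affected"]):
                status = "affected"
            else:
                status = "not-affected"
            findings.append(Finding(base, version, adv["id"], status))
    return findings


def needs_action(findings: List[Finding]) -> List[Finding]:
    """Confirmed hits plus entries that could not be assessed; both go back to the vendor."""
    return [f for f in findings if f.status != "not-affected"]


if __name__ == "__main__":
    for f in assess(SBOM_JSON, ADVISORIES):
        print(f"{f.status:16} {f.advisory}  {f.component} @ {f.version}")
```

Run as written, the script flags log4j-core 2.14.1 as affected, clears lodash 4.17.21, and reports legacy-utils as "unknown-version" because the SBOM entry carries no version. That last case is the practical caveat: an SBOM without versions cannot be used to answer "are we exposed?", which is why the contract terms above should require versioned SBOMs rather than bare component lists.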

Frequently Asked Questions 

What is an SBOM, and why is it mandated in supply chain regulations?
A Software Bill of Materials lists all components and dependencies that make up a piece of software, so that a newly disclosed vulnerability in a component can be traced to every affected product. It is required for federal procurement under EO 14028, forms part of the technical documentation under the CRA, and is the subject of CERT-In technical guidelines, all with the aim of enabling traceability and rapid remediation across third-party ecosystems. 

What penalties apply for non-compliance with vendor audit mandates?
EU CRA fines reach €15 million or 2.5% of global annual turnover, whichever is higher; U.S. SEC actions have produced multimillion-dollar settlements; India's DPDP Act imposes up to ₹250 crore per breach, in addition to compensation under Section 43A of the IT Act. 

How do SolarWinds and MOVEit cases impact vendor liability?
Litigation and regulatory action in these cases has pressed theories of negligence for undisclosed vulnerabilities and delayed patching, extending tort and contract exposure to upstream suppliers through class actions and regulatory probes. 

Are Indian firms required to audit third-party software?
Yes. SEBI's Cybersecurity and Cyber Resilience Framework (CSCRF) requires SBOMs and supply chain safeguards for regulated entities in the securities sector, and the DPDP Act requires significant data fiduciaries to appoint independent data auditors, which covers personal data handled through logistics and supply chain systems. 

What steps mitigate supply chain vulnerabilities?
Implement NIST/CERT-In frameworks, demand vendor attestations, conduct continuous scanning, and negotiate indemnity in contracts. 

References

  1. EU Cyber Resilience Act (CRA)
    https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act
    (Official EU page; 2027 application date, reporting deadlines, fines)
  2. EO 14028, Improving the Nation's Cybersecurity (U.S. Executive Order)
    https://www.presidency.ucsb.edu/documents/executive-order-14028-improving-the-nations-cybersecurity
  3. Sonatype State of the Software Supply Chain Report
    https://www.sonatype.com/state-of-the-software-supply-chain
    (Report page; source of the 93% rise in supply chain attacks)
  4. SEC press release on SolarWinds charges
    https://www.sec.gov/news/press-release/2023-227
    (SEC official release announcing fraud and internal-control charges against SolarWinds and its CISO)
  5. MOVEit Breach Litigation
    https://www.courtlistener.com/docket/67000000/in-re-moveit-customer-data-security-breach-litigation/
  6. EO 14028 (U.S. Cybersecurity Order, SBOM requirements)
    https://www.archives.gov/federal-register/cfr/2022/3/eo14028
    (U.S. National Archives; full official text)
  7. DPDP Act 2023, India (₹250 crore penalties, audits)
    https://prsindia.org/billtrack/digital-personal-data-protection-bill-2023
    (PRS Legislative Research; bill text and summary)