Software supply chain security: what NIS 2 and DORA now require

In mid-May 2026, automated attacks against GitHub, PyPI, RubyGems, and software vendor Instructure exposed a systemic weakness: an organization's security no longer depends on its perimeter, but on the integrity of its entire software supply chain. For CISOs, CIOs, and DPOs, contractual validation of suppliers has become obsolete. NIS 2 and DORA now mandate technical traceability (continuous component inventories, dependency control, Zero Trust applied to development), and the same evidence documents compliance with Article 32 of the GDPR (security of processing).

By Calixte Descamps

The acceleration of automated attacks against GitHub, PyPI, RubyGems, and software vendor Instructure in mid-May 2026 marks a systemic turning point for enterprise security. Simple contractual validation of third-party suppliers is now obsolete: the EU's NIS 2 directive and DORA regulation require a shift towards technical traceability of the software an organization runs, as a condition of digital resilience.

The End of the Watertight Perimeter: Why the Software Supply Chain Is Becoming the Target

This shift in offensive strategy shows that attackers are moving away from direct attacks on individual targets and towards the foundations of the technological ecosystem. By corrupting the trusted tools developers use daily, a single compromise threatens the integrity of thousands of organizations at once. An organization's security no longer depends on its own perimeter defenses, but on the robustness of its entire technical supply chain.

Anatomy of Software Supply Chain Attacks

GitHub and PyPI: Automated Injection of Invisible Flaws

A critical alert issued by Google's research teams has mapped the extent of this new threat. Attackers are now leveraging advanced automated tools to design and inject complex vulnerabilities into essential collaborative platforms like GitHub and PyPI.

The danger of this method lies in how hard the resulting flaws are to detect. Unlike the crude malicious code of the past, these alterations blend into the architecture of legitimate projects. They pass standard security audits and static code analysis, and enter the build and release pipeline of software that companies then deploy on their servers with confidence.

RubyGems: Saturation and Freezing of Open Source Registries

The tangible impact of these automated attacks resulted in a major crisis for the Ruby developer community. Faced with a massive and coordinated upload of malicious packages, the administrators of the public RubyGems registry had to make a radical decision by temporarily suspending all new registrations on their platform.

This technical freeze illustrates the fragility of open-source package repositories, which have become primary targets for two tactics. Typosquatting floods a registry with corrupted packages whose names are almost identical to those of official tools, so that a single typo in a manifest pulls in the attacker's code. Dependency confusion publishes a public package under the same name as an organization's private, internal package, so that a resolver configured to consult both indexes fetches the public (malicious) one. In both cases, a simple lapse in vigilance during a software update is enough to open a major breach within a corporate infrastructure.
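The two tactics above can be screened for before a manifest reaches a build. The following is an added example, not code from the original article or from any registry operator: it flags manifest entries that are one edit away from a trusted package name (typosquatting) and internal package names that also exist on the public index (dependency confusion). The trusted-package list, the internal-package list, the public-index snapshot and the manifest are all constructed fixtures; a real check would query the index (for PyPI, `GET https://pypi.org/pypi/<name>/json`) instead of the snapshot.

```python
"""Flag typosquatting and dependency-confusion candidates in a manifest.

Added example; all names and the "public index" snapshot are constructed.
"""
import re
from dataclasses import dataclass

# Constructed: widely used packages the team already depends on.
POPULAR_PACKAGES = {"requests", "urllib3", "cryptography", "numpy", "boto3"}

# Constructed: packages that exist only on the company's private index.
INTERNAL_PACKAGES = {"acme-auth", "acme-billing", "acme-telemetry"}

# Constructed snapshot of the public index namespace (stand-in for a live lookup).
PUBLIC_INDEX_SNAPSHOT = {
    "requests", "urllib3", "cryptography", "numpy", "boto3",
    "requestss", "crpytography",   # look-alike names (typosquats)
    "acme-billing",                # collides with an internal package name
}

# Constructed dependency manifest under review.
REQUIREMENTS = """\
# constructed manifest
requests==2.31.0
requestss==2.31.0
crpytography>=41.0
acme-auth==3.2.0
acme-billing==1.0.4
numpy
"""


@dataclass(frozen=True)
class Finding:
    package: str
    kind: str      # "typosquat" or "dependency-confusion"
    detail: str


def normalize(name: str) -> str:
    """PEP 503 normalisation: case-fold and collapse runs of '-', '_' and '.'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, substitution
    and a swap of two adjacent characters each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def manifest_names(text: str) -> list[str]:
    """Extract normalised project names from requirements-style lines."""
    names = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # The project name ends at the first version, extras or marker character.
        raw = re.split(r"[\s=<>!~;\[]", line, maxsplit=1)[0]
        names.append(normalize(raw))
    return names


def audit_requirements(text: str) -> list[Finding]:
    findings: list[Finding] = []
    popular = {normalize(p) for p in POPULAR_PACKAGES}
    internal = {normalize(p) for p in INTERNAL_PACKAGES}
    public = {normalize(p) for p in PUBLIC_INDEX_SNAPSHOT}
    for name in manifest_names(text):
        # Typosquatting: an unfamiliar name one edit away from a trusted one.
        if name not in popular:
            for trusted in sorted(popular):
                if osa_distance(name, trusted) <= 1:
                    findings.append(Finding(name, "typosquat",
                                            f"one edit away from {trusted!r}"))
        # Dependency confusion: an internal name that also exists publicly.
        if name in internal and name in public:
            findings.append(Finding(name, "dependency-confusion",
                                    "internal package name also exists on the public index"))
    return findings


if __name__ == "__main__":
    for f in audit_requirements(REQUIREMENTS):
        print(f"{f.kind:22} {f.package:15} {f.detail}")
```

The edit-distance check is a heuristic and will produce false positives for genuinely distinct short names; the dependency-confusion check, by contrast, is exact and is the one to gate a build on. The durable fix for dependency confusion is to stop the resolver from consulting the public index for internal names at all (for pip, a single `--index-url` pointing at a private proxy rather than an `--extra-index-url`).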

Instructure: The Domino Effect on Global Data

The consequences of these technical compromises extend far beyond mere computer code, directly impacting user data. Instructure, the company that manages the Canvas educational platform, found itself embroiled in critical negotiations following a major intrusion.

The attackers orchestrated a massive data breach, threatening to disclose over three terabytes of confidential data belonging to thousands of universities worldwide. This incident highlights the domino effect inherent in supply chain attacks. By targeting a single centralized service provider, attackers instantly gain access to a massive volume of sensitive information related to a multitude of third-party entities, who nonetheless believed their internal perimeter to be secure.

NIS 2 and DORA: From Contractual Validation to Absolute Traceability

These cascading compromises fundamentally change the operational reading of NIS 2 (a directive) and DORA (a regulation). For security and compliance officers, simple administrative or contractual validation of third-party suppliers has become obsolete. Package-flooding and automated injection attacks prove that a signature at the bottom of a contract does not protect source code.

Audits now demand software traceability, compelling in-scope entities (essential and important entities under NIS 2, financial entities and their ICT providers under DORA) to maintain continuous inventories of the software components they run. Such an inventory, typically produced as a software bill of materials (SBOM) for each deployed system, makes it possible to know exactly which external code blocks comprise the information system and to act immediately when an alert is raised on a public repository.
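What "act immediately on an alert" looks like in practice is a join between the component inventory and the advisory. The following is an added example, not code from the original article, from NIS 2 or DORA guidance, or from any SBOM tool: it folds several CycloneDX-style SBOMs into one inventory keyed by package URL and returns every system shipping a version in an advisory's affected range. The two SBOMs and the advisory (including its identifier) are constructed fixtures; the fields used (`metadata.component`, `components` with `name`, `version`, `purl`) follow the CycloneDX JSON layout but real documents carry many more, and versions are compared as dotted integers, where a production check would use a PEP 440 implementation such as `packaging.version`.

```python
"""Match a registry advisory against an inventory built from SBOMs.

Added example; the SBOMs and the advisory below are constructed fixtures.
"""
from __future__ import annotations

# Constructed CycloneDX-style SBOMs, one per deployed system.
SBOMS = [
    {
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "metadata": {"component": {"name": "billing-api", "version": "4.1.0"}},
        "components": [
            {"type": "library", "name": "urllib3", "version": "2.0.7",
             "purl": "pkg:pypi/urllib3@2.0.7"},
            {"type": "library", "name": "requests", "version": "2.31.0",
             "purl": "pkg:pypi/requests@2.31.0"},
        ],
    },
    {
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "metadata": {"component": {"name": "hr-portal", "version": "12.3.1"}},
        "components": [
            {"type": "library", "name": "urllib3", "version": "2.2.2",
             "purl": "pkg:pypi/urllib3@2.2.2"},
            {"type": "library", "name": "requests", "version": "2.31.0",
             "purl": "pkg:pypi/requests@2.31.0"},
            {"type": "library", "name": "lodash", "version": "4.17.21",
             "purl": "pkg:npm/lodash@4.17.21"},
        ],
    },
]

# Constructed advisory in the shape of an OSV-style range: affected versions
# are [introduced, fixed). The identifier is made up for this example.
ADVISORY = {"id": "EXAMPLE-2026-0001", "ecosystem": "pypi", "package": "urllib3",
            "introduced": "2.0.0", "fixed": "2.2.2"}

# (ecosystem, name, version) -> names of the systems that ship that component
Inventory = dict[tuple[str, str, str], set[str]]


def parse_version(v: str) -> tuple[int, ...]:
    """Dotted numeric versions only; non-numeric segments compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def parse_purl(purl: str) -> tuple[str, str, str]:
    """Split 'pkg:<type>/<name>@<version>' into normalised parts."""
    body = purl.removeprefix("pkg:")
    ecosystem, _, rest = body.partition("/")
    name, sep, version = rest.rpartition("@")
    if not sep:                      # purl without a version
        name, version = rest, ""
    return ecosystem.lower(), name.lower(), version


def build_inventory(sboms: list[dict]) -> Inventory:
    """Fold every SBOM into one map from component to the systems that ship it."""
    inventory: Inventory = {}
    for sbom in sboms:
        system = sbom["metadata"]["component"]["name"]
        for comp in sbom.get("components", []):
            if "purl" in comp:
                key = parse_purl(comp["purl"])
            else:   # no purl: fall back to the bare name, ecosystem unknown
                key = ("unknown", comp["name"].lower(), comp.get("version", ""))
            inventory.setdefault(key, set()).add(system)
    return inventory


def is_affected(version: str, advisory: dict) -> bool:
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def find_exposed(inventory: Inventory, advisory: dict) -> list[tuple[str, str, str]]:
    """Return (system, package, version) for every exposed deployment, sorted."""
    hits = []
    for (ecosystem, name, version), systems in inventory.items():
        if ecosystem != advisory["ecosystem"] or name != advisory["package"].lower():
            continue
        if is_affected(version, advisory):
            hits.extend((system, name, version) for system in systems)
    return sorted(hits)


if __name__ == "__main__":
    inv = build_inventory(SBOMS)
    for system, name, version in find_exposed(inv, ADVISORY):
        print(f"{system}: {name} {version} is in the affected range of {ADVISORY['id']}")
```

The inventory is only as current as the SBOMs feeding it: a component inventory that is regenerated at every build and attached to the deployed artifact answers the auditor's question; one exported by hand at audit time does not.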

NIS 2, DORA, GDPR: The Interoperability of Compliance Obligations

The interoperability of regulatory obligations becomes evident here. The dependency mapping that NIS 2 requires for resilience is the same technical documentation needed to demonstrate Article 32 of the GDPR (security of processing). Effective governance uses one technical mapping to meet both the infrastructure resilience requirements and the personal data protection requirements.

Compliance becomes a shared engineering exercise in which digital risk governance is integrated directly into IT teams' production workflows. Protecting the modern enterprise requires a transition to strict validation models, based on the Zero Trust principle applied to development: nothing enters the build because it was downloaded from a familiar name; it enters because its origin and content have been verified. Systematic verification of code provenance and continuous dependency control are the practical defenses against this widespread offensive.
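The contrast between a floating dependency and a verified one is concrete. The following is an added example, not code from the original article or from pip: it puts a loose manifest (any version, any content accepted) beside a pinned one, rejects the loose one as a policy violation, and accepts a fetched artifact only when its digest matches the one recorded at review time. The artifact bytes and the manifests are constructed fixtures standing in for real wheels; the `--hash=sha256:` syntax is pip's own, which pip enforces for every line when run with `--require-hashes`.

```python
"""Enforce hash-pinned dependencies and verify fetched artifacts against them.

Added example; the artifact bytes and manifests are constructed fixtures.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field

# Constructed: bytes standing in for the release artifact that was reviewed.
REVIEWED_WHEEL = b"constructed wheel contents for requests 2.31.0"
# Constructed: the same artifact after tampering (a few bytes changed).
TAMPERED_WHEEL = REVIEWED_WHEEL.replace(b"2.31.0", b"2.31.1")

# Weak manifest: floating version, no digest. Whatever the index serves is accepted.
LOOSE_REQUIREMENTS = "requests>=2\n"

# Hardened manifest: exact version plus the digest recorded at review time.
PINNED_REQUIREMENTS = (
    "requests==2.31.0 \\\n"
    f"    --hash=sha256:{hashlib.sha256(REVIEWED_WHEEL).hexdigest()}\n"
)


@dataclass
class LockedRequirement:
    name: str
    version: str | None                         # None when not an exact '==' pin
    hashes: set[str] = field(default_factory=set)   # entries like "sha256:<hex>"


def parse_requirements(text: str) -> list[LockedRequirement]:
    """Parse requirements lines, joining backslash line continuations first."""
    logical = re.sub(r"\\\n\s*", " ", text)
    reqs = []
    for line in logical.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(==([^\s;]+))?", tokens[0])
        if not m:
            continue
        name = re.sub(r"[-_.]+", "-", m.group(1)).lower()   # PEP 503 name
        version = m.group(3)                                  # None unless '=='
        hashes = {t.split("=", 1)[1] for t in tokens[1:] if t.startswith("--hash=")}
        reqs.append(LockedRequirement(name, version, hashes))
    return reqs


def policy_violations(reqs: list[LockedRequirement]) -> list[str]:
    """Every dependency must be pinned to one version and carry a digest."""
    problems = []
    for r in reqs:
        if r.version is None:
            problems.append(f"{r.name}: not pinned to an exact version")
        if not r.hashes:
            problems.append(f"{r.name}: no --hash recorded")
    return problems


def verify_artifact(req: LockedRequirement, data: bytes) -> bool:
    """Accept the fetched bytes only if their digest matches a recorded hash."""
    digest = "sha256:" + hashlib.sha256(data).hexdigest()
    return digest in req.hashes


if __name__ == "__main__":
    print("loose manifest:", policy_violations(parse_requirements(LOOSE_REQUIREMENTS)))
    pinned = parse_requirements(PINNED_REQUIREMENTS)[0]
    print("pinned manifest:", policy_violations([pinned]))
    print("reviewed artifact accepted:", verify_artifact(pinned, REVIEWED_WHEEL))
    print("tampered artifact accepted:", verify_artifact(pinned, TAMPERED_WHEEL))
```

A digest pin proves that the artifact installed today is byte-for-byte the one that was reviewed when the lock file was written; it does not prove the upstream release itself was benign. Provenance goes one step further, by checking a signed build attestation (Sigstore-based attestations are the common form) that ties the artifact to the source repository and build pipeline that produced it.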

FAQ - Software Supply Chain, NIS 2, and DORA

What is a software supply chain attack?

It's an attack that no longer directly targets a company, but rather the trusted tools used by its developers. By corrupting collaborative platforms like GitHub or PyPI, cybercriminals inject vulnerabilities into legitimate projects and simultaneously threaten the integrity of thousands of organizations.

Why is contractual vendor validation no longer sufficient?

Because a signature at the bottom of a contract does not protect the source code. Automated injection and package-flooding attacks blend into the architecture of legitimate projects and bypass standard audits; only technical traceability can detect them.

What do NIS 2 and DORA require regarding software traceability?

Audits now demand software traceability. In-scope entities (essential and important entities under NIS 2, financial entities under DORA) must maintain continuous software component inventories to know exactly which external code components comprise their information system and to act immediately if an alert is raised on a public repository.

What is the link between NIS 2, DORA, and Article 32 of the GDPR?

The security data required by NIS 2 for mapping software dependencies provides the necessary technical documentation to validate Article 32 of the GDPR, which pertains to processing security. The same technical mapping addresses both infrastructure resilience requirements and personal data protection requirements.

What are typosquatting and dependency confusion?

Typosquatting floods open-source registries with corrupted packages whose names are almost identical to those of official tools, so that a typo in a manifest pulls in the attacker's code. Dependency confusion publishes a public package under the same name as an organization's private, internal package, so that a resolver configured to consult both indexes fetches the public one. In either case, a simple lack of vigilance during a software update can be enough to open a major breach in a company's infrastructure.

How to protect your software supply chain?

Protection involves strict validation models based on the Zero Trust principle applied to development: systematic verification of code origin and continuous dependency control, integrated directly into IT teams' production workflows.
