v2.4.0

Supply chain security addresses the risks introduced by third-party components: open-source libraries, pre-trained models, commercial APIs, and cloud infrastructure services. SBOM management generates and maintains software bills of materials in CycloneDX or SPDX format with ML-specific component metadata. Dependency management enforces version pinning, signature verification, and continuous vulnerability scanning.
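A gate over a CycloneDX SBOM can enforce the pinning and ML-metadata points above. The following is an added example, not code from this documentation or from any tool it describes. The three policy rules, the finding names, and the sample components are assumptions constructed for illustration. It only checks that a digest is recorded for later comparison and does not verify signatures.

```python
import re

# Constructed CycloneDX 1.5 fragment; component names and digest are placeholders.
DIGEST = [{"alg": "SHA-256", "content": "<placeholder-digest>"}]
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-lib", "version": "2.1.0", "hashes": DIGEST},
        {"type": "library", "name": "example-client", "version": ">=1.4"},
        {"type": "machine-learning-model", "name": "example-classifier",
         "version": "latest", "hashes": DIGEST},
        {"type": "machine-learning-model", "name": "example-embedder",
         "version": "3.0.1", "hashes": DIGEST,
         "modelCard": {"modelParameters": {"task": "embedding"}}},
    ],
}

# Assumed policy: range operators or floating tags mean the version is not pinned.
RANGE_CHARS = re.compile(r"[<>=~^*,\s]")
FLOATING_TAGS = {"", "latest", "main", "master", "head"}
STRONG_ALGS = {"SHA-256", "SHA-384", "SHA-512", "SHA3-256", "SHA3-512"}

def check_component(comp):
    """Return the list of policy findings for one SBOM component."""
    findings = []
    version = str(comp.get("version", ""))
    if version.lower() in FLOATING_TAGS or RANGE_CHARS.search(version):
        findings.append("unpinned-version")
    algs = {h.get("alg") for h in comp.get("hashes", [])}
    if not algs & STRONG_ALGS:
        findings.append("missing-strong-hash")
    # ML-specific metadata: CycloneDX 1.5 model components can carry a modelCard.
    if comp.get("type") == "machine-learning-model" and "modelCard" not in comp:
        findings.append("missing-model-card")
    return findings

def audit_sbom(sbom):
    """Map component name -> findings; components that pass are omitted."""
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("only CycloneDX JSON is handled in this example")
    report = {}
    for comp in sbom.get("components", []):  # top-level components only
        findings = check_component(comp)
        if findings:
            report[comp.get("name", "<unnamed>")] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit_sbom(SAMPLE_SBOM).items():
        print(f"{name}: {', '.join(findings)}")
```

A non-empty report would fail the build in a CI gate; nested components and SPDX input are outside what this example handles.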

Third-party model provider assessment applies the AI Act’s model origin risk framework alongside DORA’s third-party risk requirements. The DORA third-party register is the structured register of ICT third-party service providers required for financial services deployers.

Note:

This section corresponds to the Supply Chain Security section and feeds primarily into AISDP Module 9 (Robustness and Cybersecurity).
