China's Supply Chain Security Regulations Take Effect — Zero Transition Period
China's State Council published the Regulations on Industrial and Supply Chain Security on April 7, effective immediately. The 18-article framework — China's first dedicated supply chain regulation — transforms supply chain protection into a national security priority with no grace period.
Article 15 authorizes investigation and countermeasures when foreign entities "interrupt normal transactions or adopt discriminatory measures" causing supply chain harm. Any export controls, sanctions compliance, or vendor restrictions touching Chinese supply chains could trigger formal investigation.
This lands alongside China's amended Cybersecurity Law (in force since January 1, 2026), which introduced penalties up to 10x purchase amounts for uncertified products and removed the mandatory warning-before-fine requirement.
Why it matters: Western sanctions and Chinese countermeasure authority now point in opposite directions. Your legal and procurement teams need to scenario-plan for conflicts between the two regimes.
⏰ DEADLINE: NYDFS Certification Due Wednesday
All 23 NYCRR Part 500 covered entities must file their annual Certification of Material Compliance for CY2025 by April 15. NYDFS fined Healthplex $2M in August 2025 for MFA failures and — critically — falsely certifying compliance. If your filing isn't ready, escalate to your CISO today. NYDFS Cybersecurity Resource Center →
Also Today
FedRAMP RFC-0031: 1-Hour Incident Reporting Window
FedRAMP proposes the most aggressive incident reporting timeline in any framework: 1 hour from identification, with daily updates. The RFC also expands the incident definition beyond federal customer data and shifts availability reporting to public status pages. Comment period closes May 12.
→ Review RFC-0031 and submit comments via FedRAMP GitHub by May 12.
NERC CIP-003-11: OT Security After Volt Typhoon (Effective May 26)
FERC Order No. 918 strengthens cybersecurity for low-impact BES systems — the exact OT networks targeted by Volt Typhoon. New requirements: remote user password protocols, authentication credential protection in transit, and malicious communications detection.
→ Map current controls against CIP-003-11 before May 26.
EU Cyber Resilience Act — Three Milestones in 6 Months
June 11: conformity assessment body designations. Sept 11: vulnerability & incident reporting begins (24-hour exploit disclosure to ENISA). October: harmonised standards for browsers, VPNs, SIEM. Separately, the proposed CSA2 would introduce fines up to 7% of global turnover.
→ Map connected products against CRA scope now.
Post-Quantum Crypto: Migration Deadlines Converging
NSA's CNSA 2.0 mandates quantum-safe algorithms for National Security Systems. NIST finalized three PQC standards (FIPS 203–205). The EU signals a Quantum Act in 2026. AWS, Google, and Cloudflare already offer quantum-safe TLS. The unified control framework flags PQC as the single requirement spanning every domain and jurisdiction.
→ Start with a cryptographic inventory and build a hybrid migration roadmap.
The Big Picture: Incident Reporting Timelines Are Tightening
FedRAMP RFC-0031: 1 hour (proposed) · EU CRA: 24 hours (Sept 2026) · EU NIS2: 24 hours (in force) · UK CSR Bill: 24 + 72 hours (proposed) · US CIRCIA: 72 hours (delayed)
If you haven't stress-tested your IR playbook against a 24-hour (or 1-hour) clock, now is the time.
One Thing to Do Today
Check your NYDFS cybersecurity certification filing status. You have 48 hours. If it's submitted, confirm receipt. If it's not, this is a CISO-escalation conversation — today, not tomorrow.
Tomorrow's Focus: Privacy & Data Protection — COPPA compliance deadline hits April 22, EDPB 118th Plenary convenes April 15–16, and the Seventh Circuit's BIPA retroactivity ruling is reshaping biometric litigation economics.