“When we add a new supplier, what does it actually take to bring their signing into our governance?”
A client asked us this recently: “When we add a new supplier, what does it actually take to bring their signing into our governance?”
Insight
Commentary from our cryptographic and AI governance practitioners on the regulatory, sovereignty, and supply chain conditions shaping critical industries. Organised by theme, not by date.
Themes
Multi-supplier code environments, bespoke signing architecture, the economics of trust at scale.
NIS2, Cyber Resilience Act, UNECE WP.29, ISO/SAE 21434. What auditors are actually looking for.
“We use an HSM” is the answer we hear most often when we ask an OEM's security team how they protect their signing keys. It is meant to close the question. In our experience, it opens a longer one.
The sovereignty conversation was a technical preference. NIS2 has made it a fiduciary obligation. A short note on what changed.
Featured
Supply chain integrity
Inside the model: how one bespoke signing service absorbed the enterprise cryptographic domain under the same governance framework built for the vehicle side. One team. One policy. One sovereign estate. The pattern we now bring to every new engagement.
Quarterly briefing
Four considered pieces per year. Written by the practitioners. No news-hook summaries, no vendor pitches.