Regardless of any specifics, I don't see any contradiction.
If a company is deemed a "supply chain risk" it makes perfect sense to compel it to work with the military, assuming the latter will compel them to fix the issues that make them such a risk.
The "supply chain risk" option is to remove that company from the supply chain altogether. The 'risk' is because the company is compromised by a foreign entity.
It is not about disciplining them to get better.
1. So one option is about forcing them to produce something. You must build this for us.
2. The other option is saying they are compromised so stop using them altogether. We will not use what you build for us at all because we don't trust it.
So. Contradictory.
I’m not sure what definition of supply chain risk they’re working off of. For NATO to consider an organization to be a supply chain risk, it implies that usual controls (security clearances and the like) wouldn’t be sufficient to guarantee the integrity and security of the supply chain. If that’s the operating definition, I see the contradiction: it’s arguing that a company cannot be trusted to voluntarily work within supply chains but can be trusted enough to be compelled.
If they’re operating under a different definition of supply chain risk, I don’t have a clue.