Explanatory Memorandum to COM(2018)630 - European Cybersecurity Industrial, Technology and Research Competence Centre and National Coordination Centres - Contribution to the Leaders’ meeting, September 2018


1. CONTEXT OF THE PROPOSAL

Reasons for and objectives of the proposal

As daily lives and economies become increasingly dependent on digital technologies, citizens become more and more exposed to serious cyber incidents. Future security depends on enhancing the ability to protect the Union against cyber threats, as both civilian infrastructure and military capacities rely on secure digital systems.

In order to address the growing challenges, the Union has steadily increased its activities in the area, building on the 2013 Cybersecurity Strategy and its goals and principles to foster a reliable, safe, and open cyber ecosystem. In 2016 the Union adopted its first measures in the area of cybersecurity through Directive (EU) 2016/1148 of the European Parliament and of the Council on security of network and information systems.

In view of the fast-evolving cybersecurity landscape, in September 2017 the Commission and the High Representative of the Union for Foreign Affairs and Security Policy presented a Joint Communication on 'Resilience, Deterrence and Defence: Building strong cybersecurity for the EU' to further reinforce the Union’s resilience, deterrence and response to cyber-attacks. The Joint Communication, building also on previous initiatives, outlined a set of proposed actions including, among others, reinforcing the European Union Agency for Network and Information Security (ENISA), creating a voluntary Union-wide cybersecurity certification framework to increase the cybersecurity of products and services in the digital world, as well as a blueprint for a quick, coordinated response to large-scale cybersecurity incidents and crises.

In the Joint Communication, it was recognised that it is also in the Union's strategic interest to ensure that it retains and develops essential cybersecurity technological capacities to secure its Digital Single Market, and in particular to protect critical networks and information systems and to provide key cybersecurity services. The Union must be in a position to autonomously secure its digital assets and to compete on the global cybersecurity market.

At the moment, the Union is a net importer of cybersecurity products and solutions and largely depends on non-European providers. The cybersecurity market is globally a 600 billion EUR market that is expected to grow in the next five years on average by approximately 17% in terms of sales, number of companies and employment. However, in the top 20 of the leading cybersecurity countries from a market perspective, there are only 6 Member States.

At the same time, a wealth of expertise and experience in cybersecurity exists in the Union - more than 660 organisations from across the EU registered for the recent mapping of cybersecurity centres of expertise conducted by the Commission. This expertise, if transformed into marketable products and solutions, could allow the Union to cover the whole cybersecurity value chain. Yet the efforts of the research and industrial communities are fragmented and lack alignment and a common mission, which hinders the EU's competitiveness in this domain as well as its ability to secure its digital assets. The relevant cybersecurity sectors (e.g. energy, space, defence, transport) and sub-domains are today insufficiently supported. Synergies between the civilian and defence cybersecurity sectors are not fully exploited in Europe either.

The creation in 2016 of the Public-Private Partnership (‘cPPP’) on cybersecurity in the Union was a solid first step, bringing together the research, industry and public sector communities to facilitate research and innovation in cybersecurity, and within the limits of the 2014-2020 financial framework it should result in good, more focused outcomes in research and innovation. The cPPP allowed industrial partners to express commitment about their individual spending on areas defined in the partnership's Strategic Research and Innovation Agenda.

However, the Union can pursue a much larger-scale investment and needs a more effective mechanism which would build lasting capacities, pool efforts and competences, and stimulate the development of innovative solutions responding to cybersecurity industrial challenges in the field of new multi-purpose technologies (e.g. artificial intelligence, quantum computing, blockchain and secure digital identities) as well as in critical sectors (e.g. transport, energy, health, financial, government, telecom, manufacturing, defence, space).

The Joint Communication considered the possibility of reinforcing Union cybersecurity capability through a network of cybersecurity competence centres with a European Cybersecurity Competence Centre at its heart. This would seek to complement the existing capacity-building efforts in this area at Union and national level. The Joint Communication expressed the Commission's intention to launch an impact assessment in 2018 to examine the available options with a view to setting up the structure. As a first step and to inform future thinking, the Commission launched a pilot phase under Horizon 2020 to help bring national centres together into a network to create new momentum in cybersecurity competence and technology development.

The Heads of State and Government at the Tallinn Digital Summit, in September 2017, called for the Union to become 'a global leader in cyber-security by 2025, in order to ensure trust, confidence and protection of our citizens, consumers and enterprises online and to enable a free and law-governed internet.'

The Council Conclusions adopted in November 2017 called on the Commission to provide rapidly an impact assessment on the possible options and to propose by mid-2018 the relevant legal instrument for the implementation of the initiative.

The Digital Europe Programme proposed by the Commission in June 2018 seeks to enlarge and maximise the benefits of digital transformation for European citizens and businesses in all relevant EU policy areas, reinforcing the policies and supporting the ambitions of the Digital Single Market. The programme proposes a coherent and overarching approach to ensuring the best use of advanced technologies and the right combination of technical capacity and human competence for the digital transformation – not only in the area of cybersecurity, but also as regards smart data infrastructure, artificial intelligence, advanced skills and applications in industry and in areas of public interest. These elements are interdependent, mutually reinforcing and, when fostered simultaneously, can achieve the scale necessary to allow a data economy to thrive. The Horizon Europe Programme, the next EU R&I Framework Programme, also puts cybersecurity among its priorities.

In this context the present Regulation proposes the set-up of a European Cybersecurity Industrial, Technology and Research Competence Centre with a network of National Coordination Centres. This made-for-purpose cooperation model should work as follows in order to stimulate the European cybersecurity technological and industrial ecosystem: the Competence Centre will facilitate and help coordinate the work of the Network and nurture the Cybersecurity Competence Community, driving the cybersecurity technological agenda and facilitating access to the expertise so gathered. The Competence Centre will in particular do so by implementing relevant parts of the Digital Europe and Horizon Europe programmes, by allocating grants and carrying out procurements. In view of the considerable investments in cybersecurity made in other parts of the world and of the need to coordinate and pool relevant resources in Europe, the Competence Centre is proposed as a European Partnership, thus facilitating joint investment by the Union, Member States and/or industry. Therefore the proposal requires Member States to contribute a commensurate amount to the actions of the Competence Centre and Network. The principal decision-making body is the Governing Board, in which all Member States take part but only those Member States which participate financially have voting rights. The voting mechanism in the Governing Board follows a double-majority principle requiring 75 % of the financial contribution and 75 % of the votes. In view of its responsibility for the Union budget, the Commission holds 50 % of the votes. For its work on the Governing Board, the Commission will avail itself, wherever appropriate, of the expertise of the European External Action Service. The Governing Board is assisted by an Industrial and Scientific Advisory Board to ensure regular dialogue with the private sector, consumers’ organisations and other relevant stakeholders.

Working closely with the Network of National Coordination Centres and the cybersecurity competence community (involving a large and diverse group of actors involved in cybersecurity technology development, such as research entities, supply-side industries, demand-side industries, and the public sector) established by this Regulation, the European Cybersecurity Industrial, Technology and Research Competence Centre would be the main implementation body for EU financial resources dedicated to cybersecurity under the proposed Digital Europe Programme and Horizon Europe Programme.

Such a comprehensive approach would allow cybersecurity to be supported across the entire value chain, from research to supporting the deployment and uptake of key technologies. The Member States' financial participation should be commensurate with the EU financial contribution to this initiative and is an indispensable element for its success.

In view of its particular expertise and broad and relevant stakeholder representation, the European Cybersecurity Organisation, which is the Commission's counterpart to the contractual public-private partnership on cybersecurity under Horizon 2020, should be invited to contribute to the work of the Centre and the network.

In addition, the European Cybersecurity Industrial, Technology and Research Competence Centre should also seek to enhance synergies between the civilian and defence dimensions of cybersecurity. It should give support to Member States and other relevant actors by providing advice, sharing expertise and facilitating collaboration with regard to projects and actions. When requested by Member States it could also act as a project manager, notably in relation to the European Defence Fund. The present initiative aims to contribute to tackling the following problems:

·Insufficient cooperation between cybersecurity demand and supply industries. European businesses face the challenge of both remaining secure and offering secure products and services to their clients. Yet, often they are not able to appropriately secure their existing products, services and assets or to design secure innovative products and services. Key cybersecurity assets are often too costly to be developed and set up by individual players whose core business activity is not related to cybersecurity. At the same time, the links between the demand and supply side of the cybersecurity market are not sufficiently well developed, resulting in a sub-optimal supply of European products and solutions adapted to different sectors' needs, as well as in insufficient levels of trust among market players.

·Lack of an efficient cooperation mechanism among Member States for industrial capacity building. At the moment, there is also no efficient cooperation mechanism for Member States to work together towards building the necessary capabilities supporting cybersecurity innovation across industrial sectors and the deployment of cutting-edge European cybersecurity solutions. The existing cooperation mechanisms for Member States in the field of cybersecurity under Directive (EU) 2016/1148 do not envisage this type of activity in their mandate.

·Insufficient cooperation within and between research and industrial communities. Despite Europe's theoretical capacity to cover the full cybersecurity value chain, there are relevant cybersecurity sectors (e.g. energy, space, defence, transport) and sub-domains that are today poorly supported by the research community, or supported only by a limited number of centres (e.g. post-quantum and quantum cryptography, trust and cybersecurity in AI). While collaboration between research and industry obviously exists, it is very often a short-term, consultancy-type arrangement, which does not allow engaging in long-term research plans to solve cybersecurity industrial challenges.

·Insufficient cooperation between civilian and defence cybersecurity research and innovation communities. The problem of insufficient levels of cooperation also concerns the civilian and defence communities. The existing synergies are not used to the full extent due to the lack of efficient mechanisms allowing these communities to cooperate efficiently and build trust, which, even more than in other fields, is a prerequisite for successful cooperation. This is coupled with limited financial capabilities in the EU cybersecurity market, including insufficient funds to support innovation.

·Consistency with existing policy provisions in the policy area

The Cybersecurity competence network and the European Cybersecurity Industrial, Technology and Research Competence Centre will act as additional support to existing cybersecurity policy provisions and actors. The mandate of the European Cybersecurity Industrial, Technology and Research Competence Centre will be complementary to ENISA’s efforts but has a different focus and requires a different set of skills. While ENISA's mandate envisages an advisory role on cybersecurity research and innovation in the EU, ENISA's proposed mandate focuses first and foremost on other tasks crucial for strengthening cybersecurity resilience in the EU. In addition, ENISA's mandate does not envisage the types of activities which would be the Centre and Network's core tasks - to stimulate the development and deployment of technology in cybersecurity and complement the capacity-building efforts in this area at EU and national level.

The European Cybersecurity Industrial, Technology and Research Competence Centre, together with the Cybersecurity competence network, will also work towards supporting research to facilitate and accelerate standardisation and certification processes, in particular those related to cybersecurity certification schemes in the meaning of the proposed Cybersecurity Act.

The present initiative is de facto scaling up the Public-Private Partnership on Cybersecurity (cPPP), which was the first EU-wide attempt to bring together the cybersecurity industry, the demand side (buyers of cybersecurity products and solutions, including public administration and critical sectors such as transport, health, energy, financial) and the research community to build a platform for sustainable dialogue and create conditions for voluntary co-investment. The cPPP was created in 2016 and has triggered up to EUR 1.8 billion of investment by 2020. However, the scale of the investment under way in other parts of the world (e.g. the US invested 19 billion dollars in cybersecurity in 2017 alone) shows that the EU needs to do more to achieve a critical mass of investment, and to overcome the fragmentation of capacities spread across the EU.

·Consistency with other Union policies

The European Cybersecurity Industrial, Technology and Research Competence Centre will act as a single implementation body for various Union programmes supporting cybersecurity (Digital Europe Programme and Horizon Europe) and enhance coherence and synergies between them.

This initiative will also make it possible to complement the efforts of the Member States by providing appropriate input to education policy makers in order to enhance cybersecurity skills (e.g. by developing cybersecurity curricula in civilian and military educational systems) to help develop a qualified EU cybersecurity workforce – a key asset for cybersecurity companies as well as other industries with a stake in cybersecurity. As to cyber defence education and training, this initiative will be consistent with the ongoing work of the cyber defence education, training and exercises platform established under the European Security and Defence College.

This initiative will be complementary with and support the efforts of the Digital Innovation Hubs under the Digital Europe Programme. Digital Innovation Hubs are not-for-profit organisations helping companies – especially start-ups, SMEs and mid-caps – to become more competitive by improving their business/production processes as well as products and services through smart innovation enabled by digital technology. Digital Innovation Hubs provide business-oriented innovation services, such as market intelligence, financing advice, access to relevant testing and experimentation facilities, training and skills development, to help new products or services to successfully reach the market, or to introduce better production processes. Some Digital Innovation Hubs, with specific cybersecurity expertise, could be directly involved in the cybersecurity competence community established by this initiative. In most cases, however, Digital Innovation Hubs which do not have a specific cybersecurity profile would facilitate access for their constituencies to the cybersecurity expertise, knowledge and capacities available within the cybersecurity competence community by cooperating closely with the Network of National Coordination Centres and the European Cybersecurity Industrial, Technology and Research Competence Centre. Digital Innovation Hubs would also support the deployment of innovative cybersecurity products and solutions corresponding to the needs of the companies and other end-users they serve. Last but not least, sector-specific Digital Innovation Hubs could share their knowledge of real-life sectoral needs with the Network and the Centre to feed the reflection on the research and innovation agenda responding to industrial requirements.

Synergies with relevant Knowledge and Innovation Communities of the European Institute of Innovation & Technology, and, in particular, with EIT Digital will be sought.

2. LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY

Legal basis

The Competence Centre should be established on a double legal basis due to its nature and specific objectives. Article 187 TFEU, on setting up the structures needed for the efficient execution of Union research, technological development and demonstration programmes, allows the Competence Centre to create synergies and pool resources to invest in necessary capacities at the Member States’ level and develop European shared assets (e.g. by jointly procuring necessary cybersecurity testing and experimentation infrastructure). The first paragraph of Article 188 provides for the adoption of such measures. Nonetheless, the first subparagraph of Article 188 as a sole legal basis would not allow the activities to go beyond the sphere of research and development, as is needed to fulfil all the objectives of the Competence Centre set out in this Regulation: supporting the market deployment of cybersecurity products and solutions, helping the European cybersecurity industry to become more competitive and increase its market share, and adding value to national efforts to address the cybersecurity skills gap. Therefore, in order to achieve these objectives, it is necessary to add Article 173 i as a legal basis, which allows the Union to provide for measures to support the competitiveness of the industry.

Justification for proposal in terms of subsidiarity and proportionality principles

Cybersecurity is an issue of common interest of the Union, as confirmed by the Council Conclusions mentioned above. The scale and cross-border character of incidents such as WannaCry or NotPetya are a case in point. The nature and scale of the cybersecurity technological challenges, as well as insufficient coordination of efforts within and across the industry, public sector and research communities, require the EU to further support coordination efforts both to pool a critical mass of resources and to ensure better knowledge and assets management. This is needed in view of the resource requirements related to certain capabilities for cybersecurity research, development and deployment; the need to provide access to interdisciplinary cybersecurity know-how across different disciplines (often only partially available at the national level); the global nature of industrial value chains; as well as the activity of global competitors working across the markets.

This requires resources and expertise at a scale that can hardly be matched by the individual action of any Member State. For example, a pan-European quantum communication network could require EU investment of approximately EUR 900 million, depending on the investments by Member States (to be interconnected/complemented) and on the extent to which the technology will allow the reuse of existing infrastructures. The initiative will be instrumental in pooling financing and allowing this type of investment to happen in the Union.

The objectives of this initiative cannot be fully achieved by the Member States alone. As shown above they can be better achieved at the Union level by pooling efforts and avoiding their unnecessary duplication, helping to achieve critical mass of investment and ensuring that public financing is used in an optimal way. At the same time, in accordance with the principle of proportionality, this Regulation does not go beyond what is necessary in order to achieve that objective. EU action is therefore justified on grounds of subsidiarity and proportionality.

This instrument does not foresee any new regulatory obligations for businesses. At the same time, businesses and especially SMEs are likely to reduce the costs related to their efforts in designing innovative cyber-secure products, as the initiative allows pooling resources to invest in necessary capacities at the Member States' level or to develop European shared assets (e.g. by jointly procuring necessary cybersecurity testing and experimentation infrastructure). These assets could be used by industries and SMEs across different sectors to ensure that their products are cyber-secure and to turn cybersecurity into their competitive advantage.

Choice of the instrument

The proposed instrument establishes a body dedicated to implementing cybersecurity actions under the Digital Europe Programme and the Horizon Europe Programme. It outlines its mandate and tasks, as well as its governance structure. Setting up such a Union body requires the adoption of a Regulation.

3. STAKEHOLDER CONSULTATIONS AND IMPACT ASSESSMENTS

The proposal to create a Cybersecurity competence network with a European Cybersecurity Industrial, Technology and Research Competence Centre is a new initiative. It acts as a continuation and scaling up of the contractual Public Private Partnership on cybersecurity created in 2016.

Stakeholder consultations

Cybersecurity is a broad, cross-sectoral topic. The Commission used different consultation methods in order to make sure that the Union's general public interest – as opposed to the special interests of a narrow range of stakeholder groups – is well reflected in this initiative. This method ensures transparency and accountability in the Commission's work. While no open public consultation was conducted specifically for this initiative given its target audience (the industrial and research community and Member States), the theme was already covered by several other open public consultations:

·A general open public consultation carried out in 2018 on the topic of investment, research & innovation, SMEs and the single market.

·A 12-week online public consultation launched in 2017 to seek views of the wider public (approx. 90 respondents) on ENISA evaluation and review.

·A 12-week online public consultation that was carried out in 2016 on the occasion of the launch of the contractual public-private partnership on cybersecurity (approx. 240 respondents).

The Commission also organised targeted consultations on this initiative, including workshops, meetings and targeted requests for input (from ENISA and the European Defence Agency). The consultation period spanned 6 months, from November 2017 to March 2018. The Commission also conducted a mapping of centres of expertise, which made it possible to gather input from 665 cybersecurity expertise centres on their know-how, activity, working fields and international cooperation. The survey was launched in January, and surveys submitted until 08 March 2018 were taken into consideration for the report analysis.

Stakeholders from the industrial and research communities considered that the Competence Centre and the Network could add value to the current efforts at the national level by helping to create a Europe-wide cybersecurity ecosystem allowing better cooperation between the research and industry communities. They also considered it necessary that the EU and Member States take a proactive, longer-term and strategic perspective on cybersecurity industrial policy going beyond research and innovation only. Stakeholders expressed the need to gain access to key capabilities such as testing and experimentation facilities and to be more ambitious in closing the cybersecurity skills gap, e.g. through large-scale European projects attracting the best talents. All of the above was also seen as necessary for the Union to be recognised globally as a leader in cybersecurity.

Member States, in the framework of the consultation activities undertaken since last September as well as in dedicated Council Conclusions, welcomed the intention to set up a Cybersecurity competence network to stimulate the development and deployment of cybersecurity technologies, stressing the need to be inclusive towards all Member States and their existing centres of excellence and competence and to pay special attention to complementarity. Specifically with regard to the future Competence Centre, Member States stressed the importance of its coordinating role in support of the network. In particular with regard to national activities and needs in cyber defence, the mapping exercise on Member States’ cyber defence needs conducted by the European External Action Service in March 2018 demonstrated that most of the Member States see added value in EU support for cyber training and education as well as in supporting industry through research and development. The initiative would indeed be implemented together with Member States or entities supported by them. Collaborations between the industry, research and/or public sector communities would bring together and strengthen existing entities and efforts and not create new ones. Member States would also be involved in defining specific actions targeting the public sector as a direct user of cybersecurity technology and know-how.

Impact assessment

An Impact Assessment supporting this initiative was submitted to the Regulatory Scrutiny Board on 11 April 2017 and received a positive opinion with reservations. The Impact Assessment was subsequently reviewed in light of the Board's comments. The Opinion of the Board and the Annex explaining how the Board's comments were addressed are published along with this proposal.

A number of policy options have been considered in the Impact Assessment, both legislative and non-legislative. The following options were retained for an in-depth assessment:

·Baseline scenario - Collaborative Option - assumes the continuation of the current approach to building cybersecurity industrial and technological capacities in the EU through supporting research and innovation and related collaboration mechanisms under FP9.

·Option 1: Cybersecurity competence network with a European Cybersecurity Industrial, Technology and Research Competence Centre with a dual mandate to pursue measures in support of industrial technologies as well as in the domain of research and innovation.

·Option 2: Cybersecurity competence network with a European Cybersecurity Research and Competence Centre focused on research and innovation activities.

The options discarded at an early stage included 1) the option of no action at all, 2) the option of creating the cybersecurity competence network only, 3) the option of creating a centralised structure only, as well as 4) the option of using an existing agency (the European Union Agency for Network and Information Security (ENISA), the Research Executive Agency (REA) or the Innovation and Networks Executive Agency (INEA)).

The analysis concluded that Option 1 is best suited to achieve the goals of the initiative while offering the highest economic, societal and environmental impact and safeguarding the Union’s interests. The main arguments in favour of this option included the ability to create a real cybersecurity industrial policy by supporting activities related not only to research and development but also to market deployment; the flexibility to allow different cooperation models with the network of competence centres to optimise the use of existing knowledge and resources; and the ability to structure cooperation and joint commitments of the public and private stakeholders coming from all relevant sectors, including defence. Last but not least, Option 1 also allows synergies to be increased and can act as an implementation mechanism for two different EU cybersecurity funding streams under the next Multiannual Financial Framework (Digital Europe Programme, Horizon Europe).

Fundamental rights

This initiative will allow public authorities and industries across Member States to more effectively prevent and respond to cyber threats by offering and equipping themselves with more secure products and solutions. This is particularly relevant for the protection of access to essential services (e.g. transport, health, banking and financial services).

Increased capacity of the European Union to autonomously secure its products and services is also likely to help citizens enjoy their democratic rights and values (e.g. better protect their information-related rights enshrined in the Charter of Fundamental Rights, particularly the right to the protection of personal data and private life) and consequently increase their trust in the digital society and economy.

4. BUDGETARY IMPLICATIONS

The European Cybersecurity Industrial, Technology and Research Competence Centre, in cooperation with the cybersecurity competence network, will be the main implementation body for EU financial resources dedicated to cybersecurity under Digital Europe and Horizon Europe.

The budgetary implications related to the implementation of Digital Europe are listed in detail in the Legislative Financial Statement annexed to this proposal. The contribution from the financial envelope of the cluster Inclusive and Secure Society of Pillar II Global Challenges and Industrial Competitiveness of Horizon Europe (total envelope EUR 2 800 000 000) referred to in Article 21 i (b) will be proposed by the Commission during the legislative process and in any case before a political agreement is reached. The proposal will be based on the outcome of the strategic planning process as defined in Article 6 i of Regulation XXX [Horizon Europe framework programme].

5. OTHER ELEMENTS

Implementation plans and monitoring, evaluation and reporting arrangements

An explicit evaluation clause, by which the Commission will conduct an independent evaluation, is foreseen in this proposal (Article 38). The Commission will subsequently report to the European Parliament and the Council on its evaluation accompanied where appropriate by a proposal for its review, in order to measure the impact of the instrument and its added value. The Commission Better Regulation methodology on evaluation will be applied.

The Executive Director should present to the Governing Board an ex-post evaluation of the European Cybersecurity Industrial, Technology and Research Competence Centre's and the Network's activities every two years, as set out in Article 17 of this proposal. The Executive Director should also prepare a follow-up action plan regarding the conclusions of retrospective evaluations and report on progress every two years to the Commission. The Governing Board should be responsible for monitoring the adequate follow-up of such conclusions, as set out in Article 16 of this proposal.

Alleged instances of maladministration in the activities of the legal body may be subject to inquiries by the European Ombudsman in accordance with the provisions of Article 228 of the Treaty.