The majority of the population of the Union is connected to the internet. The daily lives of people and economies are becoming increasingly dependent on digital technologies. Citizens and businesses are becoming increasingly exposed to serious cybersecurity incidents and many businesses in the Union experience at least one cybersecurity incident every year. This highlights the need for resilience, for enhancing technological and industrial capabilities and for the use of high cybersecurity standards and holistic cybersecurity solutions which involve people, products, processes and technology in the Union, as well as the need for Union leadership in the areas of cybersecurity and digital autonomy. Cybersecurity can also be improved by raising the awareness of cybersecurity threats and by developing competencies, capacities and capabilities throughout the Union, while thoroughly taking into account societal and ethical implications and concerns.
(2)
The Union has steadily increased its activities to address growing cybersecurity challenges following the cybersecurity strategy put forward by the Commission and the High Representative of the Union for Foreign Affairs and Security Policy (High Representative) in their Joint communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions of 7 February 2013 entitled ‘Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace’ (the ‘2013 Cybersecurity Strategy’). The 2013 Cybersecurity Strategy aimed to foster a reliable, safe, and open cyber ecosystem. In 2016, the Union adopted the first measures in the area of cybersecurity with Directive (EU) 2016/1148 of the European Parliament and of the Council (3) on security of network and information systems.
(3)
In September 2017, the Commission and the High Representative presented a Joint communication to the European Parliament and the Council entitled ‘Resilience, Deterrence and Defence: Building strong cybersecurity for the EU’ to further reinforce the Union’s resilience, deterrence and response to cyber-attacks.
(4)
The Heads of State and Government at the Tallinn Digital Summit, in September 2017, called for the Union to become a global leader in cyber-security by 2025, in order to ensure trust, confidence and protection of citizens, consumers and enterprises online and to enable a free, safer and law-governed internet and declared their intention to make more use of open source solutions and open standards when (re)building Information and Communication Technology (ICT) systems and solutions, in particular avoiding vendor lock-ins, including those developed or promoted by Union programmes for interoperability and standardisation, such as ISA2.
(5)
The European Cybersecurity Industrial, Technology and Research Competence Centre (the ‘Competence Centre’) established in this Regulation should help to increase the security of network and information systems, including the internet and other infrastructures which are critical for the functioning of society, such as transport, health, energy, digital infrastructure, water, the financial markets and the banking systems.
(6)
The substantial disruption of network and information systems can affect individual Member States and the Union as a whole. A high level of security of network and information systems throughout the Union is therefore essential for society and the economy alike. At the moment, the Union depends on non-European cybersecurity providers. However, it is in the Union’s strategic interest to ensure that it retains and develops essential cybersecurity research and technological capacities to secure the network and information systems of citizens and businesses, and in particular to protect critical network and information systems and provide key cybersecurity services.
(7)
A wealth of expertise and experience in cybersecurity research, technology and industrial development exists in the Union, but the efforts of industrial and research communities are fragmented, lacking alignment and a common mission, which hinders competitiveness and the effective protection of networks and systems in that domain. Such efforts and expertise need to be pooled, networked and used in an efficient manner to reinforce and complement existing research, technology and industrial capacities and skills at Union and national level. Although the ICT sector faces important challenges, such as fulfilling its demand for skilled workers, it can benefit from representing the diversity of society at large, achieving a balanced representation of genders, ethnic diversity, and non-discrimination against persons with disabilities, as well as facilitating access to knowledge and training for future cybersecurity experts, including the education of such experts in non-formal contexts, for example in free and open source software projects, civic technology projects, start-ups and microenterprises.
(8)
Small and medium-sized enterprises (SMEs) are crucial stakeholders in the Union’s cybersecurity sector and can provide cutting-edge solutions due to their agility. However, SMEs that are not specialised in cybersecurity are also prone to be more vulnerable to cybersecurity incidents due to high investment and knowledge requirements for the establishment of effective cybersecurity solutions. It is therefore necessary that the Competence Centre and the Network of National Coordination Centres (the ‘Network’) provide support for SMEs by facilitating the access of SMEs to knowledge and tailoring access to the results of research and development, in order to allow SMEs to make themselves sufficiently secure and to allow SMEs that are active in cybersecurity to be competitive and contribute to the Union’s leadership in the area of cybersecurity.
(9)
Expertise exists outside industrial and research contexts. Non-commercial and pre-commercial projects, referred to as ‘civic tech’ projects, make use of open standards, open data, and free and open source software, in the interest of society and the public good.
(10)
The area of cybersecurity is diverse. Relevant stakeholders include stakeholders from public entities, Member States and the Union, as well as from industry, civil society, such as trade unions, consumer associations, the free and open source software community and the academic and research community, and other entities.
(11)
The Council Conclusions adopted in November 2017 called on the Commission to provide rapidly an impact assessment on the possible options to create a network of cybersecurity competence centres and a European cybersecurity research and competence centre, and to propose by mid-2018 the relevant legal instrument for the creation of such a network and such a centre.
(12)
The Union still lacks sufficient technological and industrial capacities and capabilities to autonomously make its economy and critical infrastructures secure and become a global leader in the area of cybersecurity. There is an insufficient level of strategic and sustainable coordination and cooperation between industries, cybersecurity research communities and governments. The Union suffers from insufficient investment and limited access to cybersecurity knowhow, skills and facilities, and few Union cybersecurity research and innovation outcomes are translated into marketable solutions or widely deployed across the economy.
(13)
Establishing the Competence Centre and the Νetwork, with a mandate to pursue measures in support of industrial technologies and in the domain of research and innovation, is the best way to fulfil the objectives of this Regulation while offering the highest economic, societal and environmental impact and safeguarding the Union’s interests.
(14)
The Competence Centre should be the Union’s main instrument to pool investment in cybersecurity research, technology and industrial development and to implement relevant projects and initiatives together with the Network. The Competence Centre should manage cybersecurity-related financial support from Horizon Europe – the Framework Programme for Research and Innovation (Horizon Europe) established by Regulation (EU) 2021/695 of the European Parliament and of the Council (4) and the Digital Europe Programme established by Regulation (EU) 2021/694 of the European Parliament and of the Council (5) and should be open to other programmes where appropriate. This approach should contribute to creating synergies and coordinating financial support related to Union initiatives in the area of cybersecurity research and development, innovation, technology and industrial development and should avoid unnecessary duplication.
(15)
It is important to ensure respect for fundamental rights and ethical conduct in cybersecurity research projects supported by the Competence Centre.
(16)
The Competence Centre should not carry out operational cybersecurity tasks, such as tasks associated with Computer Security Incident Response Teams (CSIRTs), including the monitoring and handling of cybersecurity incidents. However, the Competence Centre should be able to facilitate the development of ICT infrastructures at the service of industries, in particular SMEs, research communities, civil society and the public sector, consistently with the mission and objectives laid down in this Regulation. Where CSIRTs and other stakeholders seek to promote the reporting and disclosing of vulnerabilities, the Competence Centre and members of the Cybersecurity Competence Community (the ‘Community’) should be able to support those stakeholders at their request within the limits of their respective tasks and while avoiding any duplication with the European Union Agency for Cybersecurity (ENISA) as established by Regulation (EU) 2019/881 of the European Parliament and of the Council (6).
(17)
The Competence Centre, the Community and the Network are intended to benefit from the experience and the broad representation of relevant stakeholders built through the contractual public-private partnership on cybersecurity between the Commission and the European Cyber Security Organisation (ECSO) for the duration of Horizon 2020 – the Framework Programme for Research and Innovation (2014-2020) established by Regulation (EU) No 1291/2013 of the European Parliament and of the Council (7), from the lessons learnt from four pilot projects launched in early 2019 under Horizon 2020, namely CONCORDIA, ECHO, SPARTA and CyberSec4Europe, and from the pilot project and the preparatory action on Free and Open Source Software Audits (EU FOSSA), for the management of the Community and the representation of the Community in the Competence Centre.
(18)
In view of the extent of the challenge posed by cybersecurity and in view of the investments made in cybersecurity capacities and capabilities in other parts of the world, the Union and the Member States should be encouraged to step up their financial support to research, development and deployment in this area. In order to realise economies of scale and achieve a comparable level of protection across the Union, the Member States should put their efforts into a Union framework by actively contributing to the work of the Competence Centre and the Network.
(19)
In order to foster the Union’s competitiveness and high cybersecurity standards internationally, the Competence Centre and the Community should seek the exchange of developments in cybersecurity, including in products and processes, in standards and in technical standards, with the international community, where relevant to the Competence Centre’s mission, objectives and tasks. Relevant technical standards could include, for the purpose of this Regulation, the creation of reference implementations, including those published under open standard licences.
(20)
The seat of the Competence Centre is in Bucharest.
(21)
When preparing its annual work programme (annual work programme), the Competence Centre should inform the Commission of its co-funding needs on the basis of the Member States’ planned co-funding contributions to joint actions, so that the Commission is able to take into account the matching Union contribution in the preparation of the draft general budget of the Union for the following year.
(22)
Where the Commission prepares the work programme of Horizon Europe for matters related to cybersecurity, including in the context of its stakeholder consultation process, and especially before the adoption of that work programme, the Commission should take into account the input of the Competence Centre and should share that input with the Programme Committee of Horizon Europe.
(23)
In order to enable the Competence Centre to perform its role in the area of cybersecurity, to facilitate the involvement of the Network and to provide a strong governance role for the Member States, the Competence Centre should be established as a Union body with legal personality to which Commission Delegated Regulation (EU) 2019/715 (8) is to apply. The Competence Centre should perform a dual role, undertaking specific tasks in the area of cybersecurity industry, technology and research as laid down in this Regulation and managing cybersecurity-related funding from several programmes at the same time, in particular from Horizon Europe and the Digital Europe Programme, and possibly also from other Union programmes. Such management would have to be in accordance with the rules applicable to those programmes. Nevertheless, considering that the funding for the functioning of the Competence Centre would originate primarily from Horizon Europe and the Digital Europe Programme, it is necessary that the Competence Centre be considered as a partnership for the purpose of budget implementation, including during the programming phase.
(24)
As a result of Union contribution, access to the results of the Competence Centre’s activities and projects is to be as open as possible and as closed as necessary, and re-use of such results is to be possible where appropriate.
(25)
The Competence Centre should facilitate and coordinate the work of the Network. The Network should be made up of one national coordination centre from each Member State. National coordination centres which have been recognised by the Commission as having the necessary capacity to manage funds to fulfil the mission and objectives laid down in this Regulation should receive direct Union financial support, including grants awarded without a call for proposals, in order to carry out their activities in relation to this Regulation.
(26)
National coordination centres should be public sector entities, or entities with a majority of public participation, performing public administrative functions under national law, including by means of delegation, and they should be selected by Member States. It should be possible for the functions of a national coordination centre in a given Member State to be carried out by an entity that carries out other functions arising under Union law, such as those of a national competent authority, a single point of contact within the meaning of Directive (EU) 2016/1148 or any other Union Regulation, or a digital innovation hub within the meaning of Regulation (EU) 2021/694. Other public sector entities or entities performing public administrative functions in a Member State should be able to assist the national coordination centre in that Member State in carrying out its functions.
(27)
National coordination centres should have the necessary administrative capacity, should possess or have access to cybersecurity industrial, technological and research expertise and should be in a position to effectively engage and coordinate with the industry, the public sector and the research community.
(28)
Education in the Member States should reflect the importance of having adequate cybersecurity awareness and skills. To that end, taking into account the role of ENISA and without prejudice to the competences of Member States in education, the national coordination centres, alongside relevant public authorities and stakeholders, should contribute to promoting and disseminating cybersecurity educational programmes.
(29)
National coordination centres should be able to receive grants from the Competence Centre in order to provide financial support to third parties in the form of grants. The direct cost incurred by the national coordination centres for the provision and administration of financial support to third parties should be eligible for funding under the relevant programmes.
(30)
The Competence Centre, the Network and the Community should help advance and disseminate the latest cybersecurity products, services and processes. At the same time, the Competence Centre and the Network should promote the cybersecurity capabilities of the demand-side industry, in particular by supporting developers and operators in sectors such as transport, energy, health, finance, government, telecommunications, manufacturing and space, in order to help such developers and operators solve their cybersecurity challenges, such as by implementing security by \design. The Competence Centre and the Network should also support the standardisation and deployment of cybersecurity products, services and processes while promoting, where possible, the implementation of the European cybersecurity certification framework as established by Regulation (EU) 2019/881.
(31)
Due to the fast-changing nature of cyber threats and cybersecurity, the Union needs to be able to adapt quickly and continuously to new developments in the area. Hence, the Competence Centre, the Network and the Community should be flexible enough to ensure the required ability to respond to such developments. They should facilitate projects that help entities to be able to constantly build capabilities to enhance their own and the Union’s resilience.
(32)
The Competence Centre should support the Community. The Competence Centre should implement cybersecurity relevant parts of Horizon Europe and the Digital Europe Programme in accordance with the multiannual work programme of the Competence Centre (multiannual work programme), the annual work programme and the strategic planning process of Horizon Europe by allocating grants and other forms of funding, primarily following a competitive call for proposals. The Competence Centre should also facilitate the transfer of expertise in the Network and the Community and should support joint investment by the Union, Member States or industry. It should pay particular attention to supporting SMEs in the area of cybersecurity, as well as to actions that help overcome the skills gap.
(33)
Technical assistance for project preparation should be done in a fully objective and transparent way that ensures that all potential beneficiaries receive the same information and is to avoid conflicts of interest.
(34)
The Competence Centre should stimulate and support the long-term strategic cooperation and coordination of the activities of the Community, which would involve a large, open, interdisciplinary and diverse group of European stakeholders involved in cybersecurity technology. The Community should include research entities, industries and the public sector. The Community should provide input to the activities of the Competence Centre, to the multiannual work programme and to the annual work programme, in particular through the Strategic Advisory Group. The Community should also benefit from the community-building activities of the Competence Centre and the Network, but otherwise should not be privileged with regard to calls for proposals or calls for tender. The Community should be made up of collective bodies and organisations. At the same time, in order to benefit from all the cybersecurity expertise in the Union, the Competence Centre and its bodies should also be able to call upon the expertise of natural persons as ad-hoc experts.
(35)
The Competence Centre should cooperate and ensure synergies with ENISA and should receive relevant input from ENISA when defining funding priorities.
(36)
In order to respond to the needs of both the demand and supply sides of cybersecurity, the Competence Centre’s task of providing cybersecurity knowledge and technical assistance to industries should refer to both ICT products, processes and services and to all other technological products and processes in which cybersecurity is to be embedded. Where it so requests, the public sector could also benefit from support from the Competence Centre.
(37)
In order to establish a sustainable cybersecurity environment, it is important that security by design is used as a principle in the process of developing, maintaining, operating and updating infrastructures, products and services, in particular by supporting state-of-the-art secure development methods, adequate security testing and security audits, by making available updates remedying known vulnerabilities or threats without delay and, where possible, by enabling third parties to create and provide updates beyond the respective end-of-service of products. Security by design should be ensured throughout the lifetime of ICT products, services or process and by the development processes that constantly evolve to reduce the risk of harm from malicious exploitation.
(38)
Whereas the Competence Centre and the Network should strive to enhance synergies and coordination between the cybersecurity civilian and defence spheres, projects under this Regulation that are financed by Horizon Europe should be implemented in accordance with Regulation (EU) 2021/695, which provides that research and innovation activities carried out under Horizon Europe are to have an exclusive focus on civil applications.
(39)
This Regulation applies primarily to civilian matters, but Member States’ activities under this Regulation may reflect specificities of Member States in cases when cybersecurity policy is pursued by authorities carrying out both civilian and military tasks, should strive for complementarity and should avoid overlap with defence-related funding instruments.
(40)
This Regulation should ensure the liability and transparency of the Competence Centre and those undertakings receiving funding, in line with the relevant programme Regulations.
(41)
The implementation of deployment projects, in particular deployment projects that relate to infrastructures and capabilities deployed at Union level or through joint procurement, could be divided into different phases of implementation, such as separate tenders for the design of hardware and software architecture, their production and their operation and maintenance, whereas businesses could participate only in one of the phases each and, where appropriate, could require that the beneficiaries in one or several of those phases meet certain conditions in terms of European ownership or control.
(42)
In view of its expertise in cybersecurity and its mandate as a reference point for advice and expertise on cybersecurity for Union institutions, bodies, offices and agencies as well as for relevant Union stakeholders, and in view of its collection of input through its tasks, ENISA should play an active part in the activities of the Competence Centre, including the development of the Agenda, avoiding any duplication of their tasks, in particular through its role as permanent observer in the Governing Board of the Competence Centre. Regarding the drafting of the Agenda, the annual work programme and the multiannual work programme, the Executive Director of the Competence Centre and the Governing Board should take into account any relevant strategic advice and input provided by ENISA, in accordance with the rules of procedure of the Governing Board.
(43)
Where they receive a financial contribution from the general budget of the Union, the national coordination centres and the entities which are part of the Community should publicise the fact that their respective activities are undertaken in the context of this Regulation.
(44)
The costs arising from the establishment of the Competence Centre and from the administrative and coordination activities of the Competence Centre should be financed by the Union and by the Member States, in proportion to the voluntary contributions from the Member States to joint actions. In order to avoid double funding, those activities should not benefit simultaneously from a contribution from other Union programmes.
(45)
The Governing Board, which should be composed of representatives from the Member States and the Commission, should define the general direction of the Competence Centre’s operations and should ensure that the Competence Centre carries out its tasks in accordance with this Regulation. The Governing Board should adopt the Agenda.
(46)
The Governing Board should be entrusted with the powers necessary to establish the budget of the Competence Centre. It should verify the execution of the budget, should adopt appropriate financial rules, and should establish transparent working procedures for the Competence Centre’s decision-making, including for the adoption, reflecting the Agenda, of the annual work programme and the multiannual work programme. The Governing Board should also adopt its rules of procedure, should appoint the Executive Director and should decide on any extension or termination of the Executive Director’s term of office.
(47)
The Governing Board should have oversight of the strategic and implementation activities of the Competence Centre and should ensure that those activities are aligned. In its annual report, the Competence Centre should put special emphasis on the strategic goals that it has achieved and, if necessary, propose actions for further improvement of the achievement of those strategic goals.
(48)
In order for the Competence Centre to function properly and effectively, the Commission and the Member States should ensure that the persons to be appointed to the Governing Board have appropriate professional expertise and experience in functional areas. The Commission and the Member States should also make efforts to limit the turnover of their respective representatives on the Governing Board in order to ensure the continuity of its work.
(49)
In view of the Competence Centre’s specific status and its responsibility for the implementation of Union funds, in particular those from Horizon Europe and the Digital Europe Programme, the Commission should have 26 % of the total votes in the Governing Board in respect of decisions involving Union funds, in order to maximise the Union value added of those decisions, while ensuring that those decisions are legal and are aligned with Union priorities.
(50)
The smooth functioning of the Competence Centre requires that its Executive Director be appointed in a transparent manner, on the basis of merit, documented administrative and managerial skills and competence and experience relevant to cybersecurity, and that the duties of the Executive Director be carried out with complete independence.
(51)
The Competence Centre should have a Strategic Advisory Group as an advisory body. The Strategic Advisory Group should provide advice on the basis of a regular dialogue between the Competence Centre and the Community, which should be formed by the representatives of the private sector, consumers’ organisations, academia and other relevant stakeholders. The Strategic Advisory Group should focus on issues relevant to stakeholders and bring them to the attention of the Governing Board and the Executive Director. The tasks of the Strategic Advisory Group should include providing advice regarding the Agenda, the annual work programme and the multiannual work programme. The representation of the different stakeholders in the Strategic Advisory Group should be balanced, with particular attention paid to the representation of SMEs, in order to ensure that stakeholders are appropriately represented in the work of the Competence Centre.
(52)
Contributions of the Member States to the resources of the Competence Centre could be financial or in-kind. For example, such financial contributions could consist of a grant given by a Member State to a beneficiary in that Member State that complements Union financial support given to a project under the annual work programme. On the other hand, in-kind contributions would typically be made where a Member State entity is itself the beneficiary of Union financial support. For example, if the Union subsidises an activity of a national coordination centre at a financing rate of 50 %, the remaining costs of the activity would be accounted for as an in-kind contribution. In another example, if a Member State entity receives Union financial support for creating or upgrading infrastructure that is to be shared among stakeholders in line with the annual work programme, the related non-subsidised costs would be accounted for as in-kind contributions.
(53)
In accordance with the relevant provisions of Delegated Regulation (EU) 2019/715 on conflicts of interest, the Competence Centre should have in place rules regarding the prevention, identification and resolution and management of conflicts of interest in respect of its members, bodies and staff, the Governing Board, as well as the Strategic Advisory Group and the Community. Member States should ensure the prevention, identification, and resolution of conflicts of interest in respect of the national coordination centres in accordance with national law. The Competence Centre should also apply relevant Union law concerning public access to documents as set out in Regulation (EC) No 1049/2001 of the European Parliament and of the Council (9). The processing of personal data by the Competence Centre should be subject to Regulation (EU) 2018/1725 of the European Parliament and of the Council (10). The Competence Centre should comply with the provisions of Union law that apply to Union institutions, and with national law regarding the handling of information, in particular the handling of sensitive non-classified information and EU classified information.
(54)
The financial interests of the Union and of the Member States should be protected by proportionate measures throughout the expenditure cycle, including the prevention, detection and investigation of irregularities, the recovery of lost, wrongly paid or incorrectly used funds and, where appropriate, the application of administrative and financial penalties in accordance with Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council (11) (the ‘Financial Regulation’).
(55)
The Competence Centre should operate in an open and transparent way. It should provide all relevant information in a timely manner and should promote its activities, including information and dissemination activities to the wider public. The rules of procedure of the Governing Board of the Competence Centre and of the Strategic Advisory Group should be made publicly available.
(56)
The Commission’s internal auditor should exercise the same powers over the Competence Centre as those exercised in respect of the Commission.
(57)
The Commission, the Court of Auditors and the European Anti-Fraud Office should get access to all necessary information and the premises of the Competence Centre to conduct audits and investigations on the grants, contracts and agreements signed by the Competence Centre.
(58)
Since the objectives of this Regulation, namely strengthening the Union’s competitiveness and capacities, retaining and developing Union’s cybersecurity research technological and industrial capacities, increasing the competitiveness of the Union’s cybersecurity industry and turning cybersecurity into a competitive advantage for other Union industries, cannot be sufficiently achieved by the Member States alone, due to the fact that existing, limited resources are dispersed and due to the scale of the investment necessary, but can rather, by reason of avoiding unnecessary duplication of those efforts, helping to achieve critical mass of investment, ensuring that public financing is used in an optimal way and ensuring that a high level of cybersecurity is promoted in all Member States, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union (TEU). In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve those objectives,