Regulation (EU) 2021/887 of the European Parliament and of the Council of 20 May 2021 establishing the European Cybersecurity Industrial, Technology and Research Competence Centre and the Network of National Coordination Centres
THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty on the Functioning of the European Union, and in particular Article 173(3) and the first paragraph of Article 188 thereof,
Having regard to the proposal from the European Commission,
After transmission of the draft legislative act to the national parliaments,
Having regard to the opinion of the European Economic and Social Committee (1),
Acting in accordance with the ordinary legislative procedure (2),
Whereas:
(1) The majority of the population of the Union is connected to the internet. The daily lives of people and economies are becoming increasingly dependent on digital technologies. Citizens and businesses are becoming increasingly exposed to serious cybersecurity incidents and many businesses in the Union experience at least one cybersecurity incident every year. This highlights the need for resilience, for enhancing technological and industrial capabilities and for the use of high cybersecurity standards and holistic cybersecurity solutions which involve people, products, processes and technology in the Union, as well as the need for Union leadership in the areas of cybersecurity and digital autonomy. Cybersecurity can also be improved by raising the awareness of cybersecurity threats and by developing competencies, capacities and capabilities throughout the Union, while thoroughly taking into account societal and ethical implications and concerns.
(2) The Union has steadily increased its activities to address growing cybersecurity challenges following the cybersecurity strategy put forward by the Commission and the High Representative of the Union for Foreign Affairs and Security Policy (High Representative) in their Joint communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions of 7 February 2013 entitled ‘Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace’ (the ‘2013 Cybersecurity Strategy’). The 2013 Cybersecurity Strategy aimed to foster a reliable, safe, and open cyber ecosystem. In 2016, the Union adopted the first measures in the area of cybersecurity with Directive (EU) 2016/1148 of the European Parliament and of the Council (3) on security of network and information systems.
(3) In September 2017, the Commission and the High Representative presented a Joint communication to the European Parliament and the Council entitled ‘Resilience, Deterrence and Defence: Building strong cybersecurity for the EU’ to further reinforce the Union’s resilience, deterrence and response to cyber-attacks.
(4) The Heads of State and Government at the Tallinn Digital Summit, in September 2017, called for the Union to become a global leader in cyber-security by 2025, in order to ensure trust, confidence and protection of citizens, consumers and enterprises online and to enable a free, safer and law-governed internet and declared their intention to make more use of open source solutions and open standards when (re)building Information and Communication Technology (ICT) systems and solutions, in particular avoiding vendor lock-ins, including those developed or promoted by Union programmes for interoperability and standardisation, such as ISA2.
(5) The European Cybersecurity Industrial, Technology and Research Competence Centre (the ‘Competence Centre’) established in this Regulation should help to increase the security of network and information systems, including the internet and other infrastructures which are critical for the functioning of society, such as transport, health, energy, digital infrastructure, water, the financial markets and the banking systems.
(6) The substantial disruption of network and information systems can affect individual Member States and the Union as a whole. A high level of security of network and information systems throughout the Union is therefore essential for society and the economy alike. At the moment, the Union depends on non-European cybersecurity providers. However, it is in the Union’s strategic interest to ensure that it retains and develops essential cybersecurity research and technological capacities to secure the network and information systems of citizens and businesses, and in particular to protect critical network and information systems and provide key cybersecurity services.
(7) A wealth of expertise and experience in cybersecurity research, technology and industrial development exists in the Union, but the efforts of industrial and research communities are fragmented, lacking alignment and a common mission, which hinders competitiveness and the effective protection of networks and systems in that domain. Such efforts and expertise need to be pooled, networked and used in an efficient manner to reinforce and complement existing research, technology and industrial capacities and skills at Union and national level. Although the ICT sector faces important challenges, such as fulfilling its demand for skilled workers, it can benefit from representing the diversity of society at large, achieving a balanced representation of genders, ethnic diversity, and non-discrimination against persons with disabilities, as well as facilitating access to knowledge and training for future cybersecurity experts, including the education of such experts in non-formal contexts, for example in free and open source software projects, civic technology projects, start-ups and microenterprises.
(8) Small and medium-sized enterprises (SMEs) are crucial stakeholders in the Union’s cybersecurity sector and can provide cutting-edge solutions due to their agility. However, SMEs that are not specialised in cybersecurity are also prone to be more vulnerable to cybersecurity incidents due to high investment and knowledge requirements for the establishment of effective cybersecurity solutions. It is therefore necessary that the Competence Centre and the Network of National Coordination Centres (the ‘Network’) provide support for SMEs by facilitating the access of SMEs to knowledge and tailoring access to the results of research and development, in order to allow SMEs to make themselves sufficiently secure and to allow SMEs that are active in cybersecurity to be competitive and contribute to the Union’s leadership in the area of cybersecurity.
(9) Expertise exists outside industrial and research contexts. Non-commercial and pre-commercial projects, referred to as ‘civic tech’ projects, make use of open standards, open data, and free and open source software, in the interest of society and the public good.
(10) The area of cybersecurity is diverse. Relevant stakeholders include stakeholders from public entities, Member States and the Union, as well as from industry, civil society, such as trade unions, consumer associations, the free and open source software community and the academic and research community, and other entities.
(11) The Council Conclusions adopted in November 2017 called on the Commission to provide rapidly an impact assessment on the possible options to create a network of cybersecurity competence centres and a European cybersecurity research and competence centre, and to propose by mid-2018 the relevant legal instrument for the creation of such a network and such a centre.
(12) The Union still lacks sufficient technological and industrial capacities and capabilities to autonomously make its economy and critical infrastructures secure and become a global leader in the area of cybersecurity. There is an insufficient level of strategic and sustainable coordination and cooperation between industries, cybersecurity research communities and governments. The Union suffers from insufficient investment and limited access to cybersecurity knowhow, skills and facilities, and few Union cybersecurity research and innovation outcomes are translated into marketable solutions or widely deployed across the economy.
(13) Establishing the Competence Centre and the Network, with a mandate to pursue measures in support of industrial technologies and in the domain of research and innovation, is the best way to fulfil the objectives of this Regulation while offering the highest economic, societal and environmental impact and safeguarding the Union’s interests.
(14) The Competence Centre should be the Union’s main instrument to pool investment in cybersecurity research, technology and industrial development and to implement relevant projects and initiatives together with the Network. The Competence Centre should manage cybersecurity-related financial support from Horizon Europe – the Framework Programme for Research and Innovation (Horizon Europe) established by Regulation (EU) 2021/695 of the European Parliament and of the Council (4) and the Digital Europe Programme established by Regulation (EU) 2021/694 of the European Parliament and of the Council (5) and should be open to other programmes where appropriate. This approach should contribute to creating synergies and coordinating financial support related to Union initiatives in the area of cybersecurity research and development, innovation, technology and industrial development and should avoid unnecessary duplication.
(15) It is important to ensure respect for fundamental rights and ethical conduct in cybersecurity research projects supported by the Competence Centre.
(16) The Competence Centre should not carry out operational cybersecurity tasks, such as tasks associated with Computer Security Incident Response Teams (CSIRTs), including the monitoring and handling of cybersecurity incidents. However, the Competence Centre should be able to facilitate the development of ICT infrastructures at the service of industries, in particular SMEs, research communities, civil society and the public sector, consistently with the mission and objectives laid down in this Regulation. Where CSIRTs and other stakeholders seek to promote the reporting and disclosing of vulnerabilities, the Competence Centre and members of the Cybersecurity Competence Community (the ‘Community’) should be able to support those stakeholders at their request within the limits of their respective tasks and while avoiding any duplication with the European Union Agency for Cybersecurity (ENISA) as established by Regulation (EU) 2019/881 of the European Parliament and of the Council (6).
(17) The Competence Centre, the Community and the Network are intended to benefit from the experience and the broad representation of relevant stakeholders built through the contractual public-private partnership on cybersecurity between the Commission and the European Cyber Security Organisation (ECSO) for the duration of Horizon 2020 – the Framework Programme for Research and Innovation (2014-2020) established by Regulation (EU) No 1291/2013 of the European Parliament and of the Council (7), from the lessons learnt from four pilot projects launched in early 2019 under Horizon 2020, namely CONCORDIA, ECHO, SPARTA and CyberSec4Europe, and from the pilot project and the preparatory action on Free and Open Source Software Audits (EU FOSSA), for the management of the Community and the representation of the Community in the Competence Centre.
(18) In view of the extent of the challenge posed by cybersecurity and in view of the investments made in cybersecurity capacities and capabilities in other parts of the world, the Union and the Member States should be encouraged to step up their financial support to research, development and deployment in this area. In order to realise economies of scale and achieve a comparable level of protection across the Union, the Member States should put their efforts into a Union framework by actively contributing to the work of the Competence Centre and the Network.
(19) In order to foster the Union’s competitiveness and high cybersecurity standards internationally, the Competence Centre and the Community should seek the exchange of developments in cybersecurity, including in products and processes, in standards and in technical standards, with the international community, where relevant to the Competence Centre’s mission, objectives and tasks. Relevant technical standards could include, for the purpose of this Regulation, the creation of reference implementations, including those published under open standard licences.
(20) The seat of the Competence Centre is in Bucharest.
(21) When preparing its annual work programme (annual work programme), the Competence Centre should inform the Commission of its co-funding needs on the basis of the Member States’ planned co-funding contributions to joint actions, so that the Commission is able to take into account the matching Union contribution in the preparation of the draft general budget of the Union for the following year.
(22) Where the Commission prepares the work programme of Horizon Europe for matters related to cybersecurity, including in the context of its stakeholder consultation process, and especially before the adoption of that work programme, the Commission should take into account the input of the Competence Centre and should share that input with the Programme Committee of Horizon Europe.
(23) In order to enable the Competence Centre to perform its role in the area of cybersecurity, to facilitate the involvement of the Network and to provide a strong governance role for the Member States, the Competence Centre should be established as a Union body with legal personality to which Commission Delegated Regulation (EU) 2019/715 (8) is to apply. The Competence Centre should perform a dual role, undertaking specific tasks in the area of cybersecurity industry, technology and research as laid down in this Regulation and managing cybersecurity-related funding from several programmes at the same time, in particular from Horizon Europe and the Digital Europe Programme, and possibly also from other Union programmes. Such management would have to be in accordance with the rules applicable to those programmes. Nevertheless, considering that the funding for the functioning of the Competence Centre would originate primarily from Horizon Europe and the Digital Europe Programme, it is necessary that the Competence Centre be considered as a partnership for the purpose of budget implementation, including during the programming phase.
(24) As a result of Union contribution, access to the results of the Competence Centre’s activities and projects is to be as open as possible and as closed as necessary, and re-use of such results is to be possible where appropriate.
(25) The Competence Centre should facilitate and coordinate the work of the Network. The Network should be made up of one national coordination centre from each Member State. National coordination centres which have been recognised by the Commission as having the necessary capacity to manage funds to fulfil the mission and objectives laid down in this Regulation should receive direct Union financial support, including grants awarded without a call for proposals, in order to carry out their activities in relation to this Regulation.
(26) National coordination centres should be public sector entities, or entities with a majority of public participation, performing public administrative functions under national law, including by means of delegation, and they should be selected by Member States. It should be possible for the functions of a national coordination centre in a given Member State to be carried out by an entity that carries out other functions arising under Union law, such as those of a national competent authority, a single point of contact within the meaning of Directive (EU) 2016/1148 or any other Union Regulation, or a digital innovation hub within the meaning of Regulation (EU) 2021/694. Other public sector entities or entities performing public administrative functions in a Member State should be able to assist the national coordination centre in that Member State in carrying out its functions.
(27) National coordination centres should have the necessary administrative capacity, should possess or have access to cybersecurity industrial, technological and research expertise and should be in a position to effectively engage and coordinate with the industry, the public sector and the research community.
(28) Education in the Member States should reflect the importance of having adequate cybersecurity awareness and skills. To that end, taking into account the role of ENISA and without prejudice to the competences of Member States in education, the national coordination centres, alongside relevant public authorities and stakeholders, should contribute to promoting and disseminating cybersecurity educational programmes.
(29) National coordination centres should be able to receive grants from the Competence Centre in order to provide financial support to third parties in the form of grants. The direct cost incurred by the national coordination centres for the provision and administration of financial support to third parties should be eligible for funding under the relevant programmes.
(30) The Competence Centre, the Network and the Community should help advance and disseminate the latest cybersecurity products, services and processes. At the same time, the Competence Centre and the Network should promote the cybersecurity capabilities of the demand-side industry, in particular by supporting developers and operators in sectors such as transport, energy, health, finance, government, telecommunications, manufacturing and space, in order to help such developers and operators solve their cybersecurity challenges, such as by implementing security by design. The Competence Centre and the Network should also support the standardisation and deployment of cybersecurity products, services and processes while promoting, where possible, the implementation of the European cybersecurity certification framework as established by Regulation (EU) 2019/881.
(31) Due to the fast-changing nature of cyber threats and cybersecurity, the Union needs to be able to adapt quickly and continuously to new developments in the area. Hence, the Competence Centre, the Network and the Community should be flexible enough to ensure the required ability to respond to such developments. They should facilitate projects that help entities to be able to constantly build capabilities to enhance their own and the Union’s resilience.
(32) The Competence Centre should support the Community. The Competence Centre should implement cybersecurity relevant parts of Horizon Europe and the Digital Europe Programme in accordance with the multiannual work programme of the Competence Centre (multiannual work programme), the annual work programme and the strategic planning process of Horizon Europe by allocating grants and other forms of funding, primarily following a competitive call for proposals. The Competence Centre should also facilitate the transfer of expertise in the Network and the Community and should support joint investment by the Union, Member States or industry. It should pay particular attention to supporting SMEs in the area of cybersecurity, as well as to actions that help overcome the skills gap.
(33) Technical assistance for project preparation should be done in a fully objective and transparent way that ensures that all potential beneficiaries receive the same information and is to avoid conflicts of interest.