Replacing a fragmented network of players with an EU digital sovereignty ecosystem
As we now rely on digital services for almost every activity in our daily lives, they need to be available, dependable and secure. But can the EU collectively achieve some level of cybersecurity autonomy, or is it destined to tailgate the US and Asia?
After an extended period of fragmentation, the EU is now coming together and raising its game in cybersecurity technology development and digital sovereignty, while attempting to preserve its intrinsic diversity.
Back in 2019, in a briefing paper, the European Court of Auditors warned of fragmentation and a lack of coordination in cybersecurity. This message echoed that of the Commission proposal for a regulation in 2018, which reported the existence of more than 660 centres of expertise in cybersecurity across the EU. These players work at national and European levels, frequently carrying out their activities in an uncoordinated way. According to the same paper, this fragmentation in skills, capacity and investment is compounded by the absence of a dedicated budget to fund cybersecurity in the EU, and by the inability of most member states to identify their own cybersecurity funding.
In summary, there is a large set of uncoordinated players in the EU cybersecurity field, including the Commission’s multiple agencies (e.g., DG CONNECT, DG HOME, DG DIGIT, REA), ENISA, EC3, CERT-EU, EEAS, EDA, and Member States (who, due to the subsidiarity principle on security, conduct their own, often isolated, agendas on cybersecurity), as well as a huge set of private organisations from industry and academia. The challenge today is how to use all these resources in a strategic way to propel EU leadership in cybersecurity towards digital sovereignty.
Leveraging the European digital cybersecurity ecosystem
Leveraging the H2020 programme, the EU has provided a total of €64 million in funding to the projects CONCORDIA, ECHO, CyberSec4Europe and SPARTA (where INESC is part of the Strategic Direction Board) as pilots for a European Cybersecurity Competence Network. Each one has a different, but complementary, approach to developing the technological and industrial cybersecurity research and innovation capacities of the EU.
On December 16th 2020, the Commission and the High Representative of the Union for Foreign Affairs and Security Policy presented a new Cybersecurity Strategy. Positioning the EU to “lead in securing a global and open Internet”, the strategy recognises the dependence of the EU on the cybersecurity of its increasingly digital infrastructures, and the wide and diverse threat landscape.
The EU will support this strategy by quadrupling previous levels of investment, stating that “cybersecurity must be integrated into all these digital investments”. The Commission is willing to commit more than €300 million, while at the same time encouraging member states to co-invest and to support public-private and cross-border cooperation of the Security Operation Centres, thereby contributing to the EU cybersecurity shield.
The Centre and the Network
In December, a political agreement was reached between the Council and the Parliament regarding the proposed regulation for establishing the European Cybersecurity Industrial, Technology and Research Competence Centre (the Centre) and the Network of National Coordination Centres (the Network) and identifying a Cybersecurity Competence Community (the Community), all of which are set to enter into force in the next couple of months.
A brand new European body being rolled out in 2021 and located in Bucharest, the Centre will be responsible for setting up and helping to coordinate the Network and the Community, and “implementing cybersecurity-related financial support from Horizon Europe and Digital Europe Programmes”. The Centre aims to carry out, or support, procurement of state-of-the-art cybersecurity technology, support research and innovation, and foster synergies with the European Defence Fund. This means the Centre will coordinate the use of funds foreseen for the cybersecurity field, including those under the Digital Europe and Horizon Europe programmes, making it a central player in the cybersecurity research and innovation landscape in the European Union. For example, under the Digital Europe programme, €2 billion will be invested in financing cybersecurity.
Each member state is asked to appoint a National Coordination Centre (NCC), which will be part of the Network. Considering the diverse ways in which each member state deals with cybersecurity, this will be a challenge by itself, but it is an ongoing task. Each NCC will foster national capacity building and assure links with other existing initiatives; it will be the member state contact point for the Centre, and it may receive funding, as well as pass on financial support.
The regulation refers to the Community as a broad group of stakeholders which include industry, academia, research organizations, and associations, as well as public entities which will support the Centre in achieving its mission and objectives. Members of the Community will be registered by the Centre after being assessed by the NCC of the member state where the entity is established.
Regulation and funding synergies
European Digital Innovation Hubs (EDIH) are set to play a central role in the Digital Europe Programme financing the Cybersecurity domain with about €100 million per year, mainly focused on fostering innovation for SMEs and the European public sector, and triggering a similar amount of investment by the member states in which the Centre and the Network are foreseen to play a key role. There are currently more than 240 DIH with competences on cybersecurity, which is more than the number of EDIH that are likely to be financed across all domains (cybersecurity is only one of the priorities). Most member states have already finished the national selection stage, while the call for proposals at European level is set to open anytime soon.
The complementarity between NCCs and EDIHs, particularly in the cases where the NCC is not an EDIH, does not seem to be clear yet, but will differ from member state to member state, due to specificities in each organization on how cybersecurity is tackled. This complementarity must be clarified soon to avoid wasting resources and worsening the existing fragmentation.
As the Centre, the Network, the Community and the EDIHs will become operational during this year, we seem to be progressing towards a more collective and coordinated approach. Moreover, the amount of funding directly going to cybersecurity has increased significantly. But it is still not totally clear how all these initiatives will effectively operate together, nor how this will be aligned with the €134 billion from the Recovery and Resilience Facility to foster the Digital Transition.
In Portugal, INESC is part of the DIH proposal presented by the National Cybersecurity Centre for the national stage: it participates in one of the four pilots, in a dozen H2020-funded projects on cybersecurity and aims to actively contribute to this new ecosystem, at both national and European level.