New research agency in Bucharest aims to help EU fend off cyber threats

Details of the European Union’s new cybersecurity research centre have begun to emerge, after the Commission on Wednesday announced a broad strategy to reduce dependence on cyber and wireless communications technologies from outside the continent.

The European Cybersecurity Industrial, Technology and Research Competence Centre, based in Bucharest, will be set up in 2021 as part of a broader push by the EU to build its own digital infrastructures and achieve technology sovereignty in what is a critical area for both competitiveness and security.

The centre in Bucharest will play a double role, acting as a funding agency and also coordinating 27 national cybersecurity centres, which are to be established over the next six months.

“Cyberattacks are part of our reality,” said Thierry Breton, EU commissioner for the internal market. The Bucharest centre will help the EU better organise its research efforts in the field. While member states continue their national programmes, the new centre will work with national research institutes and funding schemes to avoid duplication of research.

“We have to make sure that we're much better organised, better structured: things are too fragmented at the moment,” said Breton at the launch of the EU cybersecurity strategy on Wednesday.

The bulk of the budget for the centre will come from Digital Europe, which has about €1.7 billion earmarked for cybersecurity. Additional money will be routed through the EU research programme Horizon Europe.

Romania won against bids from Belgium, Germany, Lithuania, Luxembourg, Poland and Spain. The selection procedure was launched in October and the choice was made through a vote by all member states on 9 December.

The centre will be co-governed by member states, with inputs from industry and academia. The European Commission aims to use the EU funds to leverage further investments in cybersecurity research from member states which, in turn, would be matched by industry.

Together with a network of national coordination centres, it will promote deployment of cybersecurity solutions, and coordinate research, technology, and industrial development at least until 31 December 2029. The Commission will also fund a cybersecurity masters’ course at the centre.

In addition, the Commission will, together with the EU’s intellectual property office at Europol, the European Union Agency for Cybersecurity, member states and the private sector, develop guidelines to help companies defend themselves against hacking and intellectual property theft.

Growing number of threats

Josep Borell, the Commission’s high representative for foreign affairs, said the digital world offers great opportunities, but also a stage for governments, companies and individuals to break the law. “The threat is real and evolves constantly,” Borell said.

In 2019 alone, the Commission identified 450 cybersecurity incidents threatening critical infrastructures across the EU. Borrell said the coronavirus pandemic increased the occurrence of attacks in 2020.

Just last week, the European Medicines Agency was the victim of a cyberattack, with Pfizer and German biotech BioNTech saying they have been informed by the agency that some documents relating to the regulatory submission for their COVID-19 vaccine, stored on an EMA server, had been unlawfully accessed.

In September, a ransomware attack infected servers at the Duesseldorf University Hospital. The hack crashed the hospital’s systems, forcing doctors to turn away emergency cases.

“Europe is a prime target,” said Borrell. “We are preparing ourselves to cope with this fact.”

According to recent study by the Commission’s in-house science service, the Joint Research Centre, Europe’s cybersecurity research funding needs better coordination to make sure focus areas are properly addressed and not fragmented across many different research projects.

Boosting cybersecurity capabilities “is essential in order to protect our hospitals and critical public services,” said Breton. “[The centre] will enhance our strategic autonomy at a time when cybersecurity is more needed than ever.”

Alexandru Nazare, Romania’s envoy for cybersecurity in Brussels said the centre is designed to help member states better coordinate research efforts in the field. “Funding cybersecurity projects will be more coherent and will no longer be split in two, three different programmes,” Nazare told Radio Free Europe in Romania.

First EU agency in Romania

Thirteen years after Romania joined the EU in 2007, the research centre will be the first EU agency to be based in the country. Romania’s negotiating team worked closely with local cybersecurity experts to prepare the bid. “We received support from private companies in the field and universities,” said Nazare.

According to Nazare, the Bucharest facility will ensure cybersecurity research funding is allocated according to EU’s broader goals in technological sovereignty.

The EU has been planning the creation of this centre for some time, having funded four pilot projects with €63.5 million from the Horizon 2020 research programme since 2016.

The projects aimed to retain and develop the EU cybersecurity capacity needed to secure the digital single market. Researchers working for over 160 partners from 25 EU member states were involved in cybersecurity demonstrations and tests in digital health, finance, telecommunications, smart cities and transport.

This was against the backdrop of cybercriminals getting better organised and this type of crime becoming more widespread. It is expected the economic impact of cybercrime will rise to more than €5 trillion by 2021, with researchers advising the EU to do more in terms of investment and to overcome the fragmentation of capabilities across the EU, given 43% of cyberattacks target small businesses that have little resource to invest in cybersecurity.