Navigating the nexus of Policy, Digital Technologies, and Futures (S1/E4)
S1/E4: The European Cybersecurity Competence Centre and the Network of National Coordination Centres
As a continuation of our series about EU policies and regulations that heavily impact the art of software design and the businesses of software development and deployment, today we’re going to read about the European Cybersecurity Competence Centre.
As a matter of fact, among the many policy initiatives in the area of digital technologies and markets that the European Union adopted in recent years, the establishment of the European Cybersecurity Industrial, Technology and Research Competence Centre (ECCC) counts among those whose objectives were most unclear for its stakeholders. This legislation has been in application since June 2021, but the community is still wondering what the ECCC functions will be. And it doesn’t help that its very Executive Director, who is supposed to be the ECCC’s legal representative and the person responsible for day-to-day management, hasn’t been appointed yet, and we are in May 2023.
Therefore, we at SWForum.eu thought that writing a blog post presenting the ECCC’s main characteristics would be welcome.
So, the Regulation (EU) 2021/887 of the European Parliament and of the Council of 20 May 2021 established the European Cybersecurity Industrial, Technology and Research Competence Centre (ECCC) and the Network of National Coordination Centres. It provided for the creation of a Competence Centre, which will be the Union's main instrument to pool investment in cybersecurity research, technology and industrial development. It will also deliver cybersecurity-related financial support from Horizon Europe and Digital Europe programmes. The regulation also provided for the setting up of the Network of National Coordination Centres and a Cybersecurity Competence Community.
The Competence Centre is located in Bucharest and has a web site (https://cybersecurity-centre.europa.eu/index_en) and a Twitter account (@Cybersec_ECCC). In a nutshell, the ECCC will:
- be co-governed by the Member States and the Commission, and the aim would be to
- ensure stronger coordination between research and innovation as well as deployment strategies at the EU and national level;
- enable the Member States to take decisions related to their financial contribution to joint actions.
- in accordance with the above-mentioned governance (i.e. Commission and Member States), implement research and innovation actions (supported by Horizon Europe Programme) as well as capacity building actions (supported by Digital Europe Programme).
- together with Member States, support the build-up and procurement of advanced cybersecurity equipment, tools and data infrastructures in the EU and ensure a wide deployment of the latest cybersecurity solutions across the economy (as also indicated in the Digital Europe Programme). To this end, the Competence Centre would also be able to facilitate the shared acquisition of capacities on behalf of Member States.
The regulation establishes that the ECCC should help advance and disseminate the latest cybersecurity products and solutions. At the same time, the ECCC and the Network of National Coordination Centres should promote the cybersecurity capability of the demand side industry, in particular by supporting developers and operators in sectors such as transport, energy, health, finance, government, telecom, manufacturing, and space to help them solve their cybersecurity challenges, for example in order to achieve security-by-design and to seek the certification of the security of digital products and services.
Since I’ve worked at the European Commission, I often manage to read between the lines of such legislative acts. In this case, my educated guess is that the legislation establishing the ECCC, the Network of National Coordination Centres, and a Cybersecurity Competence Community, was just a grandstanding manner to create a Public-Private Partnership (PPP) that will be in charge of spending funds from EU Research and Innovation Programmes, like, currently, Horizon Europe and Digital Europe.
The tricky part, in this case, was its cybersecurity scope, which is tightly connected to national security and therefore requires a shared governance with the Member States of the European Union, making the ECCC more complex and more ambitious than standard Horizon Europe PPPs. This is one of the reasons why the European Commission decided, in 2018, to fund four pilot projects under H2020, to explore, among several other things, governance models that could apply to the ECCC, to the Network of National Coordination Centres, and to the Cybersecurity Competence Community. Such pilots were very large, being composed of more than 160 partners in total, for a global budget of circa 64 Million Euros from H2020.
I had the privilege to lead my lab in our participation in the CyberSec4Europe pilot, where we had a specific Work Package on Governance, but also another one on Building the Community, on top of several technical ones, plus Education and Dissemination. As a matter of history, it was really a pity that the European Commission actually proposed the corresponding regulation several months prior to launching the pilots, which was then approved by the European Parliament and the Council before any of the pilots had the time to produce meaningful, let alone final, recommendations. Indeed, the pilots ran roughly from beginning 2019 until end of 2022, whereas the regulation was published in May 2021.
Because of this bad timing, many of the pilots’ recommendations are confined to their deliverables, in spite of recurrent focus groups meetings between them and the European Commission services during their funding phase. Worse of all, though, is that the large cybersecurity communities that were established and thrived within the pilots are no longer sustained once the funding ended. Fortunately, as a reaction to such a dismissal, and to keep active the research community stemming from the pilots, the EU-CHECK International Research Network was launched by the CNRS (the French Centre National de la Recherche Scientifique, which is, among other attributes, the first beneficiary of H2020 and Horizon Europe). The project’s acronym stands for European Community Hub of Expertise of Cybersecurity Knowledge and I am its coordinator. Some information about the project can be found at https://cybersec4europe.eu/event/eu-check-2023/.
This story highlights the importance of “timing” in policy making. And it may give the readers a hint why, after spending six years working at the European Commission, I decided to focus my research activities and area of expertise on the “nexus” of digital technologies, policy making, and futures. As you know, technologies and policies have different trajectories, with different timelines, only to eventually meet in future. In my view, communities in both sides must be fully aware of what the other is doing, so that policies are meaningful and technologies can be compliant by design.
This is it for today. And in case you’re still confused about the activities around the establishment of the European Cybersecurity Industrial, Technology and Research Competence Centre, I can only say that I do sympathise. 😊
Keep an eye at this space! S1/E5 will arrive soon!
[This blog series is inspired by research work that is or was partially supported by the European research projects CyberSec4Europe (H2020 GA 830929), LeADS (H2020 GA 956562), and DUCA (Horizon Europe GA 101086308), and the CNRS International Research Network EU-CHECK.]
CNRS - France
Digital Skippers Europe (DS-Europe)