The European Union wants to increase its „resilience, deterrence and defence“ in the area of cyber security. A new centre will coordinate research and training activities. However, the proposed regulation is not compatible with existing institutions and funding programmes.
The establishment of a European Competence Centre for Cyber Security (ECCC) continues to stagnate. MEPs and Member State governments had defined their positions in March and started negotiations on a regulation. However, an agreement was not reached as planned in the previous legislative period and is not foreseeable with the new EU Parliament.
More than a year ago, the EU Commission presented a regulation establishing an ECCC. It was based on conclusions, in which the Council two years ago called for more „resilience, deterrence and defence“ for cyber security. The ECCC, mentioned there for the first time, is intended to reduce the European Union’s dependence on “ depends on non-European cybersecurity providers“ and bundle efforts in the areas of industry, technology and research. This is intended to ensure the „smooth functioning of the internal market“.
National Coordination Centres and „Competence Community“
The core of the Regulation is the networking of National Coordination Centres in the Member States. It is also planned to set up a „Cybersecurity Competence Community“, in which representatives of industry, universities and non-profit research organisations as well as public institutions will participate.
From the outset, however, it has been controversial how the ECCC distinguishes itself from existing institutions. With the Agency for Cyber Security (ENISA), the European Union already maintains an institution with similar objectives.
The ECCC’s main task is to coordinate research and manage funding worth several billion euros. The relationship with the „Horizon Europe“ research programme, through which cyber-security projects are currently funded, must therefore be clarified. The new „Digital Europe“ programme will also allocate corresponding funds, for example for the development of high-performance computers and applications of artificial intelligence.
Dissent on legal form
It is envisaged that the expenditure of the two existing EU programmes will in future be coordinated by the ECCC. According to current plans, however, decisions on individual research projects would continue to be taken by the responsible bodies of „Horizont Europa“ and “ Digital Europe“; the ECCC would therefore only assume a steering function. However, the regulation for the ECCC discussed in the Council is not compatible with the regulations of the two programmes.
This is also criticised by the Commission’s Judicial Service. For example, in “ Horizon Europe „, co-financing of at least half of the funding is mandatory. However, many Member States do not want to co-finance the ECCC with additional funds.
The legal form of the ECCC also remains unclear. The Commission proposes to install it not as an agency but as a „common EU approach“. Such „institutionalised European partnerships“ and „structures“ are defined in Articles 173, 185 and 187 of the Treaty on the Functioning of the European Union (TFEU). They allow „joint activities“ of the Member States without compulsory co-financing, but only with voluntary contributions of their own for certain projects.
Governments fear Commission influence
If the ECCC were indeed to become an „institutionalised European partnership“ or „structure“ of the European Union, it would have to be managed by a Directorate-General of the Commission. However, this would automatically give the Commission at least 50% and a right of veto on the ECCC Governing Board. This increase in power is rejected by many Member States.
It would also be possible to delegate the management of the ECCC to the Joint EU Research Centre (JRC). In this case, however, „joint activities“ under Articles 185 and 187 TFEU would not be possible.
In addition, due to the still open legal form, the future tasks and composition of the Administrative Board are unclear. As an „institutionalised partnership“, for example, the Administrative Board would define the work programme of the ECCC. Without co-financing by the Member States, however, this would continue to be reserved for the bodies of “ Horizon Europe “ and “ Digital Europe „. One of the Council’s probably smaller problems is that the EU Parliament demands observer status on the Administrative Board.
Finally, the Commission proposes in its Regulation that the ECCC coordinate cooperation between civil and military research. The ECCC is proposed to create „synergies“ in „cyber defence“. Military cyber security projects will be financed through the controversial Defence Fund, which has not yet been decided.
These include „dual-use technologies and applications“, education, training and exercises.
The old EU Parliament has no fundamental problem with this civil-military cooperation, but called for a definition of the term „cyber defence“. MEPs gave the go-ahead for the use of the future defence fund for ECCC measures.
Numerous questions of detail unclear
It was envisaged that the ECCC would start work on 1 January 2021. Because of the many questions to be clarified, this will probably not happen. The location of the ECCC is also undecided. Some Member States have expressed interest in locating the Centre. However, the Commission intends to install it in Brussels in order to be able to draw on existing staff from the „Horizon Europe“ and „Digital Europe“ programmes.
At Member State level, the Regulation establishing an ECCC will be discussed in the Horizontal Working Party on Cyber Issues (HWP), and at a later stage the Working Party on Research will be involved. In Parliament, the dossier is dealt with by the Committee on Industry, Research and Energy (ITRE). The rapporteur was the Pirate Julia Reda, in the new EU Parliament the Green Rasmus Andresen takes over.
Should the governments and the Parliament reach an understanding on the ECCC, the tasks and competences of the National Coordination Centres will have to be determined. They could also be involved in the discussion of the annual work programme and be responsible for steering individual projects. To this end, however, it is necessary to define which requirements such a coordination centre must meet at all and how private companies may participate.