European Cybersecurity Competence Centre: MEPs vote in favour

On 19 May, the European Parliament adopted the regulation establishing the European Cybersecurity Competence Centre. The Competence Centre will manage the cybersecurity-related funds from Horizon Europe, Digital Europe, and other funds where appropriate. The ECCC will also gather the community of cybersecurity experts. It will be based in Bucharest, Romania.

It took two years and a half to finalise the legislative process. The Commission had proposed the Centre in September 2018. There were long negotiations between the Council and the European Parliament with diverging views, notably on the voting rights. An agreement was finally reached at the end of last year. This vote in the European Parliament follows a favourable vote from the Member States last month.

Please find below the links to the adopted text, the press release, and a summary of the main provisions.

Missions of the Competence Centre

The Competence Centre has three main tasks:

-strengthen the EU’s leadership and strategic autonomy in cybersecurity, notably by retaining and developing the EU’s research and industrial capacities and capabilities;

-support the EU’s technological capacities, capabilities, and skills in relation to the resilience and reliability of the infrastructure of network and information systems, including critical infrastructure and commonly used hardware and software in the EU;

-increase the global competitiveness of the EU’s cybersecurity industry, ensure high cybersecurity standards throughout the EU and turn cybersecurity into a competitive advantage for other EU industries.

The Competence Centre will not carry out operational cybersecurity tasks.

Security by design and open source

Among its duties, the Competence Centre shall promote the principle of security by design, in particular by supporting state-of-the-art secure development methods, adequate security testing and security audits. The Centre shall promote certification of the security of digital products and services.

The regulation also contains many references to the value of open-source software and “civic tech” projects. This point was particularly important for the pirate party MEP in charge of the file, Rasmus Andresen (Greens, Germany).

Coordination of the Network

The Competence Centre coordinates the Network of national coordination centres. The Network is made of one national coordination centre from each Member State. No later than 6 months after the entry into force of the regulation, Member States should have designated their national coordination centres.

National coordination centres are public sector entities or entities with a majority of public participation performing a public administrative function.

National coordination centres receive grants from the Competence Centre to provide financial support to third parties in the form of grants.

National coordination centres act as national contact points for the Cybersecurity Competence Community, in particular, to coordinate the Community through coordination between its members in their Member State.

Cybersecurity Competence Community

The Community contributes to the mission of the Competence Centre and the Network and enhances, shares and disseminates cybersecurity expertise across the EU.

The Community is composed of collective bodies/organisations and does not include individuals. The Competence Centre and its bodies can draw on the expertise of individuals and natural persons as ad hoc experts.

The Competence Centre registers entities, at their request, as members of the Community after an assessment made by the national coordination centre of the Member State in which those entities are established. Only entities which are established within the Member States can be registered as members of the Community.

The regulation states that the Competence Centre should build on the lessons learnt from the cPPP (ECSO), the four pilots and the preparatory action on Free and Open Source Software Audits (EU FOSSA).

Funding

Funding is provided by the EU (EU funding programmes) and – on a voluntary basis- by Member States for joint actions.

The Commission takes into account the input of the Competence Centre before adopting the work programmes of Horizon Europe and Digital Europe. Projects financed by Horizon Europe can only have an exclusive focus on civil applications.

Governing Board

The Competence Centre has a Governing Board composed of one representative per Member State and two representatives from the Commission. ENISA is a permanent observer on the Governing Board.

The Governing Board only votes if a consensus cannot be reached. The Governing Board adopts its decisions by a majority of at least 75% of the votes of all its members. The Commission has only one vote.

However, for certain decisions related to the implementation of the EU's budget, as well as for the annual work programme, the multi-annual work programme and the method of calculating Member States' contributions, the Commission has 26% of the voting rights.

Strategic Advisory Group

In addition, the Strategic Advisory Group - consisting of up to 20 members – provides advice based on a regular dialogue between the Competence Centre and the Community.

The members are appointed by the Governing Board, acting on a proposal from the Executive Director, from among the representatives of the members of the Community. Only representatives of members which are not controlled by a third country or by an entity established in a third-country are eligible.

The terms of office of members of the Strategic Advisory Group is two years (renewable once).

Next steps:

The proposal will be published in the Official Journal of the EU. The regulation will enter into force 20 days later.

If you have any questions on this topic, please do not hesitate to contact Camille Dornier - Policy Manager: camille.dornier@eurosmart.com