Cybersecurity and cyber-resilience have been an overarching priority of EU financial services policymakers and an area that the European Commission has been seeking to improve for all market participants in the EU’s Single Market. This issue has increased in priority in line with the exponential growth in cyber-incidents and threats, including throughout the COVID-19 pandemic. The cost of not doing enough has been highlighted as a call to action, given the economic impact of cybercrime, which is expected to rise to more than €5 trillion by 2021, with 43% of cyber-incidents targeting small businesses that have few resources to invest in cybersecurity.
A number of national and EU-level structures already exist in this area, notably the European Union Agency for Network and Information Security (ENISA), the EU’s official cybersecurity agency based in Greece, which will continue to set standards and which is empowered with a stronger mandate following the EU’s Cybersecurity Act (Regulation 2019/881). On December 16, 2020, the European Commission presented its new Cybersecurity Strategy, the revised Network Information Security Directive (NISD2) and the EU Critical Infrastructures Directive, which together aim to bolster the EU’s collective resilience against cyber-threats and ensure that all citizens and businesses can fully benefit from trustworthy and reliable services and digital tools across the EU’s Single Market. The ECCC serves to support those efforts, and this Client Alert looks at the opportunities offered by the ECCC for the EU and further afield.
Following political agreement amongst the Member States of the EU-27 on December 9, 2020, the EU on January 7, 2021, published Decision (EU) 2021/4. This Decision confirmed Bucharest, Romania, as the new site of the ECCC, officially also known as the “European Cybersecurity Industrial, Technology and Research Competence Center”. Bucharest is already home to a deeply active and rapidly growing IT sector with a number of cybersecurity firms in the city’s digital ecosystem. The ECCC is expected to boost Bucharest and Romania generally as a center for cybersecurity companies. Once physical meetings return following COVID-19, the ECCC will also serve as a central meeting point for EU cyber policymakers and industry officials and thus boost Bucharest’s economy.
While not a formal EU agency or authority, the ECCC will work closely with ENISA but serve a different purpose. It will be tasked with:
- Funding new cybersecurity research, providing financial support and technical assistance to cybersecurity start-ups and European small- and medium-sized enterprises, as well as promoting cybersecurity standards not only in technology and systems but also in skills development;
- Improving the coordination of research and innovation in cybersecurity and cyber-threat intelligence across the EU, heading up a network of “national coordination centers” (Cyber-NCCs) and supporting the EU’s digital operational resilience efforts for traditional financial services and crypto-asset services providers. Cyber-NCCs will also be responsible for allocating grants and carrying out procurement requests in order to nurture a pan-European “cybersecurity community”.
When taken together, these new structures aim to increase the EU’s “strategic autonomy” in the area of cybersecurity and to support the EU’s Digital Single Market efforts in areas ranging from e-commerce to smart mobility and the Internet of Things. The ECCC and Cyber-NCCs will pool resources from the EU, its Member States and the industry. By managing the cybersecurity funds under the next long-term EU budget, the ECCC will source funding from the ca. €2 billion Digital Europe Program and Horizon Europe funding programs, as well as contributions from Member States matching EU Commission funding.
It is expected that the ECCC and the wider Cyber-NCCs will be launching a range of large-scale cybersecurity projects and reform efforts. These range from improving cyber-threat intelligence and cyber-secured hardware and operating system standards to more harmonized security certifications, while enabling relevant research and industrial communities to collaborate with public authority stakeholders in a pooled manner, thereby leveraging joint efforts where Member States and national authorities have not been able to advance reforms individually.
How the ECCC will operate
The ECCC, which is expected to grow from an initial staff of 30 to between 70 and 80 in the near future, will have an EU-27-wide governance structure. The ECCC’s principal decision-making body will be its Governing Board, in which all EU Member States take part but only those which participate financially have voting rights. The voting mechanism in the Governing Board is proposed as a double majority principle, requiring 75% of the financial contribution and 75% of the votes. In view of its responsibility for the Union budget, the European Commission holds 50% of the votes. The Governing Board will be assisted by an Industrial and Scientific Advisory Board (ISAB) to ensure regular dialogue with the private sector, consumers’ organizations and other relevant stakeholders.
The ECCC’s priorities as to which projects it and the Cyber-NCCs will finance are based on the advice the ECCC’s Governing Board receives from the ISAB. The bulk of funding will follow established EU-27 procurement processes, and thus requests for proposals and calls for tenders, which the ECCC will manage, disbursing funds to recipients – i.e. academic and research institutions, private sector market participants and/or public authorities. The individual Cyber-NCCs may also be able to financially support operations in their own “national ecosystems” by using cascading grants.
- Overview of efforts is available here and in respect of the EU Cybersecurity Act, available here.
- See details in the following press release from December 9, 2020 here.
- Having won the bid process against Brussels (Belgium), which went head-to-head with Bucharest in a 15-12 final vote, Munich (Germany), Leon (Spain), Vilnius (Lithuania), Warsaw (Poland) and Luxembourg. Bucharest also convinced the panel due to Romania having been denied the possibility to host any EU agency/authority or hub since having joined the EU-27 in 2007.
- A further factor that favored Bucharest was the fact that most recent figures showed that Romania ranks third in EU statistics on female employees in Information and Communication Technology (ICT) and 24 percent of ICT graduates in Romania are female.
- As set out in its initial EU webpage presence available here.
- See coverage from our Eurozone Hub on the EU’s Digital Operational Resilience Act (DORA) available here as well as the EU’s TIBER framework on ethical hacking and our Eurozone Hub’s existing coverage on:
  a. "Setting the controllers' conduct expectations during cyber-resilience exercises", June 14, 2019;
  b. "New Cyber-resilience Oversight Expectations may carry compliance challenges", December 2018;
  c. "ECB releases procurement guidelines for selecting service providers in cyber-resilience testing", September 2018; and
  d. "Central Bank of Cyber? ECB releases first new framework on testing cyber-resilience and combatting digital financial crime", July 2018.
- This issue was highlighted in the draft legislation preceding the establishment of the ECCC and the Cyber-NCCs in stating: “At the moment, the Union depends on non-European cybersecurity providers. However, it is in the Union’s strategic interest to ensure that it retains and develops essential cybersecurity technological capacities to secure its Digital Single Market, and in particular to protect critical networks and information systems and to provide key cybersecurity services.”
- Including interoperation with the work of the European Cybersecurity Certification Group and the Certification Framework, details available here and here.