18.5.2021   

EN

Official Journal of the European Union

C 191/32

Statement of the Council’s reasons: Position (EU) No 18/2021 of the Council at first reading with a view to the adoption of a Regulation of the European Parliament and of the Council establishing the European Cybersecurity Industrial, Technology and Research Competence Centre and the Network of National Coordination Centres

(2021/C 191/02)

I.   INTRODUCTION

1.

 On 12 September 2018, in the context of its Digital Single Market Strategy, the Commission adopted and transmitted to the Council and to the European Parliament the proposal (1) for a Regulation of the European Parliament and of the Council establishing the European Cybersecurity Industrial, Technology and Research Competence Centre and the Network of National Coordination Centres, with Articles 173(3) and 188 TFEU as the legal basis.

2.

 The aim of the proposal is to help the EU retain and develop the cybersecurity technological and industrial capacities necessary to secure its Digital Single Market. The proposal provides for the creation of structures at three institutional levels: a Network of National Coordination Centres (national level), a Cybersecurity Competence Community (stakeholder level) and a European Cybersecurity Industrial, Technology and Research Competence Centre (EU level). The Competence Centre will manage cybersecurity-related financial support from the EU’s budget and facilitate joint investment by the EU, Member States and industry to boost the EU’s cybersecurity.

3.

 The Commission presented the proposal to the Horizontal Working Party on Cyber Issues (hereinafter ‘the Working Party’) on 17 September 2018; this was followed by an examination of the impact assessment in the Working Party on 28 September 2018. The discussion of the proposal itself in the Working Party started on 28 September 2018 under the Austrian Presidency and continued under the Romanian, Finnish, Croatian and German Presidencies.

4.

 The European Economic and Social Committee adopted its opinion (2) on this proposal on 23 January 2019. The EESC welcomed the Commission’s initiative, considering it an important step in developing an industrial strategy for cybersecurity and a strategic move to achieve robust and comprehensive digital autonomy.

5.

 Within the European Parliament, the file was assigned to the Committee on Industry, Research and Energy (ITRE) and Ms Julia REDA (ITRE, Greens/EFA) was appointed as rapporteur. The report was adopted on 19 February 2019 in the ITRE committee and approved by the Parliament during the March I 2019 plenary. On 17 April 2019 the Parliament adopted its position at first reading (3), with 112 amendments to the Commission proposal, by 489 votes to 73, with 56 abstentions. After the European elections Mr Rasmus ANDRESEN (ITRE, Greens/EFA) was appointed as the new rapporteur.

6.

 On 13 March 2019, Coreper gave a mandate (4) to start the negotiations with the European Parliament. Five trilogues have taken place since then: on 13 and 20 March 2019 under the Romanian Presidency, on 25 June 2020 under the Croatian Presidency and on 29 October and 11 December 2020 under the German Presidency.

7.

 The first trilogue was held on 13 March 2019 in Strasbourg and did not lead to any substantial discussions. Both parties presented their positions and the main changes proposed in their respective proposals and agreed on the next steps and timeline. The co-legislators confirmed their strong commitment to reach an agreement as soon as possible.

8.

 The second trilogue was held on 20 March 2019 in Brussels and the issues identified as political at the first technical meeting, mainly the mission and tasks of the Competence Centre, the financing and the Governing Board, were discussed. The Romanian Presidency based its approach on the mandate received for the first trilogue. The second trilogue revealed a positive attitude on both sides, as flexibility on several issues was demonstrated and guidance was given to the technical level in order to make further progress with the compromise text.

9.

 A revised mandate for negotiations with the European Parliament was endorsed by Coreper on 3 June 2020 (5). A third trilogue was held on 25 June 2020, at the end of the Croatian Presidency, with a view to informing the European Parliament about the main amendments in the Council’s new mandate with a focus on 1) the mission, objectives and tasks of the Competence Centre, 2) its structure, 3) the financial provisions and 4) the Cybersecurity Competence Community.

10.

 One pending Council position on the voting rights of the Centre’s Governing Board, was resolved within the Council under the German Presidency. On 22 July 2020, a revised mandate was adopted by Coreper, clarifying the scope of the Commission’s veto right.

11.

 Another pending issue on the seat of the Competence Centre was resolved in the margins of Coreper on 28 October 2020 by the representatives of the governments of the Member States who agreed on a procedure for selecting the seat of the Competence Centre (6). The decision on the seat was taken by the representatives of the governments of the Member States in the margins of Coreper on 9 December 2020. Bucharest (Romania) was selected as the seat.

12.

 The fourth trilogue, held on 29 October 2020, gave a broad mandate to the technical level to find compromises on the remaining open issues. In several technical meetings, compromises were found on most issues.

13.

 At the fifth and final trilogue, held on 11 December 2020, the Council and the European Parliament reached a provisional agreement in line with the mandate which was renewed by Coreper on 9 December 2020. On 18 December 2020, Coreper approved the final compromise text as agreed at the trilogue.

II.   OBJECTIVE

14.

 This proposal provides for the creation of a Competence Centre, which would be the EU’s main instrument to pool investment in cybersecurity research, technology and industrial development. It would also deliver cybersecurity-related financial support from the Horizon Europe and Digital Europe programmes. As stated above, the proposal also provides for the setting up of a Network of National Coordination Centres and a Cybersecurity Competence Community.

15.

 The Competence Centre would have a Governing Board, composed of representatives from the Member States and the Commission, which defines the general direction of the Centre’s operations and ensures that the Centre carries out its tasks in accordance with the Regulation. The aim of the Centre would be to ensure stronger coordination between research and innovation as well as deployment of strategies at EU and national level and to enable the Member States to take decisions related to their financial contributions to joint actions.

16.

 The Competence Centre would be able:

i)

to implement research and innovation actions (supported by Horizon Europe) as well as capacity-building actions (supported by Digital Europe), in accordance with the above-mentioned governance (i.e. the Commission and Member States).

ii)

together with the Member States, to support the build-up and procurement of advanced cybersecurity equipment, tools and data infrastructure in Europe and ensure wide deployment of the latest cybersecurity solutions across the economy; to this end, the Competence Centre would also be able to facilitate the shared acquisition of capacities on behalf of Member States.

III.   ANALYSIS OF THE COUNCIL’S POSITION AT FIRST READING

A.   PROCEDURAL CONTEXT

17.

 The European Parliament and the Council conducted negotiations with a view to concluding an agreement at the stage of the Council’s position at first reading (‘early second-reading agreement’). The text of the Council’s position at first reading reflects the compromise package agreed between the two co-legislators, with the support of the Commission.

B.   SUMMARY OF THE MAIN ISSUES

18.

 The main modifications compared to the initial Commission proposal which were agreed by both co-legislators are:

1)

compromise wording was introduced in various provisions to align the text with the provisions of the Digital Europe Regulation and the Horizon Europe Regulation, since the Competence Centre will manage cybersecurity-related financial support from the Horizon Europe and Digital Europe programmes;

2)

the reference to the seat of the Competence Centre in the legal provisions of the Regulation (Article 1) was deleted. Instead a new recital (20) was added;

3)

a number of concepts, with appropriate definitions, were added, such as ‘cyber threat’, ‘joint action’, ‘in-kind contribution’ and ‘European Digital Innovation Hub’;

4)

‘the Agenda’ was added, namely a comprehensive and sustainable cybersecurity industrial, technology and research strategy which sets out strategic recommendations for the development and growth of the European cybersecurity industrial, technological and research sector and strategic priorities for the Competence Centre’s activities;

5)

the tasks of the Competence Centre, which were originally set out in one article together with the objectives, are now set out in a dedicated article and a distinction is made between the strategic tasks and the implementation tasks of the Centre;

6)

the role of ENISA was strengthened. ENISA will be a permanent observer on the Governing Board of the Competence Centre and can provide advice and input on the drafting of the Agenda and the annual and multiannual work programmes;

7)

new provisions were introduced regarding the National Coordination Centres, in particular regarding the nomination of the centres and the Commission’s assessment,

8)

the tasks of the Governing Board were further elaborated, in particular with regard to the adoption of the Agenda and the annual and multiannual work programmes;

9)

the voting rules of the Governing Board of the Competence Centre were amended and the principle of ‘one member, one vote’ was established, instead of the original provision of the Commission proposal which mentioned that the EU should hold 50 % of the voting rights. However, for certain decisions linked to the implementation of the Union budget, as well as regarding the annual work programme, the multiannual work programme and the methodology for calculating Member States’ contributions, the Commission will have 26 % of the voting rights; The Governing Board shall take its decisions by a majority of at least 75% of all its members;

10)

the Industrial and Scientific Advisory Board was changed to the Strategic Advisory Group, which will provide advice on the basis of a regular dialogue between the Competence Centre and the Cybersecurity Competence Community;

11)

the Cybersecurity Competence Community will be made up of collective bodies/organisations and will not include individuals; as a compromise, the Competence Centre and its bodies will be able to resort to the expertise of individual and natural persons as ad-hoc experts;

12)

new articles were added on gender balance (Article 35) and on the legal personality of the Competence Centre (Article 39).

IV.   CONCLUSION

19.

 The Council’s position at first reading reflects the compromise package agreed between the Council and the European Parliament, with the support of the Commission.

20.

 The Council believes that its position at first reading represents a balanced package and that, once adopted, the new Regulation will play a key role in further developing the EU’s technological, industrial and research capacities in cybersecurity.

(1)  12104/18.

(2)  5898/19 (OJ C 159, 10.5.2019, p. 63).

(3)  OJ C 158, 30.4.2021, p. 850.

(4)  7583/19.

(5)  8315/20.

(6)  13405/20.