European cybersecurity network and competence centre

SUMMARY OF:

Regulation (EU) 2021/887 establishing the European Cybersecurity Industrial, Technology and Research Competence Centre and the Network of National Coordination Centres

WHAT IS THE AIM OF THE REGULATION?

It sets up the European Cybersecurity Competence Centre (ECCC) and the Network of National Coordination Centres (the ‘network’).
It lays down rules for national coordination centres (NCCs) and for setting up the Cybersecurity Competence Community.

The ECCC has an essential role in the digital Europe programme (set up under Regulation (EU) 2021/694 — see summary) and contributes to Horizon Europe. It creates a framework for increasing and coordinating investments in cybersecurity between the European Union (EU), EU Member States and, indirectly, industry.

KEY POINTS

Mission

The mission of the ECCC and the network is to help the EU to:

strengthen EU leadership in cybersecurity* by enhancing trust and security, including the confidentiality, integrity and accessibility of data;
support network and information system resilience and reliability, including critical infrastructure and commonly used hardware and software; and
increase the global competitiveness and high standards of the EU’s cybersecurity industry, turning cybersecurity into a competitive advantage for EU industry.

Objectives

The ECCC’s specific objectives translate into strategic tasks and implementation tasks:

enhancing cybersecurity capacities, capabilities, knowledge and infrastructure;
promoting cybersecurity resilience, best practices, security by design and the security certification of digital products and services;
contributing to a strong European cybersecurity ecosystem and bringing stakeholders together.

These tasks are completed by:

setting strategic orientations for research, innovation and deployment, and setting out priorities;
implementing parts of the relevant EU funding programmes;
encouraging cooperation and coordination at the national and EU levels; and
facilitating joint investment.

National coordination centres (NCCs)

One NCC is nominated by each Member State and the European Commission is notified of the decision.
Each NCC must have access to cybersecurity research and technological expertise.
NCCs may, under certain conditions, receive direct EU grants and can provide financial support to third parties.

The key functions of NCCs include:

acting as points of contact at the national level;
providing expertise and contributing to strategic tasks;
facilitating participation in cross-border projects and EU-funded cybersecurity actions;
providing technical assistance to stakeholders in projects managed by the ECCC;
seeking synergies with activities at the national, regional and local levels, such as national policies on research, development and innovation;
implementing specific actions for which grants have been awarded by the ECCC;
contributing to educational programmes.

Cybersecurity Competence Community

Contributes to the ECCC and network missions, sharing and disseminating cybersecurity expertise.
Consists of industry, including small and medium-sized enterprises, academic and research organisations, civil-society associations, standards organisations, relevant public entities and stakeholders facing cybersecurity challenges.

ECCC structure

The ECCC administrative and governance structure includes:

a Governing Board that provides strategic orientation and oversees activities;
an executive director, the ECCC’s legal representative and the person responsible for day-to-day management; and
a Strategic Advisory Group that ensures dialogue between the Cybersecurity Competence Community and the ECCC.

Governing Board

A representative from each Member State and two from the Commission, with cybersecurity knowledge and managerial skills.
Observers, including as a permanent observer the European Union Agency for Cybersecurity set up under Regulation (EU) 2019/881.
Chairperson and deputy elected by Governing Board members.

The executive director takes part in meetings but cannot vote.

Strategic Advisory Group

Twenty members appointed by the Governing Board.
Meets at least three times per year.
Advises the Governing Board on establishing working groups.
Organises public consultations to collect input for the ECCC agenda and work programmes.

Funding

The ECCC is EU-funded, while joint actions are funded by the EU and voluntary Member State contributions:

up to €1,649,566,000 from the digital Europe programme, including up to €32,000,000 for administration;
an amount from Horizon Europe for joint actions, matching Member State contributions and in alignment with Horizon Europe planning;
an amount from the other EU programmes, as needed to implement ECCC objectives.

The regulation allows and encourages Member States to contribute with their own resources. If Member States contribute to the resources managed by the ECCC, they also have to contribute to the administrative costs.

FROM WHEN DOES THE REGULATION APPLY?

It has applied since 28 June 2021.

BACKGROUND

KEY TERMS

Cybersecurity: the activities necessary to protect network and information systems, the users of such systems, and other persons affected by cyber threats*.

Cyber threat: any potential circumstance, event or action that could damage, disrupt or otherwise adversely affect network and information systems, the users of such systems and other persons.

MAIN DOCUMENT

Regulation (EU) 2021/887 of the European Parliament and of the Council of 20 May 2021 establishing the European Cybersecurity Industrial, Technology and Research Competence Centre and the Network of National Coordination Centres (OJ L 202, 8.6.2021, pp. 1-31)