FantasticSearch

(1) The majority of the population of the Union is connected to the internet. The daily lives of people and economies are becoming increasingly dependent on digital technologies. Citizens and businesses are becoming increasingly exposed to serious cybersecurity incidents and many businesses in the Union experience at least one cybersecurity incident every year. This highlights the need for resilience, for enhancing technological and industrial capabilities and for the use of high cybersecurity standards and holistic cybersecurity solutions which involve people, products, processes and technology in the Union, as well as the need for Union leadership in the areas of cybersecurity and digital autonomy. Cybersecurity can also be improved by raising the awareness of cybersecurity threats and by developing competencies, capacities and capabilities throughout the Union, while thoroughly taking into account societal and ethical implications and concerns.

(2) The Union has steadily increased its activities to address growing cybersecurity challenges following the cybersecurity strategy put forward by the Commission and the High Representative of the Union for Foreign Affairs and Security Policy (High Representative) in their Joint communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions of 7 February 2013 entitled ‘Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace’ (the ‘2013 Cybersecurity Strategy’). The 2013 Cybersecurity Strategy aimed to foster a reliable, safe, and open cyber ecosystem. In 2016, the Union adopted the first measures in the area of cybersecurity with Directive (EU) 2016/1148 of the European Parliament and of the Council on security of network and information systems.

(3) In September 2017, the Commission and the High Representative presented a Joint communication to the European Parliament and the Council entitled ‘Resilience, Deterrence and Defence: Building strong cybersecurity for the EU’ to further reinforce the Union’s resilience, deterrence and response to cyber-attacks.

(4) The Heads of State and Government at the Tallinn Digital Summit, in September 2017, called for the Union to become a global leader in cyber-security by 2025, in order to ensure trust, confidence and protection of citizens, consumers and enterprises online and to enable a free, safer and law-governed internet and declared their intention to make more use of open source solutions and open standards when (re)building Information and Communication Technology (ICT) systems and solutions, in particular avoiding vendor lock-ins, including those developed or promoted by Union programmes for interoperability and standardisation, such as ISA2.

(5) The European Cybersecurity Industrial, Technology and Research Competence Centre (the ‘Competence Centre’) established in this Regulation should help to increase the security of network and information systems, including the internet and other infrastructures which are critical for the functioning of society, such as transport, health, energy, digital infrastructure, water, the financial markets and the banking systems.

(6) The substantial disruption of network and information systems can affect individual Member States and the Union as a whole. A high level of security of network and information systems throughout the Union is therefore essential for society and the economy alike. At the moment, the Union depends on non-European cybersecurity providers. However, it is in the Union’s strategic interest to ensure that it retains and develops essential cybersecurity research and technological capacities to secure the network and information systems of citizens and businesses, and in particular to protect critical network and information systems and provide key cybersecurity services.

(7) A wealth of expertise and experience in cybersecurity research, technology and industrial development exists in the Union, but the efforts of industrial and research communities are fragmented, lacking alignment and a common mission, which hinders competitiveness and the effective protection of networks and systems in that domain. Such efforts and expertise need to be pooled, networked and used in an efficient manner to reinforce and complement existing research, technology and industrial capacities and skills at Union and national level. Although the ICT sector faces important challenges, such as fulfilling its demand for skilled workers, it can benefit from representing the diversity of society at large, achieving a balanced representation of genders, ethnic diversity, and non-discrimination against persons with disabilities, as well as facilitating access to knowledge and training for future cybersecurity experts, including the education of such experts in non-formal contexts, for example in free and open source software projects, civic technology projects, start-ups and microenterprises.

(8) Small and medium-sized enterprises (SMEs) are crucial stakeholders in the Union’s cybersecurity sector and can provide cutting-edge solutions due to their agility. However, SMEs that are not specialised in cybersecurity are also prone to be more vulnerable to cybersecurity incidents due to high investment and knowledge requirements for the establishment of effective cybersecurity solutions. It is therefore necessary that the Competence Centre and the Network of National Coordination Centres (the ‘Network’) provide support for SMEs by facilitating the access of SMEs to knowledge and tailoring access to the results of research and development, in order to allow SMEs to make themselves sufficiently secure and to allow SMEs that are active in cybersecurity to be competitive and contribute to the Union’s leadership in the area of cybersecurity.

(9) Expertise exists outside industrial and research contexts. Non-commercial and pre-commercial projects, referred to as ‘civic tech’ projects, make use of open standards, open data, and free and open source software, in the interest of society and the public good.

(10) The area of cybersecurity is diverse. Relevant stakeholders include stakeholders from public entities, Member States and the Union, as well as from industry, civil society, such as trade unions, consumer associations, the free and open source software community and the academic and research community, and other entities.

(11) The Council Conclusions adopted in November 2017 called on the Commission to provide rapidly an impact assessment on the possible options to create a network of cybersecurity competence centres and a European cybersecurity research and competence centre, and to propose by mid-2018 the relevant legal instrument for the creation of such a network and such a centre.

(12) The Union still lacks sufficient technological and industrial capacities and capabilities to autonomously make its economy and critical infrastructures secure and become a global leader in the area of cybersecurity. There is an insufficient level of strategic and sustainable coordination and cooperation between industries, cybersecurity research communities and governments. The Union suffers from insufficient investment and limited access to cybersecurity knowhow, skills and facilities, and few Union cybersecurity research and innovation outcomes are translated into marketable solutions or widely deployed across the economy.

(13) Establishing the Competence Centre and the Νetwork, with a mandate to pursue measures in support of industrial technologies and in the domain of research and innovation, is the best way to fulfil the objectives of this Regulation while offering the highest economic, societal and environmental impact and safeguarding the Union’s interests.

(14) The Competence Centre should be the Union’s main instrument to pool investment in cybersecurity research, technology and industrial development and to implement relevant projects and initiatives together with the Network. The Competence Centre should manage cybersecurity-related financial support from Horizon Europe – the Framework Programme for Research and Innovation (Horizon Europe) established by Regulation (EU) 2021/695 of the European Parliament and of the Council and the Digital Europe Programme established by Regulation (EU) 2021/694 of the European Parliament and of the Council and should be open to other programmes where appropriate. This approach should contribute to creating synergies and coordinating financial support related to Union initiatives in the area of cybersecurity research and development, innovation, technology and industrial development and should avoid unnecessary duplication.

(15) It is important to ensure respect for fundamental rights and ethical conduct in cybersecurity research projects supported by the Competence Centre.

(16) The Competence Centre should not carry out operational cybersecurity tasks, such as tasks associated with Computer Security Incident Response Teams (CSIRTs), including the monitoring and handling of cybersecurity incidents. However, the Competence Centre should be able to facilitate the development of ICT infrastructures at the service of industries, in particular SMEs, research communities, civil society and the public sector, consistently with the mission and objectives laid down in this Regulation. Where CSIRTs and other stakeholders seek to promote the reporting and disclosing of vulnerabilities, the Competence Centre and members of the Cybersecurity Competence Community (the ‘Community’) should be able to support those stakeholders at their request within the limits of their respective tasks and while avoiding any duplication with the European Union Agency for Cybersecurity (ENISA) as established by Regulation (EU) 2019/881 of the European Parliament and of the Council .