EVENT HIGHLIGHTS | Building synergies and optimising cooperation: how far can the EU cyber capacity go?

At the end of April PubAffairs Bruxelles organised an evening of discussion on the upcoming set up of a European Cyber Competence Centre, its partner national network and their role in enhancing the EU cyber capacity with Ms Tamara Tafra, Counsellor for Cyber Issues, Croatian EU Presidency, Mr Miguel Gonzalez-Sancho, Head of Unit, Cybersecurity Technology and Capacity Building, European Commission, Mr Rasmus Andresen MEP (Greens/EFA,DE) and Mr Luigi Rebuffi, Secretary General European Cyber Security Organisation (ECSO).

The event was moderated by Ms Vesela Gladicheva, Senior Correspondent, MLex.

Vesela Gladicheva began by introducing the speakers and elaborating on the context of the debate. She highlighted that the EU is facing challenges in creating an ecosystem for cyber technologies and addressed the need for higher cooperation between EU member states. The moderator subsequently pointed at the role the European Cybersecurity Competence Centre (hereinafter, Cyber Centre or Competence Centre) can play in strengthening the EU’s cyber capacities in the future. Vesela Gladicheva opened the discussion by asking the panellists for their views on the direction the EU is taking regarding cyber security, the creation of jobs as well as capacity building in the sector.

Ms Tamara Tafra started her remarks by reflecting on the current Covid crisis and how it has brought cybersecurity into the focus of the EU institutions, regarding both the current critical situation and the way out of the crisis. The speaker stated that since the adoption of the first cyber security strategy in 2013, a series of positive policy developments have emerged from both EU policymaking and the cybersecurity sector at large. The speaker noted that the collaboration between member states, European institutions and stakeholders alike, resulted in eminent progress in forward thinking in this domain, such as in the case of the Cybersecurity Act. She consequently referred to the timely implementation of this piece of legislation as the first regulatory action in a sector which, at the EU level, has already shown significant progress, particularly in the field of certification. Ms Tafra concluded her remarks by reiterating the importance for policymakers to keep up with the pace of technological innovations and emphasised the setup of the European Cybersecurity Competence Centre as a crucial step for improving the EU’s cybersecurity capacity.

Mr Rasmus Andresen replied to the question of the moderator, namely if the EU is on the right path regarding cybersecurity-related policies, by expressing the need for further and enhanced engagement. Although he agreed with the fact that the EU has made progress in several areas, the MEP stated that the EU is also facing great challenges with special regard to the question of global competition. In order to cope with the pace of developments in the global tech industry, the speaker advocated for a dual EU approach that aims for cyber security rules, on the one hand, and the support of innovation, research and development of partnerships, on the other. Mr Andresen MEP concluded his speech by summoning the European Commission to come up with legislative proposals that promote the issue of cybersecurity as a common European effort.

Mr Miguel Gonzalez-Sancho entered the discussion by reflecting on the matter of cybersecurity cooperation within the EU. He explained that the advance of digitalisation in the economy and society requires further policy efforts to keep pace with technological developments, as underlined by the two other speakers. The representative of the Commission then agreed with Ms Tafra that EU cybersecurity policy cooperation has gained momentum. In addition, Mr Gonzalez-Sancho stated that the Covid-19 pandemic made ever clearer our dependency on digital technology, and technology is a key part to the response to the economic impact of the crisis. In addition, Mr Gonzalez-Sancho stressed other ongoing challenges in the digital world, particularly cyber threats, which become more acute in the current crisis context. Mr Gonzalez-Sancho also pointed out that public authorities sometimes lack sufficient tools to cope with the evolution of cybersecurity challenges. As a result, he stressed, EU member states have realised that further cooperation is necessary to deal with those challenges. Further on, Mr Gonzalez-Sancho argued that cyber security is a very demanding area for European cooperation, as it is at the crossroads between national security and the single market. He continued by explaining that external shocks have the capacity to put the European project at risk, but can also be an opportunity for Europe to further advance in its path towards deeper integration. The speaker subsequently elaborated on the response to the current crisis, with special regard to the Digital Single Market, as well as on the necessity of combining both ecologically and socially sustainable measures. He concluded his remarks by highlighting the importance of EU cyber capacity as a strategic domain for coping with both the current and a possible future crisis.

Mr Luigi Rebuffi started his answer by introducing the European Cyber Security Organisation (ECSO), which was created, upon request of the European Commission, as its contractual counterpart for the implementation of Europe’s 1st Public-Private Partnership in cybersecurity. The speaker stated that ECSO has developed into a partnership of several important stakeholders of the European cyber security sector. In order to emphasise the importance of cybersecurity in our societies, he elaborated on the global debate on the alleged interference in election processes and how this resulted in an ongoing discussion about cyber threats for democracies. The speaker continued by referring to the fruitful dialogue that was created in the sector at the EU level, including between actual or possible competitors and to how this dialogue is contributing to the progress in building cyber security capacities. He stated that the setup of the European Cyber Competence Centre should follow clear policy/strategic objectives, while a vision for the future path of cybersecurity in Europe is needed in order to attract industry stakeholders. Elaborating on this consideration, Mr Rebuffi highlighted that this vision needs to show a clear direction for Europe, by fostering a cooperative approach and compliance with the European values, in order to find both competitive and sustainable solutions. In concluding his intercession, Mr Rebuffi underlined that both the industry and policymakers need to have a shared vision on the question of Europe’s competitiveness and the upholding of European values. Indeed, it is a likely scenario, the speaker remarked, that the EU private cybersecurity sector will have more resources at its disposal than the public sector in the foreseeable future. 

Vesela Gladicheva enquired about the state of the legislative procedure for the setup of the European Cybersecurity Competence Centre, its possible impact on the cyber industry and whether there is a need for further regulation.

Ms Tafra began her intervention by emphasizing her current efforts as Chair of the Council Horizontal Working Party on Cyber Issues, which is dealing with the open matters regarding the European Cybersecurity Competence Centre. She highlighted the aim of the working party to timely finalise the legislative proposals in cooperation with the European Parliament and the European Commission, despite the unexpected emergence of the Covid-19 crisis. The speaker elaborated on the current stage of the legislative processes, with special regard to the finalising of the last versions of the proposal and the integration of the opinion of member states regarding the Competence Centre. She furthermore expressed her optimism about starting the ongoing institutional work with the Parliament during the Croatian Presidency of the Council of the EU, mandate which finishes by the end of June. Subsequently, Ms Tafra warned against expectations of the Competence Centre to solve all the current problems regarding cyber capacities, as its main aim is to create synergies between research and industry. Indeed, she pointed out that the Centre is meant to provide financial resources for research on cyber security and to create incentives for the industry, as well as small and medium sized enterprises (SMEs) while also fostering cooperation and investment. The speaker continued her statement by contextualising the issue of funding for the Competence Centre provided by the Digital Europe programme and the Horizon Europe programme. She noted that the level of funding will be determined by the outcome of the ongoing negotiations on the Multiannual Financial Framework (MFF) and how cybersecurity is going to be prioritised by the concerned parties. In addition, Ms Tafra highlighted that both the uptake of digital technologies and the trust in the Digital Single Market are dependent on cybersecurity. Regarding the question of further regulation, Ms Tafra stated that the reaction of the EU to the swift developments in the cyber security area was reasonably timely. She explained that, with the revision of the EU Cyber Security Strategy in 2017 and its complements in the Digital package of February 2020, the EU showed its capability to react to threats and new developments. The speaker highlighted the valuable work on the NIS Directive which has developed a solid network of experts. She consequently mentioned the Internet of Things (IoT) as an area which will require further regulation in the future and concluded by expressing satisfaction on the standards set by the EU regarding both certification and 5G-related issues.

Mr Andresen MEP started his remarks by stressing the stance of the European Parliament on the setup of the European Cyber Competence Centre, which was put forward in the last legislature, as the proposal on the Cybersecurity Centre could not be finalised in time before the European elections. The MEP expressed his concern as rapporteur for the European Parliament, that governance issues may take more attention in the Council than questions about the actual response of the legislative proposal to the EU cybersecurity capacity question. In this connection, he advocated for facilitating strong cyber security capabilities at a European level and the creation of partnerships between the EU, its member states and the industry, as well as European civil society. The speaker also highlighted the need for non-commercial projects, such as the development of open source software, in order to create a new and innovative European model rather than to try and adapt non-European blueprints to the old continent. Progressing from this suggestion, he underscored that the only way the Cyber Competence Centre can create European added value is to ensure that European institutions are willing to create a new innovative model.

Mr Rebuffi answered the question of the moderator by expressing the urgency for the clarification of the role of the European Cyber Competence Centre. Indeed, he conveyed the message that the industry needs guidance in order to direct investments, especially in the face of the current crisis. The speaker explained that while there was a rise in cyber-attacks on certain critical infrastructure during the Covid-19 crisis, the character of cyber security itself has not changed. He consequently raised the question of how Europe will be able to provide solutions for economic recovery and national security, in terms of digital capacities. Mr Rebuffi continued by recommending a cooperative effort of all stakeholders to define the domains on which the Competence Centre is going to work, while highlighting that the question of its governance structure should be treated as secondary. In addition, he explained that, depending on the subject matter, the state of play of the industry stances is varied as some European firms are aiming for more regulation in order for them to be able to compete with non-EU players. Other operators are looking for more market freedom in order to apply new solutions, while another different set of players are aiming to find a middle road between regulation and market freedom. Mr Rebuffi concluded his speech by advocating for a new NIS Directive which will foster closer cooperation with the public sector, with special regard to critical services in order to facilitate the work of EU companies.

Mr Gonzalez-Sancho began by pointing out how crucial it is to find a consensus in the current negotiations on cybersecurity-related questions. He elaborated on the role the European Cyber Competence Centre is going to play as an instrument of joint decision-making on investment priorities in the field of cyber capacities. For this reason, he noted, the Competence Centre needs to be built on a broad basis of agreement among all stakeholders. The speaker furthermore went into detail about the structure of institutional cyber security cooperation in the EU. He mentioned the NIS Directive, which defines the approach for this cooperation, while underlining that the Cyber Security Act has strengthened the role of the European Agency for cybersecurity (ENISA) and set up the cyber security framework for certification. He subsequently pointed at the challenges of European cooperation on cyber security, namely the high number of different stakeholders and national interests. He continued by asserting that, even though the Covid-19 crisis has led to a delay in some cybersecurity files, all stakeholders will continue working on this domain as there is no time to loose. With regard to the issue of regulation, the speaker referred to the upcoming revision of the NIS Directive, which he described as the baseline in the field of cyber security regulation. Mr Gonzalez-Sancho stated that, even though the directive was adopted in 2016, its revision is needed due to the rapid evolution of the Digital Single Market and the continuous emergence of new cyber threats, which makes it necessary for authorities to keep pace with these developments. Mr Gonzalez-Sancho elaborated on the NIS Directive potential to further contribute to EU cybersecurity capacity, and concluded his answer by highlighting the development signalled by the adoption of the Cyber Security Act in 2019.

The moderator then asked about the possibility for like-minded third countries and their private sectors to join the European Cyber Competence Centre, how to increase the EU’s global competitiveness and whether digital technologies should be considered as critical infrastructure. 

Mr Gonzalez-Sancho started his reply by excluding a possible membership of non-EU countries at the European Cyber Competence Centre, as it is going to be an EU body, like ENISA is. With regard to EU’s competitiveness he emphasised the relevance of digitalisation for all sectors of industry, as well as for society. He continued by elaborating on the most recent initiatives of the European Commission on digitalisation policy, namely the Digital Package including the White paper on Artificial Intelligence and the European Strategy for Data, as well as the European Commission Digital Strategy and the New Industrial Strategy for Europe. He subsequently added that Artificial Intelligence and Data are essential areas of investment for the future and have potential for increasing Europe’s competitiveness. With reference to Mr Andresen’s MEP stance, the speaker stated that human rights and ethical implications should also be considered in the area of Artificial Intelligence. He added that the decision-making of algorithms and machines may imply risks and ethical challenges that regulators must address. The speaker referred to the open consultation on the White Paper on Artificial Intelligence and the importance of considering public opinion on such sensitive topics. He continued by stating that the example of GDPR shows how Europe can make a difference on the global stage and acquire a status as a role model. Mr Gonzalez-Sancho ended his intervention by stating that the way technological developments are approached always have larger political implications and that the EU has the advantage of adopting a values-based approach.  

Mr Rebuffi explained that the EU has to find ways to cooperate with non-EU countries in order to provide cyber security solutions which are part of Europe’s current capacities. However, he warned of the risk in using products and services from third countries without sufficient certification to cope with the economic consequences of the Covid-19 crisis. He subsequently pointed at the importance of global competitiveness for European industry and added that Europe does not have the financial capacities to enhance investment in every single industrial sector. He noted that a permanent flow of investment is crucial to guarantee competitiveness. The speaker consequently elaborated on the idea of strategic investments in selected areas, an approach which, according to Mr Rebuffi, offers the best chance for global leadership. These areas have to be chosen according to widely agreed priorities and in coordination with stakeholders. To his end, Mr Rebuffi named the European Cyber Competence Centre as an opportunity to bring together the necessary competences and resources for this process. He subsequently recommended the change from a public security approach to a wider security perception that includes the whole market, in order to shift from national sovereignty to European sovereignty. The speaker continued by pointing at the important role a qualified workforce in research institutions, universities and SMEs plays for global competitiveness. In this connection, he mentioned the example of an initiative of ECSO, that enables investors and banks to make targeted investments in European SMEs in order to create incentives for them to remain based in the EU. He concluded his remarks by reiterating that investment and political efforts are crucial components for increasing Europe’s competitiveness.

Mr Andresen started his statement by advocating for an increased European competence on the matter of cybersecurity, on the one hand, and by acknowledging the need for cooperation based on European standards on the other. He stated that cybersecurity as a global issue cannot be approached unilaterally and that the EU has to develop its own capacities in order to have enough leverage when cooperating with other parts of the world. The speaker continued by calling for the availability of sufficient funding for this domain. He continued by stating that due to his role as a member of the parliamentary committee on the budget and as part of the Parliament’s negotiation team for the MFF, he is aware of the different priorities raised during the current budget negotiations. The speaker indicated that the negotiations have not focused on enhanced financial means for digitalisation so far, as it is not a priority for member states at this very moment. Furthermore, he pointed at the need for higher investment in the economy due to the Covid-19 crisis, which makes increased spending on cybersecurity more unlikely. Mr Andresen expressed his concern that programs such as Digital Europe and Horizon Europe may not be supported enough by member states resulting in insufficient funding for research and digitalisation. Nonetheless, the speaker showed optimism about Europe’s ability to compete on a global level. Indeed, he recommended to couple cybersecurity efforts with sectors in which Europe is already a global leader, such as mobility or the green economy to foster common development. Mr Andresen remarked that Europe should provide innovative solutions that are not prioritised by its global competitors in order to acquire an exceptional position in these sectors. He concluded by asserting that the idea of coupled development will also help to increase Europe’s crisis resilience in the future.

Ms Tafra started her response by stating that the current crisis shows how dependent society is on digital infrastructure. She elaborated on the need for critical sectors, such as health care and research, to increase their resilience against cyber-attacks. The speaker subsequently emphasised the need to take all sectors into consideration when it comes to financing cyber security measures, as any sector may be of critical relevance in future crisis situations. Ms Tafra continued by highlighting the importance of creativity and innovation in enhancing crisis resilience and added that the Covid-19 crisis unveiled the weaknesses in the EU’s capacity to offer its own solutions in the cyber security sector. She continued by referring to the European way of standard setting as a core capacity, as exemplified by the GDPR, the 5G toolbox, as well as by certification schemes. However, the speaker also underlined Europe’s ability to create innovative solutions due to its excellent research capabilities and creative approaches in problem solving.

The moderator continued by asking about Europe’ s role as a global leader, the efforts of the member states in capacity building and education as well as how cyber threats are prioritised by the EU. 

Mr Rebuffi began by commenting on Mr Andresen’s assessment of the current budget negotiations. He argued that digitalisation and cyber security are applied throughout all sectors of the industry and for this reason they have to be treated as essential for the preservation of any industrial area. He subsequently warned of the dependency on non-European suppliers that may occur in case of insufficient funding of European capacities. The speaker advised to use the current crisis as a chance to develop a solid vision for the future. In order to create value, Mr Rebuffi explained that it is crucial to develop concepts that don’t treat technologies as single vertical entities but enable synergies between different areas. He then elaborated on the example of cloud technology and pointed out that it is likely that in the future data will be stored close to the application it is assigned to. This technology setting will be enabled by 5G or 6G technologies and supported by Artificial Intelligence to provide data for IoT applications. Within this context, Europe can become a global leader if a vision which takes into account future developments is considered. Regarding the question of education and skills development, he mentioned an ECSO initiative named “Youth for Cyber”, which gives an outlook on career opportunities in the cyber sector. He then explained and referred to the initiative Women for Cyber” that aims for a higher share of women in cyber security jobs. He consequently noted that even though member states have the exclusive competence to decide over their educational systems, ECSO’s aim is to create common European standards in cyber security education.

Ms Tafra answered this question by referring to her experiences from the Working Party on cyber issues which have demonstrated to her that there is indeed a prioritisation of digital and cyber security issues. Nonetheless, she confirmed the difficulties arising from the negotiations on the current MFF and explained that many interests have to be taken into consideration while forming a negotiation position of the Council. The speaker added that the cross sectorial nature of the cyber security topic is of high complexity, as the questions of how to manage the EU internal market, cyber diplomacy, as well as Europe’s external action have to be considered. She noted that the Competence Centre is going to deal with the cyber security related components of the Digital Europe and the Horizon Europe programmes and expressed her optimism about an increase in research activities, especially in the context of the Digital Europe Programme. She consequently stressed that synergies between research and industry are allowing Europe to compensate the fragmentation resulting from the cross sectorial utilisation of cyber security solutions. Additionally, Ms Tafra recommended that the Council and the Commission use the dedicated funds cautiously, as they are limited and consequently advised to direct the resources to areas that can add value to Europe’s role as a global leader in the field of cyber security.

Mr Andresen started his intervention by agreeing with Ms Tafra about the ongoing efforts made in the Council in terms of fostering cyber security and its funding. However, he expressed his regret that some member states are not willing to contribute more to the European budget. The speaker therefore advocated for the enabling of sufficient funding in the next MFF for research programmes in the digital field. He continued by agreeing with the position of Mr Rebuffi on the question of education. Even though he noted that there are attempts in cyber security education in some EU member states, he expressed his concern that those efforts may not be sufficient. The speaker recommended that the Competence Centre may offer funding for an educational pilot project initiated by the European Parliament, that could serve as role model for future initiatives throughout the member states.

Mr Gonzales-Sancho answered by elaborating on the assessment of cyber risks. He explained, that the first step has to be an evaluation of the assets that require protection. The speaker argued that the Covid-19 crisis has unveiled the importance of digital infrastructure, such as data platforms and networks and brought attention to the most basic human needs such as health, the safety of life and food supply. Mr Gonzalez-Sancho continued by highlighting that cyber security capacities have to be embedded in the essential sectors of human activity to protect critical infrastructure, in line with the NIS Directive. He concluded his remarks by advising a collective approach for defining priority assets and common efforts to protect those assets against constantly evolving cyber threats.

The Q&A session covered the following issues: The ongoing migration of qualified job seekers to more attractive markets, the ethical implications of Artificial Intelligence, considerations of updating the Cyber Security Strategy in the light of the Covid-19 crisis and which role the European Cyber Competence Centre can play in the case of major crises.

Want to know more about the issues discussed in this debate? Then, take a look at the selected sources provided below!

Programme, Croatian Presidency of the EU, January-June 2020

European Cybersecurity Industrial, Technology and Research Competence Centre, European Commission

Proposal for a European Cybersecurity Competence Network and Centre, European Commission

Proposal for a regulation establishing the European Cybersecurity Industrial, Technology and Research Competence Centre, Legislative schedule, European Parliament

Cyber Security Competence survey, European Commission

The new European cybersecurity competence centre and network, European Parliament Think-Tank

European Cyber Security Organisation (ECSO) Market Radar

European Cyber Security Organisation (ECSO)

Data Privacy & Security: News & Analysis, MLex