Documents considered by the Committee on 12 December 2018 Contents

2Cybersecurity

Committee’s assessment

Politically important

Committee’s decision

Not cleared from scrutiny; further information requested

Document details

Proposal for a Regulation of the European Parliament and of the Council establishing the European Cybersecurity Industrial, Technology and Research Competence Centre and the Network of National Coordination Centres

Legal base

Article 187 & 188 TFEU (research, technological development and demonstration programmes); Article 173 TFEU (industrial competitiveness); Ordinary Legislative Procedure; QMV

Department

Digital, Culture, Media and Sport

Document Number

(40070), 12104/18, COM(18) 630

Summary and Committee’s conclusions

2.1To improve the EU’s industrial competitiveness in the area of cybersecurity, the European Commission has brought forward a proposal for a Regulation which would establish a European Cybersecurity Industrial, Technology and Research Competence Centre supported by a network of National Coordination Centres.

2.2The Competence Centre would be the Union’s main instrument to pool investment in cybersecurity research, technology and industrial development. It would take the form of a European Partnership, as provided for in the proposed Horizon Europe Regulation,15 in order to facilitate joint investment by the Union, Member States and industry, and would scale-up the existing 2016 European contractual Public Private Partnership on cybersecurity (‘cPPP’).

2.3The Centre would be responsible for implementing the cyber security aspects of the Digital Europe16 and Horizon Europe17 Programmes of the European Union’s multiannual financial framework (proposed to be €2bn and €2.8bn, respectively) and would be tasked, more widely, with driving the cybersecurity technology agenda, supporting the deployment of innovative cybersecurity products, and coordinating the activities of the cyber security competence community—a diverse network of industry, academic and non-profit research organisations and associations accredited by the Member States.

2.4The membership of the Competence Centre would consist of the Union, represented by the Commission, and the Member States. The Centre’s governing board would consist of one representative per Member State and five Commission representatives, with ENISA (the EU cybersecurity agency) acting as an observer. The provisions of the Regulation on voting rights are somewhat convoluted. It appears that only those Member States which make an additional financial contribution to the Centre (separately from the Digital Europe and Horizon Europe programmes) have voting rights on the governing board. Commission representatives would hold 50per cent of the voting rights (in view of the Commission’s responsibility for the Union budget) and those Member States with voting rights would each hold one vote. Votes would follow a double majority principle requiring both 75 per cent of the financial contribution and 75per cent of the votes. However, the wording of the Regulation is not entirely clear on how the “financial contribution” would be calculated.

2.5The Regulation would also require Member States to nominate a National Coordination Centre, which would form part of a network of these coordination centres supported by the European Competence Centre. National centres would act as the national contact point and would help the Competence Centre to deliver its tasks at a national and regional level, and would receive funding from the Competence Centre which they could pass on.

2.6Member States would also be required to accredit organisations and associations to be part of the cybersecurity competence community.

2.7The Regulation anticipates that Member States would choose to make additional financial contributions to the project, and its preamble states that their financial participation “should be commensurate to the EU financial contribution to this initiative and is an indispensable element for its success”.

2.8The Centre is to be established for the period January 2021 to December 2029.

2.9In an explanatory memorandum submitted to Parliament,18 the Parliamentary Under Secretary of State at the Department of Digital, Culture, Media and Sport (Margot James) states that negotiation on the proposal are unlikely to conclude before the UK leaves the EU on the 29th March 2019, and that, as the UK will not be a Member State at the point at which this legislation comes into force it would not have a role on the Governing Board of the Competence Centre, nor would it be required to have a National Coordination Centre or be part of the Competence Community.

2.10The Minister’s reasoning regarding the non-applicability of the proposed Regulation to the UK is somewhat unclear. That negotiations are unlikely to conclude while the UK is a Member State is not obviously material, as under the implementation/transition period provided for in the Withdrawal Agreement,19 including the draft version which was available when the Explanatory Memorandum was drafted, “during the transition period, any reference to Member States in the Union law applicable pursuant to paragraph 1, including as implemented and applied by Member States, shall be understood as including the United Kingdom” (Article 127(6)).

2.11Although the Withdrawal Agreement provides that the UK should be treated as a Member State with respect to EU law during the transition period, there are exceptions to this, which are set out in Articles 7 and 8, which limit UK participation in the institutions, bodies, offices and agencies of the Union as well as networks, information systems and databases, and Article 132, which specifies a number of types of EU provision which will not apply to the UK during the implementation period, as well as areas from which the EU can limit UK involvement if it wishes to. It is unclear to what extent these provisions would apply to the proposed Regulation, although it is clear that (as the Minister states) the Government could not have a role on the Governing Board of the Competence Centre.

2.12If the regulation were to apply to the UK—whether during an extended implementation period or under any other circumstances—it appears that there would be a number of implications. UK stakeholders would have to exercise the functions designated in the Regulation and, the Minister notes, “would potentially incur a cost in order to undertake the proposed tasks and activities.” The Government would have to nominate a National Coordination Centre and accredit organisations and associations to be part of the cybersecurity competence community. Although the UK would not, as the proposal is drafted, be obligated to make an additional contribution to the Programme, it would presumably continue to make financial contributions to the Digital Europe and Horizon Europe programmes, which provide the funds which would be administered by the Centre.

2.13On subsidiarity, the Minister notes that the Commission argues that the subsidiarity principles are met because the nature and scale of technological challenge require expertise that cannot be provided individually by a Member State, and with reference to cross-border cyber incidents such as WannaCry and NonPetya; however, the Minister states that the draft Regulation does not provide sufficient detail to say whether the proposals would realise this benefit above what is provided by other EU cyber security tools and measures, and that the Government intends to review its position on subsidiarity during the negotiation process.

2.14The Minister adds that the Commission has indicated a preference for negotiations to conclude by the second quarter of 2019, with the preparatory phase taking place between 2019–2020, and full implementation from 2021.

2.15The proposed Regulation seeks to foster Europe’s industrial competitiveness and technological capabilities in cybersecurity through the more effective coordination of existing expertise, by establishing a European Cybersecurity Industrial, Technology and Research Competence supported by a network of National Coordination Centres and organisations, accredited by the Member States. The Centre has a broad range of tasks, in which it would be supported by the network. The Centre would implement the cybersecurity elements of the Digital Europe and Horizon Europe Regulations with Member States expected to contribute a commensurate amount of additional funding.

2.16We note that the Government is not yet persuaded by the Commission’s justification regarding the conformity of the proposal with the principal of subsidiarity, on the basis that the Regulation “does not provide a level of detail sufficient to say whether the proposals would realise this benefit above what is provided by other EU cyber security tools and measures.”

2.17Regarding the proposal, we ask the Government to clarify:

2.18On EU exit, we note the Minister’s assessment that negotiations on the proposed regulation are unlikely to conclude before the UK leaves the EU on the 29th March 2019 and that “if the UK is not a Member State at the point at which this legislation comes into force it would not have a role on the Governing Board of the Competence Centre, nor would it be required to have a National Coordination Centre or be part of the Competence Community”.

2.19We question the Government’s assessment that the proposed Regulation would not apply to the UK were it no longer a Member State when the Regulation entered into force. The current version of the Withdrawal Agreement20—like its predecessor,21 which was available at the time of the publication of the Government’s memorandum—states that “unless otherwise provided in this Agreement, Union law shall be applicable to and in the United Kingdom during the transition period”,22 meaning that much EU law will continue to apply directly to the UK during the transition period, when it has ceased to be a Member State. Although a number of exceptions to this are provided for in the Withdrawal Agreement, it is not clear to us whether any of these mean that the entirety of the Regulation would not apply to the UK. The addition in the latest version of the Withdrawal Agreement of the possibility to extend the implementation period for up to two years means that, unless such an exemption exists, the UK could potentially have to implement its provisions until the end of 2022.

2.20We therefore ask the Government, in its next update to the Committee, to clarify whether, on the basis of the Withdrawal Agreement recently agreed by UK and EU negotiators, it considers that the proposed Regulation would apply either in part or in whole to the UK during the implementation period, if it were extended until the end of 2022. We ask for the Government to provide as much detail as possible on this point.

2.21We retain the proposal under scrutiny. We ask for the Government to respond to these points in due course, and not later than 16 January 2019.

Full details of the documents:

2.22Proposal for a Regulation of the European Parliament and of the Council establishing the European Cybersecurity Industrial, Technology and Research Competence Centre and the Network of National Coordination Centres: (40070), 12104/18, COM(18) 630.

Previous Committee Reports

None.


15 A ‘European Partnership’, as defined in the proposed Horizon Europe Regulation (EU) 2018/0224, means an initiative where the Union, together with private and/or public partners (such as industry, research organisations, bodies with a public service mission at local, regional, national or international level or civil society organisations including foundations), commit to jointly support the development and implementation of a programme of research and innovation activities, including those related to market, regulatory or policy uptake.

16 Proposal for a Regulation of the European Parliament and of the Council establishing the Digital Europe programme for the period 2021–2027 COM/2018/434 final.

17 Proposal for a Regulation of the European Parliament and of the Council establishing Horizon Europe—the Framework Programme for Research and Innovation, laying down its rules for participation and dissemination COM/2018/435 final.

18 Explanatory Memorandum from the Minister of State at the Department of Digital, Culture, Media and Sport (2 October 2018).

19 HM Government, Agreement on the withdrawal of the United Kingdom of Great Britain and Northern Ireland from the European Union and the European Atomic Energy Community, as endorsed by leaders at a special meeting of the European Council on 25 November 2018 (25 November 2018).

20 HM Government, Agreement on the withdrawal of the United Kingdom of Great Britain and Northern Ireland from the European Union and the European Atomic Energy Community, as endorsed by leaders at a special meeting of the European Council on 25 November 2018 (25 November 2018).

21 European Commission, Draft Agreement on the withdrawal of the United Kingdom of Great Britain and Northern Ireland from the European Union and the European Atomic Energy Community highlighting the progress made (coloured version) in the negotiation round with the UK of 16–19 March 2018 (19 March 2019).

22 Article 127(1) of the withdrawal agreement.




Published: 18 December 2018