Legal provisions of COM(2018)630 - European Cybersecurity Industrial, Technology and Research Competence Centre and National Coordination Centres - Contribution to the Leaders’ meeting, September 2018

Please note

This page contains a limited version of this dossier in the EU Monitor.

dossier COM(2018)630 - European Cybersecurity Industrial, Technology and Research Competence Centre and National Coordination Centres - ...
document COM(2018)630 EN
date May 20, 2021

Contents

CHAPTER I - General provisions and principles of the Competence Centre and the Network

Article 1 - Subject matter and scope

1. This Regulation establishes the European Cybersecurity Industrial, Technology and Research Competence Centre (the ‘Competence Centre’) and the Network of National Coordination Centres (the ‘Network’). It lays down rules for the nomination of national coordination centres as well as rules for the establishment of the Cybersecurity Competence Community (the ‘Community’).

2. The Competence Centre shall have an essential role in the implementation of the cybersecurity part of the Digital Europe Programme, in particular with regard to actions related to Article 6 of Regulation (EU) 2021/694, and shall contribute to the implementation of Horizon Europe, in particular with regard to Section 3.1.3 of Pillar II of Annex I to Council Decision (EU) 2021/764 (12).

3. Member States shall collectively contribute to the work of the Competence Centre and the Network.

4. This Regulation is without prejudice to the competences of the Member States regarding public security, defence, national security and the activities of the state in areas of criminal law.

Article 2 - Definitions

For the purpose of this Regulation, the following definitions apply:

(1)‘cybersecurity’ means the activities necessary to protect network and information systems, the users of such systems, and other persons affected by cyber threats;

(2)‘network and information system’ means a network and information system as defined in point (1) of Article 4 of Directive (EU) 2016/1148;

(3)‘cybersecurity products, services and processes’ means commercial and non-commercial ICT products, services or processes with the specific purpose of protecting network and information systems or ensuring the confidentiality, integrity and accessibility of data that are processed or stored in network and information systems, as well as the cybersecurity of the users of such systems and other persons affected by cyber threats;

(4)‘cyber threat’ means any potential circumstance, event or action that could damage, disrupt or otherwise adversely impact network and information systems, the users of such systems and other persons;

(5)‘joint action’ means an action that is included in the annual work programme and that receives financial support from Horizon Europe, the Digital Europe Programme or other Union programmes as well as financial or in-kind support by one or more Member States, and which is implemented via projects involving beneficiaries that are established in and receive financial or in-kind support from those Member States;

(6)‘in-kind contribution’ means eligible costs incurred by national coordination centres and other public entities when they participate in projects funded through this Regulation, where those costs are not financed by a Union contribution or by financial contributions from Member States;

(7)‘European Digital Innovation Hub’ means a European Digital Innovation Hub as defined in point (e) of Article 2 of Regulation (EU) 2021/694;

(8)‘Agenda’ means a comprehensive and sustainable cybersecurity industrial, technology and research strategy which sets out strategic recommendations for the development and growth of the European cybersecurity industrial, technological and research sector and strategic priorities for the Competence Centre’s activities and is not binding with respect to decisions to be taken on the annual work programmes;

(9)‘technical assistance’ means assistance by the Competence Centre to the national coordination centres or the Community in the performance of theirs tasks by providing knowledge or facilitating access to expertise in the area of cybersecurity research, technology and industry, facilitating networking, raising awareness and promoting cooperation, or means assistance by the Competence Centre together with the national coordination centres to stakeholders with respect to the preparation of projects in relation to the mission of the Competence Centre and the Network and the objectives of the Competence Centre.

Article 3 - Mission of the Competence Centre and the Network

1. The mission of the Competence Centre and the Network is to help the Union to:

(a)strengthen its leadership and strategic autonomy in the area of cybersecurity by retaining and developing the Union’s research, academic, societal, technological and industrial cybersecurity capacities and capabilities necessary to enhance trust and security, including the confidentiality, integrity and accessibility of data, in the Digital Single Market;

(b)support Union technological capacities, capabilities and skills in relation to the resilience and reliability of the infrastructure of network and information systems, including critical infrastructure and commonly used hardware and software in the Union; and

(c)increase the global competitiveness of the Union’s cybersecurity industry, ensure high cybersecurity standards throughout the Union and turn cybersecurity into a competitive advantage for other Union industries.

2. The Competence Centre and the Network shall undertake their tasks in collaboration with ENISA and the Community, as appropriate.

3. The Competence Centre shall, in accordance with the legislative acts establishing the relevant programmes, in particular Horizon Europe and the Digital Europe Programme, use relevant Union financial resources in such a way as to contribute to the mission set out in paragraph 1.

Article 4 - Objectives of the Competence Centre

1. The Competence Centre shall have the overall objective of promoting research, innovation and deployment in the area of cybersecurity in order to fulfil the mission as set out in Article 3.

2. The Competence Centre shall have the following specific objectives:

(a)enhancing cybersecurity capacities, capabilities, knowledge and infrastructure for the benefit of industry, in particular SMEs, research communities, the public sector and civil society, as appropriate;

(b)promoting cybersecurity resilience, the uptake of cybersecurity best practices, the principle of security by design, and the certification of the security of digital products and services, in a manner that complements the efforts of other public entities;

(c)contributing to a strong European cybersecurity ecosystem which brings together all relevant stakeholders.

3. The Competence Centre shall implement the specific objectives referred to in paragraph 2 by:

(a)establishing strategic recommendations for research, innovation and deployment in cybersecurity in accordance with Union law and setting out strategic priorities for the Competence Centre’s activities;

(b)implementing actions under relevant Union funding programmes in accordance with the relevant work programmes and the Union legislative acts establishing those funding programmes;

(c)fostering cooperation and coordination among the national coordination centres and with and within the Community; and

(d)where relevant and appropriate, acquiring and operating ICT infrastructure and services where necessary to fulfil the tasks set out in Article 5 and in accordance with the respective work programmes set out in point (b) of Article 5(3).

Article 5 - Tasks of the Competence Centre

1. In order to fulfil its mission and objectives, the Competence Centre shall have the following tasks:

(a)strategic tasks; and

(b)implementation tasks.

2. The strategic tasks referred to in point (a) of paragraph 1 shall consist of:

(a)developing and monitoring the implementation of the Agenda;

(b)through the Agenda and the multiannual work programme, while avoiding any duplication of activities with ENISA and taking into account the need to create synergies between cybersecurity and other parts of Horizon Europe and the Digital Europe Programme:

(i)establishing priorities for the work of the Competence Centre in relation to:

(1)the enhancement of cybersecurity research and innovation, covering the entire innovation cycle, and the deployment of that research and innovation;

(2)the development of cybersecurity industrial, technological and research capacities, capabilities, and infrastructure;

(3)the reinforcement of cybersecurity and technology skills and competence in industry, technology and research and at all relevant educational levels, supporting gender balance;

(4)the deployment of cybersecurity products, services and processes;

(5)support for the uptake by the market of cybersecurity products, services and processes contributing to the mission set out in Article 3;

(6)support for the adoption and integration of state-of-the-art cybersecurity products, services and processes by public authorities at their request, by demand-side industries and by other users;

(ii)supporting the cybersecurity industry, in particular SMEs, with a view to strengthening Union excellence, capacity and competitiveness with regard to cybersecurity, including with a view to connecting to potential markets and deployment opportunities, and to attracting investment; and

(iii)providing support and technical assistance to cybersecurity start-ups, SMEs, microenterprises, associations, individual experts and civic technology projects;

(c)ensuring synergies between and cooperation with relevant Union institutions, bodies, offices and agencies, in particular ENISA, while avoiding any duplication of activities with those Union institutions, bodies, offices and agencies;

(d)coordinating national coordination centres through the Network and ensuring a regular exchange of expertise;

(e)providing expert cybersecurity industrial, technology and research advice to Member States at their request, including with regard to the procurement and deployment of technologies;

(f)facilitating collaboration and the sharing of expertise among all relevant stakeholders, in particular members of the Community;

(g)attending Union, national and international conferences, fairs and forums related to the mission, objectives and tasks of the Competence Centre with the aim of sharing views and exchanging relevant best practices with other participants;

(h)facilitating the use of results from research and innovation projects in actions related to the development of cybersecurity products, services and processes, while seeking to avoid the fragmentation and duplication of efforts and replicating good cybersecurity practices and cybersecurity products, services and processes, in particular those developed by SMEs and those using open source software.

3. The implementation tasks referred to in point (b) of paragraph 1 shall consist of:

(a)coordinating and administrating the work of the Network and the Community in order to fulfil the mission set out in Article 3, in particular by supporting cybersecurity start-ups, SMEs, microenterprises, associations and civic technology projects in the Union and facilitating their access to expertise, funding, investment and markets;

(b)establishing and implementing the annual work programme, in accordance with the Agenda and the multiannual work programme, for the cybersecurity parts of:

(i)the Digital Europe Programme, in particular actions related to Article 6 of Regulation (EU) 2021/694;

(ii)joint actions receiving support under the provisions that relate to cybersecurity in Horizon Europe, in particular with regard to Section 3.1.3 of Pillar II of Annex I to Decision (EU) 2021/764, in accordance with the multiannual work programme and the strategic planning process of Horizon Europe; and

(iii)other programmes where provided for in the relevant legislative acts of the Union;

(c)supporting, where appropriate, the achievement of Specific Objective 4 – ‘Advanced Digital Skills’ as set out in Article 7 of Regulation (EU) 2021/694, in cooperation with European Digital Innovation Hubs;

(d)providing expert advice on cybersecurity industry, technology and research to the Commission when the Commission prepares draft work programmes pursuant to Article 13 of Decision (EU) 2021/764;

(e)carrying out or enabling the deployment of ICT infrastructure and facilitating the acquisition of such infrastructure, for the benefit of society, industry and the public sector, at the request of Member States, research communities and operators of essential services, by means of, inter alia, contributions from Member States and Union funding for joint actions, in accordance with the Agenda, the annual work programme and the multiannual work programme;

(f)raising awareness of the mission of the Competence Centre and the Network and of the objectives and tasks of the Competence Centre;

(g)without prejudice to the civilian nature of projects to be financed from Horizon Europe, and in accordance with Regulations (EU) 2021/695 and (EU) 2021/694, enhancing synergies and coordination between the cybersecurity civilian and defence spheres, by facilitating the exchange of:

(i)knowledge and information with regard to dual-use technologies and applications;

(ii)results, requirements and best practices; and

(iii)information with regard to the priorities of relevant Union programmes.

4. The Competence Centre shall carry out the tasks set out in paragraph 1 in close cooperation with the Network.

5. In accordance with Article 6 of Regulation (EU) 2021/695 and subject to a contribution agreement as defined in point (18) of Article 2 of the Financial Regulation, the Competence Centre may be entrusted with the implementation of the cybersecurity parts under Horizon Europe that are not co-funded by the Member States, in particular with regard to Section 3.1.3 of Pillar II of Annex I to Decision (EU) 2021/764.

Article 6 - Nomination of national coordination centres

1. By 29 December 2021, each Member State shall nominate one entity which fulfils the criteria laid down in paragraph 5 to act as its national coordination centre for the purposes of this Regulation. Each Member State shall notify that entity to the Governing Board without delay. Such entity may be an entity already established in that Member State.

The deadline set out in the first subparagraph of this paragraph shall be extended for the period during which the Commission is to issue the opinion referred to in paragraph 2.

2. At any time, a Member State may ask the Commission for an opinion concerning whether the entity that the Member State has nominated or intends to nominate to act as its national coordination centre has the necessary capacity to manage funds to fulfil the mission and objectives laid down in this Regulation. The Commission shall issue its opinion to that Member State within three months of the Member State’s request.

3. On the basis of the notification by a Member State of an entity as referred to in paragraph 1, the Governing Board shall list that entity as a national coordination centre no later than three months after the notification. The Competence Centre shall publish the list of nominated national coordination centres.

4. A Member State may at any time nominate a new entity to act as its national coordination centre for the purposes of this Regulation. Paragraphs 1, 2 and 3 shall apply to the nomination of any new entity.

5. The national coordination centre shall be a public sector entity or an entity, a majority of which is owned by the Member State, which performs public administrative functions under national law, including by means of delegation, and having the capacity to support the Competence Centre and the Network in fulfilling their mission as set out in Article 3 of this Regulation. It shall either possess or have access to research and technological expertise in cybersecurity. It shall have the capacity to engage effectively and coordinate with industry, the public sector, the academic and research community and citizens, as well as with authorities designated pursuant to Directive (EU) 2016/1148.

6. At any time, a national coordination centre may request to be recognised as having the necessary capacity to manage funds to fulfil the mission and objectives laid down in this Regulation, in accordance with Regulations (EU) 2021/695 and (EU) 2021/694. Within three months of such a request, the Commission shall assess whether that national coordination centre has such capacity and shall issue a decision.

Where the Commission has provided a positive opinion to a Member State in accordance with the procedure laid down in paragraph 2, that opinion shall be deemed to be a decision recognising the relevant entity as having the necessary capacity for the purposes of this paragraph.

No later than 29 August 2021, after consulting the Governing Board, the Commission shall issue guidelines on the assessment referred to in the first subparagraph, including a specification of the conditions for recognition and how opinions and assessments are conducted.

Before issuing the opinion referred to in paragraph 2 and the decision referred to in the first subparagraph of this paragraph, the Commission shall take into account any information and documentation provided by the requesting national coordination centre.

Any decision not to recognise a national coordination centre as having the necessary capacity to manage funds to fulfil the mission and objectives laid down in this Regulation shall be duly reasoned, setting out the requirements the requesting national coordination centre has not yet fulfilled that justify the decision to withhold recognition. Any national coordination centre whose request for recognition has been rejected may resubmit its request with additional information at any time.

Member States shall inform the Commission in the event of changes to the national coordination centre, such as the composition of the national coordination centre, the legal form of the national coordination centre or other relevant aspects, that affect its capacity to manage funds to fulfil the mission and objectives laid down in this Regulation. On receiving such information the Commission may review a decision to grant or withhold recognition of the national coordination centre as having the necessary capacity to manage funds accordingly.

7. The Network shall be composed of all the national coordination centres that have been notified to the Governing Board by the Member States.

Article 7 - Tasks of the national coordination centres

1. The national coordination centres shall have the following tasks:

(a)acting as points of contact at national level for the Community to support the Competence Centre in fulfilling its mission and objectives, in particular in coordinating the Community through the coordination of Community members in their Member States;

(b)providing expertise and actively contributing to the strategic tasks set out in Article 5(2), taking into account relevant national and regional challenges for cybersecurity in different sectors;

(c)promoting, encouraging and facilitating the participation of civil society, industry, in particular start-ups and SMEs, the academic and research communities and other stakeholders at national level in cross-border projects and in cybersecurity actions funded by relevant Union programmes;

(d)providing technical assistance to stakeholders by supporting them in the application phase for projects managed by the Competence Centre in relation to its mission and objectives, and in full compliance with the rules of sound financial management, especially with regard to conflicts of interest;

(e)seeking to establish synergies with relevant activities at national, regional and local level, such as national policies on research, development and innovation in the area of cybersecurity, in particular those policies stated in the national cybersecurity strategies;

(f)implementing specific actions for which grants have been awarded by the Competence Centre, including through the provision of financial support to third parties in accordance with Article 204 of the Financial Regulation under conditions specified in the grant agreements concerned;

(g)without prejudice to the competences of Member States for education and taking into account the relevant tasks of ENISA, engaging with national authorities regarding possible contributions to promoting and disseminating cybersecurity educational programmes;

(h)promoting and disseminating the relevant outcomes of the work of the Network, the Community and the Competence Centre at national, regional or local level;

(i)assessing requests by entities established in the same Member State as the national coordination centre to become part of the Community;

(j)advocating and promoting the involvement of relevant entities in the activities arising from the Competence Centre, the Network and the Community, and monitoring, as appropriate, the level of engagement with and the amount of public financial support awarded for cybersecurity research, developments and deployments.

2. For the purposes of point (f) of paragraph 1 of this Article, the financial support to third parties may be provided in any of the forms of Union contribution specified in Article 125 of the Financial Regulation, including in the form of lump sums.

3. On the basis of a decision as referred to in Article 6(6) of this Regulation, national coordination centres may receive a grant from the Union in accordance with point (d) of the first paragraph of Article 195 of the Financial Regulation in relation to carrying out the tasks laid down in this Article.

4. National coordination centres shall, where relevant, cooperate through the Network.

Article 8 - The Cybersecurity Competence Community

1. The Community shall contribute to the mission of the Competence Centre and the Network set out in Article 3 and shall enhance, share and disseminate cybersecurity expertise across the Union.

2. The Community shall consist of industry, including SMEs, academic and research organisations, other relevant civil society associations as well as, as appropriate, relevant European Standardisation Organisations, public entities and other entities dealing with cybersecurity operational and technical matters and, where relevant, stakeholders in sectors that have an interest in cybersecurity and that face cybersecurity challenges. The Community shall bring together the main stakeholders with regard to cybersecurity technological, industrial, academic and research capacities in the Union. It shall involve national coordination centres, European Digital Innovation Hubs, where relevant, as well as Union institutions, bodies, offices and agencies with relevant expertise, such as ENISA.

3. Only entities which are established within the Member States shall be registered as members of the Community. They shall demonstrate that they are able to contribute to the mission and shall have cybersecurity expertise with regard to at least one of the following domains:

(a)academia, research or innovation;

(b)industrial or product development;

(c)training and education;

(d)information security or incident response operations;

(e)ethics;

(f)formal and technical standardisation and specifications.

4. The Competence Centre shall register entities, at their request, as members of the Community after an assessment made by the national coordination centre of the Member State in which those entities are established to confirm that those entities meet the criteria set out in paragraph 3 of this Article. That assessment shall also take into account any relevant national assessment on security grounds made by the national competent authorities. Such registrations shall not be limited in time but may be revoked by the Competence Centre at any time if the relevant national coordination centre considers that the entity concerned no longer fulfils the criteria set out in paragraph 3 of this Article or falls under Article 136 of the Financial Regulation, or on justified security grounds. Where membership in the Community is revoked on security grounds, the decision to revoke shall be proportional and reasoned. The national coordination centres shall aim to achieve a balanced representation of stakeholders in the Community and actively stimulate participation, in particular of SMEs.

5. National coordination centres shall be encouraged to cooperate through the Network in order to harmonise the way in which they apply the criteria set out in paragraph 3 and the procedures for assessing and registering entities referred to in paragraph 4.

6. The Competence Centre shall register relevant Union institutions, bodies, offices and agencies as members of the Community after carrying out an assessment to confirm that that Union institution, body, office or agency meets the criteria set out in paragraph 3 of this Article. Such registrations shall not be limited in time but may be revoked by the Competence Centre at any time if it considers that the Union institution, body, office or agency no longer fulfils the criteria set out in paragraph 3 of this Article or falls under Article 136 of the Financial Regulation.

7. Representatives of the Union institutions, bodies, offices and agencies may participate in the work of the Community.

8. An entity registered as a member of the Community shall designate its representatives to ensure an efficient dialogue. Those representatives shall have expertise with regard to cybersecurity research, technology or industry. The requirements may be further specified by the Governing Board, without unduly limiting the entities in the designation of their representatives.

9. The Community, through its working groups and in particular through the Strategic Advisory Group, shall provide the Executive Director and the Governing Board with strategic advice on the Agenda, the annual work programme and the multiannual work programme, in accordance with the rules of procedure of the Governing Board.

Article 9 - Tasks of the members of the Community

The members of the Community shall:

(a)support the Competence Centre in fulfilling its mission and objectives and, for that purpose, shall work closely with the Competence Centre and the national coordination centres;

(b)where relevant, participate in formal or informal activities and in the working groups referred to in point (n) of Article 13(3) to carry out specific activities as provided by the annual work programme; and

(c)where relevant, support the Competence Centre and the national coordination centres in promoting specific projects.

Article 10 - Cooperation of the Competence Centre with other Union institutions, bodies, offices and agencies and international organisations

1. To ensure consistency and complementarity while avoiding any duplication of effort, the Competence Centre shall cooperate with relevant Union institutions, bodies, offices and agencies, including ENISA, the European External Action Service, the Directorate-General Joint Research Centre of the Commission, the European Research Executive Agency, the European Research Council Executive Agency and the European Health and Digital Executive Agency established by Commission Implementing Decision (EU) 2021/173 (13), relevant European Digital Innovation Hubs, the European Cybercrime Centre at the European Union Agency for Law Enforcement Cooperation established by Regulation (EU) 2016/794 of the European Parliament and of the Council (14), the European Defence Agency in relation to the tasks set out in Article 5 of this Regulation and other relevant Union entities. The Competence Centre may also cooperate with international organisations, where relevant.

2. Cooperation as referred to in paragraph 1 of this Article may take place within the framework of working arrangements. Those arrangements shall be submitted for the approval of the Governing Board. Any sharing of classified information shall take place within the framework of administrative arrangements concluded in accordance with Article 36(3).

CHAPTER II - Organisation of the Competence Centre

Article 11 - Membership and structure

1. The members of the Competence Centre shall be the Union, represented by the Commission, and the Member States.

2. The structure of the Competence Centre shall ensure the achievement of the objectives set out in Article 4 and the tasks set out in Article 5, and shall comprise:

(a)a Governing Board;

(b)an Executive Director;

(c)a Strategic Advisory Group.

Section I - Governing Board


Article 12 - Composition of the Governing Board

1. The Governing Board shall be composed of one representative of each Member State and two representatives of the Commission who act on behalf of the Union.

2. Each member of the Governing Board shall have an alternate. That alternate shall represent the member in the member’s absence.

3. Members of the Governing Board appointed by Member States and their alternates shall be public sector staff in their respective Member State and shall be appointed on the basis of their knowledge in the area of cybersecurity research, technology and industry, their ability to ensure the coordination of actions and positions with their respective national coordination centre, or their relevant managerial, administrative and budgetary skills. The Commission shall appoint its members of the Governing Board and their alternates on the basis of their knowledge in the area of cybersecurity, technology, or their relevant managerial, administrative and budgetary skills and of their ability to ensure coordination, synergies and, as far as possible, joint initiatives between different sectoral or horizontal Union policies involving cybersecurity. The Commission and the Member States shall make efforts to limit the turnover of their representatives in the Governing Board, in order to ensure the continuity of the Governing Board’s work. The Commission and the Member States shall aim to achieve a balanced representation between men and women on the Governing Board.

4. The term of office of members of the Governing Board and of their alternates shall be four years. That term shall be renewable.

5. The members of the Governing Board shall ensure that the Competence Centre’s mission, objectives, identity and autonomy are safeguarded and that its actions are consistent with that mission and those objectives, in an independent and transparent way.

6. The Governing Board may invite observers to take part in its meetings as appropriate, including representatives of relevant Union institutions, bodies, offices and agencies, and the members of the Community.

7. A representative from ENISA shall be a permanent observer in the Governing Board. The Governing Board may invite a representative from the Strategic Advisory Group to attend its meetings.

8. The Executive Director shall take part in the meetings of the Governing Board but shall have no right to vote.

Article 13 - Tasks of the Governing Board

1. The Governing Board shall have the overall responsibility for the strategic orientation and the operations of the Competence Centre, shall supervise the implementation of its activities and shall be responsible for any task that is not specifically allocated to the Executive Director.

2. The Governing Board shall adopt its rules of procedure. Those rules of procedure shall include specific procedures for identifying and avoiding conflicts of interest and shall ensure the confidentiality of any sensitive information.

3. The Governing Board shall take necessary strategic decisions, in particular with regard to:

(a)the development and adoption of the Agenda and the monitoring of its implementation;

(b)reflecting the Union’s policy priorities and the Agenda, the adoption of the multiannual work programme containing common, industrial, technology and research priorities which are based on the needs identified by Member States in cooperation with the Community and which require the focus of Union financial support, including key technologies and domains for developing the Union’s own capabilities in cybersecurity;

(c)the adoption of the annual work programme for implementing the relevant Union funds, in particular the cybersecurity parts of Horizon Europe insofar as they are co-financed voluntarily by Member States and of the Digital Europe Programme, in accordance with the Competence Centre’s multiannual work programme and the strategic planning process of Horizon Europe;

(d)the adoption of the Competence Centre’s annual accounts, balance sheet and annual activity report, on the basis of a proposal from the Executive Director;

(e)the adoption of the specific financial rules of the Competence Centre in accordance with Article 70 of the Financial Regulation;

(f)as part of the annual work programme, the allocation of funds from the Union budget to topics for joint actions between the Union and Member States;

(g)as part of the annual work programme, and in accordance with the decisions referred to in point (f) of this subparagraph and in compliance with Regulations (EU) 2021/695 and (EU) 2021/694, the description of the joint actions referred to in point (f) of this subparagraph and the laying down of conditions for the implementation of such joint actions;

(h)the adoption of a procedure for appointing the Executive Director and the appointment, dismissal, extension of the term of office of, provision of guidance to and the monitoring of the performance of the Executive Director;

(i)the adoption of guidelines for assessing and registering entities as members of the Community;

(j)the adoption of the working arrangements referred to in Article 10(2);

(k)the appointment of the Accounting Officer;

(l)the adoption of the annual budget of the Competence Centre, including the corresponding establishment plan indicating the number of temporary posts by function group and by grade, with the number of contract staff and seconded national experts being expressed in full-time equivalents;

(m)the adoption of transparency rules for the Competence Centre and rules for the prevention and management of conflicts of interest, including in respect of the members of the Governing Board, in accordance with Article 42 of Delegated Regulation (EU) 2019/715;

(n)the establishment of working groups within the Community, where relevant taking into account advice provided by the Strategic Advisory Group;

(o)the appointment of members of the Strategic Advisory Group;

(p)the adoption of rules on the reimbursement of expenses for members for the Strategic Advisory Group;

(q)the setting up of a monitoring mechanism to ensure that the implementation of the respective funds managed by the Competence Centre is done in accordance with the Agenda, the mission, the multiannual work programme and the rules of the programmes that are the source of the relevant funding;

(r)the ensuring of a regular dialogue and the establishment of an effective cooperation mechanism with the Community;

(s)the establishment of the Competence Centre’s communications policy on the basis of a recommendation by the Executive Director;

(t)where appropriate, the establishment of rules implementing the Staff Regulations of Officials and the Conditions of Employment of Other Servants of the European Union, laid down in Council Regulation (EEC, Euratom, ECSC) No 259/68 (15) (‘Staff Regulations’ and ‘Conditions of Employment’), in accordance with Article 30(3) of this Regulation;

(u)where appropriate, the laying down of rules on the secondment of national experts to the Competence Centre and on the use of trainees in accordance with Article 31(2);

(v)the adoption of security rules for the Competence Centre;

(w)the adoption of an anti-fraud and anti-corruption strategy that is proportionate to the fraud and corruption risks, as well as the adoption of comprehensive measures, in accordance with applicable Union legislation, to protect persons who report infringements of Union law, having regard to a cost-benefit analysis of the measures to be implemented;

(x)if necessary, the adoption of the methodology to calculate voluntary financial and in-kind contributions from contributing Member States in accordance with Regulations (EU) 2021/695 and (EU) 2021/694 or with any other applicable legislation;

(y)in the context of the annual work programme and the multiannual work programme, the ensuring of coherence and synergies with those parts of the Digital Europe Programme and Horizon Europe which are not managed by the Competence Centre, as well as with other Union programmes;

(z)the adoption of the annual report on the implementation of the Competence Centre’s strategic goals and priorities, if necessary with a recommendation for the better realisation of those goals and priorities.

Insofar the annual work programme contains joint actions, it shall contain information about Member States’ voluntary contributions to joint actions. Where appropriate, proposals, in particular the proposal for the annual work programme, shall assess the need to apply security rules as set out in Article 33 of this Regulation, including the security self-assessment procedure in accordance with Article 20 of Regulation (EU) 2021/695.

4. Regarding the decisions set out in points (a), (b) and (c) of paragraph 3, the Executive Director and the Governing Board shall take into account any relevant strategic advice and input provided by ENISA, in accordance with the rules of procedure of the Governing Board.

5. The Governing Board shall be responsible for ensuring that the recommendations contained in the implementation report and the evaluation referred to in Article 38(2) and (4) are adequately followed up.

Article 14 - Chairperson and meetings of the Governing Board

1. The Governing Board shall elect a Chairperson and a Deputy Chairperson from among its members, each for a period of three years. The mandate of the Chairperson and the Deputy Chairperson may be extended once by a decision by the Governing Board. If, however, the membership of the Governing Board of the Chairperson or Deputy Chairperson ends at any time during their terms of office, their terms of office shall automatically expire at that time. The Deputy Chairperson shall replace the Chairperson ex officio if the latter is unable to attend to his or her duties. The Chairperson shall take part in the voting.

2. The Governing Board shall hold ordinary meetings at least three times a year. It may hold extraordinary meetings at the request of the Commission, at the request of one third of all its members, at the request of the Chairperson, or at the request of the Executive Director in the fulfilment of his or her tasks.

3. The Executive Director shall take part in the deliberations of the Governing Board, unless decided otherwise by the Governing Board, but shall have no right to vote.

4. The Governing Board may invite other persons to attend its meetings as observers, on a case-by-case basis.

5. The Chairperson may invite representatives of the Community to take part in the meetings of the Governing Board, but they shall have no right to vote.

6. The members of the Governing Board and their alternates may be assisted at the meetings by advisers or experts, subject to the rules of procedure of the Governing Board.

7. The Competence Centre shall provide the secretariat for the Governing Board.

Article 15 - Voting rules of the Governing Board

1. The Governing Board shall use a consensual approach in its discussions. A vote shall be held if the members of the Governing Board fail to achieve consensus.

2. If the Governing Board fails to achieve consensus on a matter, it shall take its decisions by a majority of at least 75 % of the votes of all its members, the representatives of the Commission constituting a single member for that purpose. An absent member of the Governing Board may delegate his or her vote to his or her alternate or, in the absence of his or her alternate, to another member. No member of the Governing Board shall represent more than one other member.

3. Decisions of the Governing Board on the joint actions and their management as referred to in points (f) and (g) of Article 13(3) shall be taken as follows:

(a)decisions to allocate funds from the Union budget to joint actions as referred to in point (f) of Article 13(3) and decisions to include such joint actions in the annual work programme shall be taken in accordance with paragraph 2 of this Article;

(b)decisions relating to the description of joint actions and laying down conditions for their implementation referred in point (g) of Article 13(3) shall be taken by participating Members States and the Commission, subject to the right to vote of the members being proportional to their respective contributions to that joint action, calculated in accordance with the methodology adopted pursuant to point (x) of Article 13(3).

4. For decisions which are taken under points (b), (c), (d), (e), (f), (k), (l), (p), (q), (t), (u), (w), (x) and (y) of Article 13(3), the Commission shall have 26 % of the total votes within the Governing Board.

5. For decisions other than those referred to in point (b) of paragraph 3 and in paragraph 4, each Member State and the Union shall have one vote. The vote of the Union shall be cast jointly by the two representatives of the Commission.

6. The Chairperson shall take part in the voting.

Section II - Executive Director


Article 16 - Appointment, dismissal, and extension of the term of office, of the Executive Director

1. The Executive Director shall be a person with expertise and a strong reputation in the areas where the Competence Centre operates.

2. The Executive Director shall be engaged as a temporary agent of the Competence Centre under point (a) of Article 2 of the Conditions of Employment.

3. The Executive Director shall be appointed by the Governing Board from a list of candidates proposed by the Commission, following an open, transparent and non-discriminatory selection procedure.

4. For the purpose of concluding the contract of the Executive Director, the Competence Centre shall be represented by the Chairperson of the Governing Board.

5. The term of office of the Executive Director shall be four years. Before the end of that period, the Commission shall carry out an assessment which takes into account the evaluation of the performance of the Executive Director and the Competence Centre’s future tasks and challenges.

6. The Governing Board, acting on a proposal from the Commission which takes into account the assessment referred to in paragraph 5, may extend the term of office of the Executive Director once for no more than four years.

7. An Executive Director whose term of office has been extended shall not participate in another selection procedure for the same post.

8. The Executive Director shall be removed from office only by a decision of the Governing Board, acting on a proposal from the Commission or from at least 50 % of the Member States.

Article 17 - Tasks of the Executive Director

1. The Executive Director shall be responsible for operations and for the day-to-day management of the Competence Centre and shall be its legal representative. The Executive Director shall be accountable to the Governing Board and perform his or her duties with complete independence within the powers assigned to him or her. The Executive Director shall be supported by the staff of the Competence Centre.

2. The Executive Director shall carry out at least the following tasks in an independent manner:

(a)implement the decisions adopted by the Governing Board;

(b)support the Governing Board in its work, provide the secretariat for its meetings and supply all information necessary for the performance of its duties;

(c)after consulting the Governing Board and the Commission and taking into account the input of the national coordination centres and the Community, prepare and submit for adoption to the Governing Board the Agenda, as well as, in accordance with the Agenda, the draft annual work programme and the draft multiannual work programme of the Competence Centre, including the scope of the calls for proposals, calls for expressions of interest and calls for tenders needed to implement the annual work programme and the corresponding expenditure estimates as proposed by the Member States and the Commission;

(d)prepare and submit the draft annual budget to the Governing Board for adoption, including the corresponding establishment plan referred to in point (l) of Article 13(3), indicating the number of temporary posts in each grade and function group and the number of contract staff and seconded national experts, expressed in full-time equivalents;

(e)implement the annual work programme and the multiannual work programme and report to the Governing Board with regard thereto;

(f)prepare the draft annual activity report on the Competence Centre, including the information on corresponding expenditure and the implementation of the Agenda and the multiannual work programme; if necessary, that report shall be accompanied by proposals for the further improvement of the realisation or the reformulation of the strategic goals and priorities;

(g)ensure the implementation of effective monitoring and evaluation procedures in relation to the performance of the Competence Centre;

(h)prepare an action plan that follows up on the conclusions of the implementation report and the evaluation referred to in Article 38(2) and (4) and, every two years, submit reports on progress to the European Parliament and to the Commission;

(i)prepare and conclude agreements with the national coordination centres;

(j)be responsible for administrative, financial and staff matters, including the implementation of the Competence Centre’s budget, taking due account of advice received from the relevant internal audit function, in accordance with the decisions referred to in points (e), (l), (t), (u), (v) and (w) of Article 13(3);

(k)approve and manage the launch of calls for proposals, in accordance with the annual work programme, and administer the resulting grant agreements and decisions;

(l)approve the list of actions selected for funding on the basis of a ranking list established by a panel of independent experts;

(m)approve and manage the launch of calls for tenders, in accordance with the annual work programme, and administer the resulting contracts;

(n)approve the tenders selected for funding;

(o)submit the draft annual accounts and balance sheet to the relevant internal audit function, and subsequently to the Governing Board;

(p)ensure that risk assessments and risk management are performed;

(q)sign individual grant agreements, decisions and contracts;

(r)sign procurement contracts;

(s)prepare an action plan that follows up on the conclusions of internal or external audit reports, as well as investigations by the European Anti-Fraud Office (OLAF) established with Commission Decision 1999/352/EC, ECSC, Euratom (16) and report on progress twice a year to the Commission and regularly to the Governing Board;

(t)prepare draft financial rules applicable to the Competence Centre;

(u)establish and ensure the functioning of an effective and efficient internal control system and report any significant change to it to the Governing Board;

(v)ensure effective communication with the Union’s institutions and report, when invited, to the European Parliament and to the Council;

(w)take any other measures needed to assess the Competence Centre’s fulfilment of its mission and objectives;

(x)perform any other tasks entrusted or delegated to him or her by the Governing Board.

Section III - Strategic Advisory Group


Article 18 - Composition of the Strategic Advisory Group

1. The Strategic Advisory Group shall consist of no more than 20 members. The members shall be appointed by the Governing Board, acting on a proposal from the Executive Director, from among the representatives of the members of the Community other than representatives of Union institutions, bodies, offices and agencies. Only representatives of members which are not controlled by a third country or by an entity established in a third-country shall be eligible. The appointment shall be made in accordance with an open, transparent, and non-discriminatory procedure. The Governing Board shall aim for the composition of the Strategic Advisory Group to achieve a balanced representation of the Community between scientific, industrial and civil society entities, demand and supply-side industries, large enterprises and SMEs, as well as balanced representation in terms of geographical provenance and gender. It shall also aim to achieve an intra sectorial balance, having regard to the cohesion of the Union and all of the Member States in the area of cybersecurity research, industry and technology. The Strategic Advisory Group shall be composed so as to enable a comprehensive, ongoing and permanent dialogue between the Community and the Competence Centre.

2. Members of the Strategic Advisory Group shall have expertise with regard to cybersecurity research, industrial development, offering, implementing, or deploying professional services or products. The requirements for such expertise shall be further specified by the Governing Board.

3. Procedures concerning the appointment of the members of the Strategic Advisory Group and the operation of the Strategic Advisory Group shall be specified in the rules of procedure of the Governing Board and shall be made public.

4. The terms of office of members of the Strategic Advisory Group shall be two years. Those terms shall be renewable once.

5. Representatives of the Commission and of other Union institutions, bodies, offices and agencies, in particular ENISA, may be invited by the Strategic Advisory Group to participate in and support its work. The Strategic Advisory Group may invite additional representatives from the Community in the capacity of observer, adviser, or expert, as appropriate on a case-by-case basis, to take into account the dynamic of developments in the area of cybersecurity. Members of the Governing Board may participate as observers in the meetings of the Strategic Advisory Group.

Article 19 - Functioning of the Strategic Advisory Group

1. The Strategic Advisory Group shall meet at least three times a year.

2. The Strategic Advisory Group shall provide advice to the Governing Board on the establishment of working groups within the Community, in accordance with point (n) of Article 13(3) on specific issues relevant to the work of the Competence Centre, whenever those issues directly relate to the tasks and areas of competence set out in Article 20. Where necessary, such working groups shall be subject to the overall coordination of one or more members of the Strategic Advisory Group.

3. The Strategic Advisory Group shall elect its Chair by a simple majority of its members.

4. The secretariat of the Strategic Advisory Group shall be provided by the Executive Director and the staff of the Competence Centre, using existing resources, with due regard to the overall workload of the Competence Centre. The resources assigned to the support of the Strategic Advisory Group shall be indicated in the draft annual budget.

5. The Strategic Advisory Group shall adopt its rules of procedure by a simple majority of its members.

Article 20 - Tasks of the Strategic Advisory Group

The Strategic Advisory Group shall regularly advise the Competence Centre in respect of the performance of the Competence Centre’s activities and shall ensure communication with the Community and other relevant stakeholders. The Strategic Advisory Group shall also:

(a)taking into account contributions from the Community and the working groups referred to in point (n) of Article 13(3) where relevant, provide and update on an ongoing basis strategic advice and input to the Executive Director and the Governing Board with regard to the Agenda, the annual work programme and the multiannual work programme within the deadlines set by the Governing Board;

(b)advise the Governing Board on the establishment of working groups within the Community in accordance with point (n) of Article 13(3) on specific issues relevant to the work of the Competence Centre;

(c)subject to approval by the Governing Board, decide on and organise public consultations open to all public and private stakeholders who have an interest in the area of cybersecurity, in order to collect input for the strategic advice referred to in point (a).

CHAPTER III - Financial provisions

Article 21 - Union and Member States’ financial contributions

1. The Competence Centre shall be funded by the Union, while joint actions shall be funded by the Union and by voluntary contributions by the Member States.

2. The administrative and operational costs of joint actions shall be covered by the Union and by the Member States contributing to the joint actions, in accordance with Regulations (EU) 2021/695 and (EU) 2021/694.

3. The Union’s contribution to the Competence Centre to cover administrative costs and operational costs shall comprise the following:

(a)up to EUR 1 649 566 000 from the Digital Europe Programme, including up to EUR 32 000 000 for administrative costs;

(b)an amount from Horizon Europe, including for administrative costs, for joint actions, such amount being equal to the amount contributed by Member States pursuant to paragraph 7 of this Article but not exceeding the amount determined in the strategic planning process of Horizon Europe to be carried out pursuant to Article 6(6) of Regulation (EU) 2021/695, in the annual work programme or in the multiannual work programme;

(c)an amount from the other relevant Union programmes, as needed for the implementation of the tasks or the achievement of the objectives of the Competence Centre, subject to decisions taken in accordance with the legal acts of the Union establishing those programmes.

4. The maximum Union contribution shall be paid from the appropriations in the general budget of the Union allocated to Digital Europe Programme, the specific programme implementing Horizon Europe established by Decision (EU) 2021/764 and other programmes and projects falling within the scope of the Competence Centre or the Network.

5. The Competence Centre shall implement cybersecurity actions of the Digital Europe Programme and Horizon Europe in accordance with point (c)(iv) of the first subparagraph of Article 62(1) of the Financial Regulation.

6. Contributions from Union programmes other than those referred to in paragraphs 3 and 4 that are part of the Union co-financing to a programme implemented by one of the Member States shall not be accounted for in the calculation of the Union maximum financial contribution referred to in those paragraphs.

7. Member States shall voluntarily take part in joint actions by means of voluntary financial and/or in-kind contributions. If a Member State takes part in a joint action, the financial contribution by that Member State shall cover administrative costs in proportion to its contribution to that joint action. The administrative costs of joint actions shall be met by financial contributions. The operational costs of joint actions may be met by financial or in-kind contributions, as provided for by Horizon Europe and the Digital Europe Programme. Contributions from each Member State may take the form of support that the Member State provides in a joint action to beneficiaries established in that Member State. In-kind contributions by Member States consist of the eligible costs incurred by national coordination centres and other public entities when participating in projects funded through this Regulation, less any Union contribution to those costs. In the case of projects funded by Horizon Europe, eligible costs shall be calculated in accordance with Article 36 of Regulation (EU) 2021/695. In the case of projects funded by the Digital Europe Programme, eligible costs shall be calculated in accordance with the Financial Regulation.

The envisaged amount of total Member State voluntary contributions to joint actions under Horizon Europe, including financial contributions for administrative costs, shall be determined in order to be taken into account in the strategic planning process of Horizon Europe to be carried out pursuant to Article 6(6) of Regulation (EU) 2021/695, with input from the Governing Board. For actions under the Digital Europe Programme, notwithstanding Article 15 of Regulation (EU) 2021/694, the Member States may make a contribution to the costs of the Competence Centre that are co-financed from the Digital Europe Programme that is lower than the amounts specified in point (a) of paragraph 3 of this Article.

8. Member States’ national co-funding of actions supported by Union programmes other than Horizon Europe and the Digital Europe Programme shall be considered to be Member States’ national contributions insofar as those contributions are parts of joint actions and are included in the Competence Centre’s work programme.

9. For the purpose of assessing the contributions referred to in paragraph 3 of this Article and in point (b) of Article 22(2), costs shall be determined in accordance with the usual cost accounting practices of the Member State concerned, the applicable accounting standards of the Member State concerned, and the applicable international accounting standards and international financial reporting standards. Costs shall be certified by an independent external auditor appointed by the Member State concerned. The valuation method may be verified by the Competence Centre if there is any uncertainty arising from the certification.

10. If any Member State is in default of its commitments concerning its financial or in-kind contributions to joint actions, the Executive Director shall notify the Member State concerned thereof in writing and shall set a reasonable period within which such default is to be remedied. If the situation is not remedied within that period, the Executive Director shall convene a meeting of the Governing Board to decide whether the defaulting participating Member State’s right to vote is to be revoked or whether any other measures are to be taken until that Member State has met its obligations. The defaulting Member State’s right to vote concerning joint actions shall be suspended until the default of its commitments is remedied.

11. The Commission may terminate, proportionally reduce or suspend the Union’s financial contribution to joint actions if the contributing Member States do not contribute, contribute only partially or contribute late with regard to the contributions referred to in point (b) of paragraph 3. The termination, reduction or suspension of the Union’s financial contribution by the Commission shall be proportionate in amount and time to the Member State’s failure to contribute, partial contribution or late contribution.

12. The contributing Member States shall report by 31 January of each year to the Governing Board on the value of the contributions referred to in paragraph 7 for joint action with the Union made in each of the previous financial year.

Article 22 - Costs and resources of the Competence Centre

1. The administrative costs of the Competence Centre shall in principle be covered by means of financial contributions from the Union on an annual basis. Additional financial contributions shall be made by contributing Member States in proportion to their voluntary contributions to joint actions. If part of the contribution for administrative costs is not used, it may be made available to cover the operational costs of the Competence Centre.

2. The operational costs of the Competence Centre shall be covered by means of:

(a)the Union’s financial contribution;

(b)voluntary financial or in-kind contributions from the contributing Member States in the case of joint actions.

3. The resources of the Competence Centre entered into its budget shall be composed of the following contributions:

(a)the Union’s financial contributions to operational and administrative costs;

(b)contributing Member States’ voluntary financial contributions to administrative costs in the case of joint actions;

(c)contributing Member States’ voluntary financial contributions to operational costs in the case of joint actions;

(d)any revenue generated by the Competence Centre;

(e)any other financial contributions, resources or revenues.

4. Any interest yielded by the contributions paid to the Competence Centre by the contributing Member States shall be considered to be the revenue of the Competence Centre.

5. All resources of the Competence Centre and its activities shall be used to achieve its objectives.

6. The Competence Centre shall own all assets that are generated by it or are transferred to it for the fulfilment of its objectives. Without prejudice to the applicable rules of the relevant funding programme, the ownership of assets that are generated or acquired in joint actions shall be decided in accordance with point (b) of Article 15(3).

7. Except when the Competence Centre is wound up, any excess revenue over expenditure shall continue to be owned by the Competence Centre and shall not be paid to the contributing members of the Competence Centre.

8. The Competence Centre shall cooperate closely with other Union institutions, bodies, offices and agencies, with due regard to their respective mandates and without duplicating existing cooperation mechanisms, in order to benefit from synergies with them and, where possible and appropriate, in order to reduce administrative costs.

Article 23 - Financial commitments

The financial commitments of the Competence Centre shall not exceed the amount of financial resources available or committed to its budget by its members.

Article 24 - Financial year

The financial year shall run from 1 January to 31 December.

Article 25 - Establishment of the budget

1. Each year, the Executive Director shall draw up a draft statement of estimates of the Competence Centre’s revenue and expenditure for the following financial year and shall forward it to the Governing Board, together with the draft establishment plan referred to in point (l) of Article 13(3). Revenue and expenditure shall be in balance. The expenditure of the Competence Centre shall include the staff, administrative, infrastructure and operational expenses. Administrative expenses shall be kept to a minimum, including by means of redeployment of staff or posts.

2. Each year, the Governing Board shall, on the basis of the draft statement of estimates of revenue and expenditure referred to in paragraph 1, produce a statement of estimates of revenue and expenditure for the Competence Centre for the following financial year.

3. The Governing Board shall, by 31 January of each year, send the statement of estimates referred to in paragraph 2 of this Article, which shall be part of the draft single programming document referred to in Article 32(1) of Delegated Regulation (EU) 2019/715, to the Commission.

4. On the basis of the statement of estimates referred to in paragraph 2 of this Article, the Commission shall enter in the draft budget of the Union the estimates it deems to be necessary for the establishment plan referred to in point (l) of Article 13(3) of this Regulation and the amount of the contribution to be charged to the general budget, which it shall submit to the European Parliament and the Council in accordance with Articles 313 and 314 of the Treaty on the Functioning of the European Union (TFEU).

5. The European Parliament and the Council shall authorise the appropriations for the contribution to the Competence Centre.

6. The European Parliament and the Council shall adopt the establishment plan referred to in point (l) of Article 13(3).

7. Together with the annual work programme and the multiannual work programme, the Governing Board shall adopt the Competence Centre’s budget. It shall become final following the definitive adoption of the general budget of the Union. Where appropriate, the Governing Board shall adjust the Competence Centre’s budget and the annual work programme in accordance with the general budget of the Union.

Article 26 - Presentation of the Competence Centre’s accounts and discharge

The presentation of the Competence Centre’s provisional and final accounts and the discharge shall comply with the rules and timetable of the Financial Regulation and of the financial rules of the Competence Centre.

Article 27 - Operational and financial reporting

1. The Executive Director shall report annually to the Governing Board on the performance of his or her duties in accordance with the financial rules of the Competence Centre.

2. Within two months of the end of each financial year, the Executive Director shall submit to the Governing Board for approval an annual activity report on the progress made by the Competence Centre in the previous calendar year, in particular in relation to the annual work programme for that year and the fulfilment of its strategic goals and priorities. That report shall include information on the following matters:

(a)operational actions carried out and the corresponding expenditure;

(b)the actions submitted, including a breakdown by participant type, including SMEs, and by Member State;

(c)the actions selected for funding, including a breakdown by participant type, including SMEs, and by Member State and indicating the contribution of the Competence Centre to the individual participants and actions;

(d)the fulfilment of the mission and objectives laid down in this Regulation and proposals for further necessary work to fulfil that mission and those objectives;

(e)the consistency of the implementation tasks with the Agenda and the multiannual work programme.

3. Once approved by the Governing Board, the annual activity report shall be made publicly available.

Article 28 - Financial rules

The Competence Centre shall adopt its specific financial rules in accordance with Article 70 of the Financial Regulation.

Article 29 - Protection of financial interests of the Union

1. The Competence Centre shall take appropriate measures to ensure that, when actions financed under this Regulation are implemented, the financial interests of the Union are protected by the application of preventive measures against fraud, corruption and any other illegal activities, by regular and effective checks and, if irregularities are detected, by the recovery of the amounts wrongly paid and, where appropriate, by effective, proportionate and dissuasive administrative penalties.

2. The Competence Centre shall grant Commission staff and other persons authorised by the Commission, as well as the Court of Auditors, access to the sites and premises of the Competence Centre and to all the information, including information in electronic format that is needed in order to conduct their audits.

3. OLAF may carry out investigations, including on-the-spot checks and inspections, in accordance with the provisions and procedures laid down in Council Regulation (Euratom, EC) No 2185/96 (17) and Regulation (EU, Euratom) No 883/2013 of the European Parliament and of the Council (18) with a view to establishing whether there has been fraud, corruption or any other illegal activity affecting the financial interests of the Union in connection with a grant agreement or a contract funded, directly or indirectly, in accordance with this Regulation.

4. Without prejudice to paragraphs 1, 2 and 3, contracts and grant agreements resulting from the implementation of this Regulation shall contain provisions expressly empowering the Commission, the Competence Centre, the Court of Auditors and OLAF to conduct such audits and investigations in accordance with their respective competences. Where the implementation of an action is outsourced or sub-delegated, in whole or in part, or where it requires the award of a procurement contract or financial support to a third party, the contract or grant agreement shall include the contractor’s or beneficiary’s obligation to impose on any third party involved explicit acceptance of those powers of the Commission, the Competence Centre, the Court of Auditors and OLAF.

CHAPTER IV - Competence Centre staff

Article 30 - Staff

1. The Staff Regulations and Conditions of Employment and the rules adopted jointly by the institutions of the Union for the purpose of applying the Staff Regulations and Conditions of Employment shall apply to the staff of the Competence Centre.

2. The Governing Board shall exercise, with respect to the staff of the Competence Centre, the powers conferred by the Staff Regulations on the Appointing Authority and the powers conferred by the Conditions of Employment on the authority empowered to conclude contract (the ‘appointing authority powers’).

3. The Governing Board shall adopt, in accordance with Article 110 of the Staff Regulations, a decision based on Article 2(1) of the Staff Regulations and on Article 6 of the Conditions of Employment delegating the relevant appointing authority powers to the Executive Director and defining the conditions under which that delegation may be suspended. The Executive Director is authorised to sub-delegate those powers.

4. Where exceptional circumstances so require, the Governing Board may, through a decision, temporarily suspend the delegation of the appointing authority powers to the Executive Director and any sub-delegation made by the latter. In such a case the Governing Board shall exercise itself the appointing authority powers or delegate them to one of its members or to a member of staff of the Competence Centre other than the Executive Director.

5. The Governing Board shall adopt implementing rules as regards the Staff Regulations and the Conditions of Employment in accordance with Article 110 of the Staff Regulations.

6. The staff resources shall be determined in the establishment plan referred to in point (l) of Article 13(3), indicating the number of temporary posts by function group and by grade and the number of contract staff expressed in full-time equivalents, in line with the annual budget of the Competence Centre.

7. The human resources required by the Competence Centre shall be met in the first instance by redeployment of staff or posts from Union institutions, bodies, offices and agencies, and additional human resources through recruitment. The staff of the Competence Centre may consist of temporary staff and contract staff.

8. All costs related to staff shall be borne by the Competence Centre.

Article 31 - Seconded national experts and other staff

1. The Competence Centre may make use of seconded national experts or other staff not employed by the Competence Centre.

2. The Governing Board shall adopt a decision laying down rules on the secondment of national experts to the Competence Centre, in agreement with the Commission.

Article 32 - Privileges and immunities

Protocol No 7 on the Privileges and Immunities of the European Union annexed to the TEU and to the TFEU shall apply to the Competence Centre and its staff.

CHAPTER V - Common provisions

Article 33 - Security rules

1. Article 12 Regulation (EU) 2021/694 shall apply to participation in all actions funded by the Competence Centre.

2. The following specific security rules shall apply to actions funded by Horizon Europe:

(a)for the purposes of Article 38(1) of Regulation (EU) 2021/695, when provided for in the annual work programme, the grant of non-exclusive licences may be limited to third parties that are established or deemed to be established in a Member State and are controlled by that Member State or by nationals of that Member State;

(b)for the purposes of point (b) of the first subparagraph of Article 40(4) of Regulation (EU) 2021/695, the transfer or license to a legal entity established in an associated country or established in the Union but controlled from third countries shall be grounds for objecting to transfers of ownership of results or to grants of an exclusive license regarding results;

(c)for the purposes of point (a) of the first subparagraph of Article 41(7) of Regulation (EU) 2021/695, when provided for in the annual work programme, the granting of access rights, as defined in point (9) of Article 2 of that Regulation, may be limited to a legal entity that is established or deemed to be established in a Member State and is controlled by that Member State or by nationals of that Member State.

Article 34 - Transparency

1. The Competence Centre shall carry out its activities with a high level of transparency.

2. The Competence Centre shall ensure that the public and any interested parties are given appropriate, objective, reliable and easily accessible information in a timely manner, in particular with regard to the results of its work. It shall also make public the declarations of interest made in accordance with Article 43. Those requirements shall also apply to the national coordination centres, the Community and the Strategic Advisory Group in accordance with relevant law.

3. The Governing Board, acting on a proposal from the Executive Director, may authorise interested parties to observe the proceedings of some of the Competence Centre’s activities.

4. The Competence Centre shall lay down in the rules of procedure of the Governing Board of the Competence Centre and of the Strategic Advisory Group the practical arrangements for implementing the transparency rules referred to in paragraphs 1 and 2 of this Article. For actions funded by Horizon Europe, those rules and arrangements shall take account of Regulation (EU) 2021/695.

Article 35 - Gender balance

In the implementation of this Regulation, when nominating candidates or proposing representatives, the Commission, Member States and other institutional and private sector stakeholders shall choose representatives from several candidates, where possible, and with the aim of ensuring gender balance.

Article 36 - Security rules on the protection of classified information and sensitive non-classified information

1. After approval by the Commission, the Governing Board shall adopt the security rules of the Competence Centre. Those security rules shall apply the security principles and rules laid down in Commission Decisions (EU, Euratom) 2015/443 (19) and (EU, Euratom) 2015/444 (20).

2. Members of the Governing Board, the Executive Director, external experts participating in ad hoc working groups, and members of the staff of the Competence Centre shall comply with the confidentiality requirements under Article 339 TFEU, even after their duties have ceased.

3. The Competence Centre may take the necessary measures to facilitate the exchange of information relevant to its tasks with the Commission and the Member States and, where appropriate, the relevant Union institutions, bodies, offices and agencies. Any administrative arrangements concluded to that end with regard to the sharing of EU classified information (EUCI) or, in the absence of such arrangements, any exceptional ad hoc release of EUCI, shall have received the Commission’s prior approval.

Article 37 - Access to documents

1. Regulation (EC) No 1049/2001 shall apply to documents held by the Competence Centre.

2. The Governing Board shall adopt arrangements for implementing Regulation (EC) No 1049/2001 by 29 December 2021.

3. Decisions taken by the Competence Centre pursuant to Article 8 of Regulation (EC) No 1049/2001 may be the subject of a complaint to the Ombudsman under Article 228 TFEU or of an action before the Court of Justice of the European Union under Article 263 TFEU.

Article 38 - Monitoring, evaluation and review

1. The Competence Centre shall ensure that its activities, including those managed through the national coordination centres and the Network, shall be subject to continuous and systematic monitoring and periodic evaluation. The Competence Centre shall ensure that the data for monitoring the implementation and results of the Union funding programmes referred to in point (b) of Article 4(3) are collected efficiently, effectively, and in a timely manner, and shall impose proportionate reporting requirements on recipients of Union funds and Member States. The conclusions of that evaluation shall be made public.

2. Once there is sufficient information available about the implementation of this Regulation, and in any event no later than 30 months after the date provided for in Article 46(4), the Commission shall prepare an implementation report on the activities of the Competence Centre, taking into account the preliminary input of the Governing Board, the national coordination centres and the Community. The Commission shall submit that implementation report to the European Parliament and to the Council by 30 June 2024. The Competence Centre and Member States shall provide the Commission with the information necessary for the preparation of that report.

3. The implementation report referred to in paragraph 2 shall include assessments of:

(a)the working capacity of the Competence Centre with regard to its mission, objectives, mandate and tasks and the cooperation and coordination with other stakeholders, in particular the national coordination centres, the Community and ENISA;

(b)the results achieved by the Competence Centre, having regard to its mission, objectives, mandate and tasks, and in particular the efficiency of the Competence Centre in coordinating Union funds and pooling expertise;

(c)the consistency of implementation tasks with the Agenda and the multiannual work programme;

(d)the coordination and cooperation of the Competence Centre with the Programme Committees of Horizon Europe and the Digital Europe Programme, in particular with a view to increasing consistency and synergies with the Agenda, the annual work programme, the multiannual work programme, Horizon Europe and the Digital Europe Programme;

(e)joint actions.

4. After submission of the implementation report referred to in paragraph 2 of this Article, the Commission shall carry out an evaluation of the Competence Centre, taking into account the preliminary input from the Governing Board, the national coordination centres and the Community. That evaluation shall refer to or update, as necessary, the assessments referred to in paragraph 3 of this Article and shall be carried out before expiry of the period specified in Article 47(1), in order to determine in a timely manner whether it is appropriate to extend the duration of the mandate of the Competence Centre beyond that period. That evaluation shall assess legal and administrative aspects regarding the mandate of the Competence Centre and the potential to create synergies and avoid fragmentation with other Union institutions, bodies, offices and agencies.

If the Commission considers that the continuation of the Competence Centre is justified with regard to its mission, objectives, mandate and tasks, it may make a legislative proposal to extend the duration of the mandate of the Competence Centre set out in Article 47.

5. On the basis of the conclusions of the implementation report referred to in paragraph 2, the Commission may take appropriate actions.

6. The monitoring, evaluation, phasing out and renewal of the contribution from Horizon Europe shall be carried out in accordance with Articles 10, 50 and 52 of Regulation (EU) 2021/695 and agreed implementation arrangements.

7. The monitoring, reporting and evaluation of the contribution from the Digital Europe Programme shall be carried out in accordance with Articles 24 and 25 of Regulation (EU) 2021/694.

8. In the event of a winding-up of the Competence Centre, the Commission shall conduct a final evaluation of the Competence Centre within six months of the winding-up of the Competence Centre, and in any event no later than two years after the triggering of the winding-up procedure referred to in Article 47. The results of that final evaluation shall be submitted to the European Parliament and to the Council.

Article 39 - Legal personality of the Competence Centre

1. The Competence Centre shall have legal personality.

2. In each Member State, the Competence Centre shall enjoy the most extensive legal capacity accorded to legal persons under the law of that Member State. It may, in particular, acquire or dispose of movable and immovable property and may be party to legal proceedings.

Article 40 - Liability of the Competence Centre

1. The contractual liability of the Competence Centre shall be governed by the law applicable to the agreement, decision or contract in question.

2. In the case of non-contractual liability, the Competence Centre shall make good any damage caused by its staff in the performance of their duties, in accordance with the general principles common to the laws of the Member States.

3. Any payment by the Competence Centre in respect of the liability referred to in paragraphs 1 and 2 and the costs and expenses incurred in connection therewith shall be considered to be expenditure of the Competence Centre and shall be covered by its resources.

4. The Competence Centre shall be solely responsible for meeting its obligations.

Article 41 - Jurisdiction of the Court of Justice of the European Union and applicable law

1. The Court of Justice of the European Union shall have jurisdiction:

(a)to give judgement pursuant to any arbitration clause contained in decisions adopted by, or agreements or contracts concluded by, the Competence Centre;

(b)in disputes related to compensation for damage caused by the staff of the Competence Centre in the performance of their duties;

(c)in any dispute between the Competence Centre and its staff within the limits of and under the conditions laid down in the Staff Regulations.

2. Regarding any matter not covered by this Regulation or by other legal acts of the Union, the law of the Member State where the seat of the Competence Centre is located shall apply.

Article 42 - Liability of the Union and the Member States and insurance

1. The financial liability of the Union and the Member States for the debts of the Competence Centre shall be limited to their contribution already made for the administrative costs.

2. The Competence Centre shall take out and maintain appropriate insurance.

Article 43 - Conflicts of interest

The Governing Board shall adopt rules for the prevention, identification and resolution of conflicts of interest in respect of its members, bodies and staff, including the Executive Director. Those rules shall contain the provisions intended to avoid a conflict of interest in respect of the representatives of the members serving in the Governing Board as well as the Strategic Advisory Group, in accordance with the Financial Regulation, including provisions on any declarations of interest. The national coordination centres shall be subject to national law with regard to conflicts of interest.

Article 44 - Protection of Personal Data

1. The processing of personal data by the Competence Centre shall be subject to Regulation (EU) 2018/1725.

2. The Governing Board shall adopt implementing measures as referred to in Article 45(3) of Regulation (EU) 2018/1725. The Governing Board may adopt additional measures necessary for the application of that Regulation by the Competence Centre.

Article 45 - Support from the host Member State

An administrative agreement may be concluded between the Competence Centre and the host Member State in which its seat is located concerning privileges and immunities and other support to be provided by that Member State to the Competence Centre.

CHAPTER VI - Final provisions

Article 46 - Initial actions

1. The Commission shall be responsible for the establishment and initial operation of the Competence Centre until it has the operational capacity to implement its own budget. The Commission shall carry out, in accordance with Union law, all necessary actions with the involvement of the competent bodies of the Competence Centre.

2. For the purpose of paragraph 1 of this Article, the Commission may designate an interim Executive Director until the Executive Director takes up his or her duties following his or her appointment by the Governing Board in accordance with Article 16. The interim Executive Director shall exercise the duties of the Executive Director and may be assisted by a limited number of members of staff of the Commission. The Commission may assign a limited number of its members of staff to the Competence Centre on an interim basis.

3. The interim Executive Director may authorise all payments covered by the appropriations provided in the annual budget of the Competence Centre once it has been adopted by the Governing Board and may conclude agreements and contracts, including staff contracts, and adopt decisions, following the adoption of the establishment plan referred to in point (l) of Article 13(3).

4. The interim Executive Director shall determine, in common accord with the Executive Director and subject to the approval of the Governing Board, the date from which the Competence Centre will have the capacity to implement its own budget. From that date onwards, the Commission shall abstain from making commitments and executing payments for the activities of the Competence Centre.

Article 47 - Duration

1. The Competence Centre shall be established for the period from 28 June 2021 to 31 December 2029.

2. Unless the mandate of the Competence Centre is extended in accordance with Article 38(4), the winding-up procedure shall be triggered automatically at the end of the period referred to in paragraph 1 of this Article.

3. For the purpose of conducting the proceedings to wind up the Competence Centre, the Governing Board shall appoint one or more liquidators, who shall comply with the decisions of the Governing Board.

4. When the Competence Centre is being wound up, its assets shall be used to cover its liabilities and the expenditure relating to its winding-up. Any surplus shall be distributed among the Union and the contributing Member States in proportion to their financial contribution to the Competence Centre. Any such surplus distributed to the Union shall be returned to the Union budget.

Article 48 - Entry into force

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

This Regulation shall be binding in its entirety and directly applicable in all Member States.