Annexes to COM(2023)209 - Measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cybersecurity threats and incidents - Main contents
Please note
This page contains a limited version of this dossier in the EU Monitor.
| dossier | COM(2023)209 - Measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cybersecurity threats ... |
|---|---|
| document | COM(2023)209  |
| date | April 18, 2023 |
All these assignments are estimated to about 7 FTEs from the existing resources of ENISA, building already on expertise and preparatory work that it is currently done by ENISA within the pilot of the emergency support for preparedness and incident response.
2. MANAGEMENT MEASURES
2.1. Monitoring and reporting rules
Specify frequency and conditions.
The Commission will monitor the implementation, the application and the compliance with these new provisions with a view to assessing their effectiveness. The Commission shall submit a report on the evaluation and review of this Regulation to the European Parliament and to the Council by four years after the date of its application.
2.2. Management and control system(s)
2.2.1. Justification of the management mode(s), the funding implementation mechanism(s), the payment modalities and the control strategy proposed
The Regulation introduces a framework for implementing EU funding with a view to increasing cybersecurity resilience through actions enhancing the detection, response and recovery capabilities in case of significant and large-scale cybersecurity incidents. The units within DG CNECT in charge of the policy field will manage the implementation of the Directive.
In order to face the new tasks, it is necessary to appropriately resource the Commission’s services. The enforcement of the new Regulation is estimated to require 6 FTEs (3 AD and 3 CA) to cover the following tasks:
- Determining preparedness actions according to risk assessments;
- Ensuring interoperability between Cross-border SOC platforms;
- Elaborating potential Implementing Acts (two for SOCs and two for the Cybersecurity Emergency Mechanism);
- Managing the Hosting and Usage Agreements for SOCs;
- Establishing and managing the EU Cybersecurity Reserve, directly or via a contribution agreement to ENISA. In case of contribution agreement to ENISA, elaborating and supervising the implementation of the contribution agreement for the tasks assigned to ENISA;
- Participating in the consultation groups convened by ENISA to review and assess significant and large-scale cybersecurity incidents and preparing the reports.
2.2.2. Information concerning the risks identified and the internal control system(s) set up to mitigate them
A risk identified for the European Cyber Shield is that Member States do not share a sufficient amount of relevant cyber threat information either within the Cross-border SOC platforms, or between Cross-border platforms and other relevant entities at EU level. In order to mitigate these risks, the allocation of funding will follow a call for expression of interest where Member States commit to sharing a certain amount of information with the EU level. This commitment will then be formalised in a hosting and usage agreement, which will give the ECCC the powers to conduct audits to ensure the jointly procured tools and infrastructure are being used in accordance with the agreement. Commitments to a high level of information sharing within the Cross-border SOCs will be formalised in a consortium agreement.
A risk identified for the Cyber Emergency Mechanism is that users participating in the mechanism do not take sufficient measures to ensure preparedness in the face of cyber attacks. For that reason, to be able to receive support from the EU Cybersecurity Reserve, users are obliged to take such preparedness measures. When submitting the requests for support to the EU Cybersercurity Reserve, users need to explain what measures have been taken already to respond to the incident, which will be taken into account during assessment of the requests to the EU Cybersecurity Reserve.
2.2.3. Estimation and justification of the cost-effectiveness of the controls (ratio of "control costs ÷ value of the related funds managed"), and assessment of the expected levels of risk of error (at payment & at closure)
As the rules for participation in the Digital Europe programme applicable to the support under the Cyber Solidarity Act are similar to those that the Commission will use in its work programmes, and with a population of beneficiaries with a similar risk profile to those of programmes under direct management, it can be expected that the error margin will be similar to that foreseen by the Commission for the Digital Europe programme, i.e. to give reasonable assurance that the risk of error over the course of the multiannual expenditure period is, on an annual basis, within a range of 2-5 %, with the ultimate aim to achieve a residual error rate as close as possible to 2 % at the closure of the multi-annual programmes, once the financial impact of all audits, correction and recofvery measures have been taken into account.
2.3. Measures to prevent fraud and irregularities
Specify existing or envisaged prevention and protection measures, e.g. from the Anti-Fraud Strategy.
In the case of the European Cyber Shield, the ECCC will have the power of audit, on the basis of access to information and on-the-spot checks, of the jointly procured tools and infrastructures, in accordance with the hosting and usage agreement to be signed between the hosting consortium and the ECCC.
The existing fraud prevention measures applicable to the Union institutions, bodies and agencies will cover the additional appropriations necessary for this Regulation.
3. ESTIMATED FINANCIAL IMPACT OF THE PROPOSAL/INITIATIVE
3.1. Heading(s) of the multiannual financial framework and expenditure budget line(s) affected
- Existing budget lines
In order of multiannual financial framework headings and budget lines.
| Heading of multiannual financial framework | Budget line | Type of expenditure | Contribution | |||
| Number | Diff./Non-diff.0 | from EFTA countries0 | from candidate countries and potential candidates0 | fromother third countries | other assigned revenue | |
| 1 | 02 04 01 10 - Digital Europe programme - Cybersecurity | Diff. | YES | YES | NO | NO |
| 1 | 02 04 01 11 - Digital Europe programme - European Cybersecurity Industrial, Technology and Research Competence Centre | Diff | YES | YES | NO | NO |
| 1 | 02 04 03 - Digital Europe programme - Artificial intelligence | Diff | YES | YES | NO | NO |
| 1 | 02 04 04 - Digital Europe programme – Skills | Diff | YES | YES | NO | NO |
| 1 | 02 01 30 - Support expenditure for the Digital Europe programme | Non Diff | YES | YES | NO | NO |
3.2. Estimated financial impact of the proposal on appropriations
3.2.1. Summary of estimated impact on operational appropriations
- The proposal/initiative does not require the use of operational appropriations
- X The proposal/initiative requires the use of operational appropriations, as explained below:
EUR million (to three decimal places)
| Heading of multiannual financial framework | Number | 1 Single Market, Innovation and Digital |
The proposal will not increase the total level of commitments under the Digital Europe Programme. Indeed, the contribution to this initiative is a redistribution of the commitments coming from SO2 and SO4 to reinforce the budget of SO3 and ECCC. Any increase of commitments under the Digital Europe Programme stemming from a revision of the MFF could be used for the purpose of this initiative.
| DG CONNECT | Year 2025 | Year 2026 | Year 2027 | Year 2028+ | Enter as many years as necessary to show the duration of the impact (see point 1.6) | TOTAL | ||||
| □ Operational appropriations | ||||||||||
| Budget line0 02.040110 (redistribution from 02.0403 and 02.0404) | Commitments | (1a) | 15,000 | 15,000 | 6,000 | p.m. | 36,000 | |||
| Payments | (2a) | 15,000 | 15,000 | 6,000 | 36,000 | |||||
| Budget line 02.040111.02 (redistribution from 02.0403 and 02.0404) | Commitments | (1b) | 13,000 | 23,000 | 28,000 | p.m. | 64,000 | |||
| Payments | (2b) | 8,450 | 18,200 | 25,250 | 12,100 | 64,000 | ||||
| Appropriations of an administrative nature financed from the envelope of specific programmes0 | ||||||||||
| Budget line 02.0130 | (3) | 0,150 | 0,150 | 0,150 | p.m. | 0,450 | ||||
| TOTAL appropriations for DG CONNECT | Commitments | =1a+1b +3 | 28,150 | 38,150 | 34,150 | p.m. | 100,450 | |||
| Payments | =2a+2b +3 | 23,600 | 33,350 | 31,400 | 12,100 | 100,450 |
| □ TOTAL operational appropriations | Commitments | (4) | 28,000 | 38,000 | 34,000 | p.m. | 100,000 | |||
| Payments | (5) | 23,450 | 33,200 | 31,250 | 12,100 | 100,000 | ||||
| □ TOTAL appropriations of an administrative nature financed from the envelope for specific programmes | (6) | 0,150 | 0,150 | 0,150 | p.m. | 0,450 | ||||
| TOTAL appropriations under HEADING 1 of the multiannual financial framework | Commitments | =4+ 6 | 28,150 | 38,150 | 34,150 | p.m. | 100,450 | |||
| Payments | =5+ 6 | 23,600 | 33,350 | 31,400 | 12,100 | 100,450 |
If more than one operational heading is affected by the proposal / initiative, repeat the section above:
| □ TOTAL operational appropriations (all operational headings) | Commitments | (4) | 28,000 | 38,000 | 34,000 | p.m. | 100,000 | |||
| Payments | (5) | 23,450 | 33,200 | 31,250 | 12,100 | 100,000 | ||||
| TOTAL appropriations of an administrative nature financed from the envelope for specific programmes (all operational headings) | (6) | 0,150 | 0,150 | 0,150 | 0,450 | |||||
| TOTAL appropriations under HEADINGS 1 to 6 of the multiannual financial framework (Reference amount) | Commitments | =4+ 6 | 28,150 | 38,150 | 34,150 | p.m. | 100,450 | |||
| Payments | =5+ 6 | 23,600 | 33,350 | 31,400 | 12,100 | 100,450 |
| Heading of multiannual financial framework | 7 | ‘Administrative expenditure’ |
This section should be filled in using the 'budget data of an administrative nature' to be firstly introduced in the Annex to the Legislative Financial Statement (Annex 5 to the Commission decision on the internal rules for the implementation of the Commission section of the general budget of the European Union), which is uploaded to DECIDE for interservice consultation purposes.
EUR million (to three decimal places)
| Year 2025 | Year 2026 | Year 2027 | Year 2028+ | Enter as many years as necessary to show the duration of the impact (see point 1.6) | TOTAL | |||||
| DG: CONNECT | ||||||||||
| □ Human resources | 0,786 | 0,786 | 0,786 | p.m. | 2,358 | |||||
| □ Other administrative expenditure | 0,035 | 0,035 | 0,035 | p.m. | 0,105 | |||||
| TOTAL DG CONNECT | Appropriations | 0,821 | 0,821 | 0,821 | 2,463 |
| TOTAL appropriations under HEADING 7 of the multiannual financial framework | (Total commitments = Total payments) | 0,821 | 0,821 | 0,821 | 2,463 |
EUR million (to three decimal places)
| Year 2025 | Year 2026 | Year 2027 | Year 2028+ | Enter as many years as necessary to show the duration of the impact (see point 1.6) | TOTAL | ||||
| TOTAL appropriations under HEADINGS 1 to 7 of the multiannual financial framework | Commitments | 28,971 | 38,971 | 34,971 | p.m. | 102,913 | |||
| Payments | 24,421 | 34,171 | 32,221 | 12,100 | 102,913 |
3.2.2. Estimated output funded with operational appropriations
Commitment appropriations in EUR million (to three decimal places)
| Indicate objectives and outputs | Year N | Year N+1 | Year N+2 | Year N+3 | Enter as many years as necessary to show the duration of the impact (see point 1.6) | TOTAL | ||||||||||||
| OUTPUTS | ||||||||||||||||||
| Type0 | Average cost | No | Cost | No | Cost | No | Cost | No | Cost | No | Cost | No | Cost | No | Cost | Total No | Total cost | |
| SPECIFIC OBJECTIVE No 10… | ||||||||||||||||||
| - Output | ||||||||||||||||||
| - Output | ||||||||||||||||||
| - Output | ||||||||||||||||||
| Subtotal for specific objective No 1 | ||||||||||||||||||
| SPECIFIC OBJECTIVE No 2 ... | ||||||||||||||||||
| - Output | ||||||||||||||||||
| Subtotal for specific objective No 2 | ||||||||||||||||||
| TOTALS |
3.2.3. Summary of estimated impact on administrative appropriations
- The proposal/initiative does not require the use of appropriations of an administrative nature
- X The proposal/initiative requires the use of appropriations of an administrative nature, as explained below:
EUR million (to three decimal places)
| Year 2025 | Year r 2026 | Year 2027 | Year N+3 | Enter as many years as necessary to show the duration of the impact (see point 1.6) | TOTAL |
| Outside HEADING 70 of the multiannual financial framework | ||||||||
| Human resources | ||||||||
| Other expenditure of an administrative nature | 0,150 | 0,150 | 0,150 | 0,450 | ||||
| Subtotal outside HEADING 7 of the multiannual financial framework | 0,150 | 0,150 | 0,150 | 0,450 |
| TOTAL | 0,971 | 0,971 | 0,971 | 2,913 |
The appropriations required for human resources and other expenditure of an administrative nature will be met by appropriations from the DG that are already assigned to management of the action and/or have been redeployed within the DG, together if necessary with any additional allocation which may be granted to the managing DG under the annual allocation procedure and in the light of budgetary constraints.
3.2.3.1. Estimated requirements of human resources
- The proposal/initiative does not require the use of human resources.
- X The proposal/initiative requires the use of human resources, as explained below:
Estimate to be expressed in full time equivalent units
| Year 2025 | Year 2026 | Year 2027 | Year N+3 | Enter as many years as necessary to show the duration of the impact (see point 1.6) | |||||
| □ Establishment plan posts (officials and temporary staff) | |||||||||
| 20 01 02 01 (Headquarters and Commission’s Representation Offices) | 3 | 3 | 3 | ||||||
| 20 01 02 03 (Delegations) | |||||||||
| 01 01 01 01 (Indirect research) | |||||||||
| 01 01 01 11 (Direct research) | |||||||||
| Other budget lines (specify) | |||||||||
| □ External staff (in Full Time Equivalent unit: FTE)0 | |||||||||
| 20 02 01 (AC, END, INT from the ‘global envelope’) | 3 | 3 | 3 | ||||||
| 20 02 03 (AC, AL, END, INT and JPD in the delegations) | |||||||||
| XX 01 xx yy zz 0 | - at Headquarters | ||||||||
| - in Delegations | |||||||||
| 01 01 01 02 (AC, END, INT - Indirect research) | |||||||||
| 01 01 01 12 (AC, END, INT - Direct research) | |||||||||
| Other budget lines (specify) | |||||||||
| TOTAL | 6 | 6 | 6 |
The human resources required will be met by staff from the DG who are already assigned to management of the action and/or have been redeployed within the DG, together if necessary with any additional allocation which may be granted to the managing DG under the annual allocation procedure and in the light of budgetary constraints.
Description of tasks to be carried out:
| Officials and temporary staff | - determining preparedness actions according to risk assessments (art 11) - Elaborating potential Implementing Acts (two for SOCs and two for the Cybersecurity Emergency Mechanism) - Managing the Hosting and Usage Agreements for SOCs; - Establishing and managing the EU Cybersecurity Reserve, directly or via a contribution agreement to ENISA. |
| External staff | Under the supervision of an official, - determining preparedness actions according to risk assessments (art 11) - Elaborating potential Implementing Acts (two for SOCs and two for the Cybersecurity Emergency Mechanism) - Managing the Hosting and Usage Agreements for SOCs; - Establishing and managing the EU Cybersecurity Reserve, directly or via a contribution agreement to ENISA. |
3.2.4. Compatibility with the current multiannual financial framework
The proposal/initiative:
- X can be fully financed through redeployment within the relevant heading of the Multiannual Financial Framework (MFF).
Explain what reprogramming is required, specifying the budget lines concerned and the corresponding amounts. Please provide an excel table in the case of major reprogramming.
- requires use of the unallocated margin under the relevant heading of the MFF and/or use of the special instruments as defined in the MFF Regulation.
Explain what is required, specifying the headings and budget lines concerned, the corresponding amounts, and the instruments proposed to be used.
- requires a revision of the MFF.
Explain what is required, specifying the headings and budget lines concerned and the corresponding amounts.
3.2.5. Third-party contributions
The proposal/initiative:
- X does not provide for co-financing by third parties
- provides for the co-financing by third parties estimated below:
Appropriations in EUR million (to three decimal places)
| Year N0 | Year N+1 | Year N+2 | Year N+3 | Enter as many years as necessary to show the duration of the impact (see point 1.6) | Total | |||
| Specify the co-financing body | ||||||||
| TOTAL appropriations co-financed |
3.3. Estimated impact on revenue
- X The proposal/initiative has no financial impact on revenue.
- The proposal/initiative has the following financial impact:
- on own resources
- on other revenue
- please indicate, if the revenue is assigned to expenditure lines ◻
EUR million (to three decimal places)
| Budget revenue line: | Appropriations available for the current financial year | Impact of the proposal/initiative0 | ||||||
| Year N | Year N+1 | Year N+2 | Year N+3 | Enter as many years as necessary to show the duration of the impact (see point 1.6) | ||||
| Article …………. |
For assigned revenue, specify the budget expenditure line(s) affected.
[…]
Other remarks (e.g. method/formula used for calculating the impact on revenue or any other information).
[…]
1According to a report by Ponemon Institute and IBM Security, the average time to identify a breach in 2022 was 207 days, with an additional 70 days to contain. At the same time, in 2022, data breaches with a lifecycle of more than 200 days had an average cost of €4.86 million, compared to €3.74 million when under 200 day. (‘Cost of a data breach 2022”, https://www.ibm.com/reports/data-breach)
2Council conclusions on the development of the European Union's cyber posture approved by the Council at its meeting on 23 May 2022, (9364/22
3Joint Communication to the European Parliament and the Council, The EU's Cybersecurity Strategy for the Digital Decade, JOIN202018 final.
4 Joint Communication to the European Parliament and the Council, EU Policy on Cyber Defence, JOIN(2022) 49 final.
5 Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive).
6 Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act).
7 Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on attacks against information systems and replacing Council Framework Decision 2005/222/JHA.
8 Proposal for a Regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020, COM/2022/454 final.
9 Council Recommendation of 8 December 2022 on a Union-wide coordinated approach to strengthen the resilience of critical infrastructure (Text with EEA relevance) 2023/C 20/01.
10 Decision No 1313/2013/EU of the European Parliament and of the Council of 17 December 2013 on a Union Civil Protection Mechanism (Text with EEA relevance).
11Regulation (EU) 2021/836 of the European Parliament and of the Council of 20 May 2021 amending Decision No 1313/2013/EU on a Union Civil Protection Mechanism (Text with EEA relevance).
1Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council of 18 July 2018 on the financial rules applicable to the general budget of the Union (OJ L 193, 30.7.2018, p. 1).
1OJ C […], […], p. […].
2OJ C , , p. .
3OJ C , , p. .
4https://futureu.europa.eu/en/
5Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (OJ L 333, 27.12.2022).
6Commission Recommendation (EU) 2017/1584 of 13 September 2017 on coordinated response to large-scale cybersecurity incidents and crises (OJ L 239, 19.9.2017, p. 36).
7Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on attacks against information systems and replacing Council Framework Decision 2005/222/JHA (J L 218, 14.8.2013, p. 8).
8Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (OJ L 151, 7.6.2019, p. 15).
9Council conclusions on the development of the European Union's cyber posture approved by the Council at its meeting on 23 May 2022, (9364/22)
10Join Communication to the European Parliament and the Council EU Policy on Cyber Defence JOIN/2022/49 final
11Regulation (EU) 2021/694 of the European Parliament and of the Council of 29 April 2021 establishing the Digital Europe Programme and repealing Decision (EU) 2015/2240 (OJ L 166, 11.5.2021, p. 1).
12Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (OJ L 333, 27.12.2022, p. 80).
13Council Regulation (EU) 2021/1173 of 13 July 2021 on establishing the European High Performance Computing Joint Undertaking and repealing Regulation (EU) 2018/1488 (OJ L 256, 19.7.2021, p. 3).
14COUNCIL DECISION (CFSP) 2017/ 2315 - of 11 December 2017 - establishing permanent structured cooperation (PESCO) and determining the list of participating Member States.
15Decision No 1313/2013/EU of the European Parliament and of the Council of 17 December 2013 on a Union Civil Protection Mechanism (OJ L 347, 20.12.2013, p. 924).
16Integrated Political Crisis Response arrangements (IPCR) and in accordance with Commission Recommendation (EU) 2017/1584 of 13 September 2017 on coordinated response to large-scale cybersecurity incidents and crises.
17Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011
18Directive 2014/24/EU of the European Parliament and of the Council of 26 February 2014 on public procurement and repealing Directive 2004/18/EC (OJ L 94 28.3.2014, p. 65).
19Decision No 1313/2013/EU of the European Parliament and of the Council of 17 December 2013 on a Union Civil Protection Mechanism (OJ L 347, 20.12.2013, p. 924).
20Regulation (EU) 2021/887 of the European Parliament and of the Council of 20 May 2021 establishing the European Cybersecurity Industrial, Technology and Research Competence Centre and the Network of National Coordination Centres, (OJ L 202, 8.6.2021, p. 1-31).
0As referred to in Article 58(2)(a) or (b) of the Financial Regulation.
0The actions in the Act should be supported by the next Multiannual Financial Framework.
0Details of budget implementation methods and references to the Financial Regulation may be found on the BUDGpedia site: https://myintracomm.ec.europa.eu/corp/budget/financial-rules/budget-implementation/Pages/implementation-methods.aspx
0Diff. = Differentiated appropriations / Non-diff. = Non-differentiated appropriations.
0EFTA: European Free Trade Association.
0Candidate countries and, where applicable, potential candidate countries.
0According to the official budget nomenclature.
0Technical and/or administrative assistance and expenditure in support of the implementation of EU programmes and/or actions (former ‘BA’ lines), indirect research, direct research.
0Outputs are products and services to be supplied (e.g.: number of student exchanges financed, number of km of roads built, etc.).
0As described in point 1.4.2. ‘Specific objective(s)…’
0Technical and/or administrative assistance and expenditure in support of the implementation of EU programmes and/or actions (former ‘BA’ lines), indirect research, direct research.
0AC= Contract Staff; AL = Local Staff; END= Seconded National Expert; INT = agency staff; JPD= Junior Professionals in Delegations.
0Sub-ceiling for external staff covered by operational appropriations (former ‘BA’ lines).
0Year N is the year in which implementation of the proposal/initiative starts. Please replace "N" by the expected first year of implementation (for instance: 2021). The same for the following years.
0As regards traditional own resources (customs duties, sugar levies), the amounts indicated must be net amounts, i.e. gross amounts after deduction of 20 % for collection costs.
EN EN