The European CYberSecurity cPPP ECYS Draft Proposal 12 April 2016 - - PowerPoint PPT Presentation

The European CYberSecurity cPPP ‐ ECYS

Draft Proposal 12 April 2016

The urgency to act

• We cannot miss the window opportunity for budgetary

reasons: create a synergy among the different EC budgets via the cPPP, already from 2017

• Europe's contribution to solutions is lagging behind in this

sector which is increasingly pervasive in all applications  Urgent need for industry in Europe to develop innovative solutions responding to competitive and societal issues, in a global strategy

• The political need to provide our users with trusted solutions

according to EU values, laws and procedures.

European Cybersecurity cPPP: The Challenges

• The ambitious timeline (building on previous work)
• The consensus building (several MS already contributed to Statutes and

Bylaws following the meeting of January 20th, further MS comments' are welcome ‐ until end of April as it would then be critical for the targeted timeline)

• The content (merging societal security with competitiveness)
• The positioning of the different Members:

– MS, (H2020) Associate Countries, Regions – Industry (large; SMEs; EU and "Non EU") – Associations / Clusters (EU, National, Local) – RTOs / Academia – Users / Operators (public and private)

• The budgetary commitment (leverage factor)

Consensus building

• Kick off cPPP: EC meeting with MS representatives (1 public + 1

private) + EU bodies on January 20th

• 5 coordinators of the work to define proposal for SRIA, Industry

Proposal, Association, Contract, Membership & Governance

• Work done in WGs, regular update to January 20th participants

and to all those who have requested to be informed

• Invitation to join the cPPP launched March 10th
• Main trends on the different documents provided to the

Commission

• "Stabilised" draft, to be distributed next week to bodies having

expressed interest

• Discussions in countries (public and private bodies): further

remarks to be considered possibly by end of April.

Cybersecurity: a different cPPP

• Leveraging upon H2020 rules
• Open to any entity eligible under H2020 rules
• Developing a SRIA and supporting its implementation and the H2020 projects defined

in the Work Programme

• The cPPP will focus on R&I, the Association will tackle other industry policy aspects

for the market and industrial / economic development

• Convergence of Secure Societies and LEIT ICT: societal and competitiveness issues
• Cybersecurity: a transversal issue, pervasive in all sector (economic, societal, …): large

number of stakeholders, of interests, of constraints…  Squaring the circle!

• Supporting the development of the cybersecurity industry in Europe and EU trusted

solutions, including cooperation with Third Countries.

• Security: a national prerogative. Stronger participation of representatives from the

national administrations

• Interest from national Public Administrations:

Representatives to the two PCs + Ministries (Interior, Economy, etc.) + Regulatory Bodies (and, of course, as users)

Cybersecurity cPPP strategic objectives (from the Industry Proposal)

The European Cybersecurity cPPP has three main strategic objectives:

• Security underlying the growth of the European Digital Single Market
• The creation of a strong European‐based offering and an equal level playing field to meet the

needs of the emerging digital market with trustworthy and privacy aware solutions

• The growth and the presence of Europe's cybersecurity industry, in the global market

To reach these objectives, the Cybersecurity cPPP should leverage complementary work:

• The coordination of R&I in the frame of H2020 characterized by a cross‐sectoral, technology‐

neutral, interoperable, and holistic approach

• The development of industrial policy activities to support the growth of the cybersecurity

industry in Europe and broadly deploy innovative solutions and services for the most economically important and growing end markets as well as for security sensitive applications To achieve maximum leverage for impact all proposed cPPP activities will :

• be designed and deployed to be technology‐neutral, interoperable and transparent
• combine security and privacy improvements – not only partially but with positive, measurable

impact for the system solution all along the value chain

• elaborate and indicate which is the addressed minimum (where applicable higher) level of

security and give a workable guideline for supportive policy activities such as certification and labelling

• provide evidence how the approach enhances trust and acceptance by citizens, consumers and

businesses

Hyperconnected (Critical) Infrastructures Vertical Domains

Industry 4.0 Energy Transport Finance Public Services / eGovernment Health Smart & Secure Cities Other

Built on top of

Secure ICT infrastruct ures IoT Mobile Embedded Network s / 5G Cloud/ web services Other

Relying on

Products& Services security and privacy by design Identity and access management Trust management Data security Network security systems security cloud security (device/endpoint) security Audit, compliance and certification Risk management Cyber security

• perations services

Security training

Research Areas/ Topics Technology Research

Link Applications (verticals) / ICT Infrastructure / Cybersecurity Products & Services

Mechanisms for SRIA implementation

Technical Priorities for the cPPP

We consider the following classification and grouping for the cybersecurity Products & Services:

 Fostering assurance and security and privacy by design  Identity, access and trust management (Identity and Access Management, Trust Management)  Data protection  Protecting the ICT Infrastructure (Cyber Threats Management, Network Security, System Security, Cloud Security, Trusted hardware/ end point security/ mobile security)  Security services (Auditing, compliance and certification, risk Management, cyber security operation, security training services)

Analysis and presentation (structure similar to WP)

• Scope
• Research challenges
• Expected outcome
• Time line

0.5 1 1.5 2 2.5 Protecting the ICT Infrastructure and enabling secure execution: Focus on data protection (including crypto) Fostering assurance and security and privacy by design #REF! Security Services

Area Prioritization

Identity, access and trust management

Relevant issues/activities to the cPPP

• Education, training, and skills development
• Fostering innovation in cyber security
• Develop a cyber security ecosystem
• Define the cyber security value chain
• Policy, regulation, standardisation and certification
• Standardisation (pre‐standardisation possibly in the cPPP)
• Regulation
• EU Cyber Security quality/ trust label
• Boosting SMEs
• Bottom‐up Fast Track for Cybersecurity Innovation
• Societal aspects

Industry Proposal*

Vision

• Scene Setter
• The nature of the cyber threat
• Overview of the current situation in Europe
• The strengths, weaknesses, opportunities

and threats

• Market Analysis
• Needs for action
• Overall long term vision of the PPP
• Strategic and specific Objectives of the PPP
• Added Value of actions at Union Level
• Added value of implementation via a

contractual PPP

• Actors behind this proposal

Research and Innovation Strategy (SRIA)

• Scope of R&D and Innovation Challenges
• Technical Priorities
• Technical priorities and vertical sectors
• Non‐Technical Priorities and Supporting Action
• Societal aspects
• Indicated timeline and estimated budget

Expected Impact

• Description of Industry commitment
• Expected impact on strategic objectives
• Impact of cybersecurity on strategic sectors: a

market analysis

• Ability to Leverage Additional Investments
• Monitoring: KPIs
• Proposed methodology for monitoring the

commitments

• Risks

Governance

• Overview of the governance model
• IPR Principles
• Association Statues and Modus Operandi of

the Association * According to article 25

Key Performance Indicators ‐ KPIs

Industrial Competitiveness KPI 1: MARKET DEVELOPMENT

• Evolution of cybersecurity revenues in the European and global market, including positioning and market share of

the EU industry KPI 2: FROM INNOVATION TO MARKET: STANDARDS, TESTING, CERTIFICATION AND TRUST LABELLING

• Contribution to standards, use of testing, validation, certification infrastructures as well as EU trust labelling

procedures, best practices and pilots for innovative elements of the supply chain KPI 3: USERS AND APPLICATIONS

• Increased use of cybersecurity solutions in the different markets / applications

KPI 4: PRODUCTS and SERVICES SUPPLY CHAIN

• Development of the cybersecurity industry in Europe.

KPI 5: SMEs

• Support the creation and development of start‐ups having products / services that effectively reach the market.

Socio‐Economic Security KPI 6: EMPLOYMENT

• Develop employment in cybersecurity sectors (supply and users / operators)

KPI 7: ECOSYSTEM: EDUCATION, TRAINING, EXERCISES

• Development of education, training and skills on cybersecurity products and safe use of IT tools in European

countries for citizens and professionals KPI 8: PRIVACY & SECURITY BY DESIGN

• Development and implementation of European approaches for cybersecurity, trust and privacy by design

KPI 9: DATA / INFORMATION EXCHANGE & RISK MANAGEMENT

• Facilitate process for information sharing between MS, CERTs and Users to increase monitoring and advising on

threats; better understanding risk management and metrics KPI 10: IMPLEMENTATION OF LEGISLATIONS

• Implementation of the NIS Directive and market driving Regulations / Guidelines

Key Performance Indicators ‐ KPIs

Implementation and operational aspects of the cPPP KPI 11: INVESTMENTS / LEVERAGE

• Investments (R&I, capability, competence and capacity building) in the cybersecurity sectors defined

by the cPPP objectives and strategy KPI 12: cPPP MONITORING

• Efficiency, openness and transparency of the PPP Consultation Process

KPI 13: COORDINATION WITH THE EU and THIRD COUNTRIES

• Coordination of the cPPP implementation with EU Member States, Regions and Third Countries

KPI 14: DISSEMINATION & AWARENESS

• Dissemination and Awareness making the cPPP action and results visible in Europe and

internationally, to a broad range of public and private stakeholders KPI 15: TECHNICAL KPIs

The Association: European CYberSecurity Alliance ‐ ECYSA

• Should facilitate realising the objectives of the European cybersecurity

(ECYS) contractual PPP (cPPP) include Research and Innovation (R&I).

• The cPPP will follow the legal base of H2020 which is open and

transparent, for its initial period 2016‐2020. For this reason, any Legal Body eligible in H2020 projects can be Member of the Association while any Legal Body eligible in H2020 projects can respond to future call for proposals irrespective of whether it is or not a member of the cPPP, as per H2020 legal base. For the same reason, any Member of the Association is eligible to take part at the Partnership Board without restriction.

• The main role of the Association will be to facilitate developing the

European cybersecurity Strategic Research and Innovation Agenda (SRIA) and its regular updates which will serve as essential input to define the technical priorities to be addressed under the cybersecurity cPPP, defining and monitoring the metrics of the cPPP

ECYSA Membership (from the draft Statutes)

To be admitted as a Member, the party should be: a) Legal Entity established at least in one ECYSA Country**, which legal entity shall have a significant footprint in this country (creation of jobs) in cybersecurity activities for research and development and / or manufacturing and / or providing services, as determined by the Board of Directors of ECYSA. b) a public body from an ECYSA Country **ECYSA Country: an EU Member State or an associated country as defined from time to time by the E. Commission and Switzerland (with entities from any industrialised third country not associated to Horizon 2020) CATEGORIES OF MEMBERS a) Large companies (directly represented): cybersecurity solutions / services providers; b) National and European Organisation / Associations (gathering large companies and SMEs) representing interests at national or European / International level. c) SME (as per E. Commission definition) solutions / services providers directly represented; Associations composed only by SME, Startups, Incubators, Accelerators. d) Users / Operators (where cybersecurity technology / solutions / services provision is not one their business activities): National public administrations or private companies (large or SMEs) directly represented. e) Regional / Local public administrations (with economic interests); Regional / Local Clusters of public / private Legal Entities with local economic / ecosystem development interests. f) Public Administrations at national level (national strategy / regulatory / policy issues, incl. R&I coordination). g) Research Centers (large and medium / small), Academies / Universities (directly represented, not via an associative body); Associations composed only by Research Centers, Academies or Universities. h) Others (financing bodies, insurances, consultants, etc.).

EoI PER COUNTRY EoI Member Likely Interested AT 4 7 BE 1 1 BG 1 CH 1 1 CY 3 CZ 1 DE 3 6 DK EE 3 1 EU ORG 6 2 FI 2 5 FR 20 3 GR 2 1 MT HU 1 1 IE 2 1 IT 6 3 LT 1 1 LU 1 MT NL 3 4 PL 5 1 PT 2 1 RO 1 SE 1 1 SI 2 SK 1 SP 20 4 TR 1 UK 4 5 TOTAL 92 55 EoI Membership Likely Interested LARGE IND 26 12 INDUSTRY ORG/ASSOC 21 16 SME 26 18 USERS / OP 2 1 RTO / UNI 17 8 TOTAL 92 55

Expression of Interest for ECYS cPPP / ECYSA received

EUROPEAN COMMISSION ECYSA General Assembly

ECYSA Members Working Groups / Task Forces ECYSA ‐ Association Board of Directors

(Management of the ECYSA Association ‐ policy / market actions)

Coordination / Strategy Committee

ECYS cPPP Partnership Board (Monitoring of the ECYS cPPP ‐ R&I priorities)

INDUSTRIAL POLICY RESEARCH & INNOVATION

Scientific & Technology Committee

ECYSA Association ECYS ‐ Cybersecurity cPPP