Capacity building of Security Operation Centres

Outcomes and deliverables

• Several cross-border platform(s) for pooling data on cybersecurity threat between several Member States, equipped with a highly secure infrastructures and advanced data analytics tools;
• World-class SOCs across the Union, strengthened with state of the art technology in areas such as AI;
• Sharing of Threat Intelligence between SOCs, and information sharing agreements with competent authorities and CSIRTs;
• Threat intelligence and situational awareness capabilities supporting strengthened collaboration in the framework of the Blueprint/CyCLONe and the Joint Cybersecurity Unit, as well as with law enforcement and defence.

The objective will be to create, support and/or strengthen and interconnect SOCs at regional, national and EU level. This will allow for reinforced capacities to monitor and detect cyber threats, the creation of collective knowledge and sharing of best practices. In addition, data and capacities related to cybersecurity threat intelligence will be brought together from multiple sources (such as CSIRTs and other relevant cybersecurity actors) through cross-border platforms across the EU. The use of state-of-the-art AI, machine learning capabilities and common infrastructures will make it possible to more efficiently and more rapidly share and correlate the signals detected, and to create high-quality threat intelligence for national authorities and other stakeholders, thus enabling a fuller situational awareness and a more rapid reaction.

The aim is to improve cybersecurity resilience with faster detection and response to cybersecurity incidents and threats at national and EU level through the establishment of SOCs, leveraging disruptive technologies, and sharing of information leading to increased situational awareness and stronger EU supply chains. Specifically:

• Supporting existing SOCs or establishing national, regional or sectoral SOCs serving private (SMEs in particular) and/or public organisations with real-time monitoring and analysis of data from public internet network traffic to detect malicious activities and incidents that affect the resilience of network and information systems;
• Strengthening SOCs by leveraging state of the art Artificial Intelligence (including Machine Learning techniques) and computing power to improve the detection of malicious activities, and dynamically learning about the changing threat landscape;
• Supporting information sharing among public authorities (including competent authorities and CSIRTs under the NIS Directive), as well as with other SOCs (e.g. operated by private entities), facilitated through appropriate sharing agreements, while complying with all obligations related to privacy and personal data protection;
• Developing and deploying appropriate tools, platforms and infrastructures to securely share and analyse large data sets among SOCs. Where possible and appropriate, existing building blocks will be re-used, including the results of relevant Connecting Europe Facility and Horizon 2020 projects;
• Supporting the increased availability, quality, usability and interoperability of threat intelligence data among SOCs and relevant entities;
• Identify potential critical dependencies on foreign suppliers and solutions in the area of threat intelligence and develop an EU supply chain on threat intelligence;
• Provide Member States bodies with threat intelligence and situational awareness capabilities helping to anticipate and respond to cyber-attacks, notably in the framework of the Blueprint/CyCLONe and the Joint Cybersecurity Unit;
• Bridge cooperation between various cybersecurity communities, e.g. civilian cybersecurity resilience, law enforcement, defence, taking into account cooperation frameworks such as the Blueprint/CyCLONe and the Joint Cybersecurity Unit.

To achieve this aim, the following activities are foreseen:

• Grants will be made available to enable capacity building, e.g. through the establishment or reinforcing of SOCs serving private or public organisations, leveraging state of the art technology such as artificial intelligence and dynamic learning of the threat landscape
• A call for expression of interest will be launched to select entities in Member States that provide the necessary facilities to host and operate cross-border platforms for pooling data on cybersecurity threat between several Member States (data potentially coming from various sources). The call for expression of interest will also build up the planning and design of necessary tools and infrastructures.
• Building on the call for expression of interest, a joint procurement will be launched to develop and operate capacities for the selected cross-border platforms, including advanced tools and infrastructures to securely share and analyse large data sets and threat intelligence among the selected cross-border platforms (e.g. highly-secure infrastructure or advanced data analytics aimed at significantly improving the ability to analyse large sets of data).