Cross-border Cyber Hubs

• World-class Cross-Border Cyber Hubs across the Union for pooling data on cybersecurity threats between several Member States, equipped with a highly secure infrastructures and advanced data analytics tools for detecting, gathering and storing data on cybersecurity threats, analysing this data, and sharing and reporting CTI, reviews and analyses.
• Sharing of Threat Intelligence between National Cyber Hubs, and information sharing agreements with competent authorities and networks, including CSIRTs.

The former Cross-border SOC platforms were financed during previous calls and such collaboration is envisaged for the Cross-Border Cyber Hubs. They should provide new additional capacity building upon and complementing existing SOCs/Cyber Hubs, Computer Security Incident Response Teams (CSIRTs), ISACs and other relevant actors.

This action is aimed mainly at new Cross-Border Cyber Hubs. Supporting activities for the SOCs that were already launched under the previous DIGITAL work programmes (2021-2022 and 2023-2024)¹ could also be included when relevant to ensure collaboration with the Cross-Border Cyber Hubs.

In addition to setting up processes, tools and services for prevention, detection and analysis of emerging cyberattacks, the scope also covers the acquisition and/or adoption of common (automation) tools, processes and shared data infrastructures for the management and sharing of contextualised and actionable cybersecurity operational information across the EU. Well-established open standards for CTI sharing (e.g. MISP Standard²) or automation of advisory information (e.g. CSAF³) and cybersecurity related messages (e.g. by IntelMQ) should be considered. Cross-Border Cyber Hubs could also foresee the possibility to monitor undersea infrastructure, such as submarine cables.

¹ ENSOC and ATHENA consortia are already financed.

² MISP Standard: https://www.misp-standard.org/.

³ Common Security Advisory Framework (CSAF): Machine-processable format enables automated database reconciliation - https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Informationen-und Empfehlungen/Empfehlungen-nach-Angriffszielen/Industrielle-Steuerungs-und Automatisierungssysteme/CSAF/CSAF_node.html.

The Cross-Border Cyber Hubs platforms will contribute to enhancing and consolidating collective situational awareness and capabilities in detection and CTI, supporting the development of better performing data analytics, detection, and response tools, through the pooling of large amounts of data, including new data generated internally by the consortia members.

The platforms should act as a central point allowing for broader pooling of relevant data and CTI, enabling the dissemination of threat information on a large scale and among a large and diverse set of actors (e.g. CERTs/CSIRTs, ISACs, operators of critical infrastructures).

According to the Cyber Solidarity Act, the Cross-Border Cyber Hubs and the CSIRTs Network shall cooperate closely, in particular for the purpose of sharing information. To that end, they shall agree procedural arrangements on cooperation and sharing of relevant information and on the types of information to be shared.

Furthermore, Cross-Border Cyber Hubs could also deploy solutions for the surveillance and protection of critical undersea infrastructure, such as submarine cables, and the detection of malicious activities around them, to improve the resilience and security of this infrastructure, which is critical for global communications. The response to such hybrid threats could also include situational awareness performed through the collection and analysis of in-situ, sea based sensor data as well as relevant satellite imagery. For this activity, operational synergies with the EU Copernicus Space Programme and in particular with its Security Service are required.

Where the Cross-Border Cyber Hubs obtain information relating to a potential or ongoing large-scale cybersecurity incident, they shall ensure, for the purpose of common situational awareness, that relevant information as well as early warnings are provided to the authorities in the Member States and to the Commission through the EU-CyCLONe and the CSIRTs network61, without undue delay. A call for expression of interest will be launched to select entities in Member States that provide the necessary facilities to host and operate Cross-Border Cyber Hubs for pooling data on cybersecurity threats between several Member States. Applicants to the call for expressions of interest should describe the aims and objectives of the Cross-Border Cyber Hub, describe its role and how such role relates to other cybersecurity actors, and its potential cooperation with other public or private cybersecurity stakeholders. Applicants should also provide the detailed planning of the activities and tasks of the Cross-Border Cyber Hub, the services it will offer, the way they will operate and be operationalised, as well as the main milestones and deliverables. They should also specify what equipment, tools and services need to be procured and integrated to build up the Cross-Border Cyber Hub, its services and its infrastructure.

To support the above activities of a Cross-Border Cyber Hub, the following two workstreams of activities are foreseen:

• [Procurement] A Joint Procurement Action with the Member State participating in the Cross-Border Cyber Hub: this will cover the procurement of the infrastructure, tools and services needed to build up the Cross-Border Cyber Hub.
• [Building up and running the Cross-Border Cyber Hub] A grant will also be available to cover, among others, the preparatory activities for setting up the Cross-Border Cyber Hub, its interaction and cooperation with other stakeholders, as well as the running/operating costs involved, enabling the effective operation of the Cross-Border Cyber Hub, e.g. using the infrastructure, tools and services purchased through the joint procurement, personnel. These will also indicate milestones and deliverables to monitor progress.

Applications shall be made to both workstreams. The applications will be subject to an evaluation procedure. Grants will only be awarded to applicants that have succeeded in the evaluation of the joint procurement action.

These actions aim at creating or strengthening Cross-Border Cyber Hubs, which occupy a central role in ensuring the cybersecurity of national authorities, providers of critical infrastructures and essential services. As previously noted, Cyber Hubs will have a crucial operative role in ensuring cybersecurity in the Union and will handle sensitive information.

Pursuant to Article 12(5a) of the Cyber Solidarity Act amending Article 12 of Regulation (EU) 2021/694, Article 12(5) of the Regulation (EU) 2021/694 shall not apply if the conditions stipulated in Article 12(5a) are cumulatively met. The assessment of these conditions should take into account the results of the mapping of the availability of tools, infrastructure and services for the Cross-Border Cyber Hubs to be carried out by the ECCC pursuant to Article 9(4) of the Cyber Solidarity Act.

The first mapping exercise is ongoing. Until the mapping is completed and in line with the relevant provisions of the Cyber Solidarity Act, participation to the calls funded under this topic will be therefore subject to the restrictions of Article 12(5), as specified in Appendix 3 of this Work Programme. These security conditions may be later amended taking into account the results of the final mapping of services carried out by the ECCC pursuant to Article 9(4) of the Cyber Solidarity Act.