National Cyber Hubs

World-class National Cyber Hubs across the Union, supported by state-of-the-art technology, acting as clearing houses for detecting, gathering and storing data on cybersecurity threats, analysing this data, and sharing and reporting CTI, reviews and analyses, taking into account well-established standards for sharing and automation processes.

Threat intelligence and situational awareness capabilities and capacity building supporting strengthened collaboration between cybersecurity actors, including private and public actors.

• Targeted training courses on the basis of the ECSF to improve the capacity of cyber security roles. •
• Applications for automated notification of private and public actors about compromised or insecure systems

Where a Member State decides to participate in the European Cybersecurity Alert System, it shall designate or, where applicable, establish a National Cyber Hub, a single entity acting under the authority of the Member State.

National Cyber Hubs have the capacity to act as a reference point and gateway to other public and private organisations at national level for collecting and analysing information on cyber threats and incidents and to contribute to a Cross-Border Cyber Hub. They are capable of detecting, aggregating, and analysing data and information relevant to cyber threats and incidents, such as cyber threat intelligence, by using in particular state-of-the-art technologies, and with the aim of preventing incidents.

For the following programming cycle, the emphasis is on continuation of activities initiated during past years.

The objective is to create or strengthen National Cyber Hubs, with state-of-the-art tools for monitoring, understanding and proactively managing cyber events, in close collaboration with relevant entities such as CSIRTs, ISACs, etc. They will also, where possible, benefit from information and feeds from other Cyber Hubs in their countries and use the aggregated data and analysis to deliver early warnings to targeted critical infrastructures on a need-to-know basis. National Cyber Hubs could also consider the possibility of monitoring undersea infrastructure, such as submarine cables.

The aim is to build capacity for new or existing National Cyber Hubs, e.g. equipment, tools, data feeds, as well as costs related to data analysis, interconnection with Cross-Border Cyber Hubs, etc. This can include for example automation, analysis and correlation tools and data feeds covering Cyber Threat Intelligence (CTI) at various levels, ranging from field data to Security Information and Event Management (SIEM) data to higher level CTI. Automation is a key aspect in the efficient handling and processing of information. Where available, already established standards should be used, such as the Common Security Advisory Framework (CSAF)¹ , for security advisories or for collecting and processing cybersecurity-related messages (e.g. IntelMQ project²). Applications developed by Cyber Hubs/SOCs should be compatible with European standardisation projects like the EU vulnerability database (EUVD). National Cyber Hubs should also leverage state-of-the-art technology such as artificial intelligence and dynamic learning of the threat landscape and context. This also includes the use of shared cybersecurity information, to the extent possible based on existing taxonomies and/or ontologies, and hardware to ensure the secure exchange and storage of information. The operations should be built upon live network data and other training data required in the initial phases. Where relevant, consideration should be given to SMEs as the ultimate recipients of cybersecurity operational information.

A key element is the translation of advanced AI, data analytics and other relevant cybersecurity tools from research results to operational tools, and further testing and validating them in real conditions in combination with access to supercomputing facilities (e.g. to boost the correlation and detection features of cross-border platforms). Such activities are identified and proposed for financing in section 2.3, dedicated to AI for Cybersecurity, and topic 2.3.1.

Furthermore, National Cyber Hubs could also consider deploying solutions for the surveillance and protection of critical undersea infrastructure, such as submarine cables, and the detection of malicious activities around them, to improve the resilience and security of this infrastructure, which is critical for global communications. The response to such hybrid threats could also include situational awareness performed through the collection and analysis of in situ, sea based sensor data as well as relevant satellite imagery. For such activities, operational synergies with the EU Copernicus Space Programme and in particular with its Security Service are required.

Another key role for National Cyber Hubs is to facilitate knowledge transfer and sharing, as well as support training initiatives for all needed cybersecurity roles the basis, for instance, of the European Cybersecurity Skills Framework (ECSF³). For example, Cyber Hubs/SOCs dealing with critical infrastructures play a key role and should benefit from the knowledge and experience acquired by or concentrated in National Cyber Hubs.

National Cyber Hubs must share information with other stakeholders in a mutually beneficial exchange of information and commit to apply to participate in a Cross-Border Cyber Hub within the next 2 years, with a view to exchanging information with other National Cyber Hubs.

To achieve this aim, a call for expression of interest⁴ will be launched to select entities in Member States that provide the necessary facilities to host and operate National Cyber Hubs. Applicants to the call for expressions of interest should describe the aims and objectives of the National Cyber Hub, describe its role and how such role relates to other cybersecurity actors, such as CSIRTs, and its potential cooperation with other public or private cybersecurity stakeholders. Applicants should also provide the detailed planning of the activities and tasks of the National Cyber Hub, the services it will offer, the way it will operate and be operationalised, and describe the duration of the activity as well as the main milestones and deliverables. They should also specify what equipment, tools and services need to be procured and integrated to build up the National Cyber Hub, its services and its infrastructure.

To support the above activities of a National Cyber Hub, the following two workstreams of activities are foreseen:

• [Procurement] A Joint Procurement Action with the Member State where the National Cyber Hub is located: this will cover the procurement of the main infrastructure, tools and services needed to build up the National Cyber Hub.
• [Building up and running the National Cyber Hub] A grant will also be available to cover, among others, the preparatory activities for setting up the National Cyber Hub, its interaction and cooperation with other stakeholders, as well as the running/operating costs involved, enabling the effective operation of the National Cyber Hub, e.g. using the infrastructure, tools and services purchased through the joint procurement. These will also indicate milestones and deliverables to monitor progress

Applications shall be made to both workstreams. The applications will be subject to an evaluation procedure. Grants will only be awarded to applicants that have succeeded in the evaluation of the joint procurement action.

These actions aim at creating or strengthening National Cyber Hubs, which occupy a central role in ensuring the cybersecurity of national authorities, providers of critical infrastructures and essential services. Cyber Hubs, in cooperation with other relevant national/regional entities, are tasked with monitoring, understanding and proactively managing cybersecurity threats. Cyber Hubs will have a crucial operative role in ensuring cybersecurity in the Union and will handle sensitive information.

Pursuant to Article 12(5a) of the Cyber Solidarity Act amending Article 12 of Regulation (EU) 2021/694, Article 12(5) of Regulation (EU) 2021/694 shall not apply if the conditions stipulated in Article 12(5a) are cumulatively met. The assessment of these conditions should take into account the results of the mapping of the availability of tools, infrastructure and services for the National Cyber Hubs to be carried out by the ECCC pursuant to Article 9(4) of the Cyber Solidarity Act.

The first mapping exercise is ongoing. Until the mapping is completed and in line with the relevant provisions of the Cyber Solidarity Act, participation to the calls funded under this topic will be therefore subject to the restrictions of Article 12(5), as specified in Appendix 3 of this Work Programme. These security conditions may be later amended taking into account the results of the final mapping of services carried out by the ECCC pursuant to Article 9(4) of the Cyber Solidarity Act.

¹ Common Security Advisory Framework (CSAF): Machine-processable format enables automated database reconciliation - https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Empfehlungen-nach-Angriffszielen/Industrielle-Steuerungs-und-Automatisierungssysteme/CSAF/CSAF_node.html

² IntelMQ: https://github.com/certtools/intelmq

³ https://www.enisa.europa.eu/topics/education/european-cybersecurity-skills-framework

⁴ Please note this is not a call for expression of interest within the meaning of Point 13 of Annex I of the Regulation (EU, Euratom) 2018/1046. The aim is to select the future contracting authorities taking part in a joint procurement