The general context for this call for proposals is defined in section 3.8 of the 2019 Connecting Europe Facility (CEF) Telecom Work Programme1 as published on the call page on the Innovation and Networks Executive Agency (INEA) website.2 The background and rationale for this call for proposals are defined in section 3.8.1 of the 2019 – 2020 Work Programme.
Funding under this call is intended to facilitate improved capabilities on cybersecurity in the Member States, as well as cooperation. In particular, this involves effective implementation of the Security of Network and Information Systems Directive (Directive (EU) 2016/1148) ("NIS Directive") and initial steps to support security certification stakeholders as referenced in the EU Cybersecurity Act3.
2. PRIORITIES & OBJECTIVES
2.1 Priority outcomes
The priority outcomes of this call for proposals are defined in section 184.108.40.206 of the 2019 – 2020 Work Programme.
Agence exécutive pour l'innovation et les réseaux /Uitvoerend Agentschap innovatie en netwerken, 1049 Bruxelles/Brussel, BELGIQUE/BELGIË - Tel. +32 22991111
Applicants who already received CEF funding under previous CEF Telecom Cybersecurity calls and who plan to apply again under this call must clearly explain in the relevant section of application form part D of their proposal (notably section 1 and/or 2.1) how their proposed Action will build upon and/or differ from the action(s) funded under the previous call(s).
The Objectives of this call and the activities that could be funded are described below.
Each proposal must address only one of the following Objectives and should clearly specify which Objective is being addressed.
Objective 1: Cooperation among designated national CSIRTs (Computer Security Incident Response Teams) for the joint use of MeliCERTes
Funding will be granted as an incentive to national CSIRTs for their participation in the MeliCERTes facility co-operation mechanism and, if applicable, to develop their cybersecurity capacity. Details of the MeliCERTes software are publicly available4.
Proposals submitted under this Objective must be submitted by a consortium of at least two national CSIRTs, designated by a Member State as required by the NIS Directive5. These national CSIRTs must be located in at least two different Member States.
If not already done so, these national CSIRTs are expected to install and use MeliCERTes shortly after the commencement of the Action.
Proposals must address both types of activities outlined below:
a) activities to complement the functionality of the MeliCERTes facility to enhance swift and effective cross-border cooperation between different national CSIRTs. This must include the development and implementation of IT infrastructure in order to allow the joint use of MeliCERTes to exchange information e.g. by jointly developing software tools for MeliCERTes, by improving access to MeliCERTes, by devising joint incident handling processes relying on MeliCERTes.
b) trust-building activities to enhance cross-border cooperation e.g. organisation of joint cyber exercises or knowledge sharing.
Only if a national CSIRT has not received funding for CSIRTs under the CEF Telecom Cybersecurity Calls of 2016, 2017, or 20186, its proposal may also address activities for improving its cyber capabilities. Such activities can be infrastructure or soft support e.g. the development or acquisition of infrastructure including software tools; development of skills and structural support encompassing training and services both for the CSIRT staff and as part of service provision for its constituency.
Proposals selected under this Objective are expected to demonstrate the sustained use of the MeliCERTes facility at least throughout the duration of the Action.
Objective 2: Support for identified Operators of Essential Services (OES) for capability development and for the set-up of Information Sharing and Analysis Centres (ISACs)
Funding will be granted as an incentive to Operators of Essential Services (OESs) to improve their capabilities to manage their cybersecurity and to report cyber incidents to relevant authorities in accordance with relevant national and EU legislation. Funding will also be granted as an incentive for the creation of Information Sharing and Analysis Centres (ISACs).
Proposals submitted under this Objective must include at least one OES, as identified in line with the NIS Directive.
Proposals must address one or both types of activities outlined below:
a) improving internal capabilities to meet security and reporting requirements under national and EU legislation. Examples include risk assessments, penetration testing and audits to get a better grasp on security maturity levels, exercises and internal training. Proposals must clearly explain how the security and reporting requirements will be addressed by the proposed activities, and should take the guidance documentation published by the NIS Cooperation Group into account7.
b) setting-up a national or European level ISAC to enhance the cybersecurity preparedness of OES through effective information sharing and improved situational awareness. Such an ISAC must be limited in scope to an industry sector or subsector as set out in Annex II of the NIS Directive or to other such sectors as included by the Member State concerned in its implementation of the NIS Directive. Furthermore, the ISAC must be chaired by an OES, be representative of industry stakeholders, and involve public authorities.
ISACs generally involve structured and voluntary sharing of secure information between trusted colleagues from both suppliers and operators in a particular industrial sector. ISACs can assist with improved cybersecurity preparedness, situational awareness, and coordinated vulnerability disclosure. Related documentation made available by the European Union Agency for Network and Information Security (ENISA)8 should be taken into account.
Applications from OES that provide essential services in more than one Member State are particularly encouraged, as are those from OES in the banking, financial market infrastructures and health sectors. In this case the application should clearly explain which services are provided and where.
Proposals funded under this Objective are expected to improve the applicants' preparedness and situational awareness through voluntary secure information exchange of cybersecurity risks, threats, vulnerabilities and incidents.
Beneficiaries funded under this Objective will be expected:
either to join a relevant European Level Sectoral ISAC, or
to participate in events to establish a relevant European Level Sectoral ISAC
organised by the ISAC facilities manager (which is being set-up by the European Commission)9 and to have used the support services of that manager.
The amount of funding expected to be allocated under this objective is €3 million out of the total budget for the call of €10 million.
Objective 3: Support to National Competent Authorities (NCAs) and Single Points of Contact (SPOCs) to undertake the liaison, regulation and enforcement obligations set out in the NIS Directive
Funding will be granted as incentive to designated National Competent Authorities (NCAs) and Single Points of Contact (SPOCs) to undertake their role effectively as set out by the NIS Directive.
Proposals submitted under this Objective must include at least one NCA or SPOC.
Proposals must address activities to build up in-house capabilities to undertake effectively the liaison, regulation, and enforcement obligations set out in the NIS Directive e.g. by training and upskilling staff to undertake information security audits, by facilitating interaction with NCAs and with other Member States.
In addition to building-up in-house capabilities, proposals may address one or more of the following activities:
a) facilitating reporting from OESs and Digital Service Providers (DSPs) to NCAs and SPOCs.
b) structured interaction between NCAs and SPOCs and OESs and DSPs; e.g. consultation and stakeholder engagement.
Beneficiaries funded under this Objective will be expected to participate in activities and events organised by the cybersecurity co-operation facilitation manager for NCAs and SPOCs10 (which is being set-up by the European Commission11) and to use the support services of that manager.
Objective 4: Trans-European cooperation for effective joint cybersecurity operations and to build mutual trust/confidence
Funding will be granted as incentive to facilitate sustained cooperation between Member States for effective joint cybersecurity operations and to build mutual trust/confidence.
Proposals submitted under this Objective must be submitted by a consortium of at least two national public bodies/institutions entrusted with national level cybersecurity. These bodies must be located in at least two different Member States.
Proposals must include cooperation activities between Member States for effective joint cybersecurity operations and to build mutual trust/confidence. These cooperation activities should facilitate the continuation or creation of stable transnational relationships.
Proposals could address, but might not be limited to, the type of activities outlined below:
a) Further development and implementation of the operational layer of the European Commission Recommendation on Coordinated Response to Large Scale Cybersecurity Incidents and Crises12 e.g. through cyber-exercises
b) Secure information exchange of cybersecurity risks, threats, vulnerabilities and incidents
c) Joint awareness raising initiatives for the public and industries
d) Joint cyber rapid response, hybrid threat monitoring, mutual assistance initiatives
Beneficiaries funded under this Objective will be expected to participate in activities and events organised by the cybersecurity co-operation facilitation manager for NCAs and SPOCs13 (which is being set-up by the European Commission) and to use the support services of that manager.
Objective 5: Support to a common level of maturity in cybersecurity certification
Funding will be granted as an incentive to improve the capabilities and cooperation of entities that have primary responsibility for cybersecurity certification at the national level, in order to facilitate the implementation of the EU Cybersecurity Act14.
Proposals submitted under this Objective must include at least one entity that that has primary responsibility for cybersecurity certification at the national level. In the case of multi-applicant proposals, the applying entities must be located in at least two different Member States.
Proposals could address, but might not be limited to, the type of activities outlined below:
a) building up internal capabilities to undertake effectively the certification obligations of national authorities in charge of cybersecurity certification, as set out in the EU Cybersecurity Act e.g. by training and upskilling staff to develop their own training capabilities. Such training may range from technical (e.g. how to use testing equipment) to more general aspects (e.g. how to write protection profiles, certification reports).
b) Increasing operational capabilities for certification through acquisition and interoperability of relevant equipment and infrastructure (e.g. equipment to test IT systems such as pentesting, IT support to facilitate documentation review).
c) Exchange of best practices, exchange of relevant information related to certification, and peer support related to cybersecurity certification e.g. on technical issues related to carrying out audits of conformity assessment bodies. Such exchanges may range from staff exchange programmes to the creation of expert-validated good practice databases.
Beneficiaries funded under this Objective will be expected to contribute to activities and working groups of the European Cybersecurity Certification Group established in line with the EU Cybersecurity Act.
The amount of funding expected to be allocated under this objective is €1 million out of the total budget for the call of €10 million.
2.2 Results expected from the financial assistance
The benefits and expected outcomes of this call for proposals are defined in section 220.127.116.11 of the 2019 – 2020 Work Programme.
The call will assist the Member States to limit the economic and political damage of cyber incidents, while reducing the overall costs of cybersecurity for individual Member States and for the EU as a whole.
The call is likely to result in improved compliance with the NIS Directive, as well as higher levels of situational awareness and crisis response in Member States. This may open new avenues for cross European and multidisciplinary methodological and experimental cooperation that include Europe-wide views, perceptions, and behaviours, leading to higher preparedness and better cybersecurity resilience.
Date of publication of call for proposals
Thursday 4 July 2019
Deadline for the submission of proposals
Thursday 14 November 2019 (17:00.00 Brussels time)
Evaluation of proposals
December 2019 – February 2020 (indicative)
Consultation of the CEF Committee
April 2020 (indicative)
Adoption of the Selection Decision
May 2020 (indicative)
Preparation and signature of grant agreements
Between May and August 2020 (indicative)
4. BUDGET AVAILABLE
The total budget earmarked for the co-financing of projects under this call for proposals is estimated at €10 million.
Out of the total budget of €10 million, it is expected to allocate €3 million under Objective 2 and allocate €1 million under Objective 5.
The Commission reserves the right not to distribute all the funds available.
The Commission reserves the right to award a grant of less than the amount requested by the applicant.
5. ADMISSIBILITY REQUIREMENTS
In order to be admissible, proposals must be:
Submitted no later than the deadline for submitting applications referred to in section 3 on Timetable;
Submitted in writing (see section 14), using the application forms15 and electronic submission system available at https://webgate.ec.europa.eu/tentec/grant/esubmission.16 In this respect, proposals or part(s) of proposals submitted by e-mail or hard copy will not be admissible;
Complete, i.e. all parts of the application form (A, B, C or D) are complete and uploaded in TENtec;
Duly signed by the applicant(s).
Failure to comply with any of these requirements will lead to the rejection of the application.
6. ELIGIBILITY CRITERIA
6.1 Eligible applicants
In accordance with the 2019 – 2020 Work Programme and pursuant to Article 9 of the CEF Regulation,17 only those proposals submitted by the following types of applicants are eligible:
One or more Member States;
With the agreement of the Member State(s) countr(y)ies concerned, international
organisations, Joint Undertakings18, or public or private undertakings or bodies established in Member States.
For Objective 1: Proposals submitted under this Objective must be submitted by a consortium of at least two national CSIRTs, designated by a Member State as required by the NIS Directive19. These national CSIRTs must be located in at least two different Member States.
For Objective 2: Proposals submitted under this Objective must include at least one Operator of Essential Services (OES) identified by the Member States in the context of the NIS Directive. All OES must download from the call webpage20, fill in, and upload as a supporting document the letter of support, to be signed by the relevant Ministry/National Authority declaring that the applicant is or is in the process of being identified as an OES. Where the same Ministry/National Authority is responsible for the identification of several applicants as OES, it is possible to submit one letter of support listing all the relevant applicants.
If their proposal is retained for funding, entities in the process of being identified as OES at the moment of submission will have to demonstrate their OES status before the signature of the grant agreement (see the indicative timing for preparation and signature of grant agreements under section 3). This requirement must be fulfilled within the specified timeline; otherwise the Agency reserves the right to cancel the grant agreement preparation.
For Objective 3: Proposals submitted under this Objective must include at least one National Competent Authority (NCA) or Single Point of Contact (SPOC) designated by the Member States in line with the NIS Directive.
For Objective 4: Proposals submitted under this Objective must be submitted by a consortium of at least two national public bodies/institutions entrusted with national level cybersecurity. These bodies must be located in at least two different Member States.
For Objective 5:
Proposals submitted under this Objective must include at least one entity that that has primary responsibility for cybersecurity certification at the national level. In the case of multi-applicant proposals, applying entities must be located in at least two different Member States. Applicants must download from the call webpage21, fill in, and upload as a supporting document the letter of endorsement, to be signed by the relevant Ministry/National Authority declaring that the applicant currently has primary responsibility of cybersecurity certification at the national level.
In accordance with section 5.3.1 of the 2019 – 2020 Work Programme, European Free Trade Association (EFTA) countries which are members of the European Economic Area (EEA) may participate22 in the call for proposals, even when not explicitly mentioned in the Work Programme text, with the same rights, obligations and requirements as EU Member States. At the time of call publication, these conditions apply to Norway and Iceland only.
For British applicants: Please be aware that eligibility criteria must be complied with for the entire duration of the grant. If the United Kingdom withdraws from the EU during the grant period without concluding an agreement with the EU ensuring in particular that British applicants continue to be eligible, you will cease to receive EU funding (while continuing, where possible, to participate) or be required to leave the project on the basis of Article II.16.3.1 (a) (change of the legal situation of the beneficiary) of the grant agreement.23
Third countries and third country entities
Where necessary to achieve the objectives of a given project of common interest and where duly motivated, third countries and entities established in third countries may participate in actions contributing to the projects of common interest. They may not receive funding under the CEF Regulation, except where it is indispensable to achieve the objectives of a given project of common interest.
Acceding states and candidate countries benefiting from a pre-accession strategy may also participate in the sector of the CEF covering telecommunications infrastructure in accordance with agreements signed with the EU. As at the time of call publication no such agreements have been signed, the same conditions as for third countries apply to acceding states and candidate countries.
Third countries and entities established in third countries may only participate as part of a consortium with applicants from EU/EEA countries. The application must contain the agreement of the Member State concerned by the proposed Action and a declaration from the European partner involved in the proposal on why the participation of the third country applicant is indispensable. Applicants that are entities established in a third country must also provide proof of the support of the third country authorities concerned by the action.
Applicants without legal personality
Proposals may be submitted by entities which do not have legal personality under the applicable national law, provided that their representatives have the capacity to undertake legal obligations on their behalf and offer a guarantee for the protection of the EU's financial interests equivalent to that offered by legal persons.
Proposals submitted by natural persons are not eligible.
Applicants may designate affiliated entities within the meaning of Article 187 of the Financial Regulation, for the purpose of supporting the implementation of the action submitted for funding. Such affiliated entities must comply with the eligibility criteria for applicants.
Member State agreement
Any applicant that cannot provide the agreement of the EU Member State or EEA country concerned will not be eligible.
6.2 Eligible actions
In line with Article 7 of the CEF Regulation, only actions contributing to "projects of common interest" as identified in the Telecom Guidelines24 shall be eligible for support through EU financial aid in the form of grants.
Please note that failure to comply with any of the eligibility criteria indicated above will lead to the rejection of the application.
The Action may not start before the date of submission of the application25.
The indicative duration of an Action proposed under this call is 3 years.
7 EXCLUSION CRITERIA
applicant shall be excluded from participating in call for proposals procedures where:
the applicant is bankrupt, subject to insolvency or winding-up procedures, where its assets are being administered by a liquidator or by a court, where it is in an arrangement with creditors, where its business activities are suspended, or where it is in any analogous situation arising from a similar procedure provided for under national laws or regulations;
it has been established by a final judgment or a final administrative decision that the applicant is in breach of its obligations relating to the payment of taxes or social security contributions in accordance with the applicable law;
it has been established by a final judgment or a final administrative decision that the applicant is guilty of grave professional misconduct by having violated applicable laws or regulations or ethical standards of the profession to which the applicant belongs, or by having engaged in any wrongful intent or gross negligence, including, in particular, any of the following:
(i) fraudulently or negligently misrepresenting information required for the verification of the absence of grounds for exclusion or the fulfilment of eligibility or selection criteria or in the performance of a contract, a grant agreement or a grant decision;
(ii) entering into agreement with other applicants with the aim of distorting competition;
(iii) violating intellectual property rights;
(iv) attempting to influence the decision-making process of the
Commission/Agency during the award procedure;
(v) attempting to obtain confidential information that may confer upon it undue advantages in the award procedure;
it has been established by a final judgment that the applicant is guilty of any of the following:
(i) fraud, within the meaning of Article 3 of Directive (EU) 2017/1371 of the European Parliament and of the Council and Article 1 of the Convention on the protection of the European Communities' financial interests, drawn up by the Council Act of 26 July 1995;
(ii) corruption, as defined in Article 4(2) of Directive (EU) 2017/1371 or Article 3 of the Convention on the fight against corruption involving officials of the European Communities or officials of Member States of the European Union, drawn up by the Council Act of 26 May 1997, or conduct referred to in Article 2(1) of Council Framework Decision 2003/568/JHA, or corruption as defined in the applicable law;
(iii) conduct related to a criminal organisation, as referred to in Article 2 of Council Framework Decision 2008/841/JHA;
(iv) money laundering or terrorist financing, within the meaning of Article 1(3), (4) and (5) of Directive (EU) 2015/849 of the European Parliament and of the Council;
(v) terrorist offences or offences linked to terrorist activities, as defined in Articles 1 and 3 of Council Framework Decision 2002/475/JHA,