European support on SMEs working on cybersecurity and digital privacy and available funds or programmes
Within the cybersecurity supply industry, a very substantial part of innovation is driven by SMEs and start-ups. The European Commission has been working on fostering European cybersecurity industry and supporting specifically SMEs towards that direction all along the cybersecurity policy and regulatory initiatives. For example, in its Communication of 5 July 2016 Strengthening Europe’s Cyber Resilience System and Fostering a Competitive and Innovative Cybersecurity Industry,1 the European Commission announced the launch of a contractual public private partnership on cybersecurity (cPPP)2 and additional market-oriented policy measures to boost industrial capabilities in Europe.
One of the main objectives of the cPPP signed with Cybersecurity market players, represented by the European Cyber Security Organisation (ECSO),3 is the enhancement of competitiveness and growth of the cybersecurity industry in Europe (i.e. both large companies and SMEs) through innovative cybersecurity technologies, applications, services and solutions. To achieve this goal, ECSO has created a Working Group "Support to SMEs, coordination with countries (in particular East and Central EU) and regions".4 Today, ECSO is organising a series of events called 'Investors' day'; these events seek to bring together SMEs and start-ups with investors.5
Furthermore, while assessing the policy options for the proposal on the European Cybersecurity Industrial, Technology and Research Competence Centre and the Network of National Coordination Centres Competence Centre,6 the European Commission identified the main problems that SMEs are facing in the area of cybersecurity. Among other issues, the Commission noted that there are many innovative SMEs in the field but they are often unable to scale up their operations due to the lack of easily available funding supporting them in the early phases of development.
Most times, European cybersecurity companies, and especially SMEs, have limited budget available for commercial development and marketing; an activity that could improve their visibility across markets. They often struggle with insufficient capacities and access to necessary facilities for cybersecurity experimentation, testing, and operations, which are often too large/costly for a single entity.
In order to tackle the abovementioned problems, in the text of the European Regulation establishing the European Cybersecurity Industrial, Technology and Research Competence Centre with a Network of National Coordination Centres (adopted on 12th September 2018), the European Commission proposes inter alia a set of provisions aimed at supporting SMEs.
The European Cybersecurity Industrial, Technology and Research Competence Centre is expected to enhance capabilities, knowledge and infrastructures at Member States and EU-level. Notably, the Centre would provide access for a wide range of users (i.e. industry, SMEs, public sector and research communities) to the state-of-the-art cybersecurity industrial and research infrastructures and related services. This would help market players to address cybersecurity related industrial challenges and, ultimately, allow them to develop innovative products and services.
In addition, the European Cybersecurity Competence Centre will contribute to the wide deployment of state-of-the-art cybersecurity products and solutions across the economy by providing financial support and technical assistance to cybersecurity start-ups and SMEs. The Centre would support cybersecurity start-ups and SMEs to attract investment by:
- Developing tools and coordination mechanisms to facilitate access of cybersecurity start-ups and SMEs to venture capital (e.g. enhance visibility of cybersecurity projects/products European companies are working on; create database of venture capital funds interested in cybersecurity);
- Creating a platform of cooperation for cybersecurity SMEs to connect them and foster cooperation on projects as well as help them create consortia to respond to tenders and procurement offers.
This European Commission proposal allows start-ups and SMEs to attract investment to turn their research ideas into a marketable product or solution. Given that access to funding is one of key challenges for the European cybersecurity SME and start-up community, the mechanism is likely to improve the situation by helping the community gain visibility towards potential investors. At the same time, businesses, and especially SMEs, are likely to reduce costs related to their efforts in designing innovative cyber secure products.
Beyond its policy initiatives, the European Commission and the EU also seeks to support SMEs and start-ups working on cybersecurity via its Horizon 2020 work programme and EU funded support actions. For example, the 'cyberwatching.eu' project7 is the European observatory of research and innovation (R&I) in the cybersecurity and digital privacy space, and is playing a vital role in improving awareness of cybersecurity and privacy for SMEs through the uptake of results coming from European R&I projects. The project has recently launched the SMEs End-User Club. The club offers European small businesses early access to brand-new services designed by Europe’s leading cybersecurity and privacy experts.8
For the next long-term EU budget 2021-2027, the European Commission has proposed the EU to invest €2 billion in cybersecurity (i.e. Cybersecurity and Trust objective of the proposed Digital Europe Programme).9 Funding allocated to this objective will be instrumental to boost cyber defence and the Union's cybersecurity industry, ensuring that the EU's digital economy, society and democracies are better protected. The proposed budget could finance state-of-the-art cybersecurity equipment and infrastructure as well as the development of the necessary skills and knowledge.
Beyond the specific actions related to cybersecurity, the European Commission is very active in supporting SMEs. In particular, the Commission cooperates with financial institutions with a view to increasing finding opportunities for SMEs.10
Part 2: European support to SMEs and start-ups to develop cybersecurity capabilities
The 2017 Cybersecurity Act11,11 launched by the European Commission, proposes the creation of a European Cybersecurity Certification Framework for Information and Communication Technology (ICT) products and services in order to address the risk of fragmentation arising from the emergence of national (not mutually recognised) certification schemes across the EU.
European SMEs will be positively affected by the creation of such a Framework. In particular, the possibility to obtain a single European cybersecurity certificate valid across Member States would simplify the regulatory ecosystem, reduce the administrative burden and enable new businesses and SMEs to gain a wider access to the internal market. As a result, cybersecurity certification can play an important role in supporting both SMEs’ growth and our collective cybersecurity. In addition, highly innovative SMEs, developing cutting-edge solutions for which cybersecurity is a crucial factor, could benefit the most from certifying their products and services. This would apply in particular to the fields of Internet of Things, connected and automated cars, electronic health, industrial automation control systems and smart grids.
Moreover, in case a SME is identified as an Operator of Essential Service identified as Operators of Essential Services (OES) under the Directive on the Security of Network and Information Systems12 (‘NIS Directive’), it can be granted funding under the Connecting Europe Facility (CEF) instrument.13 In the recently closed 2018 CEF Telecom Call14 dedicated to cybersecurity, SMEs could receive funding as an incentive to develop their cybersecurity capacity above the minimum baseline security and reporting requirements set by the NIS Directive. The Call closed on 22 November and the Commission is currently assessing proposals received. New funding opportunities could be available through next year’s CEF Telecom Work Programme.
2 Established through Commission decision of 5.7.2016 on the signing of a contractual arrangement on a public-private partnership for cybersecurity industrial research and innovation between the European Union, represented by the Commission, and the stakeholder organisation (C(2016) 4400 final)
For further details, see hiips://ec.europa.eu/digital-single-market/en/news/proposal-regulation-establishing-european-cybersecurity-industrial-technology-and-research
11 COM/2017/0477 final - 2017/0225 (COD) Regulation of the European Parliament and of the Council on ENISA, the "EU Cybersecurity Agency", and repealing Regulation (EU) 526/2013, and on Information and Communication Technology cybersecurity certification (''Cybersecurity Act''). More information available here : hiips://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM:2017:0477:FIN