It seems to normalize an a la carte blanche creation of legal structures without due regard for established EU institutional practice.

Introduction

Recognising the significance of cybersecurity in an increasingly inter-connected society, in September 2018 the European Commission proposed establishing a European Cybersecurity (Competence) Centre and Network – on the basis of Articles 173 (3) and 188 TFEU – with the aim to improve and strengthen the Union’s competitiveness, as well as the autonomy of its cybersecurity value chain. With funding foreseen under two financial framework programmes – the Horizon Europe (Horizon) and Digital Europe Programme (DEP) – the main objective of the proposal can be defined as the establishment of an integrated funding and implementation mechanism for cybersecurity research and industrial policy.

Given the fragmentation of cybersecurity capabilities within the Union, the case for such a Centre is easy to make. Unfortunately, the proposal is characterised by legal uncertainty, leading to much – and as yet inconclusive – debate in the Council. First and foremost, this concerns the uncertain status of the Centre within the EU’s institutional architecture. Second, and related to this, is the unclear relationship between the Centre and the European Union Agency for Cybersecurity (ENISA) – an agency tasked to actively contribute to policy making and to offer technical support to Member States and Institutions.

Ceci n’est pas une agence

The concept of a ‘Union body with legal personality’ is traditionally regarded as an omnibus term encompassing both agencies – be it decentralised or executive – and ‘institutionalised’ research structures alike. However, within recent institutional practice, the notion of a ‘Union body’ is increasingly interpreted as an ‘autonomous legal entity’.

Although decentralised agencies form the backbone of the Union’s heterogenic institutional landscape, they are neither defined by primary law nor bound by a framework under secondary law. Lacking an official definition, decentralised agencies are generally established as permanent bodies under EU public law, established by secondary legislation and endowed with their own legal personality. In addition to executive and decentralised agencies, the following Union bodies form part of the EU’s institutional landscape: public-public partnerships in accordance with Article 185 TFEU, public-private partnerships established pursuant to Article 187 TFEU – such as Joint Undertakings – and the European Institute of Innovation and Technology – a sui generis legal entity established on the basis of Article 177(3) TFEU.

Following a textual interpretation of Articles 188 and 187 TFEU, the Centre could either be classified as a ‘Joint Undertaking’ or established as another ‘structure’ necessary for the efficient execution of Union research programmes. Alternatively, the Centre could have been proposed as a decentralised agency under Article 173(3) TFEU, in accordance with the common institutional practice of agency creation on the basis of a specific sectoral legal basis. The Commission’s impact assessment references to the European Institute of Innovation and Technology (the Institute) as a precedent for the Centre, which would however seem to contradict the alleged sui generis charterer of both the Centre and the Institute.

The Centre’s main task will be to implement funding under the Horizon Regulation, to which the Digital Europe Programme explicitly refers. In order to ensure the efficient implementation of that Regulation, the EU legislature already provided for a novel and uniform implementation ‘structure’, within the meaning of the broadly formulated Article 187 TFEU. As a result, it seems that the Centre could only be properly established as the first of these new ‘Institutionalised European Partnerships’. However, the deletion of mandatory co-financing of the Centre by the Council – one of the criteria for the establishment of these bodies – made the legal classification as a European partnership unfeasible. A political discussion on the seat allocation of the Centre, normally reserved for decentralised agencies, furthermore added to the confusion on its legal nature.

A legal Frankenstein?

The Commission suggested that the Centre be established as an ‘EU body set up under the Treaty’ charged with implementing funding in accordance with the provisions on indirect management of the Financial Regulation. Under this rather pragmatic approach, the Centre would have to be considered as a ‘partnership’ – not to be confused with a ‘European Partnership’ – for budget implementation, but with a ‘special nature’ as regards the execution of its other tasks. This sui generis approach may support the idea that the classification as a non-specified ‘Union body’ would suffice under primary law. This, however, risks overlooking questions of institutional balance and accountability, which have not even been fully settled in relation to more ‘traditional’ agencies. It also risks contradicting the overall policy approach of European partnerships under Horizon, and stretching the scope of Articles 187 and 177(3) TFEU to its limits. It would seem to provide the EU legislature almost with a carte blanche as regards the establishment of unique legal structures, neither specified by primary law nor bound by a framework under secondary law

Way forward

Given that the Centre’s main task would be to implement funding from Horizon Europe, a logical step would be to establish the Centre in accordance with the provisions of that principal Regulation, requiring however mandatory co-financing by the Member States. This would create both an implementation and coordinating funding mechanism, i.e. a European Institutionalised Partnership as foreseen by Horizon Europe pursuant to Article 187 TFEU. The consequence of such qualification would however be that the Centre’s tasks would have to be limited to supporting research and innovation and could not include more ‘agency-like tasks’, such as facilitating the acquisition of cybersecurity infrastructures and capabilities or enhancing the collaboration and sharing of expertise among relevant stakeholders .

The option to confer such tasks to ENISA was discarded on the basis of an apparent mismatch in objectives and governance structure, yet the impact assessment fails to substantiate the legal impediments to such widening of its mandate. Article 11 of the ENISA founding regulation already includes an – albeit limited – role within research and industrial policy. This article could have formed the stepping-stone for broadening the scope of ENISA’s activities. If indeed ENISA – a Union body in accordance with Article 70 of the Financial Regulation – had been given the tasks now included in the proposal for the new Centre, it could have established a local liaison office in Brussels to ensure effective coordination and cooperation with other Union bodies, avoiding any duplication of efforts within cybersecurity research and industrial policy. However, in order to also include powers in the field of cyber defence industrial policy, the founding regulation of ENISA would need to be amended in order to include Article 173 (3) TFEU as its legal basis.

Conclusion

As argued above, the proposal for a European Cybersecurity Centre is at odds with established EU institutional law and practice. Two alternatives have been proposed, but both have their own respective drawbacks. It remains to be seen whether inter-institutional and political agreement can be reached regardless of these legal considerations.

This blog is part of the project: Mobility and Security in Europe.