Expected Outcome
- World-class cross-border SOC platforms across the Union for pooling data on cybersecurity threats between several Member States, equipped with highly secure infrastructure and advanced data analytics tools for detecting, gathering and storing data on cybersecurity threats, analysing this data, and sharing and reporting CTI, reviews and analyses.
- Sharing of Threat Intelligence between National SOCs, and information sharing agreements with competent authorities and CSIRTs.
Objective
The general objective of cross-border SOC platforms is to strengthen capacities to analyse, detect and prevent cyber threats and to support the production of high-quality intelligence on cyber threats, notably through the exchange of data from various sources, public and private, as well as through the sharing of state-of-the-art tools and jointly developing cyber detection, analysis, and prevention capabilities in a trusted environment.
This action aims at new cross-border SOC platforms, as well as supporting those that were already launched under the previous DIGITAL work programme (2021-2022). While the main focus of this action is on processes and tools for prevention, detection and analysis of emerging cyber-attacks, it also foresees in particular the acquisition and/or adoption of common (automation) tools, processes and shared data infrastructures for the management and sharing of contextualised and actionable cybersecurity operational information across the EU.
Scope
Cross-border SOC platforms will contribute to enhancing and consolidating collective situational awareness and capabilities in detection and CTI, supporting the development of better performing data analytics, detection, and response tools, through the pooling of larger amounts of data, including new data generated internally by the consortia members.
The platforms should act as a central point allowing for broader pooling of relevant data and CTI, and enable the spreading of threat information on a large scale and among a large and diverse set of actors (e.g., CERTs/CSIRTs, ISACs, operators of critical infrastructures).
Also, for cross-border SOC platforms, there is a crucial need for novel tools based on advanced Artificial Intelligence and machine learning (AI/ML), data analytics and other relevant cybersecurity technologies, based on research results and further tested and validated in real conditions, in combination with access to supercomputing facilities (e.g., to boost the correlation and detection features of cross-border platforms).
The platforms will support common situational awareness and effective crisis management and response by providing relevant information to networks and entities responsible for cybersecurity operational cooperation and crisis management at Union level, without undue delay, where they obtain information related to an ongoing large-scale, cross-border incident, or to a major threat or a major vulnerability likely to have significant cross-border impacts or significant impacts on services and activities falling within the scope of the Directive (EU) 2022/2555.
A call for expression of interest will be launched to select entities in Member States that provide the necessary facilities to host and operate Cross-Border SOC platforms for pooling data on cybersecurity threats between several Member States. Applicants to the call for expressions of interest should describe the aims and objectives of the Cross-Border SOC platform, describe its role and how such role relates to other cybersecurity actors, and its eventual cooperation with other public or private cybersecurity stakeholders. Applicants should also provide the detailed planning of the activities and tasks of the Cross-Border SOC platform, the services it will offer, the way they will operate and be operationalised, and describe the duration of the activity as well as the main milestones and deliverables. They should also specify what equipment, tools and services need to be procured and integrated to build up the Cross-Border SOC platform, its services and its infrastructure.
To support the above activities of a Cross-Border SOC platform, the following two workstreams of activities are foreseen:
- [Procurement] A Joint Procurement Action with the Member State participating in the Cross-Border SOC platform: this will cover the procurement of the main equipment, tools and services needed to build up the Cross-Border SOC platform.
- [Building up and running the Cross-Border SOC platform] A grant will also be available to cover, among others, the preparatory activities for setting up the Cross-Border SOC platform, its interaction and cooperation with other stakeholders, as well as the running/operating costs involved, enabling the effective operation of the Cross-Border SOC platform, e.g., using the equipment, tools and services purchased through the joint procurement. These will also indicate milestones and deliverables to monitor progress.
Applications shall be made to both workstreams. Applications will be subject to evaluation procedures. Grants will only be awarded to applicants that have succeeded in the evaluation of the joint procurement action.
These actions aim at creating or strengthening cross-border SOCs, which occupy a central role in ensuring the (cyber-)security of national authorities, providers of critical infrastructures and essential services. SOCs are tasked with monitoring, understanding and proactively managing cybersecurity threats. In light of the crucial operative role of SOCs for ensuring cybersecurity in the Union, the nature of the technologies involved as well as the sensitivity of the information handled, SOCs must be protected against possible dependencies and vulnerabilities in cybersecurity to pre-empt foreign influence and control. As previously noted, participation of non-EU entities entails the risk of highly sensitive information about security infrastructure, risks and incidents being subject to legislation or pressure that obliges those non-EU entities to disclose this information to non-EU governments, with an unpredictable security risk. Therefore, based on the outlined security reasons, the actions relating to SOCs are subject to Article 12(5) of Regulation (EU) 2021/694, consistent with WP 2021/2022.