The European Commission has been postponing the appointment of a permanent executive director of its new cybersecurity body in order to retain partial control over the organisation, several EU diplomatic sources told EURACTIV.
The European Cybersecurity Competence Centre (ECCC) was recently set up in Bucharest to boost Europe’s cybersecurity capacities. However, the centre is still under the patronage of the European Commission, which has so far prevented it from reaching complete autonomy.
“This is a ‘chicken and the egg’ type of problem, because as long as the ECCC does not have a permanent executive director, it is not autonomous from the Commission. However, the Commission is responsible for filling this position, which it keeps delaying,” Dan Cimpean, the Romanian representative of the ECCC Governing Board, told EURACTIV.
Although the Commission published the vacancy at the end of last year, it unexpectedly cancelled the application procedure. Instead, the EU executive appointed an interim executive director, Miguel Gonzalez-Sancho, a Commission’s middle manager specialised in cybersecurity.
According to another ECCC board member who talked to EURACTIV under condition of anonymity, Gonzalez-Sancho is fulfilling all the tasks foreseen for the permanent Executive Director.
“Of course, everyone would like the appointment of a permanent director to move more quickly. However, it is in the hands of the Commission,” the board member added.
Reason for delay
The ECCC and the related Network of National Coordination Centres aim to strengthen European cybersecurity capacities and promote research, awareness and innovation in the field.
It should do so by managing cybersecurity funds from the Digital Europe and Horizon Europe programmes, as well as by additional funding provided by the EU Member States.
The centre is also due to manage the Cybersecurity Emergency Fund, which was initiated following an informal meeting of EU telecommunication ministers in Nevers, France, last month. The new fund is intended to prepare member states to face large-scale cyberattacks, notably by financing penetration testing and simulated cyberattacks used to identify vulnerabilities.
The Commission was tasked with the setting up and running of the centre, with the goal of it ultimately operating autonomously. However, according to an EU diplomatic source, the postponement of the new executive director allows the EU executive to maintain control over such funding.
Cimpean said he is expecting clashes between the Commission and member states, which control and co-finance the ECCC. Romania stands at the top of the list of disgruntled governments, as it is hosting the EU body.
“There does not seem to be much drive from part of the European Commission to hand over the ECCC. The board is not happy, to say the least,” Cimpean said.
The next board meeting is foreseen to take place in mid-June. However, it is unlikely that the application process will have been relaunched and reached the stage where the board will choose the final candidate until then, meaning the appointment will probably be delayed until yet another board meeting towards the end of 2022.
The process of appointing the executive director is highly time-consuming. First, a vacancy needs to be published. After the deadline, there is a thorough screening process followed by creating a shortlist of candidates. For such a high-level position, the Commissioners Thierry Breton and Margrethe Vestager then decide on the final candidates presented to the board.
The board, which only meets a few times per year, would have to decide with a 75% majority, which further complicates the appointment.
“In the last application procedure, the final candidates were not even forwarded to the Commissioners or the board. The process was cancelled beforehand, in mid-February,” said Cimpean.
Lack of transparency
Member states have lamented that the responsible Commission service, namely the Directorate-General for Human Resources and Security, has been dealing with this procedure in a non-transparent manner.
The termination of the application process was vaguely justified by citing unsatisfactory gender balance. A Commission spokesperson told EURACTIV that the procedure “will be reopened in the coming weeks, with a view to achieving a wider and gender-balanced pool of candidates.”
Responding to EURACTIV’s request to see the concrete number of applications received and the respective gender proportions, the spokesperson answered that no further details could be provided “to protect the Commission’s decision-making procedures as well as personal data.”
“As a matter of fact, I myself know of a number of competent, female applicants,” Cimpean said. Therefore, he believes the European Commission is deliberately delaying the appointment and, consequently, the autonomous operationality of the ECCC.
Similarly, the EU diplomat also said they knew female candidates well qualified for the position. EURACTIV tried to reach some candidates, but they all declined to comment.
“In reality, we need a new player. It cannot be that the Commission is holding back the ECCC. This is also a matter of national prestige for the host country, Romania, which finally wants to get started on improving cybersecurity,” Cimpean said.
[Edited by Luca Bertuzzi/Nathalie Weatherald]