Research & Innovation - Participant Portal


TOPIC : Digital security, privacy, data protection and accountability in critical sectors

Topic identifier: SU-DS05-2018-2019
Publication date: 27 October 2017
Focus area: Boosting the effectiveness of the Security Union (SU)

Types of action: IA Innovation action
Deadline model: single-stage
Planned opening date: 15 March 2018
Deadline: 28 August 2018 17:00:00

Types of action: RIA Research and Innovation action, IA Innovation action
Deadline model: single-stage
Planned opening date: 14 March 2019
Deadline: 22 August 2019 17:00:00

Time zone: Brussels time
  Horizon 2020 H2020 website
Pillar: Societal Challenges
Work Programme Year: H2020-2018-2020
Topic Description
Specific Challenge:

In critical vertical sectors/domains, cybersecurity technologies deployed in several application domains should be aligned to the specific domain needs, linking the demand and supply sides for such cyber technologies. In the context of increased digitization and the growing complexity of cyber-attacks, certain sectors/subsectors are identified in the NIS Directive as critical from the point of view of cybersecurity needs: energy (electricity, oil, gas), transport (air transport, rail transport, water transport, road transport), banking, financial market infrastructures, health sector (health care settings, including hospitals and private clinics), drinking water supply and distribution, and digital infrastructure. These sectors are important customers of cybersecurity solutions; hence it is of utmost importance to facilitate the engagement of end-users towards defining and providing sector-specific common requirements about digital security, privacy and personal data protection. Principles and standards for building security, privacy and personal data protection by design and by default should be clearly defined to protect the critical infrastructures in these sectors and ensure personal data integrity and confidentiality.

For the transport domain, security must be managed pro-actively over the system as a whole. This must also extend to include interfaces to critical supporting infrastructures such as communication networks and satellite systems. The complexity of the transport sector finds its roots in the diversity of components that build the solutions in use and the very long lifecycle of these components. The challenge is to migrate these solutions, systems, and infrastructures to a higher level of cybersecurity.

ICT enables the healthcare sector to provide efficient, effective, cross-border top-quality healthcare services improving the public healthcare. Healthcare operations, services and applications are provided via various interconnected infrastructures, systems, entities and people. Personalized medicine is on the brink of becoming a successful approach in treating diseases. This increases the complexity of the pharmaceutical supply chain and raises the importance of achieving a zero error rate in the supply of personalized medications. Cybersecurity in this respect is safety critical and novel approaches are needed to ensure traceability and zero error deliveries. Moreover, requirements related to data protection legislation should also be taken into account, as health is a very sensitive sector from this point of view[1].

This interconnectivity reveals various threats, making the healthcare ecosystem vulnerable to catastrophic attacks with high impact on healthcare institutions and people's lives. The healthcare industry has seen a major rise in cyber-attacks over the past two years, and data breaches increasingly damage the healthcare industry as well as the privacy and personal data protection of the people. Vulnerable patients’ records management systems can be attacked, leading to unauthorised disclosure of and access to personal data concerning health. Connected medical devices are increasingly used, in particular wearables and home health monitoring devices, which often transmit sensitive data over insecure wireless networks from the patients’ home to the hospitals, exposing the privacy and personal data of the patients and the resilience of the healthcare infrastructures.

Digital technologies are also profoundly changing the financial sector. Cybersecurity solutions are essential both to enable digital technologies for finance and to preserve the stability of the financial sector, which must respond to increasingly sophisticated cyber-attacks.

Scope:

Among the critical sectors mentioned in the NIS Directive[2], proposals should treat generic aspects for at least two of them, by identifying common threats and attacks, and by developing proofs of concept for managing cybersecurity and privacy risks. In addition, proposals should treat specific aspects for one of the three critical sectors/domains mentioned as sub-topics, i.e. transport, healthcare and finance, by identifying specific vulnerabilities, propagation effects and countermeasures, by developing and testing cyber innovation-based solutions and validating them in pilots/demonstrators. During the conception and development steps, critical sectors/domains' specificities, such as complexity of infrastructure and their large scale, should be taken into account. These pilots/demonstrators are encouraged to use relevant transversal cyber infrastructures and capabilities developed in other projects.

Proposals should also include (but should not be limited to) the delivery of specific social aspects of digital security related to training, in particular practical, operational and hands-on training, including: (i) increasing the dynamics of the training and awareness methods, to match/exceed the same rate of evolution of the cyber attackers; that is to say new methods of awareness/training offering more qualification tracks to fully and efficiently integrate ICT security workers and employers in the European e-Skills market; and (ii) integrating awareness into the eco-system of humans, competences, services and solutions which are able to rapidly adapt to the evolutions of cyber attackers or even surpass them.

Participation of SMEs is strongly encouraged.

Proposals are invited against the following sub-topics, in 2018 and 2019:

(a) [2019]: Digital security, privacy and personal data protection in multimodal transport

Proposals under this sub-topic should tackle at least two of the following items:

(1): Secure access management for citizens to all types of vehicles. A European Single Transport market requires a pan-European, seamless privacy aware solution to access across mass, shared and individual mobility, which will bring added value to citizens while safeguarding data protection and privacy. However the corresponding increased interconnection of smarter systems increases the vulnerability surface and therefore novel tailored solutions should be proposed.

(2): Assurance and protection against specific cyber-attacks in the multimodal transport domain, addressing interconnected threats and propagated vulnerabilities. Solutions that are feasible in practice should be delivered, shielding the vulnerabilities that have severe impact and catastrophic propagation effects on multimodal transport operations. Applicants should propose integrated, holistic approaches and tools to dynamically and automatically forecast and manage complex security and privacy incidents, and personal data breaches, in the multimodal transport service and operation. Proposals should improve the security intelligence for treating complex multimodal transport security and privacy incidents, notably personal data breaches, vulnerabilities and attacks. Proposals should develop practical solutions for sharing relevant information on-line and distributing real-time security, privacy and data protection warnings to all stakeholders in the multimodal transport ecosystem; collaboration with CERTs/CSIRTs is highly encouraged.

(3): Standardization to allow the quick adoption of cybersecurity best practices in the domain. Proposals should evaluate the feasibility of a security labelling for transport and deliver relevant recommendations and options.

The outcome of the proposal is expected to lead to development up to Technology Readiness level (TRL) 7; please see Annex G of the General Annexes.

The Commission considers that proposals requesting a contribution from the EU of about EUR 5 million would allow this specific challenge to be addressed appropriately. Nonetheless, this does not preclude submission and selection of proposals requesting other amounts.

Type of Action: Innovation action

(b) [2019]: Digital security, privacy and personal data protection in healthcare ecosystem

Proposals responding to this sub-topic should contribute towards the practical implementation of relevant EU legislation (e.g. NIS, eIDAS and GDPR) in the complex healthcare ecosystem, involving all stakeholders (e.g. security officers, ICT administrators, operators, auditors, developers, manufacturers, integrators, data protection officers) of all entities in the healthcare ecosystem and considering all types of data handled, with special focus on sensitive data as defined by the GDPR.

Proposals under this sub-topic should tackle at least two of the following items:

(1): In collaboration with all stakeholders in the healthcare ecosystem and CERTs/CSIRTs, develop dynamic vulnerability databases for collecting, uploading, maintaining, and disseminating vulnerabilities of ICT-based medical systems, technologies, applications and services (enhancing the generic ICT ones, e.g. NIST, MITRE). Build dynamic taxonomies for medical-related attacks to serve as the basis for building healthcare cybersecurity incident management systems.

(2): Deliver dynamic, evidence-based, sophisticated security, privacy and personal data protection risk assessment frameworks and tools that can deal with cascading effects of threats, and propagated vulnerabilities in interconnected healthcare infrastructures, entities, systems, supply chain services and applications (compliant with appropriate cybersecurity standards e.g. ISO27001, ISO27005, ISO28000).

(3): Provide collaborative privacy-aware tools enabling healthcare stakeholders to access and share information (where its integrity is guaranteed), advise and provide best/good practices about incident handling through appropriate interaction with healthcare participants respecting their privacy and personal data protection.

The outcome of the proposal is expected to lead to development up to Technology Readiness level (TRL) 7; please see Annex G of the General Annexes.

The Commission considers that proposals requesting a contribution from the EU of about EUR 5 million would allow this specific challenge to be addressed appropriately. Nonetheless, this does not preclude submission and selection of proposals requesting other amounts.

Type of Action: Research and Innovation action

(c) [2018]: Digital security, privacy and personal data protection in finance

Proposals under this sub-topic should tackle at least one of the following items:

(1): Development of resilience enhancing technologies. Proposers are expected to develop innovative solutions tailored for the finance domain, ensuring that a proactive preparedness helps financial market participants and infrastructures to share information and better cope with technological shortfalls. Proposals should (i) deliver tools for making the exfiltration of data unattractive for attackers, both for 'data at rest' and 'data in transit'; (ii) consider incipient trends (e.g. digital onboarding based on biometric data); and (iii) collaborate with CERTs/CSIRTs.

(2): Development of new/enhanced, parameterized, automated and collaborative ICT tools for insurance companies, which are needed in order to collect security, privacy, personal data protection and accountability requirements from their clients and upgrade their insurance and liability policies respecting the EU legislation on cybersecurity, privacy and personal data protection, as well as cybersecurity standards (e.g. ISO27001, 27005).

(3): Standardization to allow the quick adoption of cybersecurity best practices in the domain. Applicants should propose novel solutions for promoting common standards for conducting stress and resilience testing across systemic financial market infrastructures and institutions or for certifying companies/organizations that can perform accredited conformity tests.

The outcome of the proposal is expected to lead to development up to Technology Readiness level (TRL) 7; please see Annex G of the General Annexes.

The Commission considers that proposals requesting a contribution from the EU of between EUR 3 and 4 million would allow this specific challenge to be addressed appropriately. Nonetheless, this does not preclude submission and selection of proposals requesting other amounts.

Type of Action: Innovation action

Projects should also foresee activities and envisage resources for clustering with other projects funded under this topic and with other relevant projects in the field funded by H2020.

Expected Impact:

Short term:

  • The technological and operational enablers of co-operation in Response and Recovery will contribute to the development of the CSIRT Network across the EU, which is one of the key targets of the NIS Directive.
  • Identified relevant generic and specific aspects related to cybersecurity and digital privacy in the respective critical domains/sectors addressed.
  • Advanced holistic systems and innovative proofs of concept for managing cybersecurity and privacy risks in the respective critical domains/sectors addressed.
  • Advances in the state-of-the-art analysis of specific aspects of the respective critical domains/sectors addressed, such as related cyber threats, attacks and vulnerabilities.
  • Sound analysis of cascading effects of specific related cyber threats within the supply chain of the respective critical domains/sectors addressed.
  • Improved cybersecurity information sharing and collaboration among stakeholders of the respective critical domains/sectors addressed, and with CERTs/CSIRTs.
  • More targeted and acceptable security management solutions addressing specificities of the respective critical domains/sectors addressed.
  • Trigger the fast adoption of cybersecurity/privacy/personal data protection best practices in the respective critical domains/sectors addressed.

Medium term:

  • Better response and recovery technologies and services that will help organizations in the respective critical domains/sectors addressed to significantly reduce the impact of propagated and cascaded threats, vulnerabilities and breaches.
  • Enhanced protection against emerging novel advanced threats in the respective critical sectors/domains addressed.
  • Improved security governance of the respective critical domains/sectors addressed.
  • Greater and more mature EU cybersecurity market in the respective critical domains/sectors addressed.
  • Reduce the impact of breaches with various levels of success in penetrating the defences.

Long term:

  • Better cybersecurity for specific standards in the respective critical domains/sectors addressed, that will trigger fast adoption of best practices in the related industry.
  • Established trust chains among all entities in the eco-systems of the respective critical domains/sectors addressed.
  • Better implementation of the relevant EU legislation (e.g. NIS, eIDAS, GDPR) in the respective critical domains/sectors addressed.
  • Companies/organisations in the respective critical domains/sectors addressed are more willing to promote cyber security, privacy and personal data protection in the whole EU specific ecosystem.
Cross-cutting Priorities:

Socio-economic science and humanities
Contractual Public-Private Partnerships (cPPPs)
Cybersecurity

[1] The GDPR in its Article 9 (processing of special categories of personal data) prohibits the processing of personal data concerning health unless one of the conditions set out in Article 9(2) applies.

[2] NIS Directive - Annex II.

Topic conditions and documents

1. Eligible countries: described in Annex A of the Work Programme.
A number of non-EU/non-Associated Countries that are not automatically eligible for funding have made specific provisions for making funding available for their participants in Horizon 2020 projects. See the information in the Online Manual.

 

2. Eligibility and admissibility conditions: described in Annex B and Annex C of the Work Programme.

 

Proposal page limits and layout: please refer to Part B of the proposal template in the submission system below.

 

3. Evaluation:

 

4. Indicative time for evaluation and grant agreements:

Information on the outcome of evaluation (single-stage call): maximum 5 months from the deadline for submission.
Signature of grant agreements: maximum 8 months from the deadline for submission.

 

5. Proposal templates, evaluation forms and model grant agreements (MGA):

Research and Innovation Action:

Specific provisions and funding rates
Standard proposal template
Standard evaluation form
General MGA - Multi-Beneficiary
Annotated Grant Agreement

Innovation Action:

Specific provisions and funding rates
Standard proposal template
Standard evaluation form
General MGA - Multi-Beneficiary
Annotated Grant Agreement

 

6. Additional provisions:

Horizon 2020 budget flexibility
Classified information
Technology readiness levels (TRL) – where a topic description refers to TRL, these definitions apply

 

Members of the consortium are required to conclude a consortium agreement prior to the signature of the grant agreement.

 

7. Open access must be granted to all scientific publications resulting from Horizon 2020 actions.

Where relevant, proposals should also provide information on how the participants will manage the research data generated and/or collected during the project, such as details on what types of data the project will generate, whether and how this data will be exploited or made accessible for verification and re-use, and how it will be curated and preserved.

Open access to research data
The Open Research Data Pilot has been extended to cover all Horizon 2020 topics for which the submission is opened on 26 July 2016 or later. Projects funded under this topic will therefore by default provide open access to the research data they generate, except if they decide to opt-out under the conditions described in Annex L of the Work Programme. Projects can opt-out at any stage, that is both before and after the grant signature.

Note that, in the evaluation phase, proposals will not be evaluated more favourably because they plan to open or share their data, and will not be penalised for opting out.

Open research data sharing applies to the data needed to validate the results presented in scientific publications. Additionally, projects can choose to make other data available open access and need to describe their approach in a Data Management Plan.

Projects need to create a Data Management Plan (DMP), except if they opt-out of making their research data open access. A first version of the DMP must be provided as an early deliverable within six months of the project and should be updated during the project as appropriate. The Commission already provides guidance documents, including a template for DMPs. See the Online Manual.

Eligibility of costs: costs related to data management and data sharing are eligible for reimbursement during the project duration.

The legal requirements for projects participating in this pilot are set out in Article 29.3 of the Model Grant Agreement.

 

8. Additional documents:

1. Introduction WP 2018-20

14. Secure societies – protecting freedom and security of Europe and its citizens WP 2018-20

18. Dissemination, Exploitation and Evaluation WP 2018-20

General annexes to the Work Programme 2018-2020

Legal basis: Horizon 2020 Regulation of Establishment
Legal basis: Horizon 2020 Rules for Participation
Legal basis: Horizon 2020 Specific Programme

 



LEARs, Account Administrators or self-registrants can publish partner requests for open and forthcoming topics after logging into the Participant Portal.








Submission Service

To access the Electronic Submission Service of the topic, please select the type of action that is most relevant to your proposal from the list below and click on the 'Start Submission' button. You will then be asked to confirm your choice of the type of action and topic, as these cannot be changed in the submission system. Upon confirmation you will be linked to the correct entry point.

To access existing draft proposals for this topic, please login to the Participant Portal and select the My Proposals page of the My Area section.

Get support

H2020 Online Manual is your guide on the procedures from proposal submission to managing your grant.

Participant Portal FAQ – Submission of proposals.

National Contact Points (NCP) - contact your NCP for further assistance in your national language(s).

Research Enquiry Service – ask questions about any aspect of European research in general and the EU Research Framework Programmes in particular.

Enterprise Europe Network – contact your EEN national contact for advice to businesses with special focus on SMEs. The support includes guidance on the EU research funding.

IT Helpdesk - contact the Participant Portal IT helpdesk for questions such as forgotten passwords, access rights and roles, technical aspects of submission of proposals, etc.

Ethics – for compliance with ethical issues, see the Online Manual and Science and Society Portal

European IPR Helpdesk assists you on intellectual property issues

CEN and CENELEC, the European Standards Organisations, advise you how to tackle standardisation in your project proposal. Contact CEN-CENELEC Research Helpdesk at research@cencenelec.eu

The European Charter for Researchers and the Code of Conduct for their recruitment

Partner Search Services help you find a partner organisation for your proposal.