On 4 May, the historical city of Burgos in Northern Spain gathered together local and regional representatives from EU Member States in the framework of the European Year of Cultural Heritage 2018. The seminar was organised jointly by the Government of Castilla y León and the SEDEC Commission of the European Committee of the Regions with the aim to highlight and boost the role of culture as an important resource for for the future of Europe. The discussion on the importance of cultural heritage and its financing in the future of Europe comes timely as the new budget proposal for the EU after 2020 was presented by the European Commission last 2 May. From 2007 to 2013, almost EUR 4.5 billion was dedicated to European cultural heritage coming from a range of EU policies, programmes and funding schemes .

In his opening speech, Juan Vicente Herrera Campo (ES/EPP), President of the Government of Castilla y León, highlighted the rich cultural heritage of his region which hosts the highest number (11) of UNESCO World Heritage sites in the world, among them the Burgos Cathedral and the city’s historical centre. “The region of Castilla y León wants cultural heritage to be part of the future of Europe. It’s our duty to work for Europe’s cultural heritage preservation, also for our economic and social cohesion”, said President Herrera Campo.

The SEDEC Commission is currently chaired by José Ignacio Ceniceros (ES/EPP), President of the Government of La Rioja. In his intervention, President Ceniceros highlighted the social and economic importance of cultural heritage as well as its role in building the future of Europe and the resulting effect on local and regional development. “Cultural and creative sectors have proved their value even during the difficult times of the economic and financial crisis. In recent years, they have been one of the key sources of employment and growth in many of our communities”, President Ceniceros said.

Delegates pointed out that Europe’s rich cultural heritage is an invaluable asset: by contributing to the quality of life it determines attractiveness for business, investors and creative and enterprising individuals. Designing cultural development strategies can therefore boost local and regional competitiveness and increase a community’s comparative advantage.

Participants also signalled the fundamental role of local and regional authorities in the management, promotion, protection and safeguarding of cultural heritage. Some best practices were presented from the Castilla y León region such as the excavations at the archaeological site of Atapuerca and the Museum of Human Evolution.

The European Year of Cultural Heritage 2018 will be a key moment of the next plenary session of the European Committee of the Regions on 16-17 May.

In the presence of Tibor Navracsics, Commissioner for Education, Culture, Youth and Sport, the assembly will adopt two opinions on Strengthening European Identity through Education and Culture (rapporteur Tanya Hristova, BG/EPP) and on Cultural Heritage as a strategic resource for more cohesive and sustainable regions in the EU (rapporteur Babette Winter, DE/PES).

Note to editors:

European cultural heritage benefits from a range of EU policies, programmes and funding. In 2007-13, €3.2 billion was invested in heritage from the European Regional Development Fund; a further €1.2 billion on rural heritage from the European Agricultural Fund for Rural Development, and around €100 million worth of heritage research was funded from the 7th Framework Programme. For more information click here.

Contact: Lauri Ouvinen | lauri.ouvinen@cor.europa.eu

#CohesionAlliance: European Commission’s EU long-term budget proposals set to cut cohesion policy by up to 10% and indicate worrying signals of centralisation

Commissioner Margrethe Vestager, in charge of competition policy said: ”When we take a trip on a plane, we usually don’t think about all the different components that go into building the aircraft. UTC and Rockwell Collins are two of the biggest suppliers of these components to aircraft makers worldwide. We need to ensure that competition is preserved for all of them. We can allow this merger to go ahead because in all the markets where we raised concerns, UTC has committed to divest activities covering the entire overlap between the two companies.”

UTC and Rockwell Collins are suppliers of aerospace systems and equipment to aircraft producers such as Airbus and Boeing. Both manufacture a broad range of products, with largely complementary portfolios. UTC focuses on products such as power generation, propulsion systems and landing systems, while Rockwell Collins focuses on avionics and different cabin interior products.

The Commission’s investigation

The Commission gathered extensive information from dozens of aircraft component manufacturers, airlines and airframe manufacturers during its investigation.

On the basis of its preliminary investigation, the Commission was concerned that the transaction, as originally notified, would have reduced competition in the markets for trimmable horizontal stabiliser actuators (THSAs), certain pilot controls (throttle quadrant assemblies and rudder brake pedal systems), pneumatic wing ice protection and oxygen systems.

Following its investigation, the Commission found that:

• concerning THSAs, pilot controls and pneumatic wing ice protection, UTC and Rockwell Collins are important global players that would have faced limited competition from competing suppliers after the transaction.

• concerning oxygen systems, the market is already highly concentrated, with Rockwell Collins as the leading global supplier, while UTC had plans to enter that market and challenge Rockwell Collins with newly developed technologies.

The Commission concluded that other overlaps and vertical links between UTC and Rockwell Collins’ activities did not lead to any competition concerns, mainly because of the existence of a sufficient number of alternative suppliers.

The Commission also investigated whether the merged entity would have the ability and incentive to use components in its portfolio to shut out competitors, through practices such as bundling or tying. The Commission concluded that the merged entity would have neither the market power nor the incentives to engage in such strategies and harm competition.

The proposed remedies

To address the Commission’s preliminary concerns, UTC offered to divest the following activities:

• Rockwell Collins’ entire global THSA and pilot control businesses, located at several sites mainly in the US and Mexico,
• Rockwell Collins’ entire global business in ice protection, located in a single facility in the US,
• UTC’s two research projects in oxygen systems.

The Commission found that the proposed commitments fully remove the overlaps between UTC and Rockwell Collins in the markets where competition concerns had been identified.

Therefore, the Commission concluded that the proposed transaction, as modified by the commitments, would no longer raise competition concerns in the European Economic Area (EEA). The decision is conditional upon full compliance with the commitments.

International cooperation

Given the worldwide scope of the companies’ activities, the Commission has cooperated closely with other competition authorities, including the US Department of Justice and the Canadian Competition Bureau as well as the competition authorities of Brazil and China.

Companies and products

UTC, based in the US,provides high-technology products and services for the building systems and aerospace industries worldwide. The UTC group comprises the following business units: (i) Otis Elevator Company, (ii) UTC Climate, Controls & Security, (iii) Pratt & Whitney, and (iv) UTC Aerospace Systems.

Rockwell Collins,based in the US,manufactures and supplies aviation and integrated solutions for both commercial and government applications. It also manufactures and supplies a variety of aircraft cabin interior products.

Merger control rules and procedures

The transaction was notified to the Commission on 12 March 2018.

The Commission has the duty to assess mergers and acquisitions involving companies with a turnover above certain thresholds (see Article 1 of the Merger Regulation) and to prevent concentrations that would significantly impede effective competition in the EEA or any substantial part of it.

The vast majority of notified mergers do not pose competition problems and are cleared after a routine review. From the moment a transaction is notified, the Commission generally has a total of 25 working days to decide whether to grant approval (Phase I) or to start an in-depth investigation (Phase II). This deadline is extended to 35 working days in cases where remedies are submitted by the parties, such as in this case.

More information will be available on the Commission’s competition website, in the Commission’s public case register under the case number M.8658.

The NIS Directive is the first EU-wide legislation on cybersecurity. The objective of the Directive is to achieve evenly high level of security of network and information systems across the EU, through:

1. Improved cybersecurity capabilities at national level;
2. Increased EU-level cooperation;
3. Risk management and incident reporting obligations for operators of essential services and digital service providers.

As part of the cybersecurity package adopted in September 2017, the Commission issued the Communication “Making the Most of the Directive on Security of Network and Information Systems” to assist Member States with guidance and best practice examples as well as to ensure a harmonised transposition of the new rules.

According to the Directive, all Member States need to adopt a national strategy on the security of network and information systems (NIS Strategy) defining the objectives and appropriate policy and regulatory measures. The strategy should include:

• Strategic objectives, priorities and governance framework
• Identification of measures on preparedness, response and recovery
• Cooperation methods between the public and private sectors
• Awareness raising, training and education
• Research and development plans related to NIS Strategy
• Risk assessment plan
• List of actors involved in the strategy implementation

Member States have to designate at least one national competent authority to monitor the application of the NIS Directive at national level and to nominate a single point of contact to liaise and ensure cross–border cooperation with other Member States. Additionally, the Member States need to appoint at least one Computer Security Incident Response Team (CSIRT). The CSIRTs role is to:

• monitor incidents at national level;
• provide early warning, alerts and information to relevant stakeholders about risks and incidents;
• respond to incidents;
• provide dynamic risk and incident analysis and increase situational awareness;
• participate in a network of the CSIRTs across Europe.

The European Commission supports Member States financially to increase their operational capabilities through the Connecting Europe Facility (CEF) – a key EU funding instrument for cross-border infrastructures in digital sectors. The CEF programme is providing €6.3 million in funding for the cooperation and information sharing platform for the Computer Security Incident Response Teams (CSIRTs), known as MeliCERTes. €18.7 million are allocated from the CEF programme for cybersecurity projects increasing capabilities of the CSIRTs between 2017 to 2020 (for example, for purchasing software tools, or covering the costs of trainings and exercises).

CEF funding is additionally being opened up to other stakeholders concerned by the NIS Directive – namely operators of essential services, digital service providers, single points of contact and national competent authorities with a further €13 million being available to those who apply under the next call for proposals from May to late November this year.

The NIS Directive established a cooperation group that is chaired by the Presidency of the Council of the European Union. The group gathers representatives of the Member States, the Commission (acting as secretariat) and the European Union Agency for Network and Information Security (ENISA). This cooperation group facilitates strategic cooperation and exchange of information among Member States and helps develop trust and confidence. The cooperation group has met six times to date starting from February 2017.

The Directive also established a Network of the national Computer Security Incident Response Teams (network of CSIRTs), to contribute to the development of confidence and trust between the Member States and to promote swift and effective operational cooperation.

The group is chaired by a representative of the Member State holding the Presidency of the Council of the EU. It operates by consensus and can set up sub-groups to examine specific questions related to its work. The Commission provides the secretariat of the cooperation group.

The group works on the basis of biennial work programmes. Its main tasks are to steer the work of the Member States in the implementation of the Directive, by providing guidance to the Computer Security Incident Response Teams (CSIRTs) network and assisting Member States in capacity building, sharing information and best practices on key issues, such as risks, incidents and cyber awareness.

The Cooperation Group has so far produced, for example, non-binding guidelines on the security measures and the incident notification for operators of essential services.

Every one and a half years the group will provide a report assessing the benefits of the cooperation. The report will be sent to the Commission as a contribution to the review of the functioning of the Directive.

How does the CSIRTs Network function?

The network is composed of representatives of the Member States’ CSIRTs (Computer Security Incident Response Teams) and CERT–EU (the Computer Emergency Response Team for the EU institutions, agencies and bodies). The Commission participates in the CSIRTs Network as an observer. The European Union Agency for Network and Information (ENISA) provides the secretariat, actively supporting the cooperation among the CSIRTs.

Two years after entry into force of the NIS Directive (by 9 August 2018), and every 18 months thereafter, the CSIRTs Network will produce a report assessing the benefits of operational cooperation, including conclusions and recommendations. The report will be sent to the Commission as a contribution to the review of the functioning of the Directive.

More intense coordination in the netowork could be seen already mid-2017 during the Wannacry and Non-Petya ransonware attacks.

What are operators of essential services, and what will they be required to do?

Operators of essential services are private businesses or public entities with an important role to provide security in healthcare, transport, energy, banking and financial market infrastructure, digital infrastructure and water supply.

Under the NIS Directive, identified operators of essential services will have to take appropriate security measures and to notify serious cyber incidents to the relevant national authority.

The security measures include:

• Preventing risks
• Ensuring security of network and information systems
• Handling incidents

How will Member States identify operators of essential services?

Member States have until 9 November 2018 to identify the entities who have to take appropriate security measures and to notify significant incidents according to the following criteria criteria:

(1) The entity provides a service which is essential for the maintenance of critical societal and economic activities;

(2) The provision of that service depends on network and information systems; and

(3) A security incident would have significant disruptive effects on the essential service.

Which sectors does the Directive cover?

The Directive covers operators in the following sectors:

• Energy: electricity, oil and gas
• Transport: air, rail, water and road
• Banking: credit institutions
• Financial market infrastructures: trading venues, central counterparties
• Health: healthcare settings
• Water: drinking water supply and distribution
• Digital infrastructure: internet exchange points, domain name system service providers, top level domain name registries

What kind of incidents should be notified by the operators of essential services?

The Directive does not define threshold of what is a significant incident requiring notification to the the relevant national authority. Three parameters that should be taken into account regarding the notifications are:

• the number of users affected;
• the duration of the incident;
• the geographic spread.

What are digital service providers and do they have to notify cyber incidents?

The NIS Directive covers:

• Online marketplaces (that allow businesses to make their products and services available online)
• Cloud computing services
• Search engines

All entities meeting the definitions will be automatically subject to the security and notification requirements under the NIS Directive. Micro and small enterprises (as defined in Commission Recommendation 2003/361/EC) do not fall under the scope of the Directive.

What are the obligations for digital service providers?

Digitial service providers covered by the NIS Directive are required to take appropriate security measures and to notify substantial incidents to the competent authority.

Security measures are similar to those undertaken by the operators of essential services and cover the following:

• Preventing risks
• Ensuring security of network and information systems
• Handling incidents

The security measures taken by digital service providers should also take into account some specific factors defined in the 2018 Commission implementing regulation:

• security of systems and facilities: a set of policies to manage the risk posed to the security of DSPs, which can be aimed at facilitating technical IT security as well as physical and environmental security or the security of supply and access control;
• incident handling: measures taken to detect, report and respond to cybersecurity incidents and assess their root causes;
• business continuity management: the capacity to be adequately prepared with the ability of minimise impacts on services and to quickly recover from cyber incidents.
• monitoring, auditing and testing: regular checks to assess anomalies, verification that risk management measures are in place and that processes are being followed.
• compliance with international standards, for example, those adopted by international standardisation bodies (e.g. ISO standards).

What kind of incidents will be notifiable by the digital service providers?

The Directive defines five parameters that should be taken into consideraton, as specified by the Commission in its 2018 implementing regulation:

• Number of users affected: users with a contract in place (especially for online marketplaces and cloud computing service) or habitually using the service (based on previous traffic data);
• Duration of incident: the period of time starting when a digital service is disrupted until when it is recovered;
• Geographic spread: the area affected by the incident;
• The extent of the disruption of the service: characteristics of the service impaired by an incident;
• The impact on economic and societal activities: losses caused to users in relation to health, safety or damage to property.

The implementing regulation specifies four situations in which digital service providers are required to notify the relevant national competent authority or CSIRT, notably:

• If the digital service is unavailable for more than 5 million user-hours in the EU;
• If more than 100,000 users in the Union are impacted by a disruption;
• If the incident has created a risk to public safety, public security or of loss of life;
• If the incident has caused material damage of more than €1 million.

This list may be reviewed on the basis of guidance issued by the cooperation group, which will take into account the experience gained through the implementation of the NIS Directive.

What is the timeline for implementation of the Directive?

Member States have time until 9 November 2018 to identify businesses operating in their territory as “operators of essential services” – i.e. private businesses or public entities with an important role for the society and economy operating in critical sectors that will have to comply with security requirements and notify to national authorities significant incidents. The Commission will regularly update the overview on the state-of-play of transposition in each Member State on its website.

For More Information

Joint statement by Vice-President Ansip and Commissioners Avramopoulos, King and Gabriel