Are we getting the deserved return-on-investment from the EU research on critical infrastructure resilience?

By October 17, 2024, the EU member states were supposed to notify the European Commission that the transposition of the Critical Entities Resilience (CER) Directive into respective national laws had been accomplished. Only two (out of 27) member states managed to meet that deadline.

Could the EU research projects in the area of critical infrastructure/entities (CI/CE) resilience have helped more to mitigate this delay? Could that mitigation be part of a more optimal return on investment (RoI)? Was the investment in recent years (e.g., over 4.5 b€ in digital transformation initiatives, or 450 M€ for cybersecurity projects and civil security ) not adequate? Could it have produced more convincing answers to claims like “Europe’s critical infrastructure is becoming dangerously vulnerable” ? Especially in the context of new and evolving challenges or the “European CIs under continuous attacks” ?

There is a general agreement about the need to reach better RoI or, in the same context, Return on Research Investment (RoRI). But the agreement about how to do it practically is still to be achieved. Leaving the extreme positions aside, like “the only real RoI is the commercially measurable use of project results”, on one side, and “any use of project results represents RoI”, on the other side, one can opt for the middle ground and assume that “an evident use leading to tangible benefits represents an RoI”. For the CI/CE-related research, that can include, e.g., resilience standards, broadly adopted guidelines or evidence provided as inputs for the new EU and national policies. Applying such a definition, however, when searching for RoI-relevant results in the repositories of the EU project results such as CORDIS, Innovation Radar, or Dealflow, yields hardly any convincing evidence. The reported RoI-relevant results are often only vaguely described, not quantified, often out of date, and almost regularly lacking examples of real use or quantified benefits. As an example, the search for the results mentioning the CER Directive in the EU Dealflow tool provides no entries (January 2025). Similarly, the search for “resilience and infrastructure” among approx. 14,000 entries in the EU Innovation Radar, yields only 44 matches.

The reasons for the above can be numerous. E.g., the difficulty in aligning the needs and interests of industrial security and openness required by public research. Or, the lack of full-scale industry involvement (e.g., not participating with departments directly involved in production or marketing). Or, in the area of standardization, the rules and timing of standardization bodies being incompatible with the rules and timing of the EU projects. Or, the project results are simply not reported in the tools. Or, the main motivation of the researchers in the projects being to get new, follow-up projects, not necessarily to exploit the results of the finished ones. Many of these reasons are mentioned and explained in the recommendations of the evaluation reports made during the transition from one EU Framework Programme (FP) to another  , but less often implemented afterward. The fact that EU projects legally and practically do not exist after their final date, certainly also does not contribute to the sustainability of accessibility to project results and achieving good RoI.

In addition, imposing a too broad spectrum of (sometimes contradictory) goals, or the need to balance between breakthrough technology research and market success, on one side, and political constraints on the other side, can be very challenging for a good RoI. The latter is especially true and applicable to the area of CI/CE resilience, nowadays at the very top of the EU priorities . Their final results in many cases “never cross the chasm to the market, even if they achieved technological goals set in the project proposal”   (exceptions available, of course). Even worse, on the researchers’ side, the difficulties of meeting too many different or too highly set goals can lead to unrealistic or deceiving reporting, nowadays potentially worsened by the possible indiscriminate and unreported use of AI. On the EU side, limiting resources for monitoring the achievement of multiple goals, lower the threshold to clientelism.

How could the situation be improved? Generic, top-down, solutions suggested so far are generally well-aligned and present in the recommendations: strengthening and leveraging existing platforms (ERNCIP, Hubs, Radars…), better integration of research with industry and standardization, introducing mechanisms that support project continuity beyond formal completion, strong involvement of industry stakeholders, rewarding genuine success and penalizing exploitative practices, promoting monitoring and accountability, to mention just some of them. But, looking at the past decades of EU research, it seems that many suggested solutions have not been implemented as recommended.

Hence, the bottom-up solutions should be tried. Among them, establishing measurable indicators of success and robust evaluation systems is certainly at the top of the priority list. The data collection for the indicators such as those in the EUR 27314 EN should become mandatory and the indicators better known and understood, possibly including also the non-self-declared indicators of successful exploitation (which could be used for monitoring and stress-testing, too – e.g., in combination with standards like DIN 91461). The key research-to-market transfer RoI indicators, quantifying effectiveness, efficiency, and transformation are generally available, but not used because data are missing, and the mandates and obligations are not well defined, especially not at the EU level. The prerequisite for such a system is a joint EU strategy, e.g., similar to the recent US strategy documents  specifying both the overall framework and the need to “prioritize measurement”. A future extension of the CER Directive?

To conclude, the EU research on critical infrastructure resilience and researchers should be further encouraged and incentivized to deliver more tangible RoI, including results directly usable and useful for the application of the CER Directive and the overall EU resilience, thus helping in meeting both the deadlines like the “October 17, 2024” one and the top level goals like the ones declared by the EU7. The push should include also the readiness and courage to openly name and address the real issues, avoid the “newspeak”, and undertake efficiently the actions needed.