EUGlobal Projects

This section provides a summary of EU funded R&D activities, with particular emphasis on PACs-related FP7 projects, the core of which are funded under the FP7-ICT Trust and Security umbrella. Projects included here are either already completed or have already presented significant findings and are at the latter stages of completion.

Several parallel FP7 project initiatives have provided their own analyses of FP7 Trust and Security activities, most notably the SecCord, FIRE and EFFECTS+ initiatives, and their key findings are strongly reflected in this section [SEC14], [FIR13], [EFF11].

Key PACS Funding Silos

The CORDIS system classifies Trust and Security projects into several key silos as depicted in Table 11.1 below. While the mapping aids comprehension of the broad scope of such efforts across ICT hardware and software, in reality many of the funded projects are cross-cutting across several of the categories below. Key summary silos are as follows:

  • Secure Services – increasing trustworthiness of service infrastructures, particularly security properties of composed services with Service Oriented Architectures, secure online collaboration, improved service certification schemes, and improvements around data sharing and information protection
  • Enabling Technology and Tools – improving the ability to define robust T+S policies, supporting next generation cryptography enhancements, and improving overall software and hardware development lifecycles from security, privacy and trust perspectives
  • Secure Networks – improving wireless and sensor security (particularly around emerging IoT challenges, improving resilience against offensive threats, improving network management approaches
  • Cloud Security – enhancing user “chain of trust” in cloud solutions, improving capabilities around secure and privacy-preserving remote data processing
  • Secure Devices – improving security properties of emerging devices, particularly around mobile and emerging Internet of Things
  • Privacy Technologies – improvements around privacy-preserving identity management, increased empowerment of users and self-management of data, increased transparency between data controllers and processors regarding data use

Such emphases sit within broader “future internet” initiatives, as well as towards achieving the goal of improved critical information infrastructure protection. Funding is also provided towards projects that support overall interactions and co-ordination between EU projects.

Other project clustering activities have proposed other classification mechanisms; for example the EFFECTS+ initiative proposes further project classifications based on (1) Technology Abstraction Level, whereby project themes are classified based on the layers in the technology stack that they focus on, and (2) Security Selling Proposition, the latter labelled as a “Provisioning” or “Assessment” proposition, relating to the commercial service that their outputs provide [EFF2_11].


Thematic summary of EU Trust and Security Projects (Source: CORDIS Website)

  • Trustworthy Service Infrastructures
  • Data Sharing and Protection
  • Secure Online Collaboration
  • Certification Services
  • Trust & Security Policies
  • Cryptography
  • Secure Software Engineering
  • Secure Embedded Systems


  • Secure Network Infrastructures

and Architectures

  • Wireless and Sensor Networks
  • Heterogeneous Environments
  • Fights against Cyberattacks and Botnets
  • Cloud Security Solutions
  • Application Ecosystems
  • Remote Data Processing


  • Security of Mobile Devices and


  • Internet of Things
  • Identity Management
  • Biometrics
  • Privacy Management



Breakdown of Historical PACS Funding Activities

Figure 11.1 below provides a historical summary of funding breakdown activities (based on SecCord analysis of FP7-ICT calls 1, 5 and 8) – projects emphasising Secure Services (21%) and Enabling Technology and Tools (21%) account for the largest portions in budget terms, followed by Secure Networks and Privacy Technologies (both at 14%). 

Table 11.2 indicates how funding allocations have evolved for each of the categories across FP7 ICT Calls 1, 5 and 8 over time. While emphasis on earlier calls was positioned towards thematic areas positioned “within” PACS (e.g. Secure Services, Networks, Privacy, and information protection), emphasis since then has shifted somewhat towards the wider ICT context in which security and privacy techniques are applied - particularly themes such as the application development lifecycle, the cloud, and emerging mobile and sensor-based devices in particular – with related areas receiving increasing rates of funding in relative terms. In turn, as a wider spectrum of research projects receive funding, funding rates around networking and co-ordination activities are also receiving increased priority.



 T+S Funding allocation by Thematic Area


The following table characterise the organisation types participating in project activities, with recent SecCord statistics estimating that 454 organisations have participated across the calls – namely 234 private industry organisations, and 220 research and non-commercial organisations. With private industry participants, ICT integrators offering a wide range of ICT Services are the largest cohort (23%), followed by specialist ICT Security companies (16%) and various ICT Service providers (13%).


table science tech

Funding allocation by Organisation Type





Key PACs EU Project Examples

The EU have supported a broad number Trust and Security projects across FP7 ICT Calls 1, 5 and 8 across many of the thematic areas already described in this section. A summary overview of key projects is provided in Appendix A, in particular based on prior analysis from SecCord project activities [SEC14]. Many of these are referred to throughout remaining discussion in this section. Most Call 1 and 5 projects are already complete, whereas later Call 8 projects are still presently a work-in-progress.
Several past FP7-ICT projects have also placed emphasis on co-ordination and analysis across EU Trust and Security Research, defining go-forward research agendas, and promoting greater commercialisation and innovation from funded research outputs. Key project initiatives include:

  • SecCord (SECurity and trust COoRDination and enhanced collaboration): ongoing project that aims to provide Trust and Security (T&S) research programme and its projects, building on current collaborations between existing T&S projects, conducting detailed analysis of existing work, increasing overall awareness and visibility of the T&S research programme, and to promote greater impact potential from project results developed.
  • EFFECTS+ (European Framework for Future Internet Compliance, Trust, Security and Privacy through effective clustering): aims to co-ordinate existing EU project contributions with respect to the development of the Future Internet, feeding such contributions into future internet research. Project activities were premised on increasing co-ordination of T&S research activities with Future Internet Assembly (FIA) work that is being carried out in parallel.
  • FIRE (Facilitate Industry and Research in Europe): project aims to improve overall networking capabilities across researchers, consultants, technology developers, system integrators and policy makers within the European security marketplace. Such enhanced T&S co-ordination will be achieved via development of a pan-EU cluster strategy and key research agendas/roadmaps. Challenges/needs identified for key market sectors (energy, finance, healthcare and mobile communications) will also be itemised and assessed.
  • BIC (Building International Cooperation for Trustworthy ICT: Security, Privacy and Trust in Global Networks & Services): focussed on increasing co-ordination and clustering of EU T&S projects with activities going on in other emerging global regions – particularly Brazil, India and South Africa. Key goals include charting overall global landscape and initial EU alignment; prioritisation of EU influenced vision and research directions amongst emerging regions (Brazil, India, South Africa); achieving global alignment, consensus and outreach of visions and challenges across all countries; defining tangible international activities and related success metrics, and setting up global-level research projects.

Several other roadmapping projects have been commissioned, for example SysSec, STREWS (standardisation emphasis), INCO-Trust, CAMINO (cyber-crime), and PARSIFAL (critical finance infrastructures) among others.


The following table provides a summary overview of key EU-funded Trustworthy ICT projects across calls 1, 5 and 8. Further detail and analysis (on these and other similar projects) is provided in the SecCord Research and Innovation Yearbook.

Name/Acronym Timeline Thematic Area + Summary Innovation Outputs


(Accountability For Cloud and Other Future Internet Services)



Oct ’12 – Mar ‘16 Focussed on enabling cloud providers to implement accountable cloud services, whereby obligations to protect data are observed by all who store and process data, irrespective of where that processing occurs – increasing confidence among cloud consumers placing data in third-party clouds. A4CLOUD results are produced with respect to technical, legal, socio-economic and ethical perspectives, including
  1. A framework for accountability in the cloud that includes concrete practical definitions of accountability and attributes to be implemented
  2. Toolset for accountability including preventative, corrective and detective modules
  3. Architecture for accountability and best practices that can be implemented by an organisation.


(Attribute-based Credentials for Trust)


Goethe University, Frankfurt, Germany

Nov ’10 - Oct ‘14

Focus on improving internet privacy by developing capabilities to introduce attribute-based credentials into identity management systems, allowing users to only reveal the minimum information required by the application, without giving away full identity information

  1. ABC4trust reference architecture for attribute-based credentials, a new privacy enhancing authentication technology
  2. Prototype implementations of attribute-based credentials schemes which are validated by large pilots with end-users
  3. Smart card-based operations with attribute-based credentials and prototype systems of issuers and verifiers


(Secure and Trustworthy Composite Services)


SINTEF, Norway

Aug ’10 -Jan’ 14 Focus on establishing and maintaining trustworthiness and secure behaviour of services in a constantly changing environment, increasing end user guarantees that a particular service will deliver claimed security characteristics
  1. Language for expressing security and trustworthiness requirements on socio-technical systems, in the form of Socio-Technical Security Modelling Language (STS-ml) and the accompanying tool (STS-tool)
  2. Security-by-Contract paradigm for services that enables services to express their security and trust requirements in machine readable forms
  3. Umbrella platform and tool support to support service designers in building composite services, and to allow administrators to monitor service execution


(Advanced Security Service cERTificate for SOA)


SAP Germany

Oct ’10 – Sept ‘13

Focus on security certification for service-based applications, and increased confidence in security of third party composite services.

Project aims to produce security certification standards for services, accounting for dynamic nature of services and tackling assurance for service compositions.

  1. Machine readable description language (ASSERT) for defining service security certificates
  2. ASSERT architecture enabling an ontology-based format for certificates, and linking of security properties to evidence supporting them.
  3. ASSERTSOA integrated prototype for implementing an ASSERT-enabled service marketplace.


(Achieving The Trust Paradigm Shift)


BICORE, Netherlands

Jul ’12 – Jun ‘15

Focused on promoting public awareness of the reality that trustworthy solutions that do not disclose user data to third parties are rarely available for free – aimed at enabling a “trust paradigm shift” in the community.

Additional focus on experimental platform for validating trustworthiness of internet solutions.

  1. ATTPs validation environment including testbeds and secure components developed by members of ATTPS, supporting analysis of trustworthiness and acceptability of their services.
  2. Environment can be used either with support of a usability lab or a living lab with actual end users
  3. Generic trust architectures for mobile and service platform integrity, and secure data lifecycle management


(Automated VAlidatioN of Trust and Security of Service-oriented Architectures)


University of Verona, Italy

Jan ‘08 – Dec ‘10

Focus on increasing security of service oriented architectures – particularly the validation service oriented architectures from a Trust and Security (T+S) perspective, and their composition into secure service architectures.

Project proposed a rigourous technology for the formal specification and automated validation of trust and security of service oriented architectures, supported by automated toolset components

(1) A formal language for specifying trust and security properties of services, policies and composition into service architectures (ASLan++);

(2) Automated tech techniques for reasoning about dynamic composite services + policies

(3) Validation platform for validating T+S of SOAs

(4) Library of validated composed services and service architectures to show evidence of solution scalability


(Context-aware data-centric information sharing


Microsoft Germany

Jan ’08- Dec ’10

Focus on development of data centric information protection framework, based on data-sharing agreements – aiming to mitigate privacy and confidentiality threats associated with unauthorised data sharing.

Framework aims to take simultaneous account for technological, economic and social aspects of exchange.

  1. Scalable, secure context aware and resilient architecture for data sharing – facilitating dynamic policy management and enforcement, and end-to-end data protection across multiple orgs
  2. Techniques for organisation neutral data sharing agreements (incl. models, algorithms, tools
  3. POC implementation of CONSEQUENCE framework


(Secure European Virtualization for Trustworthy Applications in Critical Domains)



Oct ’10 – Sept ‘15

Focussed on deriving standards for security evaluation of highly critical embedded systems based on MILS (Multiple Independent Levels of Security) approach.

Project focusing on providing trustworthiness by design, and high assurance for such systems, including strong guarantees for isolation of resources by means of security certification.

Target outputs include:
  1. The first MILS-enabled certification in Europe across the main implementation of the MILS demonstrator.
  2. MILS platform design that offers secure virtualisation of complex systems into independent components with tight control of information flow among them
  3. Proof of concept prototypes for the project use cases in the avionics and automotive domains


(Shaping the future of electronic identity)


Fraunhofer IAO, Germany

Nov ’12 – Oct ‘ 15

Project aiming  for comprehensive, flexible, privacy friendly but usable identity management infrastructure for Europe, integrating existing eID solutions and trust infrastructures

Focuses on interoperability of eID systems. Existing eID technologies are often not compatible, with identity providers issuing its own credentials unrecognisable by other providers. 

  1. Identity broker technology providing middleware that guides users to the right identity scheme.
  2. Open source eID client implementing FutureID, capable of running on multiple platforms
  3. Application integration service for relying parties that eases integration of existing services into the FutureID infrastructure


(Interoperable Trust Assurance Infrastructure)


Softeco Sismat Italy

Nov ’12 – Apr ‘15 Focuses on security in SOA environments, investigating the means to bring security and compliance with legal, social and economics requirements to SOA
  1. Conceptual INTER-TRUST framework for trust and security policies negotiation among composite services and dynamic introduction of security features to existing software, without needing to fully rewrite code
  2. Prototype serving as a complete proof-of-concept implementation of the conceptual framework.


(MAnagement of Security information and events in Service InFrastructures)


ATOS, Spain

Oct ’10 – Sept ‘13 Focus on advancement of Security Information and Event Management (SIEM) Solutions, with a particular emphasis on multi-layer event processing beyond traditional SIEMs that focus on events at the platform layer, as well as increasing SIEM ability to scalably handle events.
  1. Improved support for scalable multilevel event processing and predictive security monitoring
  2. Key mechanisms include advanced attack detection methods, cross-layer security event correlation and decision support for potential attack impacts, predictive security monitoring, attack response mechanisms
  3. An overall architecture integrating the above mechanisms


(Managing Assurance, Security and Trust for Services)


Atos Spain

Jan ’08 – Jan’ 11 Focus on developing a system for ensuring compliance with regulations, internal policies, and contractual obligations by an organisation, via leveraging a structured and automated approach where possible. 
  1. A MASTER methodology for describing how an organisation can derive specific activities to be done and control objectives from high-level regulations and policies
  2. A MASTER design workbench, which is a toolset for translating high-level regulations and policies into low-level policies that control management process in an organisation.


(Tool for systemic risk analysis and secure mediation of data exchanged across linked CI information infrastructures)


Selex, Italy

Sept ’08 – Feb’11 Focus on critical infrastructure (CI) protection, in particular developing an alerting system for real-time identification of possible threats induced on a particular CI or other interdependent critical facilities, allowing authorities to be notified of associated risks. 
  1. Modelling support for off-line design of critical infrastructures that support detection of dominant dynamics from a series of occurring undesired events
  2. MICIE Secure mediation gateways for collection of undesired events, and their translation into a common meta-data model for secure exchange
  3. MICIE online risk prediction tool for predicting risk levels in real-time from CI models, and the meta-data received.


(Multiplatform Usable Endpoint Security)


S2 Grupo, Spain

Oct ’12 – Sept ‘15 Focussed on providing systems to enforce corporate security policies, while taking into account such challenges as information delocalisation, end-user privacy, mixing of private and corporate activities on a single device, and usability. Project aims to deliver a device independent, user centric and self-adaptive corporate security framework to deploy and enforce corporate security policies.
  1. Device agnostic technique to deploy and enforce corporate ICT security policies
  2. Technique to detect anomalies in user behaviour while not intruding on user privacy and compliance with existing EU and national laws
  3. Open source prototype demonstrating BYOD security


(Enhanced Network Security for Seamless Service Provisioning in the Smart Mobile Ecosystem)


Imperial College London UK                      

Nov ’12 – Oct ‘15 Focus on addressing security of mobile devices and networks, aiming to analyse mobile device vulnerabilities and proposing novel detection and protection mechanisms. Target outputs include:
  1. Threat database based on existing smartphone platforms and comprehensive analysis of these threats
  2. Virtualised honeypots along with corresponding anomaly detection algorithms produced for several mobile platforms
  3. Scalable and interactive visualisation tools supporting security and network events analysis


(Privacy and Identity Management for Community Services


Goethe University, Frankfurt, Germany

Jan ’08 – Feb ‘11 Focus on improving privacy enhanced identity and trust management features within complex online and mobile services – via development of a privacy respecting identity management platform that supports provision of online community services and a client application for this platform.
  1. “Partial Identity” concept, allowing users to reveal only selected personal information as their identity
  2. Privacy Advisor tool that guides in managing their privacy and online identity via alerts, prompts and warnings
  3. Privacy-friendly advertising technology


(Policy and Security Configuration Management)


SAP Germany

Oct ’10 – Sept ‘13

Focus on security requirements traceability, in particular enabling a traceable and sustainable link between requirements and system configuration settings.

Particular emphasis on ISPs who now have to manually resolve inter-dependencies between high-level requirements and policies and low-level configurations

  1. Traceability support supported by PoSecCo models representing functional elements of IT systems, and corresponding models of security-relevant information for each of these elements. This model repository can be further extended with new models suitable for different kinds of policies.
  2. An integrated prototype that smoothly consolidates different prototypes developed in the project, including the central model repository (MoVE), collaborative system for eliciting security requirements and high-level policies monitoring (CoSeRMaS), a tool for policies specification and conflict resolution, and a decision support system for security (SDSS) and tools for audit support and configuration validation.


(Compositional Risk Assessment and Security Testing of Networked Systems)


SINTEF, Norway

Oct ’12 – Sept ‘15 Focus on improving combination of security risk assessment and security testing disciplines – streamlining interaction between these two fields to allow an organisation to have a more global view on security status and improve results of both disciplines.
  1. Risk-based security testing technique that allows prioritisation of security tests to be executed based on the result of risk analysis
  2. Test-based risk assessment technique to reduce uncertainty of risk analysis by using results of security testing of the system
  3. Legal security risk assessment methodology which will be used by organisations to show that software systems developed are compliant with existing laws and regulations
  4. Compositional risk assessment methodology that allows execution of risk assessment on large systems in a modular way


(A European Network of Excellence in Managing Threats and Vulnerabilities in the Future Internet: Europe for the World)



Sept ’10 – Aug ‘14 Focus on promoting cyber security education and training, creating a research roadmap, identifying future internet threats and vulnerabilities, and support EU research collaboration.
  1. Various tools supporting dynamic mobile malware detection, in particular Andrubis, a dynamic analysis environment for Android applications produced within the project.
  2. Tool provides a publicly available submission interface for security researchers and mobile users
  3. Other outputs include an EU systems research roadmap and common curriculum in security for EU universities


(TAMper Resistant Sensor Node)


IHP Innovations for High Performance Microelectronics, Germany

Oct ’10 – Sept ‘13 Focus on security mechanisms for microcontrollers to be used in various IoT devices – particularly on wireless sensor nodes that are most likely to become the most vulnerable part in the chain of trust.
  1. Secure development process for microcontrollers that enable resistance to physical attacks, fault injection and side-channel attacks
  2. A number of security engines such as cryptographic engines and hashing engines
  3. Secure wireless interface for microcontrollers
  4. Secure memory mechanism to run attested code
  5. Attack resistant TAMPRES architecture that securely integrates all developed components


(TRustworthy Embedded systems for Secure Cloud Computing Applications)


OFFIS, Germany

Oct ’12 – Sept ‘15 Focus on security and trustworthiness of cloud platforms, particularly the chain of trust between the cloud operators and end-users
  1. Secure client platform that is able to securely process sensitive data in a fully transparent manner, whereby cloud providers outsource computation primitives necessary in order to perform operations on locally stored user data
  2. Prototype implementation (hardware and software components) of the secure client, along with an accompanying ecosystem
  3. Approach to securely migrate virtual machines from one platform to another


(Technology-supported Risk Estimation by Predictive Assessment of Socio-technical Security)


University of Twente, Netherlands

Nov ’12 – Oct ‘16

Focus on identifying and protecting against information security threats and improving existing risk management methods – delivering an Attack Navigator tool that will be able to automatically predict and prioritise attacks, and evaluate benefit of possible countermeasures.

  1. Attack Navigator tool that will be able to provide a map of existing system components and identify potential attack avenues and their impact – as well as evaluate the benefits of countermeasures against the detected vulnerabilities.
  2. Threats identified by the Attack Navigator will not only be technical threats but also social (social engineering attack opportunities).


(Underwater Acoustic Network)


CINTAL Portugal

Jan ’08 – Sept ‘11 Focus on development of a wireless sensor network for protection of off-shore and coastline critical infrastructures (CI) – including underwater, land and air-based sensors that gather information for surveillance, monitoring and deterrence
  1. UAN acoustic modems, gateway access point, ground station and accompanying software
  2. Full UAN Network Demonstrator


(Usable TRUST in the Internet of Things)


CURE Austria

Sept ’10 – Aug ‘13 Focus on understanding trust in the Internet of Things, providing user control around personal data sharing, and transparency around the information being sent – while ensuring usability and compliance with EU regulations
  1. Trust Feedback Toolkit (TFT) enabling the user to administer relevant devices and gain an understanding of their potential to transmit private information
  2. Virtual environment implementation comprising various devices where users can navigate and interact with such devices.
  3. Investigation of legal and ethical constraints for IoT and TFT


(Vital infrastructure, networks, information and control systems management)


ABB Germany

Jan ’08 – Nov ‘11

Focus on investigation of cyberthreats on SCADA systems controlling electricity supply, and proposed mitigation against exploits of these threats

Development of holistic framework for identification and assessment of SCADA vulnerabilities and estimation of societal consequences from power breakdowns.

  1. System for running model-based SCADA risk assessment on systems
  2. Development of quantitative metrics for different control system solutions
  3. Vulnerability estimations for key higher order applications (e.g. State Estimators, Automatic Generation Control)
  4. Simulators for calculation of economic and non-economic consequences of electrical blackouts
  5. Testbeds for simulating and testing SCADA system attacks


EU R&D Projects - Innovation and Market Acceptance Challenges

Various analyses from such clustering and co-ordination projects have highlighted benefits of T&S project outputs; for example EFFECTS+ activities divide technical results into several categories:

  • Projects that develop product innovation in ICT for citizens
  • Product innovation for IT system administrators
  • Product innovation for software developers
  • Product and Process innovation for ICT Specialists
  • Knowledge based contributions.

Clearly quantifying the outputs and impact of such research is a non-trivial task, particularly as PACs is a process driven endeavour where commercial paths from new insights are often unclear and varied in nature. Much of the outputs relate to knowledge transfer, which is manifested both in security-specific products and processes, as well as more generalist ICT processes and systems.
SecCord analysis highlights a number of key project success stories. Considerable successes have been highlighted around work on privacy preserving electronic identity, and related work in the PRIMELIFE and ABC4TRUST projects – where pilots have been executed in Greece and Sweden, and work is being reflected in standardisation activities around OASIS and SAML v2.0. Activities in AVANTSAAR in relation to single sign-on (SSO) systems identified significant faults in Google’s SSO service which if exploited would have huge global impact. The research also highlighted the likelihood that similar flaws existed in other proprietary SSO mechanisms. Significant high-potential advances have been made in the secure multi-party computation domain in the SECURESCM project, with SAP (Germany) exploiting several innovative project achievements in their SAP Benchmarking suite in particular.

However other sources identified a large number of constrasting barriers to successful and tangible commercial outcomes from such project activities. For example, analysis of several T&S projects as part of the FIRE CSA project itemised such barriers into the following high-level categories [FIR2_13]:

  • End users being excluded from key parts of development
  • Project outputs deemed to be incompatible with existing user context
  • Adoption of output technology entails too much uncertainty
  • There is no perceived need for the technology
  • Insufficient connection/communication between technology developers and end-users
  • Poor technology usability
  • Lack of trust among users in using the technology

Table 11.5 elaborates on these and other identified barriers in further detail, as identified from existing interviews and analysis of EU PACs projects.

Innovation Barrier Summary and Examples
User Misalignment Barriers

Challenge: gaining continuous alignment between user problems, needs, proposed solution and commercial outcome.

Often there a gap in understanding between what the target user wants (either now or in the future) and the technology developer’s often idealised view of the solution.  This can occur due to several factors - e.g. a “supply-side” bias where the developer has identified a solution to start and is unsuccessfully attempting to fit that solution to a user need that may or may not exist; user requirements may be unclear or unspecified altogether, perhaps due to users not being sufficiently consulted about the technological choices made by developers.

A related problem is the difficulty in gaining sustained access to target industrial users depending on the stakeholder in question – researchers from academia in particular highlighted this as a key issue.

Complexities in influencing and gaining buy-in from the entire stakeholder map within the target user organisation are also highlighted, for example economic buyers and influencers that relate to the direct users. For example the UAESMC project that focussed on Secure Multiparty Computation highlighted that key target stakeholders needed benefits to be sold to non-experts in a simple non-technical manner in order for the technology to be adopted – hence addressing user needs and benefits should take precedence over solely stressing novel technological possibilities. The SHIELDS project on formally representing security vulnerabilities highlighted that proposed product branding needed significant development in order to achieve market differentiation.

TAS3 project identified such issues when deploying its trusted architecture for securely shared services in the Social Services and E-Health domains, citing that despite involving users in the development process via surveys, lab tests, workshops and live demonstrations, users still had to resort to unexpected bespoke workarounds, and some complained that users were excluded from participating in key decision choices at the development level.  

Pre-Planning Barriers

Challenge: difficulties in executing sufficient commercial pre-analysis at an early stage, leading to wasted downstream research and product development effort.

This barrier relates to a lack of upfront analysis and planning around proposed research project activities, particularly in relation to commercial market pre-analysis to understand possible existence of competitors and alternative solutions, and thorough understanding of the related scientific state of the art. At project proposal stage this crucial pre-planning is often overlooked or not devoted sufficient resources, and even when done, the resulting analysis is often not critiqued or evaluated appropriately.

When pre-planning is not performed sufficiently, project post-evaluations often identify that existing solutions already were sufficient to meet user needs at too late a stage, and that sufficient functional substitutes already exist. A large number of more nuanced issues can also emerge, for example while the solution does solve problems it does not solve priority problems that are those “worth solving” and of greatest relevance to users, and problems stated by collectives may not translate to specific problems worth addressing at the level of the individual.

For example, commercial assessments in the SECURESCM project highlighted that centralised collective planning using the proposed solutions may indeed increase overall supply chain efficiency, but for individual participating organisations this may not be the case, meaning that the “efficiency” of such a technology would be socially contested, leading to a lack of adoption… potentially leading to a lack of adoption across all partners in the chain. 

Commercial Barriers

Challenges: justifying economic costs, aligning shorter commercial timeframes with typically longer EU project timeframes, know-how and IP disputes.

Even when a strong fit between target users and proposed technology solution is achieved, a number of commercial factors can still limit or prevent market adoption.

A key element for PACs technologies is economic costs of using the technology, and difficulties in ensuring in advance that they will be viable to ensure acceptance. How companies can use such technologies to increase their profits is often unclear without a solid business case. Several projects highlighted this as a key risk factor in relation to project adoption – ASSERTSOA highlighted the high potential cost of service certification as a significant risk barrier, particularly for low risk applications. HINT also highlighted this as a key risk in relation to its Trusted Computing integrity checking technology, as did EURO-MILS participants in relation to its secure embedded system outputs. Such a lack of an upfront business case can lead to a collective wait-and-see among enterprises, in turn reducing the ability to realise such a case in the first place. 

Another aspect relates to the timeline of typical EU projects (typically 2 to 4 years), versus the shorter timeframe mind-set of industry product business units (1-2 years). EU project participants have cited that while it is easier to collaborate with industrial R&D units on these timeframe terms, collaboration and traction with industrial product units is much more difficult… and poor synergies between R&D and product divisions within industrial partners can also hinder adoption.

Competing agendas in relation to intellectual properties generated within project consortia were also cited by ANIKETOS and NEMESYS, particularly if technology development within research project activities is successful; in this case there is increased risk that industrial partners may keep key findings in house rather than disseminating them publically. Researchers in the crypto and privacy space often find that crypto protocols that are implemented in practice often do not get published or disseminated to the wider public [CSP14] . By extension this may also mean that results are not made publically available, increasing difficulty in measuring project impact.

In relation to privacy technologies, companies can be placed in positions of inverse incentives, whereby the value gleaned from datasets for purposes such as analysis and direct marketing can outweigh privacy implementation benefits. Customers providing data may not care about privacy, may feel they have nothing to hide due to lack of awareness; or may feel that their sensitive data is already out there and adoption of other services is of little relevance to their privacy [CSP14] .

Uncertainty Barriers

Challenge: dealing with fear of future unknowns among target buyers and end-users, including legal and economic concerns, and trust and awareness issues.

As research looks broadly into the unknown and is heavily based on managing uncertainty, this environment by its nature has and will not always guarantee successful market adoption.  In fact, innovation experts argue that a low rate of failure on research and innovation projects reflects that not enough blue-sky risks are being taken across an overall portfolio thereby achieving the most dramatic impact.

Uncertainty around research project outputs can create a significant issue of trust among end-users, particularly so when the technology is PACs related and tasked with securing crucial assets. Factors influencing decisions around using a technology exist for many reasons, for example (1) when the technology is at an immature lifecycle stage, (2) when user-related malpractice may have a high risk of compromising the overall security of a system, (3) when a high-level of technical expertise is necessary to use the solution in a risk-free manner, (4) when target users are unfamiliar or untrained on the solution’s core working principles  (5) when the commercial credibility of the technology provider is still unclear , (6) when various working parties involved in the adoption of the solution do not trust each other, or (7) when adoption of past similar solutions has led to past negative experiences. 

Evaluations within the uTrustit IoT (project focusing on allowing users to evaluate security properties of IoT more clearly thereby increasing trust), highlighted that such trust enhancing mechanisms are ineffective when initial trust between relevant competing parties is absent in advance. The PICOs identity management project observed the same reaction among users, many of whom were sceptical about the community service provider’s willingness and motivation to actually withdraw such data. SECURESCM also highlighted reluctance among supply chain participants to mutually share such data, despite the proposed privacy benefits of the solution. Users of the proposed MUSES BYOD solution expressed concerns of being monitored while working with their own device.

Other legal and economic barriers can also contribute to such uncertainty around adoption – for example when legal specifications are insufficiently embedded into the technology, when there are concerns that the intended use of the new technology might be illegal, and when the exact conditions in which the technology is to be applied are uncertain or unknown. A lack of a clear beachhead business case also increases such adoption uncertainty. 

Many research stakeholders cited a lack of awareness among target users of the potential of their outputs as common theme, particularly for longer term technology areas – for example ANIKETOs in relation to secure composition of SOA-based services, MASSIF in relation to potential of security monitoring (SIEM) solutions and advanced next generation features, ASSERT in relation to a perceived lack of awareness among target users for certification of application services, and TAMPREs in relation to a lack of an existing market for secure microcontroller mechanisms.  

Execution Barriers

Challenges: executing on R&D vision and goals effectively in highly distributed collaboration scenarios; successfully making technologies user friendly, making people from diverse backgrounds work together effectively.

Executing correctly on a long term research plan to ensure an effective and accurate research output adopted by target audiences is extremely challenging, particularly in EU projects where a large degree of distributed collaboration and cultural diversity exist. It is also perceived that collaborative research projects can only be as “strong as the weakest link”, and that non-performing partners can jeopardise the work of other performing partners.

A key criticism generally is that outputs can be too technology-oriented and do not account for higher-order commercial concerns throughout different stages of project conception, delivery and exploitation – as alluded to by other barrier categories discussed in this section.

Security innovation is often hard to visualise and hence can appear unspectacular [CSP14]. In terms of core technology outputs from research projects, many project outcomes have cited difficulties around product usability, and its related dimensions such as learnability, understandability, operability and attractiveness. Specific elements include a lack of help and documentation, information overflow leading to technology learning difficulties, interfaces that enforce thinking that is overly formal, shortcomings in overall interface look-and-feel (especially as users increasing compare technology-oriented interfaces to the standards of consumer devices that they use), overall difficulties in carrying out workflow tasks, and poor integration with services and technologies supporting the core focal technology.

Usability evaluations performed on AVANTSAAR SOA prototypes highlighted interface mismatches between the level of information needed by developer end-users, versus the information abstractions provided by the AVANTSAAR tools. Achieving this without introducing the user’s cognitive load is a significant challenge however. Similar deficiencies of varying significance were reported by validations of PICOS, PoSecCo, PRIMELIFE, SHIELDS, and TAS3 outputs.  

Other human issues may also hinder commercial execution in practice; for example key researchers/scientists may be reluctant to leave comfortable positions of tenure in academia for higher risk startups that may fail; also researchers may feel disenfranchised by commercial stakeholders, for example if they are not given an expected leadership role in the spinoff commercial entity, in contrast commercial stakeholders may be necessary if the researcher does not possess managerial, leadership or other commercial credentials. Researchers acting as idea and technology generators may also feel disenfranchised by commercial processes, for example that their idea or IP is being stolen by commercial/product units unless there is clear upfront agreement, communication and consensus on the role of the key idea generator(s) in next stage commercialisation.

Technological Barriers

Challenge: inherent complexity in the research process by its nature, achieving positive research outcomes to the most advanced technology challenges.

Research projects by nature aim to solve significant technological challenges and by nature imply a large degree of technological risk in the innovation process.

Many of the most highly funded and advanced research projects in the PACs domain require high standards of security and are targeted at the hardest security problems – hence such solutions must achieve such high security and quality standards in order to be deemed acceptable for use.  EURO-MIL’s aim to bring advanced levels of security and trust into critical embedded systems is one such example, with high security levels demanded by key critical infrastructure partners (e.g. Airbus) who are involved in the project.

Indirect technological barriers may also hinder adoption, for example solutions that may cause an invasion of privacy, or new technologies that may end up posing a health hazard. The ACTIBIO project raised both such concerns, the first around fear that the information obtained by biometric authentication could be misused. The potential hazards of biometric authentication to health (e.g. iris scanners) were also noted. As most of these fears are arguably not grounded in empirical evidence this barrier might be seen as a special case of insufficient communication.

Several other projects have highlighted the technical complexity of their proposed solutions – for example TRESSCA cites highly ambitious goals around improving security and trustworthiness of cloud platforms, and the potential complexity in successfully achieving them, and INTER-TRUST in relation to securing  Service Oriented Architectures (SOA) elements.  

Procedural and Contextual Barriers

Challenges: fitting the proposed technology successfully around the existing target deployment context.

Even when user requirements are well-articulated and an appropriate solution is developed alongside a theoretical user desire to use the solution, barriers may still exist towards successful adoption of the technology. These obstacles may relate to the existing technological, organisational and institutional context that may slow the adoption process down to the point of impracticality.

Barriers may include (1) the implementation requires  much time and effort and is too complex, (2) the implementation only focusses on technological possibilities and omits the organisational needs, (3) adoption costs are too high, (4) the solution is not compatible with existing systems and technologies in use, (5) the technology may be over-engineered and too complex for the organisation’s current needs, or (6) at the opposite end it may be too general and lack the appropriate depth required.

Such contextual and procedural barriers have been experienced at the adoption stage of various projects – for example target users of the UaESMC project pointed out that Secure Multiparty Computation techniques would require the rollout of new legal contracts that would greatly increase adoption costs, and that the level of security supported is unnecessarily high and the solution overly elaborate and complex for purpose. MASSIF activities highlighted the non-standard nature of existing IT systems and their different security event collection mechanisms, as well as the very high overhead in replacing existing monitoring solutions and workflows, which in cases can prohibit adoption of new technologies. Similarly PoSecCo’s reliance on requiring organisations to manually input legacy security models and diagrams into their solution, without any structured modelling support could be a highly prohibitive barrier to adoption for potential end-users. Issues relating to legal misalignment and the non-standard nature of relevant legislation also was cited in other projects.

Exploitation Barriers

Challenges: successfully transitioning from prototypes to fully working solutions

While the majority of technology research project activities focus on producing research outputs and results, a significant gap typically exists between the output state of those results and making them ready for practical use, i.e. moving from prototype to actual production use.

Project leaders are also forced to prescribe detailed validation and exploitation activities in advance of solving the research problems, which at best is a challenging task. This has led some participants to proposed separating the problem solving aspects of research work and the exploitation and validation tasks in separate projects, with the latter potentially involving a smaller number of partners.

Feedback from some projects highlights difficulties in maintaining and updating prototype outputs after a project is complete, thereby limiting their sustained use. RASEN highlights this need to graduate its prototype security risk and security testing tools via separate funding approaches in order to make the outputs usable in practice.

Another cited element that can prevent next-stage exploitation and commercialisation can be the reluctance of academic-based innovators to leave stable tenure and career paths for start-up environments that are much riskier.   

Network Barriers

Challenges: overcoming challenges around required standardisations and network effects often necessary for proposed solution to succeed.

The ambitious nature of many projects result in outputs that require large numbers of participants to accept in order to stimulate practical use, hence requiring large network effects for this to happen. Without standardisation efforts across multiple partners, it is far less likely that such outputs will be useful.

For example, UTRUSTIT requires IoT providers to comply with the transparency principles of its Trust Feedback Toolkit (TFT) technology, and provide the TFT with access to a dedicated API of their applications. Adoption of A4CLOUD outputs requires alignment and integration with Cloud Service Provider’s common practices and established guidelines, so that they become de-facto practices in the community. Regarding Identity Management systems, the infrastructure developed in the FutureID infrastructure can only be successful if service providers accept it for accessing their services. This indicates why widely used consumer online access management services are developed by large online vendors in Facebook and Google, where large customer network bases already exist.    


Potential improvement areas in PACS and wider ICT R&D processes

In relation to the particular pursuit of highly disruptive innovation with strong extended commercial impact - what makes this goal so difficult to achieve, and how might better innovation supports be developed to support this aim?
Based on analysis inputs from multiple sources within the PACs context around R&D and close-to-market projects, several explicit innovation stages have been highlighted as particular challenge stages throughout this analysis.

These key challenges are interleaved with a broad range of more tacit concerns. These stages are:

  1. User requirements and scenario gathering – approaches that are both technology and commercially focussed, with radical/disruptive innovation objectives in mind, and that are compelling and engage target customers
  2. Market/opportunity assessment – performing this task more thoroughly, accurately, systematically, and in greater concert with R&D or product development
  3. R&D project opportunity assessment – better systems and checklists for assessing potential impacts of R&D projects such that go/no-go decisions can be made more clearly, both upfront and throughout project development. This however should be supported in a manner that supports pragmatism and ambition in projects, without killing or stifling innovation potential too early.
  4. Project Validation and Exploitation – more explicit procedures and project initiatives that plan and invest appropriately in transferring the R&D assets into a commercially usable state from which commercial impact is achievable.

Traditionally, these stages are all identifiable from a typical R&D project approach alongside core technology development – and are common requirements of typical EU funded technology projects. However a core criticism is that while the core technology development stage is often addressed in the most systematic manner, crucial support stages such as those above are not pursued with the same rigour for many reasons. These stages can often be heavily under-resourced (leading to wasteful technology development tasks that are misaligned or doomed to fail at an early stage), are often managed by teams with skillsets misaligned with the tasks, are performed either too early or late in the project cycle, are not delineated appropriately as explicit stages or phases with decision points, in line with phased best practices found in typical innovation frameworks. Existing R&D projects are also not clinical enough in killing projects if results from certain stages are not favourable, particularly if outputs from requirements, scenario gathering, and market assessment aspects findings are not up to standard. Another crucial factor in the defence of researchers and innovators however is that executing these stages is not trivial and can be highly challenging to do correctly.

Such misalignments ultimately lead to long cycles of wasted investment, where knowledge transfer and incremental innovations assets may be produced, but lead to greatly limited possibilities for highly disruptive commercial impact.

The following table discusses these four key stage areas in more detail, and how IPACSO framework development may support better outcomes.

Improvement Area #1: User Requirements and Scenario Gathering

Stakeholders involved in R&D and innovation technology projects have expressed several concerns around the process of requirements gathering within such projects. 

For example, one criticism is that scenarios are defined at a very high level (often under extreme time pressure) at project proposal stage, based on the assumption that detailed use cases with high commercial impact will emerge during the actual project. In experience the latter outcome rarely happens, leading to use cases being developed at project time that are often weak and of poor commercial potential at best, or are even fabricated to meet project deliverable requirements in worst cases. Also, careful consideration of relevant business and legal contexts and existing relevant procedures may be weak in detail or lacking altogether.

Another common issue is that an insufficient number use cases are generated, particularly across a sufficiently broad number of separate target end-users to allow assessment of the scale of the problem at hand, to determine the ranking and extent of the issue being tackled, and ultimately if the problem is worth solving and is a priority to invest in, leading to the best potential for commercial impact. Hence business requirements developed should include a commercial innovation focus as a priority, alongside traditional functional requirements.  

Another issue is that prior to project funding being issued, the strength of the end-user’s commitment to the project is often not sufficiently evaluated, nor is the degree to which the user scenarios and problem areas are of a commercial priority to them. This is highly important as it will ultimately determine their motivation of those end users to support refinement of those scenarios during the project, their desire to stay engaged throughout longer term project duration, and ultimately their ability to implement the project outputs and achieve commercial impact. Establishing the strength of relationship between the end-users and solution providers (particularly the key solution leaders in particular in a collaborative project context) also needs to be evaluated and justified for similar reasons.

Another traditional criticism is that requirements are not defined in a form that is specific enough or implementable for technology development, not just due to issues around technical complexity, but also due to the political barriers and commercial analysis shortcomings indicated above.

Improvements To Consider:  introduce more prescriptive rigour into developing such innovation focused requirements and scenario gathering, potentially making it an explicit funded pre-project in their own right (or at least within a wider Market/Opportunity pre-assessment). Pursuit of further project activities should (partly) be dependent on the ability to define implementable scenarios meeting key requirements outlined above. Funding sources should support instruments around this activity, and should not assume that companies will co-ordinate and pay for this themselves – for many SMEs in particular there is a significant opportunity cost to doing this work.

Similarly target end-users need to be incentivised to participate, either via funded supports that cover their costs within the initiative, and/or also via use of appropriate interview techniques that help prioritise the discussion in areas of highest relevance to them. “Problem interviewing” and “solution interviewing” techniques highlighted by emerging Lean development approaches are one such promising approach.

Introduction of the SME instrument in H2020 is a positive development in support of such aims, particularly the Phase 1 instrument, but it still assumes that a sufficiently concrete idea has been identified upfront, which may not always be the case. IPACSO and similar innovation guidance efforts should build on such instruments, assisting innovators in the practical execution of such approaches, maximising return on internal or public funding invested.     

Improvement Area #2: Market/Opportunity Assessment

While market assessments are a required input within R&D projects both at funding proposal and project delivery stages they are difficult to execute with the right timing or accuracy that will support prioritisation of activities and high commercial impact. Such assessment will ideally be a precursor to any structured requirements gathering mentioned in the previous section above, or at least should be executed highly iteratively and in parallel. Market opportunity assessments within R&D and innovation project initiatives often make claims and figures about an opportunity, but too often these figures are overly broad, are based on secondary data rather than detailed primary analysis, and lack any facilitation that allows third party validation of findings. This is in contrast to norms in the investment community whereby brokers/analysts must provide detailed traceability to real supporting sources that justify their findings such that dealmakers are able to evaluate the deal and opportunity at hand on the basis of such analysis. In balance however, market opportunity assessments that are too stringent may stifle a good project, so evaluations in a longer term, high-risk R&D project scenario should support clarity and pragmatism rather than being overly critical and bureaucratic.... in order to encourage risk-taking and experimentation. Nevertheless any approach must enforce early discipline, ensuring that tough questions are asked early and appropriate efforts are made to answer them.

Improvements To Consider: Again, greater rigour and precision around market opportunity assessments should be introduced as a separate project instrument or activity, and more prescriptive market assessment requirements at an early lifecycle stage are necessary. Without meeting such requirements, remaining core project development funding should not be allocated.  Flexibility in refining project outcomes and proposing alternative project directions on the back of such commercial findings should be encouraged. Real interactions with target customers in line with emerging approaches (e.g. Lean, Customer Development) should be a required part of any market opportunity assessment approach.

In response, policymakers should provide more explicit funding mechanisms that support appropriate resourcing of these efforts, and innovation supports such as IPACSO should build on this offering tactical guidance on how to perform this work. It should not be assumed that SMEs will self-fund such activities to the idea stage, particularly due to the high perceived opportunity costs (particularly if high-value revenue generating personnel are necessary to be deployed at a cost to the business), as well as having available skills or resources to perform such opportunity assessments appropriately. Again, instruments such as the SME Phase 1 instrument are a step in the right direction, although they still may not stretch far enough to support initial pre-idea generation analysis.

Improvement Area #3: R&D Project Opportunity Assessment

Decision making around investment in R&D projects and whether to pursue individual project opportunities has a broad range of potential considerations that should be carefully assessed. This is particularly challenging in collaborative projects that are publicly funded, particularly as a large number of competing agendas and objectives and agendas will exist within project consortia, and resulting project objectives can be unclear and overly broad to accommodate varying interests of parties.

However, for long term R&D projects with high risk factor, such assessment should support clarity and pragmatism, rather than overly focusing on a scorecard approach that may eliminate good ideas and stifle innovation too early. For innovation focused projects that are closer to market, a stricter ratings-based approach will likely be more relevant, particularly incorporating the market opportunity and user scenario requirements highlighted above. 

Improvements to Consider: consider developing appropriate R&D supports such as IPACSO, consider developing appropriate R&D project assessment checklists that facilitate such analysis, using highlighted innovation barriers from past R&D experiences as a guide (such as those highlighted in Table 3.5 in this deliverable)

Example checklist considerations at a broad level might include (1) existence of good use case scenarios and buy-in of target end-users with properly assessed problems and pain-points, and ability to refine and validate within proposal, (2) strong supporting data around business case and commercial opportunity, (3) evaluated understanding of economic costs of technology adoption, (4) understanding of uncertainty risks, (5) upfront understanding of likely kind(s) of innovation that will be developed, i.e. radical, incremental, or process-oriented, (6) estimate of likely technical difficulty to be encountered in developing solutions, (7) challenges around integrating with relevant business procedures and legal context (8) ability to put practical exploitation and validation activities in place, and ability to demonstrate commercial impact in real terms.    

Improvement Area #4: Validation and Exploitation

While the majority of technology research project activities focus on producing research outputs and results, a significant gap typically exists between the output state of those results and making them ready for practical use, i.e. moving from prototype to actual production use. While plans around defining market opportunities and user requirements are viewed as not being done early enough, existing R&D proposal requirements are also viewed as being overly prescriptive around defining detailed validation and exploitation plans at too early a stage, forcing project leaders to promise too many detailed activities and impact objectives that may no longer be viable once technology development aspects are completed.

Feedback from some R&D projects also highlights difficulties in maintaining and updating prototype outputs after a project is complete, thereby limiting their sustained use.

Improvements to Consider:  introducing more flexibility into post-project commercial planning is viewed as an important goal, leading some participants to propose separating the problem solving aspects of research work and the exploitation and validation tasks in separate projects, with the latter potentially involving a smaller number of partners. Pooling innovation outputs across multiple complementary projects into a unified exploitation/validation project instrument may also be another option. Guidance on how to combine product and service innovation offerings more effectively may assist in overcoming some commercialisation barriers.

While such recommendations are beyond the remit of specific innovation support requirements, getting other upfront planning activities right at an earlier stage should make it much easier to provide more meaningful and relevant exploitation and validation activities.



[CSP14] "Privacy technologies: From research to the real world", Dr. Gregory Neven, IBM Research - Zurich Cyber Security & Privacy Forum, Athens, 21-22 May 2014


[EFF2_11] EFFECTS+, D2.1 - Results and Impacts of FP7 Projects (includes Draft Clusters Analysis) –28th February 2011,

[FIR13] FIRE FP7 Project – D5.3, Recommendations to improve pull-through and hence industrial competitiveness for clusters and stakeholders, 31 August 2014,

[FIR2_13] FIRE D6.1 - D6.1, Addressing societal concerns on legal and privacy issues in ICT-related projects,





Getting Started

Which type of company are you? Choose one of the options below and get a head-start.

Framework Overview

Navigate through the different parts of the Framework


Joomla! Debug Console


Profile Information

Memory Usage

Database Queries