Towards the Design of a Collaborative Cybersecurity Networked Organisation: Identification and Prioritisation of Governance Needs and Objectives

The effective response to the proliferation and growing diversity and sophistication of cyber threats requires a broad spectrum of competencies, human, technological and financial resources that are in the powers of very few countries. The European Union is addressing this challenge through an initiative to establish one or more cybersecurity competence networks. A number of existing technologies can support collaboration in networked organisations; however, network governance remains a challenge. The study presented in this article aimed to identify and prioritise network governance issues. Towards that purpose, qualitative and quantitative methods were applied in the analysis of norms and regulations, statutory documents of existing networks, academic sources and interviews with representatives of funding organisations and potential major customers. The comprehensiveness and complementarity of these primary sources allowed to identify 33 categories of governance issues and group them in four tiers, indicative of the respective priority level. The results of the study are currently used to inform and orient the development of alternative models for governance of a cybersecurity network and a set of criteria for their evaluation. They will support informed decision-making on the most appropriate governance model of a future networked organisation, evolving from a project consortium.


Introduction
Modern societies increasingly rely on information and communications technologies and infrastructures in their economies, the provision of public services, and social interaction. While access to abundant information and digital infrastructures provide various advantages, they introduce vulnerabilities that are readily exploited by malicious actors in the pursuit of financial gain, i.e., through cybercrime, or political objectives by gathering intelligence, retaliation against an attack, disrupting essential services during conflict, interfering in elections, and other forms of cyber warfare and cyber terrorism [1]. Accordingly, information and cyber security incidents have evolved from isolated attacks to targeted, sophisticated cyber threats at individual, organisational and even national levels [2].
Notwithstanding the risks of malicious exploitation, advanced sensors, actuators, computational technologies, increased data storage, communications, achievements in artificial intelligence, etc., will be progressively incorporated in industrial processes, transport vehicles and networks, health services, critical infrastructures and homes. The provision of safety, security and privacy in utilising the benefits of technology will remain a persistent challenge in the foreseeable future [3].
Very few organisations have the resources and the competencies required to protect their communications, information systems, and smart devices from attacks through cyberspace. A recent • the effective contribution of private persons to formal computer emergency response arrangements, e.g., crowdsourcing, requires recognition and division based on the roles and individual needs and can encourage 'netizens' to co-produce cybersecurity [24]; • trust is key for sharing cyber intelligence and motivating partners to join a cybersecurity alliance [25]; • the timely identification, management and resolution of conflicts among partner organisations is key for successful collaboration [26]; • traditional assessments of security risks often focus on tangible assets, while intangibles such as tacit knowledge are in some cases more important than physical assets [27]; • knowledge sharing is a fundamental factor for strategic decision making, particularly in relation to innovation management and sustainability of collaborative organisations [28]; • Interoperability is a must for cybersecurity information sharing and timely threat intelligence [29].
This partial list provides just a glimpse into the governance challenges of cybersecurity collaboration. The challenge is much more extensive, which explains why policy-governed (and not technology-driven) and secure collaboration is defined by the Science of Security initiative of the US National Security Agency as one of the top five 'hard problems' of cybersecurity [30].
One of the four pilot projects launched to establish a cybersecurity competence network on the basis of the project consortium includes 30 partners from 14 European countries [31]. Recognising that networks differ widely in terms of history, activities, communication modalities, member commitment, consensus on goals, perceptions of results, and respective governance structures [32], the project invests significant effort into designing, implementing and enhancing an adequate network governance model.
The first stage of the design was to identify and prioritise governance needs, objectives, and requirements. This article presents the results of the respective study, that led to the identification of 33 categories of governance issues grouped in four tiers in terms of priority. The prioritised list, along with best practices in business and governance models of collaborative networked organisations, serves in the next stage of the study both to design and to evaluate alternative governance models and select the most appropriate model for governing a future cybersecurity competence network evolving from the project consortium.

Materials and Methods
Collaborative networks consist of "a variety of entities (e.g., organisations and people) that are largely autonomous, geographically distributed, and heterogeneous in terms of their operating environment, culture, social capital and goals, but that collaborate to better achieve common or compatible goals, thus jointly generating value" [9]. Subject of this study is the governance of Collaborative Networked Organisations (CNOs) consisting of independent organisations, connected by IT, that work together to jointly accomplish tasks, reach common goals and serve customers over a period of time [33]. In the study's working definition of governance, the term is defined as specification of rules, criteria for decision-making, responsibilities, and boundaries of actions and autonomy for the actors involved in the CNO [34].
The study of governance of cybersecurity requires interdisciplinary research [30] drawing, among others, from governance theory, actor-network theory, and the study of sociotechnical regimes [35]. Research on Internet governance has already utilised actor-network theory and interpretative policy analysis to conceptualise multi-stakeholder arrangements engaging heterogeneous actors [36,37]. The study of governance challenges and models in another one of the four pilot projects also utilises actor-network theory and is based primarily on interviews with stakeholders [38].
This study used four types of information sources: norms and regulations; existing networked organisations; academic publications; and interviews with stakeholders. It was organised in four phases: (1) Preparation; (2) Preliminary analysis; (3) Secondary analysis; and (4) Aggregation.
In the Preparation phase, based on analysis of the project documents, own experience and an online search, a core team of researchers prepared a list of governance issues, issues related to business and governance models of networked organisations and a list of existing organisations of possible interest, and distributed them among partners for feedback and amendment. An amended draft was discussed during a project meeting, leading to a final draft list and a template in Excel format to present the analysis of networked organisations. The template was piloted by six partner organisations, analysing 12 networks in total. The feedback received from piloting the template and the overall analysis process was used to prepare the final template. The list of governance issues in this final template served also to construct the questionnaire for interviews with stakeholders (which included an additional open question) and to orient the selection and analysis of normative documents and academic sources.
In the second phase of the Preliminary analysis, partners analysed three types of sources in parallel: • Ninety-two existing network organisations of four kinds: networks dedicated to information/cybersecurity research and services; cybersecurity incubators/accelerators/tech parks/ecosystems; other research-intensive networks; and networked organisations providing (among others) information services related to cybersecurity (for the full list of the analysed network organisations see Supplementary S1); • Fourteen regulations and other normative documents, related to the governance of networked organisations in the field of cybersecurity, including relevant EU norms and available governance documents of the four pilot projects; • Sixty academic articles, books, book chapters and conference papers. In the identification of sources, an initial list of 543 publications was generated by a Scopus search for "networked organizations"/"networked organisations" AND "collaborative". A subset was selected by reviewing abstracts to identify sources discussing governance issues. In addition, preference was given to more recent and open-access publications, adding also books presenting comparative analyses and benchmarking studies of collaborative networked organisations (for the full list of the analysed academic sources see Supplementary S2).
The fourth source of information came from conducting interviews with stakeholders. Nine person-to-person interviews were conducted. Three of the interviewees represented funding organisations (including one current and one former national cybersecurity coordinator), while the other six were mid-to senior-level representatives of potential major customer organisations. The interviewees came from seven EU Member States and two represented the views of EU-based international organisations. Researchers transcribed the interviews and translated them into English.
In the phase of Secondary analysis, the results of the preliminary analysis for each type of primary source-extracts from normative documents and academic sources, bylaws of existing networked organisations, and interview transcripts-were processed using both qualitative and quantitative analysis [39,40]. Content analysis was used to highlight issues of interest and group them in categories of governance issues (needs, objectives, requirements). Then, the information on each primary source was coded vis-à-vis each governance issue/category, i.e., assigning "1" if the governance issue is referenced in the text or the interviewee considers it important, or "0" if it is not or the interviewee sees it as not sufficiently important to comment. The same coding method was applied to excerpts from normative documents, academic publications, and documents of existing networks.
For each type of primary source, a maximum was defined, equal to the highest number of primary sources addressing a certain governance issue. Then, the interval between 0 and the maximum was split in quartiles. All governance categories were placed in four tiers, with Tier 1 including issues of highest interest, hence possibly of highest priority; followed by Tier 2, etc.
The final phase of Aggregation of results from various sources allowed to highlight the key issues in business and governance models of network organisations and, in particular, to prioritise governance needs, objectives, and requirements. Each governance issue was placed in the highest tier it appears in Future Internet 2020, 12, 62 5 of 19 in the secondary analysis, i.e., even if in the secondary analysis it appears only once in Tier 1, it was placed in the highest priority tier as a result of aggregation.
This approach was adopted to reflect on the complementarity of the primary sources. For example, so far, the academic literature on governance of collaborative networked organisations practically does not treat networked organisations in the field of cybersecurity (which are still emerging) and hence the respective secondary analysis places confidentiality and security in Tier 4. When, however, cybersecurity is the focus, e.g., in the interviews with stakeholders and in the analysed norms and regulations, it is placed in Tier 1.

Results
This section presents results from the secondary analysis by type of primary source and concludes by aggregating these results and prioritising governance needs and requirements. All governance categories are listed consecutively with a number in parentheses.

Analysis of Interviews
This sub-section presents briefly results from the secondary analysis of transcripts of the interviews with stakeholders (fuller description is provided in [41]). It starts with the responses along the 16 governance issues included in the questionnaire, then presents an analysis of the responses to the open-ended invitation to address additional governance issues, and concludes by ranking the governance issues based on the stakeholders' views.
Profit Orientation The first question was whether profit or non-profit arrangements are preferable for a cybersecurity network. All interviewees considered both options possible. Two of them gave some preference to non-profit arrangements citing as reasons that it would be easier to reach an agreement between member organisations and to exercise public oversight. Another two of the interviewees would prefer for-profit arrangements that would provide better opportunities for investing in CNO capabilities and infrastructure. A fifth interviewee combined the two types of arguments, stating that non-profit organisations may be selected for some funding streams, while for-profit arrangements might be preferable in terms of sustainability of the network. This is interpreted as de facto agreement that, while the profit orientation is important for the CNO business model and the respective governance model, it is not a governance issue per se and was not included in further considerations as such.

(1) Geographical Representation or Exclusion
One interviewee noted that the composition of the network depends on its purpose, and this is reflected in all responses. Two focused on national representation; one of them stating that "national arrangements are preferred for strategic sectors [as cybersecurity]". Most interviewees stated that balanced, EU-wide representation is necessary or even crucial. One emphasised the need to achieve cohesion by providing support to less developed regions, e.g., by a strategy of smart specialization; another interviewee stressed that EU cohesion is important to guarantee "European cyber sovereignty". Two of the responses addressed local representation as beneficial, but not mandatory in one case, and as advantageous in competing on target (local) markets in the other. One interviewee stated that an EU-centred network should be flexible to include partners also from both EU-associated and NATO countries. Two of the respondents stated that EU-centred networks cannot be open to partners from "Eastern countries".

(2) Supply Chain Security
The question of involving non-EU partners relates to supply chain security concerns. The majority of the respondents shared these concerns, while the provision of skills (both basic and advanced) and of R&D capacity, in particular R&D in academia, was noted. The views on supply chain security measures differed widely-from preference for a completely national management of cybersecurity services or at least a requirement for national security accreditation through the need for complete tracking of the supply chain (understanding that "advanced social engineering and the chain of supplies are extraordinarily good tools to violate a system") to a view that having in place legally binding agreements is sufficient.

(3) Involvement of External Stakeholders
All interviewees agreed that a network organisation should involve external stakeholders and identified several possible roles and modalities. The views on involving governments differ. Two interviewees stated that governmental (political) stakeholders need to be involved, while one asserted that "representation [on network bodies] of organisations with political or governmental affiliation should be avoided".

(4) Standards and Methodologies
The interviewees identified a number of norms, frameworks, and methodologies to be followed, and one of them stressed the need to adopt a standards-oriented approach to network governance and management. However, in their responses, most interviewees did not focus on standards and methodologies, but emphasised instead that the governance model needs to provide for flexibility of the decision-making process and autonomy in implementation, including giving the "right level" of autonomy to the CEO in the decision process, unity of purpose of the network and capacity to adapt to changing circumstances. One interviewee pointed to the need to have rules and procedures in place to allow for processing sensitive information and, in certain cases, of classified information.

(5) Representation on Senior Governance body/Ies
All interviewees who responded to this question stated that "fair" representation of network members on the senior governance body or bodies is sine qua non, a factor that will influence decisions on using the services provided by the network or not. Some more specific points were made regarding regional representation, representation of EU member states plus key agencies, and the need to provide for collaboration between academia, industry and government.

(6) Decision Making
Interviewees agreed that consensus is the preferred desired decision-making principle, but may be difficult to reach. Yet, decisions on some issues, e.g., adding a new partner to the network, need to be taken by consensus. On other issues, decisions can be taken by a majority vote. The opinions of interviewees who commented on this are equally split-some consider simple majority sufficient, while others call for decision-making by qualified majority.

(7) Auditing
One third of the interviewees dismissed the question on the need for internal and/or external audits. The remaining respondents agree that regular auditing is necessary. There is preference on using external auditors, that are not (and have not been) part of the network operation. One interviewee emphasised that the external auditors need to have a mandate; for an "EU network" this mandate should be given by a respective EU organisation.

(8) Dispute/Conflict Management Arrangements
Two thirds of the interviewees consider that it is important to have some sort of arbitration in place to resolve disputes or conflicts between partners in the network and a number of modalities were suggested. Respective rules need to be set in advance.

(9) Confidentiality
Most interviewees refer to confidentiality as a crucial consideration for the proper functioning of a network organisation in the field of cybersecurity, including the protection of personal data and other sensitive or classified information, and suggested a number of specific measures.

(10) Intellectual Property Management Arrangements
Most interviewees saw intellectual property management arrangements as needed or very important, e.g., to protect valuable knowledge, competence and capacity while facilitating collaboration and sharing of experience. One interviewee advised to follow the European Commission rules for the IPR developed under EU funding, but introduce specific arrangements for customer funding, and in all cases to seek preservation of IPR for the network organisation, thus allowing to multiply to results of the common work.

(11) Ethics Code
Nearly half of the interviewees consider ethical behaviour as an issue that does not require special discussion, since all network partners are expected to adhere to applicable EU policies and guidelines. Yet, other respondents state that a network organisation needs an Ethics Code and outlined its purpose and key content.

(12) Specific Ethical Issues
The interviewees were asked to evaluate the relevance to cybersecurity networks of specific ethical issues, such as policy in regard to slavery and the use of labour of minors in the supply chain. Most respondents consider these issues either not applicable or not in need of discussion. The general opinion is that adherence to the relevant EU regulations and guidelines will suffice in this respect.

(13) 'Green' Policies
Most interviewees agree that environmental considerations are important, but they cannot be in the focus of network governance policies and models, and that adherence to "applicable EU policy" is sufficient.

(14) Gender Policies and Representation
Just over half of the interviewees elaborate on this governance aspect, some clearly stating that this is "not a fundamental aspect; [we need to] put the merit in front of gender equality". Others are content with adherence to "applicable EU policy". One of the interviewees recommended adopting an "equal treatment, equal opportunities" framework.

(15) Transparency
Transparency of network governance is seen as sine qua non by more than half of the respondents. One of the respondents stated: "We enter only networks that are transparent to participants and respect the integrity of network partners".

(16) Accountability
Half of the interviewees see accountability also as an essential prerequisite that can be guaranteed, for example, by introducing requirements for publication of an annual report and a financial statement, separation of roles and responsibilities to make sure that decision-making bodies abide to transparency requirements, and assuring compliance to the regulatory, legal and operational framework defined in the founding charter of the network.

(17) Anti-Corruption/Integrity Policies
Interviewees were asked to assess the importance of other good governance issues, including integrity, protection of whistleblowers, or anti-corruption policy more generally. More than half of them considered these aspects important, and one called for "maximum transparency and integrity in the governance." The general view, however, is that if one follows EU legislation, no special additional requirements need to be set. One specific recommendation was to provide "special training [for network organisations' personnel] for conflict of interest and anti-fraud, plus e-exam and signing of a declaration". Table 1 presents the prioritisation of these 17 governance issues on the basis of the responses to the interviews.

Network Governance Issues in Academic Sources
Sixty articles, conference papers, books, and book chapters were analysed to identify the best practices in setting up business and governance models of collaborative networked organisations and elicit additional views on network governance issues. This subsection presents the results on the latter objective, reflecting also interviewees' responses to the open question, grouped in another 16 governance categories.

(18) Innovation
The need for and the opportunities for innovation provided by collaboration are addressed in 24 of the analysed academic sources. The references span from the importance of innovation to capturing new business opportunities, through the need to develop capacity and readiness to innovate, and the application of the Open Innovation paradigm arguing for the need to establish new models, where much of the knowledge comes from outside the boundaries of the company [42], to the call for establishing Collaborative Innovation Networks, or COINs-"self-organizing emergent social systems"-as "primary building blocks of innovation" [43].

(19) Adaptiveness
Based on the analysis of the academic literature, adaptiveness emerged as the most salient governance issue, along with the consideration of competitiveness. It is addressed by 35, or nearly 60 percent, of the analysed sources. Authors emphasise that "systems that want to live long must co-evolve with their environment" [44] and highlight various aspects of adaptiveness, including: • CNOs' adaptability to changing environment (markets, technologies), the need to cope with external change through an adequate rate of adaptation, and evolutionary development, aiming at continuous improvement; • flexibility and the need to swiftly adjust to market challenges and adapt to turbulent contexts; • change management; redesign, reengineering, renewal and restructuring; process reengineering and having flexible business processes; • agility and the capabilities "to sense and respond to predictable and unpredictable events [45]; • the capacity to self-organise, self-adapt, and exhibit emergent behaviour [16]; • achieving "strategic flexibility" [46], e.g., through adaptive policy-making [47].

(20) Cohesion
Sixteen academic sources underline the importance of achieving cohesion. Network cohesion builds on shared understanding and attitudes, negotiation and agreement on rules of cooperation, a planning and prediction process shaped by negotiation, a good level of alignment among the value systems of the various members of the network, and other intangible elements, such as reputation, friendship, interdependence, and trust. When there is harmonisation among CNO partners and cohesion of the network, one witnesses a better sense of identity, high levels of solidarity, shared passion and motivation, and better opportunities for: • balancing interests; • complementarity and subdivision of successes and risks; • developing social capital; • alignment and integration across an increasingly complex network of multiple partners and collaborators; • exploiting creative synergies.

(21) Trust
Twenty-seven of the analysed academic sources refer to trust. Twenty-six of them look into trust among partners, i.e., trust building and confidence among participants, while five reference trust into the collaborative networked organisation by external stakeholders, users, and society, including criticality of relationships and knowledge, image and reputation of the CNO and customer confidence. Four of the sources address both internal and external aspects of trust.

(22) Sustainability
Seven of the academic sources reference aspects of sustainability, including sustenance under uncertain and rapidly changing conditions [48], that would provide for more predictable organisational behaviour and less turbulence [49], stability and robustness.

(23) Resilience
The resilience of networked organisations is referenced in six sources. A resilient organisation preserves its key functionalities under negative impact and has a capacity to recover from disruptive and even catastrophic events by securing access to critical resources and information in an effective and timely manner [50].

(24) Communication and Engagement
Eighteen of the studied academic sources address the issue of communication is several aspects. First, communication among partners in the networked organisation, in particular that related to knowledge sharing, is seen as an indicator of the level of maturity of the network [48]. Second is the communication with external stakeholders, more specifically the interaction with customers and customer communities, e.g., to receive feedback from users. Third, open and transparent communication and engagement of users and wider society may be of a strategic nature, leading to co-creation [51] and co-innovation, or "open innovation" [52]. It needs to include rewarding mechanisms for involved customers and will thus reinforce the network's social influence and support knowledge transfer. The analysis of the literature allows also to highlight also some more specific issues of interest, such as: • managing tacit knowledge [46,53]; • the importance of aligning knowledge management with structured business processes [53]; • the need for systematic efforts to increase the absorptive capacity of the networked organisation, i.e., its "ability to acquire, assimilate, transform and exploit new knowledge" [54]; • the conditions of performance, creativity and collaboration of knowledge workers, seen as central to an organisation's success [53]; • information and knowledge brokering and the roles a knowledge broker may play in a networked organisation [55]; • the use of active knowledge models [56].

(26) Long-Term Perspective on Collaboration
Fourteen sources, or nearly a quarter of the ones under study, refer to the need for a longer-term view on collaboration. Some of the authors emphasise prerequisites, such as having a common purpose, or coherence of the purposes of collaborating partners, and shared goals. Among the tools for achieving such a long-term perspective are the collaborative predicting and planning [57] and setting reasonable expectation of success [58]. Of particular importance is the 'strategic approach' to collaboration by establishing a long-term "network vision" [59,60] to define the strategic mission and strategic options. In that respect, some authors call for strategy-based governance and management and focusing efforts by aligning proactive strategies [61].

(27) Interoperability
The issue of interoperability is subject of discussion in seven academic sources. Some of them examine technical aspects, such as requirements to the technical infrastructure supporting the collaboration, including requirements to information systems [16] and architecture frameworks that can be used to facilitate interoperability, while others refer to norms, procedures and allocation of decision-making roles to allow for smooth interoperation among network partners. Importantly, interoperability is included among key issues examined in assessing the readiness of collaborative networked organisations to effectively deliver their products and services [62].

(28) Leadership
Six of the examined sources refer to the leadership in collaborative organisations, including commitment, motivating and empowering members of the networks, e.g., through the enhancement of their capacities, readiness of executives able to allocate resources when needed, and adhering to the principle of neutrality in network management. Some of the authors emphasise even less-tangible aspects of leadership, such as fairness and capacity to effectively manage complexity, as well as the understanding and utilisation of informal leadership in the network.

(29) Organisational Culture
Ten sources refer to cultural issues in collaborative networked organisations. Bilal, Daclin, and Chapurlat examine diversity as a "crucial characteristic" of a system of systems (the "engineering twin" of a CNO) [16]. Others see differences in organisational cultures as a significant deterrent to effective collaboration [48]. Yet others argue that adequate culture, in their case study-through professional peer pressure, is more conducive to shaping ideas, motivating and energising the workforce, than is the strict compliance to rules and regulations [63]. In any case, CNO leaders are advised to promote mutual respect, spirit and ethic of collaboration, culture of openness and sharing ideas, and to invest in advancing cultural competence and mutual understanding [64] and "communicative culture" [65].

(30) Competences
Forty percent of the analysed sources address CNO competences and learning. That includes: • understanding of and developing the CNO expertise potential, seeking to build the network mass and also multidisciplinary competences; • building CNO competences by sharing knowledge and exchanging skills [42]; • developing individual and organisational capabilities for intuitive thinking, complex data analysis and communication [46].
The issue of network competences (along with the access to new markets) is of particular importance in the process of identification, assessment and selection of new partners [66], as well as retaining existing partners. The purpose is to develop and maintain the requisite collaborative capability [58].
Individual and organisational learning is another venue in which to develop the network competences. The academic literature addresses a number of learning issues, including the learning process, self-learning, agile learning, learning mechanisms for transformation, incremental learning, and the adoption of common best practices for organisational learning.

(31) Risk Management
The role of risk is referenced in 14 academic sources, covering respectively the need for: • Identifying and quantifying existing or potential hazards, for example at the level of communication, management and sharing of knowledge [67]; • major concerns related to the use of shared assets and risks of intellectual property infringement [15]; • reducing uncertainty [68]; • risk mitigation [48]; and • sharing risks among network partners [52].

(32) Evidenceence-based Decision-Making
The importance of data-and evidence-based decision-making is referenced in nine sources. The implementation of this core principle of quality management according to the international standards (including the ISO 9000 series) requires putting in place organisational processes for systematic data collection [69] and maintaining a repository of network assets [33], including data, information and knowledge.

(33) Competitiveness
Aspects of competitiveness are addressed in the highest number of the analysed academic sources-39 sources or nearly 70 percent. This can be expected, since value, generated benefits and-for the profit-oriented organisations-market share, return on investments, etc., are the lead drivers for establishing collaborative networked organisations in the first place.
This governance objective was not among those studied in the interviews and the analysis of existing networked organisations, with the assumption that a collaborative networked organisation coming out of the project consortium would have the technical capacity and organisational performance to be among the top most competitive suppliers of cybersecurity services; hence the focus there was on other governance issues.
The academic literature addresses, at times very comprehensively, aspects of competitiveness like: Among the tools to achieve a differentiated competitive advantage, the academic literature suggests performance management, collaborative process management, business process alignment, effective and timely resource coordination, quality control, etc. Figure 1 visualises the ranking of governance issues as they are referenced in the selected academic sources. Among the tools to achieve a differentiated competitive advantage, the academic literature suggests performance management, collaborative process management, business process alignment, effective and timely resource coordination, quality control, etc. Figure 1 visualises the ranking of governance issues as they are referenced in the selected academic sources.

Normative Requirements to Networks' Governance
The analysis of EU regulations and the main governance documents of the four pilot projects (14 documents in total) allowed to identify both explicitly stated and implicit requirements to the governance of networked organisations. Figure 2 presents the ranking for all 33 governance issues. According to current norms, of highest priority are the issues of geographic representation in the network organisation, implemented standards and methodologies, auditing, confidentiality and security, the network cohesion, trust, competences, risk management, and evidence-based decisionmaking.

Normative Requirements to Networks' Governance
The analysis of EU regulations and the main governance documents of the four pilot projects (14 documents in total) allowed to identify both explicitly stated and implicit requirements to the governance of networked organisations. Figure 2 presents the ranking for all 33 governance issues. According to current norms, of highest priority are the issues of geographic representation in the network organisation, implemented standards and methodologies, auditing, confidentiality and security, the network cohesion, trust, competences, risk management, and evidence-based decision-making.

Governance Issues in Statutory Documents of Existing Networks
The analysis of bylaws and other statutory documents of existing networked organisations provided numerous examples of the ways in which governance requirements are addressed in practice. Three governance categories appeared in the highest priority tier: representation of

Governance Issues in Statutory Documents of Existing Networks
The analysis of bylaws and other statutory documents of existing networked organisations provided numerous examples of the ways in which governance requirements are addressed in practice. Three governance categories appeared in the highest priority tier: representation of members on senior governance bodies of the network, knowledge management, and strategy-based long-term perspective on the collaboration. The full ranking is represented in Figure 3.

Governance Issues in Statutory Documents of Existing Networks
The analysis of bylaws and other statutory documents of existing networked organisations provided numerous examples of the ways in which governance requirements are addressed in practice. Three governance categories appeared in the highest priority tier: representation of members on senior governance bodies of the network, knowledge management, and strategy-based long-term perspective on the collaboration. The full ranking is represented in Figure 3.   Table 2 presents the prioritised list of governance needs, objectives and requirements. It was constructed adhering to the following method.

Summary on Governance Objectives and Requirements
First, all governance issues were split into two groups: • Those that can be designated as "objectives" which can be achieved by devising and effectively implementing sets of normative, organisational, procedural, technical and training measures (included in the second column of Table 2); • Those that depend on various intangibles and the interplay of numerous factors and contexts, and can be addressed only partially by norms, procedures, training and technical measures. These governance issues are designated as "features of CNOs" and included in the third column of Table 2.
In the secondary analysis, all these governance issues were classified in tiers depending on the number of times they have been addressed in primary sources (with Tier 1 including issues of highest interest, hence possibly of highest priority; followed by Tier 2, etc.).
In Table 2 each governance issue is placed in the highest tier it appears in the secondary analysis, i.e., even if it appears only once in Tier 1, e.g., engaging external stakeholders in the interviews, adaptiveness in the academic literature, and trust in norms and regulations, it is included in Tier 1 of the summary table below.

Conclusions
The study of EU norms and regulations related to existing and prospective cybersecurity competence networks, statutory documents of networked organisations, academic sources and the opinion of interviewed stakeholders allowed to identify 33 categories of governance issues. Twenty-four of them are classified as "objectives" that can be pursued by devising and effectively implementing a consistent set of organisational measures, and another nine-as desired features of collaborative networked organisations that are context dependent and can be addressed directly only to an extent. Further, the governance categories were placed in four tiers, depending on the number of times a category has been referenced in primary sources. Placement of a governance issue in the highest tier (Tier 1) is indicative of the potentially highest priority of that issue.
The list of governance issues will be used to inform the development of alternative governance models and a weighted set of criteria for their evaluation by the research team in follow-on research. That will allow us to make an informed decision on the most appropriate governance model (or models) for the future cybersecurity network.
This prioritisation is expected to orient the development of alternative governance models and their evaluation, and not to predetermine the actions of the research team. It is possible that additional considerations may come into play in the meantime, e.g., requirements and expectations in the final version of Regulation 630.
To the author's knowledge, this is the first comprehensive study of the needs, objectives, and requirements to the governance of collaborative networked organisations in the field of cybersecurity. While it has been conducted with the specific needs of the Horizon 2020 call and the description of activities for a concrete project, the results may be of use to other endeavours towards arranging cybersecurity collaborative formats, as well as for the EU ambition to establish a European industrial, technology and research cybersecurity competence centre and a network of national coordination centres. They can be of use also in developing architectures, infrastructures and a broad variety of tools supporting collaboration in networked organisations.