European Network and Information Security Agency (ENISA): further development
PURPOSE: the recast of the Regulation establishing the European Network and Information Security Agency (ENISA) in order to extend its mandate.
PROPOSED ACT: Regulation of the European Parliament and of the Council
BACKGROUND: the European Network and Information Security Agency (ENISA) was set up in March 2004 for an initial period of five years by Regulation (EC) No 460/2004. Regulation (EC) No 1007/2008 extended ENISA’s mandate until March 2012.
The extension of ENISA’s mandate in 2008 also launched a debate on the general direction of European efforts towards network and information security (NIS), to which the Commission contributed by launching a public consultation (which ran from November 2008 to January 2009 and gathered nearly 600 contributions).
On 30 March 2009, the Commission adopted a Communication on Critical Information Infrastructure Protection (CIIP) focusing on the protection of Europe from cyber attacks and cyber disruptions by enhancing preparedness, security and resilience, with an Action Plan calling on ENISA to play a role, mainly in support of Member States. The Action Plan was broadly endorsed in the discussion at the Ministerial Conference on CIIP held in Tallinn, Estonia, on 27 and 28 April 2009. The European Union Presidency’s Conference Conclusions stress the need to rethink and reformulate the Agency’s mandate.
ENISA was originally created with the main goal of ensuring a high and effective level of network and information security within the Union. However, given the experience gained with the Agency, as well as the current challenges and threats to network and information security (NIS), it is necessary to modernise its mandate to make it better fit the European Union’s needs. These stem from a variety of factors such as: the fragmentation of national approaches to tackling the evolving challenges; the lack of collaborative models in the implementation of NIS policies; the insufficient level of preparedness also due to the limited European early warning and response capability; the lack of reliable European data and limited knowledge about evolving problems; the low level of awareness of NIS risks and challenges; and the challenge of integrating NIS aspects in policies to fight cybercrime more effectively.
This proposal for the recast of the ENISA Regulation therefore seeks to address these new challenges by revising the Agency’s mandate.
It should be noted that another proposal has been issued in parallel which would extend the current mandate of the Agency until September 2013, the time it is estimated that will be required for the institutions to agree on the text of this proposal.
IMPACT ASSESSMENT: starting from the principle that keeping an Agency had been identified as an appropriate solution for attaining European policy objectives, five policy options were selected for further analysis:
- Option 1: no policy;
- Option 2: carry on as before, i.e., with a similar mandate and the same level of resources;
- Option 3: expand the tasks of ENISA, adding law enforcement and privacy protection authorities as fully fledged stakeholders;
- Option 4: add fighting cyber attacks and response to cyber incidents to its tasks;
- Option 5: add supporting law enforcement and judicial authorities in fighting cybercrime to its tasks.
Following a comparative cost-benefit analysis, option 3 was identified as the most cost-effective and efficient way of achieving the policy objectives because ENISA’s role would focus on: i) building and maintaining a liaison network between stakeholders and a knowledge network to ensure that ENISA is comprehensively informed of the European NIS landscape; ii) being the NIS support centre for policy development and policy implementation; iii) supporting the Union CIIP & Resilience policy; iv) setting up a Union framework for the collection of NIS data; v) studying the economics of NIS; vi) stimulating cooperation with third countries and international organisations; vii) performing non-operational tasks related to NIS aspects of cybercrime law enforcement and judicial cooperation.
LEGAL BASE: Article 114 of the Treaty on the Functioning of the European Union (TFEU).
CONTENT: the proposed Regulation aims to strengthen and modernise ENISA and to establish a new mandate for a period of five years.
The proposal includes some key changes as compared to the original Regulation:
Tasks of the Agency:
- ENISA’s tasks are updated and reformulated broadly, in order to provide more scope for Agency activities, while remaining sufficiently precise to describe the means by which the objectives are to be achieved. These tasks would include, among other things, to:
- assist the Commission with policy development in the area of network and information security by providing it with advice by means of opinions and technical and socio-economic analyses, as well as undertaking preparatory work on the preparation and updating of EU legislation in this field;
- facilitate cooperation among the Member States and between the Member States and the Commission to prevent, detect, mitigate and respond to network and information security problems and incidents;
- assist the Member States and the European institutions and bodies in their efforts to collect, analyse and disseminate network and information security data;
- facilitate cooperation among the Member States’ competent public bodies, in particular supporting the development and exchange of good practices and standards;
- assist the Union and the Member States in promoting the use of risk management and security good practice and standards for electronic products, systems and services;
- encourage cooperation among public and private stakeholders and facilitate dialogue and exchanges of best practice at all levels in particular on aspects of the fight against cybercrime;
- assist the Commission on policy developments that take into account NIS aspects of the fight against cybercrime;
- carry out tasks conferred on the Agency by Union legislative acts.
The Agency’s new mandate would mean that:
- the European institutions and bodies could refer to it for assistance and advice in line with political and regulatory developments;
- law enforcement and privacy protection authorities would become fully fledged stakeholders of the Agency, making it a key interface in the fight against cybercrime.
Management: on the organisational level, the main proposed changes relate to the following:
- strengthened governance structure: the proposal enhances the supervisory role of the Agency’s Management Board, in which the Member States and the Commission are represented. For example, the Management Board is able to issue general directions on staff matters (previously the sole responsibility of the Executive Director). It may also establish working bodies to assist it in carrying out its tasks, including monitoring the implementation of its decisions.
- streamlined procedures: procedures that have proved to be unnecessarily burdensome are simplified, in particular:
- a simplified procedure for the Management Board’s internal rules;
- the opinion on the ENISA Work Programme is provided by Commission services rather than via a Commission Decision.
In addition, the Management Board is also given adequate resources in case it needs to take executive decisions and implement them (e.g., if a staff member lodges a complaint against the Executive Director or the Board itself).
- gradual increase of resources: to meet the reinforced European priorities and the expanding challenges, and without prejudice to the Commission’s proposal for the next multi-annual financial framework, a gradual increase in the financial and human resources of the Agency between 2012 and 2016 is anticipated (see financial implication below).
- option of extending the term of office of the Executive Director: the Management Board may extend the term of office of the Executive Director for three years.
Review clause: the Regulation provides for an evaluation of the Agency, covering the period since the previous evaluation in 2007. Based on the findings, the Management Board will make recommendations to the Commission regarding changes to this Regulation, the Agency and its working practices. To enable the Commission to draft any proposal for an extension of the mandate in good time, the evaluation will have to be done by the end of the second year of the mandate provided by the Regulation.
FINANCIAL IMPLICATION: the proposal will have an impact on the Union budget. It is anticipated that the Agency will be given the resources required to carry out its activities satisfactorily. EU funding after 2013 will be examined in the context of a Commission-wide debate on all proposals for the post-2013 period. This means that once the Commission has made its proposal for the next multi-annual financial framework, it will present an amended legislative financial statement taking into account the conclusions of the impact assessment.