European Network and Information Security Agency (ENISA): further development
Opinion of the European Data Protection Supervisor on the proposal for a Regulation of the European Parliament and of the Council concerning the European Network and Information Security Agency (ENISA)
On 30 September 2010, the Commission adopted a proposal for a Regulation of the European Parliament and of the Council concerning ENISA, the European Network and Information Security Agency, which aimed to extend the Agency's mandate and its activities.
Out of several options the Commission chose to propose an expansion of the tasks of ENISA and to add law enforcement and data protection authorities as fully fledged members of its permanent stakeholders’ group. The new list of tasks does not include operational ones, but updates and reformulates the current tasks.
Main conclusions: the overall assessment of the proposal is positive and the EDPS welcomes the extension of the Agency's mandate and the expansion of its tasks, including the inclusion of data protection authorities and law enforcement bodies as fully fledged stakeholders. The EDPS considers that the continuity of the Agency will encourage, at European level, professional and streamlined management of security measures for information systems.
The EDPS recommends that, in order to avoid any legal uncertainty, the proposal should be clarified with regard to the expansion of the Agency's tasks, and in particular those that relate to the involvement of law enforcement bodies and data protection authorities. The EDPS also draws attention to the potential loophole created by the inclusion of a provision in the proposal that allows new tasks to be assigned to the Agency by any other Union legislative act without any additional restriction.
The EDPS invites the legislator to clarify whether, and if so which of, ENISA's activities will include the processing of personal data.
It recommends including provisions on the establishment of a security policy for the Agency itself, in order to reinforce the role of the Agency as an enabler of excellence in security practices and as a promoter of 'privacy by design' (privacy and data protection compliance is designed into systems holding information right from the start), by integrating the use of the best available security techniques with respect for personal data protection rights.
The EDPS invites the legislator to resolve some inconsistencies with regard to the restrictions set out in Article 14 concerning the capacity to request the assistance of the Agency. In particular, the EDPS recommends that these restrictions be waived and that all institutions, bodies, agencies and offices of the Union be empowered to request assistance from the Agency.
Lastly, it recommends that the extended capacities of the Management Board include some concrete aspects that could enhance the assurance that good practices are followed within the Agency with regard to security and data protection. Among other things, it is proposed to include the appointment of a data protection officer and the approval of the measures aimed at the correct application of Regulation (EC) No 45/2001.