European Network and Information Security Agency (ENISA): further development

he European Parliament adopted by 626 to 45 with 16 abstentions, a legislative resolution on the proposal for a regulation of the European Parliament and of the Council concerning the European Network and Information Security Agency (ENISA).

Parliament adopted its position in first reading following the ordinary legislative procedure. It amended the Commission proposal as follows:

Objectives: Parliament considers that the Agency should develop and maintain a high level of expertise and assist the Union's institutions, bodies, offices and agencies in: (i) developing policies in network and information security; (ii) implementing the policies necessary to meet the legal and regulatory requirements of network and information security in present and future Union legislation, thus contributing to the smooth functioning of the internal market.

Tasks: the Agency’s tasks have been clarified. It shall:

·        support the development of Union policy and legislation, by: assisting and advising on all matters related to (i) the Union network and information security policy and legislation; (ii) publicly available network and information security strategies and promoting their publication;

·        support capability building by: (i) supporting Member States, at their request and assisting the Union institutions, bodies, offices and agencies in their efforts to develop the prevention and analysis of and the capability to respond to network and information security problems and incidents; (ii) supporting the organisation and running of Union network and information security exercises; (iii) supporting the development of a Union early warning mechanism; (iv) offering network and information security training for relevant public bodies;

·        support voluntary cooperation among competent public bodies, and between public and private stakeholders, including universities and research centres in the Union, and awareness raising;

·        support research, development and standardisation;

·        cooperate with Union institutions, bodies, offices and agencies, including those dealing with cybercrime and the protection of privacy and personal data, to address issues of common concern;

·        contribute to the Union efforts to cooperate with third countries and international organisations, to promote international cooperation on network and information security issues.

Member State bodies and Union institutions, bodies, offices and agencies may request advice from the Agency in case of breach of security or loss of integrity with a significant impact on the operation of networks and services.

The Agency shall express independently its own conclusions, guidance and advice on matters within the scope and objectives of the Regulation.

Organisation: Members call on the Management Board to adopt the Agency’s annual and strategic multiannual work programme. The Management Board shall adopt an annual report on the Agency's activities and send it, by 1 July of the following year, to the European Parliament, the Council, the Commission and the Court of Auditors.

The Management Board shall: (i) adopt an anti-fraud strategy, as well as rules for the prevention and management of conflicts of interest; (ii) exercise with respect to the staff of the Agency, the appointing authority powers conferred by the Staff Regulations on the Appointing Authority and by the Conditions of Employment of Other Servants on the Authority Empowered to Conclude Contract of Employment.

In order to strengthen the efficiency of the Agency, Parliament wants the Management Board to be assisted by an Executive Board, which shall prepare decisions to be adopted by the Management Board on administrative and budgetary matters only.

Executive Director: Members seek to clarify the role of the Executive Director who shall be engaged as a temporary agent and appointed by the Management Board from a list of candidates proposed by the Commission, following an open and transparent selection procedure.

Before appointment, the candidate selected by the Management Board shall be invited to make a statement before the competent committee of the European Parliament and to answer questions by its members.

The term of office of the Executive Director shall be five years. By the end of this period, the Commission shall undertake an assessment that takes into account the evaluation of the performance of the Executive Director and the Agency's future tasks and challenges. The term of office of the Executive Director may be extended for no more than five years after obtaining the views of the European Parliament.

The Executive Director shall be responsible for the implementation of the Agency’s budget.

Seat of the Agency: Parliament wants the Agency's host Member State to provide the best possible conditions to ensure the proper functioning of the Agency, which should be based in an appropriate location, among other things providing appropriate transport connections and facilities for spouses and children accompanying members of staff of the Agency. Members recall that on 1 April 2005, a Headquarters Agreement was concluded between the Agency and the Host Member State. The Greek Government determined that ENISA should have its seat in Heraklion, Crete. The resolution calls for a branch office to be established in the metropolitan area of Athens in order to improve the operational efficiency of the Agency.

Evaluation and review: Members ask that no later than 5 years from the day of entry into force of the Regulation, the Commission shall commission an evaluation to assess particularly the impact, effectiveness and efficiency of the Agency and its working practices. The evaluation shall also address the possible need to modify the mandate of the Agency and the financial implications of any such modification.