European Network and Information Security Agency (ENISA): further development

2010/0275(COD)

PURPOSE: to extend and strengthen the tasks of the European Network and Information Security Agency (ENISA).

LEGISLATIVE ACT: Regulation (EU) No 526/2013 of the European Parliament and of the Council concerning the European Union Agency for Network and Information Security (ENISA) and repealing Regulation (EC) No 460/2004.

CONTENT: the European Parliament and the Council adopted a Regulation setting out a new mandate for the European Union Network and Information Security Agency (ENISA). ENISA was set up in 2004 with the goal of ensuring a high level of network and information security across the EU. Since then, the challenges for the security of electronic communications have been continuously expanding, with increasing threats from cyber attacks. Against this background, and also in view of the role ENISA is supposed to play in the forthcoming cyber strategy to be presented by the Commission, the new Regulation aims to strengthen and modernise the agency so as to enhance its efficiency.

To this end, a series of amendments were adopted revising the Agency’s mandate, which expires on 13 September 2013.

The main amendments may be summarised as follows:

Length of mandate: the Agency shall be established for a period of seven years from 19 June 2013 with a possibility of extending this duration if this can be justified by an evaluation of the effectiveness of its work.

Objectives of the Agency: the Agency shall develop and maintain a high level of expertise. Among other things, it shall assist the Union institutions, bodies, offices and agencies in:

  • developing policies in network and information security;
  • implementing the policies necessary to meet the legal and regulatory requirements of network and information security under existing and future legal acts of the Union, thus contributing to the proper functioning of the internal market;
  • enhancing and strengthening their capability and preparedness to prevent, detect and respond to network and information security problems and incidents.

Tasks: the Agency’s tasks are strengthened and more clearly stipulated. As a matter of priority, these should:

  • support the development of Union policy and legislation, by: assisting and advising on all matters related to (i) the Union network and information security policy and legislation; (ii) publicly available network and information security strategies and promoting their publication;
  • support capability building by: (i) supporting Member States, at their request, and assisting the Union institutions, bodies, offices and agencies in their efforts to develop the prevention and analysis of and the capability to respond to network and information security problems and incidents; (ii) supporting the organisation and running of Union network and information security exercises; (iii) supporting the development of a Union early warning mechanism; (iv) offering network and information security training for relevant public bodies;
  • support voluntary cooperation among competent public bodies, and between public and private stakeholders, including universities and research centres in the Union, and assisting Union institutions and bodies in their efforts to develop the prevention, detection and analysis of problems and incidents in relation to network and information security, in particular by supporting the operation of the Computer Emergency Response Team (CERT);
  • support research, development and standardisation;
  • cooperate with Union institutions, bodies, offices and agencies, including those dealing with cybercrime and the protection of privacy and personal data, to address issues of common concern;
  • contribute to the Union efforts to cooperate with third countries and international organisations, to promote international cooperation on network and information security issues.

Member State bodies and Union institutions, bodies, offices and agencies may request advice from the Agency in case of breach of security or loss of integrity with a significant impact on the operation of networks and services.

The Agency shall express independently its own conclusions, guidance and advice on matters within the scope and objectives of the Regulation.

Organisation and operation: the tasks of the Management Board are clearly stipulated. Among other things, it shall adopt the Agency’s annual and strategic multiannual work programme and an annual report on the Agency's activities.

To strengthen the efficiency and the cost-efficiency of the Agency, the Management Board shall be assisted by an Executive Board, which shall prepare decisions to be adopted by the Management Board on administrative and budgetary matters only.

Technical and organisational clarifications were introduced in regard to the Executive Director’s tasks and appointment. Among other things, the Executive Director shall draw up the Agency’s draft work programme, which shall be transmitted, following its adoption by the Management Board, to the European Parliament, the Council, the Commission and the Member States. At the invitation of the relevant committee of the European Parliament, the Executive Director shall present and hold an exchange of views on the adopted annual work programme.

Headquarters: on 1 April 2005, a Headquarters Agreement was concluded between the Agency and the Greek government to establish the Agency’s headquarters at Heraklion in Crete. It is, however, stipulated that a branch office should be established in the metropolitan area of Athens in order to improve the operational efficiency of the Agency.

Evaluation and review: by 20 June 2018 the Commission shall commission an evaluation to assess, in particular, the impact, effectiveness and efficiency of the Agency and its working practices. The evaluation shall also address the possible need to modify the mandate of the Agency and the financial implications of any such modification.

ENTRY INTO FORCE: 19.06.2013. Regulation (EC) No 460/2004 is repealed.