European Network and Information Security Agency (ENISA): further development
In accordance with Regulation (EU) No 526/2013, the Commission presented a report on the evaluation of the European Union Agency for Network and Information Security (ENISA).
Background: ENISA's mandate, which expires on 19 June 2020, is to contribute to a high level of network and information security within the Union.
In addition, Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (the 'NIS Directive') attributes important roles to ENISA in the implementation of the law.
The Agency is located in Greece. It has 84 staff members and an annual operating budget of EUR 11.25 million.
In light of the significant changes that have occurred in the cybersecurity landscape since 2013, the Commission announced that it would advance the evaluation and review of ENISA (initially set for 20 June 2018). The Council confirmed this priority, stating that the ENISA Regulation is one of the core essential elements of an EU cyber resilience framework.
Main findings of the evaluation: in order to evaluate the Agency's functioning, the Commission procured an independent study, which was carried out from November 2016 to July 2017, and which constitutes the main source of the evaluation together with internal analysis carried out by the Commission. The following conclusions were reached:
Effectiveness and added value: despite an inadequately detailed mandate limiting its ability to exert great influence, the objectives set for the Agency proved to be relevant during the period 2013-2016 in the light of developments in technologies and threats and the pressing need to increase network and information security in the EU.
The Agency managed to achieve good levels of efficiency and showed the added value of acting at the EU level, in particular through key activities such as the pan-European Cyber Exercises, the support to the CSIRTs community (established to promote swift and effective operational cooperation between Member States), and the analyses of the threat landscape.
ENISA's added value lies primarily in the Agency's ability to enhance cooperation, mainly between Member States but also with related NIS communities.
Reform is needed: in a context where new threats are emerging, where Europe's dependence on digital infrastructure and services is increasing and the Internet of Things opens new perspectives in the field of energy efficiency, environmental protection, and connected mobility, the evaluation showed that the current mandate does not provide ENISA with the necessary tools to face the current and future cybersecurity challenges.
There is also a clear need for cooperation and coordination across different stakeholders. The need for a coordinating entity at EU level to facilitate information flows, minimise gaps and avoid overlapping of roles and responsibilities becomes ever more acute. ENISA, as a decentralised EU agency and a neutral broker, is in a position to coordinate the EU's approach to cyber threats.
On this basis, the Commission has put forward a proposal to reform ENISA, entrusting it with a permanent mandate that builds on the key strengths shown by the Agency and the new priority areas for action, for example in the area of cybersecurity certification.