Brussels, 30 September 2010
Digital Agenda: Commission proposal to strengthen and modernise European Network and Information Security Agency (ENISA) – frequently asked questions
The European Commission today presented a proposal for a new mandate to strengthen and modernise the European Network and Information Security Agency (ENISA). This initiative is foreseen by the Digital Agenda for Europe (see IP/10/581, MEMO/10/199 and MEMO/10/200) and to boost trust and network security. Strengthening and modernising ENISA will help the EU, Member States and private stakeholders develop their capabilities and preparedness to prevent, detect and respond to cyber-security challenges. The proposal will be forwarded to the European Parliament and the EU's Council of Ministers for adoption. The ENISA proposal is complemented by a proposal for a Directive to deal with new cyber crimes, such as large-scale cyber attacks ("botnets") See also IP/10/1239 and MEMO/10/463.
What is ENISA?
ENISA is the European Network and Information Security Agency. The Agency was created in 2004 for an initial period of five years. Its current mandate expires in March 2012. It is located in Heraklion, Greece.
ENISA's main goal is to ensure a high and effective level of network and information security within the EU in order to develop a culture of network and information security in society which will benefit citizens, consumers, businesses and public sector organisations, and so contribute to the smooth functioning of the Single Market.
ENISA has two main roles. The Agency gives support, advice and expertise to the EU institutions and the Member States on all relevant aspects of network and information security. It also facilitates the exchange of best practices and cooperation between both public and private sector organisations.
What are the aims of today's proposal?
One of the key actions of the Digital Agenda for Europe is measures for a reinforced and high level network and information security policy, including a legislative proposal for the modernisation of ENISA.
The main objective of today's proposal is to reinforce network and information security in Europe by enabling the EU, Member States and stakeholders to develop a high degree of capability and preparedness to prevent, detect and better respond to network and information security problems.
A modernised ENISA will play an important role in boosting trust, which underpins the development of today's digital society and economy, by enhancing the security and privacy of users. This will help make European businesses more competitive and strengthen the development of the Single Market.
Why modernise ENISA?
The evolving challenge of cyber-threats requires a greater effort from the EU.
In particular, the need to strengthen the role of ENISA was underlined by an evaluation of the Agency in 2007, the outcome of two public consultations (on ENISA in 2007 and on cyber security policy instruments in 2008-2009) and of a political debate that took place on network and information security. This debate resulted in December 2009 in a Council Resolution on a collaborative approach to network and information security (2009/321/01), which specifically called for further development of ENISA into a more efficient body and for an increase of its resources.
The Commission's proposal aims to give the Agency the appropriate tools to better focus on EU priorities and needs, to gain a more flexible response capability, to develop European skills and competences and to bolster its operational efficiency and overall impact.
How would ENISA's proposed new mandate enable it to face Europe's network and information security challenges?
Since the threat of cyber attacks is evolving and growing, a more cooperative approach is needed in which a reinforced and modernised ENISA has an essential role. The Commission's proposal would to extend ENISA's mandate for five years (to 2017) and includes the following key elements:
Greater flexibility, adaptability and capability to focus.
Better alignment of the Agency to the EU regulatory process, providing EU countries and institutions with assistance and advice.
Interface with the fight against cybercrime; the Agency would take into account the network and information security aspects of the fight against cyber crime.
Strengthened governance structure: stronger supervisory role of the Management Board, in which the EU Member States and the European Commission are represented.
Simplification of procedures to improve efficiency.
Gradual increase of the Agency's financial and human resources1.
How would a modernised ENISA further enhance the security of electronic communications and of the Internet for Europeans?
This proposal complements a number of ongoing EU regulatory and non-regulatory policy initiatives in the area of network and information security, as consolidated in the Digital Agenda for Europe putting "Trust and Security" as one of its priorities.
ENISA provides direct support and advice to several of these:
ENISA supports the policy cooperation in the European Forum for Member States (EFMS) and the European Public-Private Partnership for Resilience (EP3R), launched in 2009 by the Action Plan on Critical Information Infrastructure Protection (CIIP).
ENISA provides expertise and assistance regarding the implementation of the security and data breach notification provisions of the revised EU telecoms rules.
ENISA contributes to making EU-wide cyber security preparedness exercises and provides technical support for the establishment of a Computer Emergency Response Team (CERT) for the EU institutions, and for the establishment of a Europe-wide network of national CERTs.
How would a modernised ENISA help in the fight against cyber-crime?
One of the elements of the proposal is that ENISA will act as an interface between cyber-security experts and public authorities involved in the fight against cyber-crime. By bringing together law enforcers, the judiciary and privacy protection authorities, network and information security aspects of the fight against cyber-crime will be better co-ordinated.
Will the tasks of ENISA change?
ENISA will take on a broader range of tasks. The tasks of the Agency are updated and formulated more broadly to allow for a more dynamic response to the constantly evolving network and information security challenges.
For example, ENISA will:
Regularly assess, in cooperation with the Member States and the European institutions, the state of network and information security in Europe.
Assist the EU and the Member States in promoting the use of risk management and security good practice and standards for electronic products, systems and services.
How does this proposal relate to other EU initiatives in the area of justice (e.g., the Stockholm programme) and the fight against cyber crime (e.g., the proposal for a Directive on attacks against information systems)?
The 2009 Stockholm Programme, adopted by the European Council on 10-11 December, promotes policies to ensure network and information security and faster reactions in the event of cyber attacks in the EU. In this respect, it called for both a modernised ENISA and a Directive on attacks against information systems.
Under the new ENISA proposal, law enforcement and privacy protection authorities would become fully fledged stakeholders in ENISA, which would allow the Agency to be an interface with the fight against cybercrime.
Why is the Commission proposing an interim measure of one and a half years along with a fully-fledged proposal on ENISA ?
The Commission is aware that the European Parliament and Council may require some time to adopt the proposal on ENISA. Since there would be a risk of a legal vacuum if the new mandate of the Agency were not adopted before the expiry of the current mandate in March 2012, the Commission is also proposing, as an interim measure, a Regulation extending the current mandate of the Agency with identical terms (same mandate and budget) for 18 months.
This would allow time for debate and adoption while ensuring the consistency and continuity of ENISA's work.
Why is the Commission proposing a mandate of limited duration for ENISA?
Information and communication technologies are evolving rapidly. Both the sector's societal, economic and industrial aspects and the appearance of unforeseen challenges have to be taken into account. 2017 meets a balance that allows medium-term planning for ENISA while granting the EU institutions the means to adjust their approach to cyber-threats.
The new proposal would reinforce ENISA's mandate to contribute to ensuring network and information security in Europe.
Figures for the post-2013 period will be made after the Commission has made its proposals on the future Multi-Annual Financial Framework, in the Autumn 2011.