Legal provisions of COM(2003)63 - European Network and Information Security Agency - Main contents
Note: This page contains a limited version of this dossier in the EU Monitor.

| dossier | COM(2003)63 - European Network and Information Security Agency |
|---|---|
| document | COM(2003)63 |
| date | March 10, 2004 |
Contents
- SECTION 1 - SCOPE, OBJECTIVES AND TASKS
- Article 1 - Scope
- Article 2 - Objectives
- Article 3 - Tasks
- Article 4 - Definitions
- SECTION 2 - ORGANISATION
- Article 5 - Bodies of the Agency
- Article 6 - Management Board
- Article 7 - Executive Director
- Article 8 - Permanent Stakeholders' Group
- SECTION 3 - OPERATION
- Article 9 - Work programme
- Article 10 - Requests to the Agency
- Article 11 - Declaration of interests
- Article 12 - Transparency
- Article 13 - Confidentiality
- Article 14 - Access to documents
- SECTION 4 - FINANCIAL PROVISIONS
- Article 15 - Adoption of the budget
- Article 16 - Combating fraud
- Article 17 - Implementation of the budget
- SECTION 5 - GENERAL PROVISIONS
- Article 18 - Legal status
- Article 19 - Staff
- Article 20 - Privileges and immunities
- Article 21 - Liability
- Article 22 - Languages
- Article 23 - Protection of personal data
- Article 24 - Participation of third countries
- SECTION 6 - FINAL PROVISIONS
- Article 25 - Review clause
- Article 26 - Administrative control
- Article 27 - Duration
- Article 28 - Entry into force
SECTION 1 - SCOPE, OBJECTIVES AND TASKS
Article 1 - Scope
2. The Agency shall assist the Commission and the Member States, and in consequence cooperate with the business community, in order to help them to meet the requirements of network and information security, thereby ensuring the smooth functioning of the internal market, including those set out in present and future Community legislation, such as in the Directive 2002/21/EC.
3. The objectives and the tasks of the Agency shall be without prejudice to the competencies of the Member States regarding network and information security which fall outside the scope of the EC Treaty, such as those covered by Titles V and VI of the Treaty on European Union, and in any case to activities concerning public security, defence, State security (including the economic well-being of the State when the issues relate to State security matters) and the activities of the State in areas of criminal law.
Article 2 - Objectives
2. The Agency shall provide assistance and deliver advice to the Commission and the Member States on issues related to network and information security falling within its competencies as set out in this Regulation.
3. Building on national and Community efforts, the Agency shall develop a high level of expertise. The Agency shall use this expertise to stimulate broad cooperation between actors from the public and private sectors.
4. The Agency shall assist the Commission, where called upon, in the technical preparatory work for updating and developing Community legislation in the field of network and information security.
Article 3 - Tasks
(a) collect appropriate information to analyse current and emerging risks and, in particular at the European level, those which could produce an impact on the resilience and the availability of electronic communications networks and on the authenticity, integrity and confidentiality of the information accessed and transmitted through them, and provide the results of the analysis to the Member States and the Commission;
(b) provide the European Parliament, the Commission, European bodies or competent national bodies appointed by the Member States with advice, and when called upon, with assistance within its objectives;
(c) enhance cooperation between different actors operating in the field of network and information security, inter alia, by organising, on a regular basis, consultation with industry, universities, as well as other sectors concerned and by establishing networks of contacts for Community bodies, public sector bodies appointed by the Member States, private sector and consumer bodies;
(d) facilitate cooperation between the Commission and the Member States in the development of common methodologies to prevent, address and respond to network and information security issues;
(e) contribute to awareness raising and the availability of timely, objective and comprehensive information on network and information security issues for all users by, inter alia, promoting exchanges of current best practices, including on methods of alerting users, and seeking synergy between public and private sector initiatives;
(f) assist the Commission and the Member States in their dialogue with industry to address security-related problems in the hardware and software products;
(g) track the development of standards for products and services on network and information security;
(h) advise the Commission on research in the area of network and information security as well as on the effective use of risk prevention technologies;
(i) promote risk assessment activities, interoperable risk management solutions and studies on prevention management solutions within public and private sector organisations;
(j) contribute to Community efforts to cooperate with third countries and, where appropriate, with international organisations to promote a common global approach to network and information security issues, thereby contributing to the development of a culture of network and information security;
(k) express independently its own conclusions, orientations and give advice on matters within its scope and objectives.
Article 4 - Definitions
(a) 'network' means transmission systems and, where applicable, switching or routing equipment and other resources which permit the conveyance of signals by wire, by radio, by optical or by other electromagnetic means, including satellite networks, fixed (circuit- and packet-switched, including Internet) and mobile terrestrial networks, electricity cable systems, to the extent that they are used for the purpose of transmitting signals, networks used for radio and television broadcasting, and cable TV networks, irrespective of the type of information conveyed;
(b) 'information system' means computers and electronic communication networks, as well as electronic data stored, processed, retrieved or transmitted by them for the purposes of their operation, use, protection and maintenance;
(c) 'network and information security' means the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted data and the related services offered by or accessible via these networks and systems;
(d) 'availability' means that data is accessible and services are operational;
(e) 'authentication' means the confirmation of an asserted identity of entities or users;
(f) 'data integrity' means the confirmation that data which has been sent, received, or stored are complete and unchanged;
(g) 'data confidentiality' means the protection of communications or stored data against interception and reading by unauthorised persons;
(h) 'risk' means a function of the probability that a vulnerability in the system affects authentication or the availability, authenticity, integrity or confidentiality of the data processed or transferred and the severity of that effect, consequential to the intentional or non-intentional use of such a vulnerability;
(i) 'risk assessment' means a scientific and technologically based process consisting of four steps, threats identification, threat characterisation, exposure assessment and risk characterisation;
(j) 'risk management' means the process, distinct from risk assessment, of weighing policy alternatives in consultation with interested parties, considering risk assessment and other legitimate factors, and, if need be, selecting appropriate prevention and control options;
(k) 'culture of network and information security' has the same meaning as that set out in the OECD Guidelines for the security of Information Systems and Networks of 25 July 2002 and the Council Resolution of 18 February 2003 on a European approach towards a culture of network and information security(17).
SECTION 2 - ORGANISATION
Article 5 - Bodies of the Agency
(a) a Management Board;
(b) an Executive Director, and
(c) a Permanent Stakeholders' Group.
Article 6 - Management Board
(a) information and communication technologies industry;
(b) consumer groups;
(c) academic experts in network and information security.
2. Board members shall be appointed on the basis of their degree of relevant experience and expertise in the field of network and information security. Representatives may be replaced by alternates, appointed at the same time.
3. The Management Board shall elect its Chairperson and a Deputy Chairperson from among its members for a two-and-a-half-year period, which shall be renewable. The Deputy Chairperson shall ex officio replace the Chairperson in the event of the Chairperson being unable to attend to his/her duties.
4. The Management Board shall adopt its rules of procedure, on the basis of a proposal by the Commission. Unless otherwise provided, the Management Board shall take its decisions by a majority of its members with the right to vote.
A two-thirds majority of all members with the right to vote is required for the adoption of its rules of procedure, the Agency's internal rules of operation, the budget, the annual work programme, as well as the appointment and the removal of the Executive Director.
5. Meetings of the Management Board shall be convened by its Chairperson. The Management Board shall hold an ordinary meeting twice a year. It shall also hold extraordinary meetings at the instance of the Chairperson or at the request of at least a third of its members with the right to vote. The Executive Director shall take part in the meetings of the Management Board, without voting rights, and shall provide the Secretariat.
6. The Management Board shall adopt the Agency's internal rules of operation on the basis of a proposal by the Commission. These rules shall be made public.
7. The Management Board shall define the general orientations for the operation of the Agency. The Management Board shall ensure that the Agency works in accordance with the principles laid down in Articles 12 to 14 and 23. It shall also ensure consistency of the Agency's work with activities conducted by Member States as well as at Community level.
8. Before 30 November each year, the Management Board, having received the Commission's opinion, shall adopt the Agency's work programme for the following year. The Management Board shall ensure that the work programme is consistent with the Agency's scope, objectives and tasks as well as with the Community's legislative and policy priorities in the area of network and information security.
9. Before 31 March each year, the Management Board shall adopt the general report on the Agency's activities for the previous year.
10. The financial rules applicable to the Agency shall be adopted by the Management Board after the Commission has been consulted. They may not depart from Commission Regulation (EC, Euratom) No 2343/2002 of 19 November 2002 on the framework Financial Regulation for the bodies referred to in Article 185 of the Council Regulation (EC, Euratom) No 1605/2002 on the Financial Regulation applicable to the general budget of the European Communities(18), unless such departure is specifically required for the Agency's operation and the Commission has given its prior consent.
Article 7 - Executive Director
2. The Executive Director shall be appointed by the Management Board on the basis of a list of candidates proposed by the Commission after an open competition following publication in the Official Journal of the European Union and elsewhere of a call for expressions of interest. The Executive Director shall be appointed on the grounds of merit and documented administrative and managerial skills, as well as competence and experience relevant for network and information security. Before appointment the candidate nominated by the Management Board shall be invited without delay to make a statement before the European Parliament and to answer questions put by members of that institution. The European Parliament or the Council may also ask at any time for a hearing with the Executive Director on any subject related to the Agency's activities. The Executive Director may be removed from office by the Management Board.
3. The term of office of the Executive Director shall be up to five years.
4. The Executive Director shall be responsible for:
(a) the day-to-day administration of the Agency;
(b) drawing up a proposal for the Agency's work programmes after prior consultation of the Commission and of the Permanent Stakeholders' Group;
(c) implementing the work programmes and the decisions adopted by the Management Board;
(d) ensuring that the Agency carries out its tasks in accordance with the requirements of those using its services, in particular with regard to the adequacy of the services provided;
(e) the preparation of the Agency's draft statement of estimates of revenue and expenditure and the execution of its budget;
(f) all staff matters;
(g) developing and maintaining contact with the European Parliament and for ensuring a regular dialogue with its relevant committees;
(h) developing and maintaining contact with the business community and consumers' organisations for ensuring a regular dialogue with relevant stakeholders;
(i) chairing the Permanent Stakeholders' Group.
5. Each year, the Executive Director shall submit to the Management Board for approval:
(a) a draft general report covering all the activities of the Agency in the previous year;
(b) a draft work programme.
6. The Executive Director shall, following adoption by the Management Board, forward the work programme to the European Parliament, the Council, the Commission and the Member States and shall have it published.
7. The Executive Director shall, following adoption by the Management Board, transmit the Agency's general report to the European Parliament, the Council, the Commission, the Court of Auditors, the European Economic and Social Committee and the Committee of the Regions and shall have it published.
8. Where necessary and within the Agency's scope, objectives and tasks, the Executive Director may establish, in consultation with the Permanent Stakeholders' Group, ad hoc Working Groups composed of experts. The Management Board shall be duly informed. The procedures regarding in particular the composition, the appointment of the experts by the Executive Director and the operation of the ad hoc Working Groups shall be specified in the Agency's internal rules of operation.
Where established, the ad hoc Working Groups shall address in particular technical and scientific matters.
Members of the Management Board may not be members of the ad hoc Working Groups. Representatives of the Commission shall be entitled to be present in their meetings.
Article 8 - Permanent Stakeholders' Group
2. The procedures regarding in particular the number, the composition, the appointment of the members by the Executive Director and the operation of the Group shall be specified in the Agency's internal rules of operation and shall be made public.
3. The Group shall be chaired by the Executive Director. The term of office of its members shall be two-and-a-half years. Members of the Group may not be members of the Management Board.
4. Representatives of the Commission shall be entitled to be present in the meetings and participate in the work of the Group.
5. The Group may advise the Executive Director in the performance of his/her duties under this Regulation, in drawing up a proposal for the Agency's work programme, as well as in ensuring communication with the relevant stakeholders on all issues related to the work programme.
SECTION 3 - OPERATION
Article 9 - Work programme
Article 10 - Requests to the Agency
2. Requests referred to in paragraph 1 may be made by:
(a) the European Parliament;
(b) the Commission;
(c) any competent body appointed by a Member State, such as a national regulatory authority as defined in Article 2 of Directive 2002/21/EC.
3. The practical arrangements for the application of paragraphs 1 and 2, regarding in particular the submission, the prioritisation, the follow-up as well as the information of the Management Board on the requests to the Agency, shall be laid down by the Management Board in the Agency's internal rules of operation.
Article 11 - Declaration of interests
2. External experts participating in ad hoc Working Groups shall declare at each meeting any interests which might be considered prejudicial to their independence in relation to the items on the agenda.
Article 12 - Transparency
2. The Agency shall ensure that the public and any interested parties are given objective, reliable and easily accessible information, in particular with regard to the results of its work, where appropriate. It shall also make public the declarations of interest made by the Executive Director and by officials seconded by Member States on a temporary basis, as well as the declarations of interest made by experts in relation to items on the agendas of meetings of the ad hoc Working Groups.
3. The Management Board, acting on a proposal from the Executive Director, may authorise interested parties to observe the proceedings of some of the Agency's activities.
4. The Agency shall lay down in its internal rules of operation the practical arrangements for implementing the transparency rules referred to in paragraphs 1 and 2.
Article 13 - Confidentiality
2. Members of the Management Board, the Executive Director, the members of the Permanent Stakeholders' Group, external experts participating in ad hoc Working Groups, and members of the staff of the Agency including officials seconded by Member States on a temporary basis, even after their duties have ceased, are subject to the requirements of confidentiality pursuant to Article 287 of the Treaty.
3. The Agency shall lay down in its internal rules of operation the practical arrangements for implementing the confidentiality rules referred to in paragraphs 1 and 2.
Article 14 - Access to documents
2. The Management Board shall adopt arrangements for implementing the Regulation (EC) No 1049/2001 within six months of the establishment of the Agency.
3. Decisions taken by the Agency pursuant to Article 8 of Regulation (EC) No 1049/2001 may form the subject of a complaint to the Ombudsman or of an action before the Court of Justice of the European Communities, under Articles 195 and 230 of the Treaty respectively.
SECTION 4 - FINANCIAL PROVISIONS
Article 15 - Adoption of the budget
2. The expenditure of the Agency shall include the staff, administrative and technical support, infrastructure and operational expenses, and expenses resulting from contracts entered into with third parties.
3. By 1 March each year at the latest, the Executive Director shall draw up a draft statement of estimates of the Agency's revenue and expenditure for the following financial year, and shall forward it to the Management Board, together with a draft establishment plan.
4. Revenue and expenditure shall be in balance.
5. Each year, the Management Board, on the basis of a draft statement of estimates of revenue and expenditure drawn up by the Executive Director, shall produce a statement of estimates of revenue and expenditure for the Agency for the following financial year.
6. This statement of estimates, which shall include a draft establishment plan together with the provisional work programme, shall, by 31 March at the latest, be transmitted by the Management Board to the Commission and the States with which the Community has concluded agreements in accordance with Article 24.
7. This statement of estimates shall be forwarded by the Commission to the European Parliament and the Council (both hereinafter referred to as the 'budgetary authority') together with the preliminary draft general budget of the European Union.
8. On the basis of this statement of estimates, the Commission shall enter in the preliminary draft general budget of the European Union the estimates it deems necessary for the establishment plan and the amount of the subsidy to be charged to the general budget, which it shall submit to the budgetary authority in accordance with Article 272 of the Treaty.
9. The budgetary authority shall authorise the appropriations for the subsidy to the Agency.
The budgetary authority shall adopt the establishment plan for the Agency.
10. The Management Board shall adopt the Agency's budget. It shall become final following final adoption of the general budget of the European Union. Where appropriate, the Agency's budget shall be adjusted accordingly. The Management Board shall forward it without delay to the Commission and the budgetary authority.
11. The Management Board shall, as soon as possible, notify the budgetary authority of its intention to implement any project which may have significant financial implications for the funding of the budget, in particular any projects relating to property such as the rental or purchase of buildings. It shall inform the Commission thereof.
Where a branch of the budgetary authority has notified its intention to deliver an opinion, it shall forward its opinion to the Management Board within a period of six weeks from the date of notification of the project.
Article 16 - Combating fraud
2. The Agency shall accede to the Interinstitutional Agreement of 25 May 1999 between the European Parliament and the Council of the European Union and the Commission of the European Communities concerning internal investigations by the European Anti-fraud Office (OLAF)(20) and shall issue, without delay, the appropriate provisions applicable to all the employees of the Agency.
Article 17 - Implementation of the budget
2. The Commission's internal auditor shall exercise the same powers over the Agency as over Commission departments.
3. By 1 March at the latest following each financial year, the Agency's accounting officer shall communicate the provisional accounts to the Commission's accounting officer together with a report on the budgetary and financial management for that financial year. The Commission's accounting officer shall consolidate the provisional accounts of the institutions and decentralised bodies in accordance with Article 128 of Council Regulation (EC, Euratom) No 1605/2002 of 25 June 2002 on the Financial Regulation applicable to the general budget of the European Communities(21) (hereinafter referred to as the general Financial Regulation).
4. By 31 March at the latest following each financial year, the Commission's accounting officer shall transmit the Agency's provisional accounts to the Court of Auditors, together with a report on the budgetary and financial management for that financial year. The report on the budgetary and financial management for the financial year shall also be transmitted to the budgetary authority.
5. On receipt of the Court of Auditors' observations on the Agency's provisional accounts, pursuant to Article 129 of the general Financial Regulation, the Executive Director shall draw up the Agency's final accounts under his/her own responsibility and transmit them to the Management Board for an opinion.
6. The Management Board shall deliver an opinion on the Agency's final accounts.
7. The Executive Director shall, by 1 July at the latest following each financial year, transmit the final accounts to the European Parliament, the Council, the Commission and the Court of Auditors, together with the Management Board's opinion.
8. The final accounts shall be published.
9. The Executive Director shall send the Court of Auditors a reply to its observations by 30 September at the latest. He/she shall also send this reply to the Management Board.
10. The Executive Director shall submit to the European Parliament, at the latter's request, all information necessary for the smooth application of the discharge procedure for the financial year in question, as laid down in Article 146(3) of the general Financial Regulation.
11. The European Parliament, on a recommendation from the Council acting by a qualified majority, shall, before 30 April of year N+2, give a discharge to the Executive Director in respect of the implementation of the budget for the year N.
SECTION 5 - GENERAL PROVISIONS
Article 18 - Legal status
2. In each of the Member States the Agency shall enjoy the most extensive legal capacity accorded to legal persons under their laws. It may, in particular, acquire and dispose of movable and immovable property and be a party to legal proceedings.
3. The Agency shall be represented by its Executive Director.
Article 19 - Staff
2. Without prejudice to Article 6, the powers conferred on the appointing authority by the Staff Regulations and on the authority authorised to conclude contracts by the Conditions of Employment of Other Servants shall be exercised by the Agency in respect of its own staff.
The Agency may also employ officials seconded by Member States on a temporary basis and for a maximum of five years.
Article 20 - Privileges and immunities
Article 21 - Liability
The Court of Justice of the European Communities shall have jurisdiction to give judgment pursuant to any arbitration clause contained in a contract concluded by the Agency.
2. In the case of non-contractual liability, the Agency shall, in accordance with the general principles common to the laws of the Member States, make good any damage caused by it or its servants in the performance of their duties.
The Court of Justice shall have jurisdiction in any dispute relating to compensation for such damage.
3. The personal liability of its servants towards the Agency shall be governed by the relevant conditions applying to the staff of the Agency.
Article 22 - Languages
2. The translation services required for the functioning of the Agency shall be provided by the Translation Centre for the Bodies of the European Union(23).
Article 23 - Protection of personal data
Article 24 - Participation of third countries
2. Arrangements shall be made under the relevant provisions of those agreements, specifying in particular the nature, extent and manner in which these countries will participate in the Agency's work, including provisions relating to participation in the initiatives undertaken by the Agency, financial contributions and staff.
SECTION 6 - FINAL PROVISIONS
Article 25 - Review clause
2. The evaluation shall assess the impact of the Agency on achieving its objectives and tasks, as well as its working practices and envisage, if necessary, the appropriate proposals.
3. The Management Board shall receive a report on the evaluation and issue recommendations regarding eventual appropriate changes to this Regulation to the Commission. Both the evaluation findings and recommendations shall be forwarded by the Commission to the European Parliament and the Council and shall be made public.
Article 26 - Administrative control
Article 27 - Duration
Article 28 - Entry into force
This Regulation shall be binding in its entirety and directly applicable in all Member States.