Legal provisions of COM(2010)521 - European Network and Information Security Agency (ENISA)


dossier COM(2010)521 - European Network and Information Security Agency (ENISA).
document COM(2010)521 EN
date May 21, 2013

SECTION 1 - SCOPE, OBJECTIVES AND TASKS


Article 1 - Subject matter and Scope

1. This Regulation establishes a European Union Agency for Network and Information Security (ENISA, hereinafter ‘the Agency’) to undertake the tasks assigned to it for the purpose of contributing to a high level of network and information security within the Union and in order to raise awareness of network and information security and to develop and promote a culture of network and information security in society for the benefit of citizens, consumers, enterprises and public sector organisations in the Union, thus contributing to the establishment and proper functioning of the internal market.

2. The objectives and the tasks of the Agency shall be without prejudice to the competences of the Member States regarding network and information security and in any case to activities concerning public security, defence, national security (including the economic well-being of the state when the issues relate to national security matters) and the activities of the state in areas of criminal law.

3. For the purposes of this Regulation ‘network and information security’ means the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted data and the related services offered by or accessible via those networks and systems.

Article 2 - Objectives

1. The Agency shall develop and maintain a high level of expertise.

2. The Agency shall assist the Union institutions, bodies, offices and agencies in developing policies in network and information security.

3. The Agency shall assist the Union institutions, bodies, offices and agencies and the Member States in implementing the policies necessary to meet the legal and regulatory requirements of network and information security under existing and future legal acts of the Union, thus contributing to the proper functioning of the internal market.

4. The Agency shall assist the Union and the Member States in enhancing and strengthening their capability and preparedness to prevent, detect and respond to network and information security problems and incidents.

5. The Agency shall use its expertise to stimulate broad cooperation between actors from the public and private sectors.

Article 3 - Tasks

1. Within the purpose set out in Article 1, and in order to attain the objectives set out in Article 2, whilst respecting Article 1(2), the Agency shall perform the following tasks:

(a) support the development of Union policy and law, by:

(i) assisting and advising on all matters relating to Union network and information security policy and law;

(ii) providing preparatory work, advice and analyses relating to the development and update of Union network and information security policy and law;

(iii) analysing publicly available network and information security strategies and promoting their publication;

(b) support capability building by:

(i) supporting Member States, at their request, in their efforts to develop and improve the prevention, detection and analysis of and the capability to respond to network and information security problems and incidents, and providing them with the necessary knowledge;

(ii) promoting and facilitating voluntary cooperation among the Member States and between the Union institutions, bodies, offices and agencies and the Member States in their efforts to prevent, detect and respond to network and information security problems and incidents where these have an impact across borders;

(iii) assisting the Union institutions, bodies, offices and agencies in their efforts to develop the prevention, detection and analysis of and the capability to respond to network and information security problems and incidents, in particular by supporting the operation of a Computer Emergency Response Team (CERT) for them;

(iv) supporting the raising of the level of capabilities of national/governmental and Union CERTs, including by promoting dialogue and exchange of information, with a view to ensuring that, with regard to the state of the art, each CERT meets a common set of minimum capabilities and operates according to best practices;

(v) supporting the organisation and running of Union network and information security exercises, and, at their request, advising Member States on national exercises;

(vi) assisting the Union institutions, bodies, offices and agencies and the Member States in their efforts to collect, analyse and, in line with Member States’ security requirements, disseminate relevant network and information security data; and on the basis of information provided by the Union institutions, bodies, offices and agencies and the Member States in accordance with provisions of Union law and national provisions in compliance with Union law, maintaining the awareness, on the part of the Union institutions, bodies, offices and agencies as well as the Member States of the latest state of network and information security in the Union for their benefit;

(vii) supporting the development of a Union early warning mechanism that is complementary to Member States’ mechanisms;

(viii) offering network and information security training for relevant public bodies, where appropriate in cooperation with stakeholders;

(c) support voluntary cooperation among competent public bodies, and between stakeholders, including universities and research centres in the Union, and support awareness raising, inter alia, by:

(i) promoting cooperation between national and governmental CERTs or Computer Security Incident Response Teams (CSIRTs), including the CERT for the Union institutions, bodies, offices and agencies;

(ii) promoting the development and sharing of best practices with the aim of attaining an advanced level of network and information security;

(iii) facilitating dialogue and efforts to develop and exchange best practices;

(iv) promoting best practices in information sharing and awareness raising;

(v) supporting the Union institutions, bodies, offices and agencies and, at their request, the Member States and their relevant bodies in organising awareness raising, including at the level of individual users, and other outreach activities to increase network and information security and its visibility by providing best practices and guidelines;

(d) support research and development and standardisation, by:

(i) facilitating the establishment and take-up of European and international standards for risk management and for the security of electronic products, networks and services;

(ii) advising the Union and the Member States on research needs in the area of network and information security with a view to enabling effective responses to current and emerging network and information security risks and threats, including with respect to new and emerging information and communications technologies, and to using risk-prevention technologies effectively;

(e) cooperate with Union institutions, bodies, offices and agencies, including those dealing with cybercrime and the protection of privacy and personal data, with a view to addressing issues of common concern, including by:

(i) exchanging know-how and best practices;

(ii) providing advice on relevant network and information security aspects in order to develop synergies;

(f) contribute to the Union’s efforts to cooperate with third countries and international organisations to promote international cooperation on network and information security issues, including by:

(i) being engaged, where appropriate, as an observer and in the organisation of international exercises, and analysing and reporting on the outcome of such exercises;

(ii) facilitating exchange of best practices of relevant organisations;

(iii) providing the Union institutions with expertise.

2. Union institutions, bodies, offices and agencies and Member State bodies may request advice from the Agency in the event of breach of security or loss of integrity with a significant impact on the operation of networks and services.

3. The Agency shall carry out tasks conferred on it by legal acts of the Union.

4. The Agency shall express independently its own conclusions, guidance and advice on matters within the scope and objectives of this Regulation.

SECTION 2 - ORGANISATION


Article 4 - Composition of the Agency

1. The Agency shall comprise:

(a) a Management Board;

(b) an Executive Director and staff; and

(c) a Permanent Stakeholders’ Group.

2. In order to contribute to enhancing effectiveness and efficiency of the operation of the Agency, the Management Board shall establish an Executive Board.

Article 5 - Management Board

1. The Management Board shall define the general direction of the operation of the Agency and ensure that the Agency works in accordance with the rules and principles laid down in this Regulation. It shall also ensure consistency of the Agency’s work with activities conducted by the Member States as well as at Union level.

2. The Management Board shall adopt the Agency’s annual and multiannual work programme.

3. The Management Board shall adopt an annual report on the Agency’s activities and send it, by 1 July of the following year, to the European Parliament, the Council, the Commission and the Court of Auditors. The annual report shall include the accounts and describe how the Agency has met its performance indicators. The annual report shall be made public.

4. The Management Board shall adopt an anti-fraud strategy that is proportionate to the fraud risks having regard to a cost-benefit analysis of the measures to be implemented.

5. The Management Board shall ensure adequate follow-up to the findings and recommendations resulting from investigations of the European Anti-fraud Office (OLAF) and the various internal or external audit reports and evaluations.

6. The Management Board shall adopt rules for the prevention and management of conflicts of interest.

7. The Management Board shall exercise, with respect to the staff of the Agency, the powers conferred by the Staff Regulations of Officials and the Conditions of Employment of Other Servants of the European Union (the ‘Staff Regulations’ and the ‘Conditions of Employment of Other Servants’), laid down in Regulation (EEC, Euratom, ECSC) No 259/68 (17) on the Appointing Authority and on the Authority Empowered to Conclude Contract of Employment, respectively.

The Management Board shall adopt, in accordance with the procedure under Article 110 of the Staff Regulations, a decision based on Article 2(1) of the Staff Regulations and on Article 6 of the Conditions of Employment of Other Servants delegating the relevant Appointing Authority powers to the Executive Director. The Executive Director may sub-delegate those powers.

Where exceptional circumstances so require, the Management Board may revoke the delegation of the powers of the Appointing Authority to the Executive Director and those sub-delegated by the Executive Director. In such a case, the Management Board may delegate them, for a limited period to one of its members or to a staff member other than the Executive Director.

8. The Management Board shall adopt appropriate rules implementing the Staff Regulations and the Conditions of Employment of Other Servants in accordance with the procedure provided for in Article 110 of the Staff Regulations.

9. The Management Board shall appoint the Executive Director and may extend his term of office or remove him from office in accordance with Article 24 of this Regulation.

10. The Management Board shall adopt the rules of procedure for itself and for the Executive Board after consulting the Commission. The rules of procedure shall provide for expedited decisions through either written procedure or by remote conferencing.

11. The Management Board shall adopt the Agency’s internal rules of operation after consulting the Commission services. Those rules shall be made public.

12. The Management Board shall adopt the financial rules applicable to the Agency. They may not depart from Commission Regulation (EC, Euratom) No 2343/2002 of 19 November 2002 on the framework Financial Regulation for the bodies referred to in Article 185 of Council Regulation (EC, Euratom) No 1605/2002 on the Financial Regulation applicable to the general budget of the European Communities (18), unless such departure is specifically required for the Agency’s operation and the Commission has given its prior consent.

13. The Management Board shall adopt a Multiannual Staff Policy Plan, after consulting the Commission services and having duly informed the European Parliament and the Council.

Article 6 - Composition of the Management Board

1. The Management Board shall be composed of one representative of each Member State, and two representatives appointed by the Commission. All representatives shall have voting rights.

2. Each member of the Management Board shall have an alternate to represent the member in their absence.

3. Members of the Management Board and their alternates shall be appointed in light of their knowledge of the Agency’s tasks and objectives, taking into account the managerial, administrative and budgetary skills relevant to fulfil the tasks listed in Article 5. The Commission and the Member States should make efforts to limit turnover of their representatives in the Management Board, in order to ensure continuity of that board’s work. The Commission and the Member States shall aim to achieve a balanced representation between men and women on the Management Board.

4. The term of office of members of the Management Board and of their alternates shall be four years. That term shall be renewable.

Article 7 - Chairperson of the Management Board

1. The Management Board shall elect its Chairperson and a Deputy Chairperson from among its members for a period of three years, which shall be renewable. The Deputy Chairperson shall ex officio replace the Chairperson if the latter is unable to attend to his or her duties.

2. The Chairperson may be invited to make a statement before the relevant committee(s) of the European Parliament and answer Members’ questions.

Article 8 - Meetings

1. Meetings of the Management Board shall be convened by its Chairperson.

2. The Management Board shall hold an ordinary meeting at least once a year. It shall also hold extraordinary meetings at the request of the Chairperson or of at least a third of its members.

3. The Executive Director shall take part, without voting rights, in the meetings of the Management Board.

Article 9 - Voting

1. The Management Board shall take its decisions by an absolute majority of its members.

2. A two-thirds majority of all Management Board members shall be required for the adoption of the Management Board’s rules of procedure, the Agency’s internal rules of operation, the budget, the annual and multiannual work programme, the appointment, extension of the term of office or removal of the Executive Director, and the designation of the Chairperson of the Management Board.

Article 10 - Executive Board

1. The Management Board shall be assisted by an Executive Board.

2. The Executive Board shall prepare decisions to be adopted by the Management Board on administrative and budgetary matters only.

Together with the Management Board, it shall ensure adequate follow-up to the findings and recommendations stemming from investigations of OLAF and the various internal or external audit reports and evaluations.

Without prejudice to the responsibilities of the Executive Director, as set out in Article 11, the Executive Board shall assist and advise the Executive Director in implementing the decisions of the Management Board on administrative and budgetary matters.

3. The Executive Board shall be made up of five members appointed from among the members of the Management Board amongst whom the Chairperson of the Management Board, who may also chair the Executive Board, and one of the representatives of the Commission.

4. The term of office of members of the Executive Board shall be the same as that of members of the Management Board set out in Article 6(4).

5. The Executive Board shall meet at least once every three months. The chairperson of the Executive Board shall convene additional meetings at the request of its members.

Article 11 - Duties of the Executive Director

1. The Agency shall be managed by its Executive Director, who shall be independent in the performance of his/her duties.

2. The Executive Director shall be responsible for:

(a) the day-to-day administration of the Agency;

(b) implementing the decisions adopted by the Management Board;

(c) after consultation with the Management Board, preparing the annual work programme and the multiannual work programme and submitting them to the Management Board after consulting the Commission;

(d) implementing the annual work programme and the multiannual work programme and reporting to the Management Board thereon;

(e) preparing the annual report on the Agency’s activities and presenting it to the Management Board for approval;

(f) preparing an action plan following-up on the conclusions of the retrospective evaluations and reporting on progress every two years to the Commission;

(g) protecting the financial interests of the Union by the application of preventive measures against fraud, corruption and any other illegal activities, by effective checks and, if irregularities are detected, by the recovery of the amounts wrongly paid and, where appropriate, by effective, proportionate and dissuasive administrative and financial penalties;

(h) preparing an anti-fraud strategy for the Agency and presenting it to the Management Board for approval;

(i) ensuring that the Agency performs its activities in accordance with the requirements of those using its services, in particular with regard to the adequacy of the services provided;

(j) developing and maintaining contact with the Union institutions, bodies, offices and agencies;

(k) developing and maintaining contact with the business community and consumers’ organisations to ensure regular dialogue with relevant stakeholders;

(l) other tasks assigned to the Executive Director by this Regulation.

3. Where necessary and within the Agency’s objectives and tasks, the Executive Director may set up ad hoc Working Groups composed of experts, including from the Member States’ competent authorities. The Management Board shall be informed in advance. The procedures regarding in particular the composition, the appointment of the experts by the Executive Director and the operation of the ad hoc Working Groups shall be specified in the Agency’s internal rules of operation.

4. The Executive Director shall make administrative support staff and other resources available to the Management Board and the Executive Board whenever necessary.

Article 12 - Permanent Stakeholders’ Group

1. The Management Board, acting on a proposal by the Executive Director, shall set up a Permanent Stakeholders’ Group composed of recognised experts representing the relevant stakeholders, such as the ICT industry, providers of electronic communications networks or services available to the public, consumer groups, academic experts in network and information security, and representatives of national regulatory authorities notified under Directive 2002/21/EC as well as of law enforcement and privacy protection authorities.

2. Procedures for, in particular, the number, composition, and the appointment of the members of the Permanent Stakeholders’ Group by the Management Board, the proposal by the Executive Director and the operation of the Group shall be specified in the Agency’s internal rules of operation and shall be made public.

3. The Permanent Stakeholders’ Group shall be chaired by the Executive Director or by any person the Executive Director appoints on a case-by-case basis.

4. The term of office of the Permanent Stakeholders’ Group’s members shall be two-and-a-half years. Members of the Management Board may not be members of the Permanent Stakeholders’ Group. Experts from the Commission and the Member States shall be entitled to be present at the meetings of the Permanent Stakeholders’ Group and to participate in its work. Representatives of other bodies deemed relevant by the Executive Director, who are not members of the Permanent Stakeholders’ Group, may be invited to be present at the meetings of the Permanent Stakeholders’ Group and to participate in its work.

5. The Permanent Stakeholders’ Group shall advise the Agency in respect of the performance of its activities. It shall in particular advise the Executive Director on drawing up a proposal for the Agency’s work programme, and on ensuring communication with the relevant stakeholders on all issues related to the work programme.

SECTION 3 - OPERATION


Article 13 - Work Programme

1. The Agency shall carry out its operations in accordance with its annual and multiannual work programme, which shall contain all of its planned activities.

2. The work programme shall include tailored performance indicators allowing for effective assessment of the results achieved in terms of objectives.

3. The Executive Director shall be responsible for drawing up the Agency’s draft work programme after prior consultation with the Commission services. By 15 March each year the Executive Director shall submit the draft work programme for the following year to the Management Board.

4. By 30 November each year, the Management Board shall adopt the Agency’s work programme for the following year, after having received the opinion of the Commission. The work programme shall include a multiannual outlook. The Management Board shall ensure that the work programme is consistent with the Agency’s objectives and with the Union’s legislative and policy priorities in the area of network and information security.

5. The work programme shall be organised in accordance with the activity-based management principle. The work programme shall be in line with the statement of estimates of the Agency’s revenue and expenditure and the Agency’s budget for the same financial year.

6. The Executive Director shall, following adoption by the Management Board, forward the work programme to the European Parliament, the Council, the Commission and the Member States and shall publish it. At the invitation of the relevant committee of the European Parliament, the Executive Director shall present and hold an exchange of views on the adopted annual work programme.

Article 14 - Requests to the Agency

1. Requests for advice and assistance falling within the Agency’s objectives and tasks shall be addressed to the Executive Director and accompanied by background information explaining the issue to be addressed. The Executive Director shall inform the Management Board and Executive Board of the requests received, the potential resource implications, and, in due course, of the follow-up to the requests. If the Agency refuses a request, it shall give a justification.

2. Requests referred to in paragraph 1 may be made by:

(a) the European Parliament;

(b) the Council;

(c) the Commission;

(d) any competent body appointed by a Member State, such as a national regulatory authority defined in Article 2 of Directive 2002/21/EC.

3. The practical arrangements for applying paragraphs 1 and 2, regarding in particular submission, prioritisation, follow-up and information to the Management and Executive Board on the requests to the Agency, shall be laid down by the Management Board in the Agency’s internal rules of operation.

Article 15 - Declaration of interest

1. Members of the Management Board, the Executive Director and officials seconded by Member States on a temporary basis shall each make a declaration of commitments and a declaration indicating the absence or presence of any direct or indirect interest which might be considered prejudicial to their independence. The declarations shall be accurate and complete, made annually in writing and updated whenever necessary.

2. Members of the Management Board, the Executive Director, and external experts participating in ad hoc Working Groups shall each accurately and completely declare, at the latest at the start of each meeting, any interest which might be considered prejudicial to their independence in relation to the items on the agenda, and shall abstain from participating in the discussion of and voting upon such points.

3. The Agency shall lay down, in its internal rules of operation, the practical arrangements for the rules on declarations of interest referred to in paragraphs 1 and 2.

Article 16 - Transparency

1. The Agency shall ensure that it carries out its activities with a high level of transparency and in accordance with Articles 17 and 18.

2. The Agency shall ensure that the public and any interested parties are given appropriate, objective, reliable and easily accessible information, in particular with regard to the results of its work. It shall also make public the declarations of interest made in accordance with Article 15.

3. The Management Board, acting on a proposal from the Executive Director, may authorise interested parties to observe the proceedings of some of the Agency’s activities.

4. The Agency shall lay down, in its internal rules of operation, the practical arrangements for implementing the transparency rules referred to in paragraphs 1 and 2.

Article 17 - Confidentiality

1. Without prejudice to Article 18, the Agency shall not divulge to third parties information that it processes or receives in relation to which a reasoned request for confidential treatment, in whole or in part, has been made.

2. Members of the Management Board, the Executive Director, the members of the Permanent Stakeholders’ Group, external experts participating in ad hoc Working Groups, and members of the staff of the Agency including officials seconded by Member States on a temporary basis shall comply with the confidentiality requirements under Article 339 of the Treaty on the Functioning of the European Union (TFEU), even after their duties have ceased.

3. The Agency shall lay down, in its internal rules of operation, the practical arrangements for implementing the confidentiality rules referred to in paragraphs 1 and 2.

4. If required for the performance of the Agency’s tasks, the Management Board shall decide to allow the Agency to handle classified information. In that case the Management Board shall, in agreement with the Commission services, adopt internal rules of operation applying the security principles set out in Commission Decision 2001/844/EC, ECSC, Euratom of 29 November 2001 amending its internal rules of procedure (19). Those rules shall cover, inter alia, provisions for the exchange, processing and storage of classified information.

Article 18 - Access to documents

1. Regulation (EC) No 1049/2001 shall apply to documents held by the Agency.

2. The Management Board shall adopt arrangements for implementing Regulation (EC) No 1049/2001 within six months of the establishment of the Agency.

3. Decisions taken by the Agency pursuant to Article 8 of Regulation (EC) No 1049/2001 may be the subject of a complaint to the Ombudsman under Article 228 TFEU or of an action before the Court of Justice of the European Union under Article 263 TFEU.

SECTION 4 - FINANCIAL PROVISIONS


Article 19 - Adoption of the budget

1. The revenues of the Agency shall consist of a contribution from the Union budget, contributions from third countries participating in the work of the Agency as provided for in Article 30, and voluntary contributions from Member States in money or in kind. Member States that provide voluntary contributions may not claim any specific right or service as a result thereof.

2. The expenditure of the Agency shall include staff, administrative and technical support, infrastructure and operational expenses, and expenses resulting from contracts entered into with third parties.

3. By 1 March each year, the Executive Director shall draw up a draft statement of estimates of the Agency’s revenue and expenditure for the following financial year, and shall forward it to the Management Board, together with a draft establishment plan.

4. Revenue and expenditure shall be in balance.

5. Each year, the Management Board shall, on the basis of a draft statement of estimates of revenue and expenditure drawn up by the Executive Director, produce a statement of estimates of revenue and expenditure for the Agency for the following financial year.

6. The Management Board shall, by 31 March each year, send that statement of estimates, which shall include a draft establishment plan together with the draft work programme, to the Commission and the third countries with which the Union has concluded agreements in accordance with Article 30.

7. The Commission shall forward that statement of estimates to the European Parliament and the Council together with the draft general budget of the Union.

8. On the basis of that statement of estimates, the Commission shall enter in the draft budget of the Union the estimates it deems necessary for the establishment plan and the amount of the subsidy to be charged to the general budget, which it shall submit to the European Parliament and the Council in accordance with Article 314 TFEU.

9. The European Parliament and the Council shall authorise the appropriations for the subsidy to the Agency.

10. The European Parliament and the Council shall adopt the establishment plan for the Agency.

11. Together with the work programme, the Management Board shall adopt the Agency’s budget. It shall become final following definitive adoption of the general budget of the Union. Where appropriate, the Management Board shall adjust the Agency’s budget and work programme in accordance with the general budget of the Union. The Management Board shall forward the budget without delay to the European Parliament, the Council and the Commission.

Article 20 - Combating fraud

1. In order to facilitate the combating of fraud, corruption and other unlawful activities under Regulation (EC) No 1073/1999 (20), the Agency shall, within six months from the day it becomes operational, accede to the Interinstitutional Agreement of 25 May 1999 concerning internal investigations by the European Anti-fraud Office (OLAF) (21) and shall adopt the appropriate provisions applicable to all the employees of the Agency, using the template set out in the Annex to that Agreement.

2. The Court of Auditors shall have the power of audit, on the basis of documents and on the spot, over all grant beneficiaries, contractors and subcontractors who have received Union funds from the Agency.

3. OLAF may carry out investigations, including on-the-spot checks and inspections, in accordance with the provisions and procedures laid down in Regulation (EC) No 1073/1999 and Council Regulation (Euratom, EC) No 2185/96 of 11 November 1996 concerning on-the-spot checks and inspections carried out by the Commission in order to protect the European Communities’ financial interests against fraud and other irregularities (22) with a view to establishing whether there has been fraud, corruption or any other illegal activity affecting the financial interests of the Union in connection with a grant or a contract funded by the Agency.

4. Without prejudice to paragraphs 1, 2 and 3, cooperation agreements with third countries and international organisations, contracts, grant agreements and grant decisions of the Agency shall contain provisions expressly empowering the Court of Auditors and OLAF to conduct such audits and investigations, according to their respective competences.

Article 21 - Implementation of the budget

1. The Executive Director shall be responsible for the implementation of the Agency’s budget.

2. The Commission’s internal auditor shall exercise the same powers over the Agency as over Commission departments.

3. By 1 March following each financial year (1 March of year N + 1), the Agency’s accounting officer shall send the provisional accounts to the Commission’s accounting officer together with a report on the budgetary and financial management for that financial year. The Commission’s accounting officer shall consolidate the provisional accounts of the institutions and decentralised bodies in accordance with Article 147 of the Financial Regulation.

4. By 31 March of year N + 1, the Commission’s accounting officer shall send the Agency’s provisional accounts to the Court of Auditors, together with a report on the budgetary and financial management for that financial year. The report on the budgetary and financial management for the financial year shall also be sent to the European Parliament and the Council.

5. On receipt of the Court of Auditors’ observations on the Agency’s provisional accounts, pursuant to Article 148 of the Financial Regulation, the Executive Director shall draw up the Agency’s final accounts under his/her own responsibility and send them to the Management Board for an opinion.

6. The Management Board shall deliver an opinion on the Agency’s final accounts.

7. The Executive Director shall, by 1 July of year N + 1, transmit the final accounts, including the report on the budgetary and financial management for that financial year and the Court of Auditors’ observations, to the European Parliament, the Council, the Commission and the Court of Auditors, together with the Management Board’s opinion.

8. The Executive Director shall publish the final accounts.

9. The Executive Director shall send the Court of Auditors a reply to its observations by 30 September of year N + 1 and shall also send to the Management Board a copy of that reply.

10. The Executive Director shall submit to the European Parliament, at the latter’s request, all the information necessary for the smooth application of the discharge procedure for the financial year in question, as laid down in Article 165(3) of the Financial Regulation.

11. The European Parliament, acting on a recommendation from the Council, shall, before 15 May of year N + 2, give a discharge to the Executive Director in respect of the implementation of the budget for the year N.

SECTION 5 - STAFF


Article 22 - General provisions

The Staff Regulations and the Conditions of Employment of Other Servants and the rules adopted by agreement between the Union institutions for giving effect to those Staff Regulations shall apply to the staff of the Agency.

Article 23 - Privileges and immunity

Protocol No 7 on the Privileges and Immunities of the European Union annexed to the Treaty on European Union and to the TFEU shall apply to the Agency and its staff.

Article 24 - Executive Director

1. The Executive Director shall be engaged as a temporary agent of the Agency under Article 2(a) of the Conditions of Employment of Other Servants.

2. The Executive Director shall be appointed by the Management Board from a list of candidates proposed by the Commission, following an open and transparent selection procedure.

For the purpose of concluding the contract of the Executive Director, the Agency shall be represented by the Chairperson of the Management Board.

Before appointment, the candidate selected by the Management Board shall be invited to make a statement before the relevant committee of the European Parliament and to answer Members’ questions.

3. The term of office of the Executive Director shall be five years. By the end of that period, the Commission shall undertake an assessment which takes into account the evaluation of the performance of the Executive Director and the Agency’s future tasks and challenges.

4. The Management Board may, acting on a proposal from the Commission which takes into account the assessment referred to in paragraph 3 and after obtaining the views of the European Parliament, extend once the term of office of the Executive Director for no more than five years.

5. The Management Board shall inform the European Parliament about its intention to extend the Executive Director’s term of office. Within three months before any such extension, the Executive Director shall, if invited, make a statement before the relevant committee of the European Parliament and answer Members’ questions.

6. An Executive Director whose term of office has been extended may not participate in another selection procedure for the same post.

7. The Executive Director may be removed from office only by decision of the Management Board.

Article 25 - Seconded national experts and other staff

1. The Agency may make use of seconded national experts or other staff not employed by the Agency. The Staff Regulations and the Conditions of Employment of Other Servants shall not apply to such staff.

2. The Management Board shall adopt a decision laying down rules on the secondment to the Agency of national experts.

SECTION 6 - GENERAL PROVISIONS


Article 26 - Legal status

1. The Agency shall be a body of the Union. It shall have legal personality.

2. In each of the Member States the Agency shall enjoy the most extensive legal capacity accorded to legal persons under their laws. It may, in particular, acquire and dispose of movable and immovable property and be a party to legal proceedings.

3. The Agency shall be represented by its Executive Director.

4. A branch office established in the metropolitan area of Athens shall be maintained in order to improve the operational efficiency of the Agency.

Article 27 - Liability

1. The contractual liability of the Agency shall be governed by the law applicable to the contract in question.

The Court of Justice of the European Union shall have jurisdiction to give judgment pursuant to any arbitration clause contained in a contract concluded by the Agency.

2. In the case of non-contractual liability, the Agency shall, in accordance with the general principles common to the laws of the Member States, make good any damage caused by it or its servants in the performance of their duties.

The Court of Justice of the European Union shall have jurisdiction in any dispute relating to compensation for such damage.

3. The personal liability of its servants towards the Agency shall be governed by the relevant conditions applying to the staff of the Agency.

Article 28 - Languages

1. Regulation No 1 of 15 April 1958 determining the languages to be used in the European Economic Community (23) shall apply to the Agency. The Member States and the other bodies appointed by them may address the Agency and receive a reply in the official language of the institutions of the Union of their choice.

2. The translation services required for the functioning of the Agency shall be provided by the Translation Centre for the Bodies of the European Union.

Article 29 - Protection of personal data

1. When processing data relating to individuals, in particular while performing its tasks, the Agency shall observe the principles of personal data protection in, and be subject to, the provisions of Regulation (EC) No 45/2001.

2. The Management Board shall adopt implementing measures referred to in Article 24(8) of Regulation (EC) No 45/2001. The Management Board may adopt additional measures necessary for the application of Regulation (EC) No 45/2001 by the Agency.

Article 30 - Participation of third countries

1. The Agency shall be open to the participation of third countries which have concluded agreements with the European Union by virtue of which they have adopted and applied Union legal acts in the field covered by this Regulation.

2. Arrangements shall be made under the relevant provisions of those agreements, specifying in particular the nature, extent and manner in which those countries will participate in the Agency’s work, including provisions relating to participation in the initiatives undertaken by the Agency, financial contributions and staff.

Article 31 - Security Rules on the protection of classified information

The Agency shall apply the security principles contained in the Commission’s security rules for protecting European Union Classified Information (EUCI) and sensitive non-classified information, as set out in the Annex to Decision 2001/844/EC, ECSC, Euratom. This shall cover, inter alia, provisions for the exchange, processing and storage of such information.

SECTION 7 - FINAL PROVISIONS


Article 32 - Evaluation and review

1. By 20 June 2018 the Commission shall commission an evaluation to assess, in particular, the impact, effectiveness and efficiency of the Agency and its working practices. The evaluation shall also address the possible need to modify the mandate of the Agency and the financial implications of any such modification.

2. The evaluation referred to in paragraph 1 shall take into account any feedback made to the Agency in response to its activities.

3. The Commission shall forward the evaluation report together with its conclusions to the European Parliament, the Council and the Management Board. The findings of the evaluation shall be made public.

4. As part of the evaluation, there shall also be an assessment of the results achieved by the Agency, having regard to its objectives, mandate and tasks. If the Commission considers that the continuation of the Agency is justified with regard to its assigned objectives, mandate and tasks, it may propose that the duration of the mandate of the Agency set out in Article 36 be extended.

Article 33 - Cooperation of the host Member State

The Agency’s host Member State shall provide the best possible conditions to ensure the proper functioning of the Agency, including the accessibility of the location, the existence of adequate education facilities for the children of staff members, appropriate access to the labour market, social security and medical care for both children and spouses.

Article 34 - Administrative control

The operations of the Agency shall be supervised by the Ombudsman in accordance with Article 228 TFEU.

Article 35 - Repeal and succession

1. Regulation (EC) No 460/2004 is repealed.

References to Regulation (EC) No 460/2004 and to ENISA shall be construed as references to this Regulation and to the Agency.

2. The Agency succeeds the Agency that was established by Regulation (EC) No 460/2004 as regards all ownership, agreements, legal obligations, employment contracts, financial commitments and liabilities.

Article 36 - Duration

The Agency shall be established for a period of seven years from 19 June 2013.

Article 37 - Entry into force

This Regulation shall enter into force on the day following that of its publication in the Official Journal of the European Union.

This Regulation shall be binding in its entirety and directly applicable in all Member States.