Explanatory Memorandum to COM(2007)861 - Amendment of Regulation (EC) No 460/2004 establishing the European Network and Information Security Agency as regards its duration

Background

Communication networks and information systems have become an essential factor in economic and societal development. The security and resilience of communication networks and information systems are of increasing concern to society. The Commission’s i2010 strategy “A European Information Society for growth and employment”[1] reiterated the importance of network and information security for creating a single European information space.

More recently, the Communication “A strategy for a Secure Information Society – Dialogue, partnership and empowerment”[2] reviewed the current threats to the information society and presented an updated policy strategy, highlighting the positive impact of technological diversity on security and the importance of openness and interoperability.

On 22 March 2007 the Council issued a Resolution on a strategy for a secure information society which called upon the ENISA “to continue working in close cooperation with the Member States, the Commission and other relevant stakeholders, in order to fulfil those tasks and objectives that are defined in Regulation (EC) No 460/2004 and to assist the Commission and the Member States in their efforts to meet the requirements of network and information security, thus contributing to the implementation and further development of the Strategy for a Secure Information Society in Europe as set out in this Resolution.”

ESTABLISHMENT OF ENISA

In order to enhance the capability of the Community, the Member States and, as a consequence, the business community to prevent, address and respond to network and information security problems, the European Network and Information Security Agency (ENISA) was established in 2004 for a period of five years.

The Agency was set up with the main purpose of “ensuring a high and effective level of network and information security within the Community and in order to develop a culture of network and information security for the benefit of the citizens, consumers, enterprises and public sector organisations of the European Union, thus contributing to the smooth functioning of the internal market.”

In its proposal for a Regulation of the European Parliament and the Council establishing ENISA, the Commission acknowledged that network and information security “has become a major policy concern. Governments see a widening responsibility for society and are increasingly making efforts to improve security on their territory. They want to promote security, for instance by giving support to computer emergency response teams, to research and for awareness campaigns. (…) Member States are, however, in different stages of their work and the focus of attention varies. (…) there is no systematic cross-border cooperation on network and information security (…) Implementation of the legal framework varies. Product certification is national whilst key standards are developed by the global industry, and operators and vendors are faced with different attitudes of governments. All this leads to a lack of interoperability that impedes a proper use of the security products and services.” The proposal argued for improved and effective coordination between Member States and also between Member States and stakeholders to enhance the capability of the Community, the Member States and, as a consequence, the business community to prevent, address and respond to network and information security problems.

The review of ENISA

Article 25 of the Regulation establishing the Agency provides for the Commission to carry out an evaluation of the Agency by March 2007. To this end, the Commission “shall undertake the evaluation, notably with the aim to determine whether the duration of the Agency should be extended beyond the period specified in Article 27” (that is, five years). Furthermore, “the evaluation shall assess the impact of the Agency on achieving its objectives and tasks, as well as its working practices and envisage, if necessary, the appropriate proposals.”

In accordance with terms of reference agreed with the ENISA Management Board, in October 2006 the Commission launched an independent evaluation by a panel of external experts as the basis for the evaluation provided for in the ENISA Regulation. The purpose of the external evaluation was to provide a formative assessment of the Agency’s working practices, organisation and remit and, if appropriate, recommend improvements. As specified in the terms of reference, the external evaluation took account of the views of all relevant stakeholders. In January 2007 the experts submitted their report, which confirmed that the original policy reasons for establishing the Agency and its original goals are still valid.

In accordance with Article 25 of the Regulation establishing the Agency, in March 2007 the Management Board of the Agency issued recommendations regarding appropriate changes to the Regulation. One of these was that the Regulation should be amended to extend the mandate of the Agency but that the scope of the Agency should not be materially changed.

In June 2007 the Commission submitted to the European Parliament and the Council Communication COM(2007) 285 on the evaluation of the Agency, which outlined the evaluation process and made an appraisal of the evaluation by the panel of external experts.

In line with the Commission’s Better Regulation strategy, a public consultation on the extension and future of the Agency was held from 13 June to 7 September 2007. Most respondents agreed, inter alia, that an Agency would still be the right instrument to deal with the challenges of network and information security.

REASONS FOR ACTION

On 13 November the Commission proposed establishment of a European Electronic Communications Market Authority. The Commission proposed that this authority should take over responsibility for the activities of ENISA that fall within the scope of the Regulation establishing the Authority from 14 March 2011 on.

Since the mandate of the Agency will expire on 13 March 2009, in order to ensure continuity it will be necessary to adopt an interim measure for the two years between the scheduled expiry of the Agency and the date when the European Electronic Communications Market Authority will take over responsibility for its activities that fall within the scope of the Regulation establishing the Authority.