Explanatory Memorandum to COM(2010)521 - European Network and Information Security Agency (ENISA)

1. CONTEXT OF THE PROPOSAL

1.1. Policy context

The European Network and Information Security Agency (ENISA) was established in March 2004 for an initial period of five years by Regulation (EC) No 460/2004, with the main goal of ‘ensuring a high and effective level of network and information security within the [Union], […] in order to develop a culture of network and information security for the benefit of the citizens, consumers, enterprises and public sector organisations of the European Union, thus contributing to the smooth functioning of the internal market.’ Regulation (EC) No 1007/2008 extended ENISA’s mandate until March 2012.

The extension of ENISA’s mandate in 2008 also launched a debate on the general direction of European efforts towards network and information security (NIS), to which the Commission contributed by launching a public consultation on the possible objectives for a strengthened NIS policy at Union level. This public consultation ran from November 2008 to January 2009 and gathered nearly 600 contributions.

On 30 March 2009, the Commission adopted a Communication on Critical Information Infrastructure Protection (CIIP) focusing on protecting Europe from cyber attacks and cyber disruptions by enhancing preparedness, security and resilience, with an Action Plan calling on ENISA to play a role, mainly in support of Member States. The Action Plan was broadly endorsed in the discussion at the Ministerial Conference on Critical Information Infrastructure Protection (CIIP) held in Tallinn, Estonia, on 27 and 28 April 2009. The European Union Presidency’s Conference Conclusions stress the importance of ‘leveraging the operational support’ of ENISA; they state that ENISA ‘provides a valuable instrument for bolstering Union-wide cooperative efforts in this field’ and point to the need to rethink and reformulate the Agency’s mandate ‘to better focus on EU priorities and needs; to attain a more flexible response capability; to develop skills and competences; and to bolster the Agency’s operational efficiency and overall impact’ in order to render the Agency ‘a permanent asset for each Member State and the European Union at large’.

After discussion at the Telecom Council of 11 June 2009, where Member States expressed support for extending ENISA’s mandate and increasing its resources in the light of the importance of NIS and the evolving challenges in the area, the debate was brought to a conclusion under the Swedish Presidency of the Union. The Council Resolution of 18 December 2009 on a collaborative European approach to NIS recognises the role and potential of ENISA and the need to ‘further develop ENISA into an efficient body’. It also stresses the need to modernise and reinforce the Agency to support the Commission and the Member States in bridging the gap between technology and policy, serving as the Union's centre of expertise in NIS matters.

1.2. General context

Information and communication technologies (ICTs) have become the backbone of the European economy and society as a whole. ICTs are vulnerable to threats which no longer follow national boundaries and which have changed with technology and market developments. As ICTs are global, interconnected and interdependent with other infrastructure, their security and resilience cannot be secured by purely national and uncoordinated approaches. At the same time, challenges related to NIS evolve quickly. Networks and information systems must be effectively protected against all kinds of disruptions and failures, including man-made attacks.

Policies on Network and Information Security (NIS) play a central role in the Digital Agenda for Europe (DAE), a flagship initiative under the EU 2020 Strategy, to exploit and advance the potential of ICTs and to translate this potential into sustainable growth and innovation. Encouraging the take-up of ICTs and boosting trust and confidence in the information society are key priorities of the DAE.

ENISA was initially created to ensure a high and effective level of network and information security within the Union. The experience gained with the Agency and the evolving challenges and threats have underlined the need to modernise its mandate so that it better fits the needs of the European Union stemming from:

- the fragmentation of national approaches to tackling the evolving challenges;

- the lack of collaborative models in the implementation of NIS policies;

- the insufficient level of preparedness also due to the limited European early warning and response capability;

- the lack of reliable European data and limited knowledge about evolving problems;

- the low level of awareness of NIS risks and challenges;

- the challenge of integrating NIS aspects in policies to fight cybercrime more effectively.

1.3. The policy objectives

The general objective of the proposed regulation is to enable the Union, Member States and stakeholders to develop a high degree of capability and preparedness to prevent, detect and better respond to NIS problems. This will help to build trust, which underpins the development of the Information Society, to improve the competitiveness of European businesses and to ensure that the Internal Market functions effectively.

1.4. Existing provisions in the area of the proposal

This proposal complements regulatory and non-regulatory policy initiatives on Network and Information Security taken at Union level to enhance the security and resilience of ICTs:

- The Action Plan launched by the CIIP Communication addressed the establishment of both:

  - A European Forum for Member States (EFMS), aimed at fostering discussion and exchange regarding good policy practices with the aim of sharing policy objectives and priorities on security and resilience of ICT infrastructure, also directly benefiting from the work and the support provided by the Agency.

  - A European Public-Private Partnership for Resilience (EP3R), the flexible Europe-wide governance framework for resilience of ICT infrastructure, which operates by fostering cooperation between the public and the private sector on security and resilience objectives, baseline requirements, good policy practices and measures.

- The Stockholm Programme, adopted by the European Council on 11 December 2009, promotes policies ensuring network security and allowing faster reaction in the event of cyber attacks in the Union.

- These initiatives contribute to giving effect to the Digital Agenda for Europe. Policies on NIS play a central role in that part of the strategy that focuses on boosting trust and security in the information society. They also support the Commission’s support measures and policy on the protection of privacy (notably ‘privacy by design’) and personal data (review of the framework), the CPC network, identity management, and the Safer Internet Programme.

1.5. Developments in current NIS policy related to the proposal

Several of the ongoing developments in NIS policy, notably those announced in the Digital Agenda for Europe, benefit from the support and expertise of ENISA. These include:

- Strengthening NIS policy cooperation by intensifying activities in the European Forum of Member States (EFMS), which will, with the direct support of ENISA, help:

  - define ways to establish an effective European network through cross-border cooperation between national/governmental Computer Emergency Response Teams (CERTs);

  - identify long-term objectives and priorities for pan-European large scale exercises on NIS incidents;

  - leverage minimum requirements in public procurement to boost security and resilience in public systems and networks;

  - identify economic and regulatory incentives for security and resilience;

  - evaluate the state of NIS health in Europe.

- Strengthening cooperation and partnering between the public and the private sector, by supporting the European Public-Private Partnership for Resilience (EP3R). ENISA plays a growing role in the facilitation of EP3R meetings and activities. The next steps of EP3R will include:

  - Discussing innovative measures and instruments to improve security and resilience, such as:

    - baseline security and resilience requirements, particularly in public procurement for ICT products or services, to provide a level playing field while ensuring an appropriate level of preparedness and prevention;

    - exploring issues of economic operators’ liability, for instance when they put in place minimum security requirements;

    - economic incentives for the development and uptake of risk management practices, security processes and products;

    - risk assessment and management schemes to assess and manage major incidents on a common basis of understanding;

    - cooperation between the private and the public sector in the event of large-scale incidents;

  - organising a Business Summit on economic barriers and drivers for security and resilience.

- Putting the security requirements of the regulatory package on electronic communications into practice, for which ENISA’s expertise and assistance are required:

  - to support the Member States and the Commission, taking into account the views of the private sector as appropriate, in laying down a framework of rules and procedures to implement the security breach notification provisions (laid down in Article 13(a) of the revised Framework Directive);

  - to set up a yearly Forum for NIS national competent bodies/National Regulatory Authorities and the private sector stakeholders to discuss lessons learnt and exchange good practices on the application of regulatory measures for NIS.

- Facilitating EU-wide cyber security preparedness exercises with the support of the Commission and the contribution of ENISA, with a view to extending such exercises at a later stage at international level.

- Establishing a CERT (Computer Emergency Response Team) for the EU institutions. Key Action 6 of the Digital Agenda for Europe is that the Commission will present ‘measures aimed at a reinforced and high level Network and Information Security Policy, including […] measures allowing faster reactions in the event of cyber attacks, including a CERT for the EU institutions’[8]. This will require the Commission and the other Union institutions to analyse and set up a Computer Emergency Response Team, for which ENISA can provide technical support and expertise.

- Mobilising and supporting the Member States in completing and, where necessary, in setting up national/governmental CERTs in order to establish a well-functioning network of CERTs covering all of Europe. This activity will also be instrumental in further developing a European Information Sharing and Alert System (EISAS) for citizens and SMEs, to be built with national resources and capabilities by the end of 2012.

- Raising awareness of NIS challenges, which will include:

  - the Commission working with ENISA to draft guidance on promoting NIS standards, good practices and a risk management culture. The first sample of guidance will be produced.

  - ENISA organising, in cooperation with the Member States, the ‘European month of network and information security for all’, featuring national/European Cyber Security Competitions.

1.6. Consistency with other policies and objectives of the Union

The proposal is consistent with existing policies and objectives of the European Union and fully in line with the objective of contributing to the smooth functioning of the internal market through enhancing preparedness and responsiveness to the challenges of Network and Information Security.

2. RESULTS OF CONSULTATIONS AND IMPACT ASSESSMENT

2.1. Consultation of interested parties

This policy initiative is the result of a wide discussion carried out following an inclusive approach and respecting the principles of participation, openness, accountability, effectiveness and coherence. The broad process that took place included an evaluation of the Agency in 2006/2007 followed by Recommendations by the Management Board of ENISA, two public consultations (in 2007 and in 2008-2009) and a number of workshops on NIS-related matters.

The first public consultation was launched in connection with the Commission Communication on the mid-term evaluation of ENISA. It focused on the Agency’s future, ran from 13 June to 7 September 2007 and gathered a total of 44 online contributions plus two more submitted in writing. The responses came from a variety of stakeholders and interested parties, including Member States’ ministries, regulatory bodies, industry and consumer associations, academic institutions, companies, and individual citizens.

The responses highlighted a number of interesting issues concerning the evolution of the threat scenario; the need to clarify and build more flexibility into the Regulation to allow ENISA to adapt to the challenges; the importance of ensuring effective interaction with stakeholders; and the opportunity for a limited increase in its resources.

The second public consultation, which ran from 7 November 2008 to 9 January 2009, aimed to identify the priority objectives for a strengthened NIS policy at European level and the means of achieving those objectives. Nearly 600 contributions were received from Member State authorities, academic/research institutions, industry associations, private companies and other stakeholders, such as data protection organisations and consultancies, and private citizens.

A large majority of the respondents supported extending the Agency’s mandate and advocated an enlarged role in coordination of NIS activities at the European level and an increase in its resources. Key priorities were the need for a more coordinated approach to cyber threats across Europe, transnational cooperation to respond to large-scale cyber attacks, building trust and improved information exchange among stakeholders.

An impact assessment on the proposal was carried out, starting in September 2009, based on a preparatory study carried out by an external contractor. A wide variety of stakeholders and experts were involved. The contributors included Member State NIS bodies, national regulatory authorities, telecommunications operators and internet service providers and related sector associations, consumers associations, ICT manufacturers, Computer Emergency Response Teams (CERTs), academics, and corporate users. An Inter-Service Steering Group, composed of the relevant Commission Directorates-General, was set up to support the impact assessment process.

2.2. Impact assessment

Keeping an Agency was identified as an appropriate solution for attaining European policy objectives. Following a pre-screening process, five policy options were selected for further analysis:

- Option 1 — No policy;

- Option 2 — Carry on as before, i.e., with a similar mandate and the same level of resources;

- Option 3 — Expand the tasks of ENISA, adding law enforcement and privacy protection authorities as fully fledged stakeholders;

- Option 4 — Add fighting cyber attacks and response to cyber incidents to its tasks;

- Option 5 — Add supporting law enforcement and judicial authorities in fighting cybercrime to its tasks.

Following a comparative cost-benefit analysis, option 3 was identified as the most cost-effective and efficient way of achieving the policy objectives.

Option 3 envisages an expansion of ENISA’s role, to focus on:

- building and maintaining a liaison network between stakeholders and a knowledge network to ensure that ENISA is comprehensively informed of the European NIS landscape;

- being the NIS support centre for policy development and policy implementation (in particular with respect to e-privacy, e-sign, e-ID and procurement standards for NIS);

- supporting the Union CIIP & Resilience policy (exercises, EP3R, European Information Sharing and Alert System, etc.);

- setting up a Union framework for the collection of NIS data, including developing methods and practices for legal reporting and sharing;

- studying the economics of NIS;

- stimulating cooperation with third countries and international organisations to promote a common global approach to NIS and to give impact to high-level international initiatives in Europe;

- performing non-operational tasks related to NIS aspects of cybercrime law enforcement and judicial cooperation.

3. LEGAL ELEMENTS OF THE PROPOSAL

3.1. Summary of the proposed action

The proposed Regulation aims to strengthen and modernise the European Network and Information Security Agency (ENISA), and to establish a new mandate for a period of five years.

The proposal includes some key changes as compared to the original Regulation:

1. More flexibility, adaptability and capability to focus. The tasks are updated and re-formulated broadly, in order to provide more scope for Agency activities; they are sufficiently precise to depict the means by which the objectives are to be achieved. This better focuses the Agency’s mission, improves its capability to achieve its objectives and strengthens its tasks to support the implementation of Union policy.

2. Better alignment of the Agency to the Union’s policy and regulatory process. The European institutions and bodies may refer to the Agency for assistance and advice. This is in line with political and regulatory developments: the Council has started addressing the Agency directly in Resolutions, and the EP and the Council have assigned network and information security-related tasks to the Agency in the regulatory framework on electronic communications.

3. Interface with the fight against cybercrime. In the achievement of its objectives, the Agency takes account of the fight against cybercrime. Law enforcement and privacy protection authorities become fully fledged stakeholders of the Agency, notably in the Permanent Stakeholders Group.

4. Strengthened governance structure. The proposal enhances the supervisory role of the Agency’s Management Board, in which the Member States and the Commission are represented. For example, the Management Board is able to issue general directions on staff matters, previously the sole responsibility of the Executive Director. It may also establish working bodies to assist it in carrying out its tasks, including monitoring the implementation of its decisions.

5. Streamlining procedures. Procedures that have proved to be unnecessarily burdensome are simplified. Examples: (a) a simplified procedure for Management Board internal rules; (b) the opinion on the ENISA Work Programme is provided by Commission services rather than via a Commission Decision. The Management Board is also given adequate resources in case it needs to take executive decisions and implement them (e.g., if a staff member lodges a complaint against the Executive Director or the Board itself).

6. Gradual increase of resources. In order to meet the reinforced European priorities and the expanding challenges, and without prejudice to the Commission's proposal for the next multi-annual financial framework, a gradual increase of the financial and human resources of the Agency between 2012 and 2016 is anticipated. Based on the Commission's proposal for the regulation laying down the multiannual financial framework post-2013 and taking into account the conclusions of the impact assessment, the Commission will present an amended Legislative Financial Statement.

7. Option of extending the term of office of the Executive Director. The Management Board may extend the term of office of the Executive Director for three years.

3.2. Legal basis

This proposal is based on Article 114 of the Treaty on the Functioning of the European Union (TFEU).

In accordance with the European Court of Justice judgment, before the entry into force of the Lisbon Treaty, Article 95 of the EC Treaty was to be considered the appropriate legal basis for the creation of a body for the purpose of ensuring a high and effective level of NIS within the Union. By using the expression ‘measures for the approximation’ in Article 95, the authors of the Treaty intended to confer on the Union legislature a discretion to choose the appropriate measures for achieving the desired result. Enhancing the security and resilience of ICT infrastructures is thus an important element contributing to the smooth functioning of the Internal Market.

Under the Lisbon Treaty, Article 114 of the TFEU describes, almost identically, the internal market responsibility. For the reasons set out above, it will continue to be the applicable legal basis for adopting measures to improve NIS. The Internal Market responsibility is now a shared competence between the Union and the Member States (Article 4(2)(a) TFEU). This means that the Union and the Member States may adopt (binding) measures and that the Member States will act if the Union has not exercised its competence or has decided not to act anymore (Article 2 TFEU).

Measures under the Internal Market responsibility will require the ordinary legislative procedure (Articles 289 and 294 of the TFEU), which is similar to the former co-decision procedure (Article 251 of the EC Treaty).

With the Lisbon treaty, the former distinction between the pillars has disappeared. Preventing and combating crime has become a shared competence of the Union. This has created an opportunity for ENISA to play a role as a platform on NIS aspects of the fight against cybercrime and to exchange views and best practices with cyber defence, law enforcement and privacy protection authorities.

3.3. Subsidiarity principle

The proposal complies with the subsidiarity principle: NIS policy requires a collaborative approach and the objectives of the proposal cannot be achieved by the Member States individually.

A complete non-intervention strategy by the Union in national NIS policies would leave the task up to the Member States, disregarding the clear interdependence between existing information systems. A measure ensuring an appropriate degree of coordination between the Member States to ensure that NIS risks can be well managed in the cross border context in which they arise does therefore respect the subsidiarity principle. Furthermore, European action would improve the effectiveness of existing national policies and thus add value.

In addition, setting up a concerted and collaborative NIS policy will have a beneficial impact on the protection of fundamental rights, and specifically the right to the protection of personal data and privacy. The need to protect data is currently crucial given the fact that European citizens are increasingly entrusting their data to complex information systems, either out of choice or of necessity, without necessarily being able to correctly assess the related data protection risks. When incidents occur, they will therefore not necessarily be able to take suitable steps, nor is it certain that the Member States would be able to effectively address any international incidents in the absence of European NIS coordination.

3.4. Proportionality principle

This proposal complies with the proportionality principle since it does not go beyond what is necessary in order to achieve its objective.

3.5. Choice of instruments

Proposed instrument: a regulation, which is directly applicable in all Member States.

4. BUDGETARY IMPLICATION

The proposal will impact on the Union budget.

Since the tasks to be included in the new mandate for ENISA are laid down, it is anticipated that the Agency will be given the resources required to carry out its activities satisfactorily. The evaluation of the Agency, the extensive consultation process with stakeholders at all levels and the impact assessment show general agreement that the size of the Agency is below its critical mass and that an increase in resources is required. The consequences and effects of an increase in the staff and budget of the Agency are analysed in the Impact Assessment accompanying the proposal.

EU funding after 2013 will be examined in the context of a Commission-wide debate on all proposals for the post-2013 period.

5. ADDITIONAL REMARKS

5.1. Duration

The Regulation shall cover a period of five years.

5.2. Review clause

The Regulation provides for an evaluation of the Agency, covering the period since the previous evaluation in 2007. It will assess the Agency’s effectiveness in achieving its objectives as set out in the Regulation, whether it is still an effective instrument and whether the duration of the Agency should be further extended. Based on the findings, the Management Board will make recommendations to the Commission regarding changes to this Regulation, the Agency and its working practices. To enable the Commission to draft any proposal for an extension of the mandate in good time, the evaluation will have to be done by the end of the second year of the mandate provided by the Regulation.

5.3. Interim measure

The Commission is aware that the legislative procedure in the European Parliament and in the Council may require extensive time for debate on the proposal, and there is a risk of a legal vacuum if the new mandate of the Agency is not adopted in due time before the expiry of the current mandate. The Commission is therefore proposing, along with this proposal, a Regulation extending the current mandate of the Agency for 18 months to allow sufficient time for debate and due process.