Annexes to SEC(2010)1127 - SUMMARY OF THE IMPACT ASSESSMENT Accompanying document to the Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND THE COUNCIL concerning the European Network and Information Security Agency (ENISA)


Annex 4), including: (i) an agency, (ii) a more or less formalised public-private partnership (PPP), (iii) an informal contact network, (iv) a permanent network of competent bodies, and (v) direct incorporation into a Commission service.

Comparing these different organisational formats, the Agency format seems best suited as the policy instrument of choice because of its advantages regarding: (1) legal certainty, both of the organisational structure and on substance, (2) its suitability for the specific concerns of a sector as sensitive as NIS (body of external expertise, coordination of the relationship with stakeholders, involvement/commitment of Member States) and (3) the acceptance and reputation of ENISA in the NIS community.

Hence, the following policy options were developed and assessed in detail for the organisational format of an Agency.

Policy option 1: No policy

Under the option ‘No policy’, it is assumed that ENISA would stop existing after March 2012 and that no other EU institution would take over all or part of ENISA’s current activities.

Closing down ENISA would mean all the investment made so far, for example in setting up an organisation that is capable of attracting highly specialised people, in building up experience, and in creating networks with and between stakeholders and with international institutions, would be withdrawn at a moment when the existing Agency has reached cruising speed.

The complex nature of the NIS problem across Europe calls for a modernised and strengthened Agency, not for closing the existing one down. This is confirmed by the explicit role given to ENISA, for example in the reformed regulatory framework for electronic communications [10], and the general support expressed by stakeholders for a more important role for a European NIS Agency.

Policy option 2: Continuation à l'identique

Option 2 represents the ‘business as usual’ scenario, i.e. continuation of the same policy instrument in an identical form and with the same resources. Among stakeholders, there is a general consensus that ENISA has matured into a credible point of reference for NIS issues and developed into a centre of excellence in its domain.

Given the current staffing and budgetary restrictions, the Agency will be able to have an impact only on a very limited number of NIS issues. However, this contrasts with the overall expectations of stakeholders. Not giving the Agency the possibility to further evolve and live up to such increasing expectations could ultimately lead to a crisis of credibility.

Policy option 3: Expanding the functions currently defined for ENISA and adding law enforcement and privacy protection agencies as fully fledged stakeholders

Under this option the role of a NIS Agency would be expanded, focusing on:

- Building and maintaining a liaison network between stakeholders and a knowledge network;

- Being a NIS support centre for policy development and policy implementation (in particular with respect to e-privacy, e-sign, e-ID and procurement standards for NIS);

- Supporting the EU CIIP & resilience policy (e.g. exercises, EP3R [11], European Information Sharing and Alert System, etc.);

- Setting up an EU framework for the collection of NIS data, including developing methods and practices for legal reporting and sharing;

- Studying and reporting on the economics of NIS;

- Stimulating cooperation with third countries and international organisations to promote a common global approach to NIS and to give impact to high-level international initiatives in Europe;

- Performing non-operational tasks related to NIS aspects of law enforcement and judicial cooperation.

The Agency would have at its disposal all the resources necessary to perform its activities in a satisfactory and in-depth way, i.e. allowing for a real impact. With more resources available, ENISA could take a much more pro-active role and take more initiatives to stimulate active participation by the stakeholders. Moreover, this new situation would allow for more flexibility to react quickly to changes in the constantly evolving NIS environment.

Policy option 4: Adding operational functions in fighting cyber attacks and response to cyber incidents

In addition to the activities set out under option 3, the Agency would have operational functions such as taking a more active role in EU CIIP, for example in incident prevention and response, specifically by acting as an EU NIS Computer Emergency Response Team (CERT) and by coordinating national CERTs as an EU NIS Storm Centre, including both day-to-day management activities and handling emergency services.

This option would require a substantial increase in the Agency’s budget and human resources, which raises concerns about its absorption capacity and effective use of the budget in relation to the benefits to be attained.

Policy option 5: Adding operational functions in supporting law enforcement and judicial authorities in fighting cybercrime

In addition to the activities listed in option 4, this option would include functions for the Agency relating to:

- Providing support on procedural law (cf. Convention on Cybercrime): e.g. collection of traffic data, interception of content data, monitoring flows in case of denial-of-service attacks;

- Being a centre of expertise for criminal investigation including NIS aspects.

Like option 4, this would require a substantial increase in the Agency’s resources and raise similar concerns regarding absorption capacity and effective use of the budget.

6. Comparison of policy options and assessment of impacts

Analysis of the possible economic, social and environmental impacts reveals that option 1 would produce negative effects in all respects and the situation would worsen.

Option 2 turns out to be sub-optimal as the Agency would not have the necessary resources to address adequately the challenges of the constantly changing NIS landscape, which could lead to reputational risk and — ultimately — a crisis of credibility.

Under option 3, a modernised NIS Agency would contribute to:

Reducing the fragmentation of national approaches (problem driver 1), increasing data and knowledge/information-based policy and decision making (problem driver 3) and increasing overall awareness of and the tackling of NIS risks and challenges (problem driver 4) by contributing to:

- more efficient collection of relevant information on risks, threats and vulnerabilities by each individual Member State;

- increased availability of information on current and future NIS challenges and risks;

- higher-quality NIS policy provision in Member States.

Improving European early warning and response capability (problem driver 2) by:

- helping the Commission and Member States to set up pan-European exercises, thereby achieving economies of scale in responding to EU-wide incidents;

- facilitating the functioning of the EP3R, which could ultimately lead to more investment triggered by common policy objectives and EU-wide standards for security and resilience.

Promoting a common global approach to NIS (problem driver 5) by:

- increasing the exchange of information and knowledge with non-EU countries.

Fighting cybercrime more efficiently and effectively (problem driver 7) by:

- being involved in non-operational tasks relating to NIS aspects of law enforcement and judicial cooperation, such as bi-directional exchange of information and training (e.g., in cooperation with the European Police College CEPOL).

Option 4 would produce a greater impact at operational level, in addition to the impacts to be achieved under option 3. By acting as an EU NIS CERT and by coordinating national CERTs, the Agency would contribute to higher economies of scale in responding to EU-wide incidents and lower operational risks for business due to higher levels of security and resilience, for example.

Option 5 would achieve greater effectiveness in fighting cybercrime than options 3 and 4, with the addition of operational functions in supporting law enforcement and judicial authorities.

However, while both options 4 and 5 would have greater positive impacts than option 3, both these options would be politically sensitive for the Member States in relation to their CIIP responsibilities (i.e. a number of Member States would not be in favour of centralised operational functions). In addition, enlarging the mandate as examined under options 4 and 5 may render the Agency’s position ambiguous. Moreover, adding these new and completely different operational tasks to the Agency’s mandate may turn out to be very challenging in the short run, and there is a significant risk that the Agency would not be able to carry out this kind of task properly within a reasonable time-span. Last, but not least, the cost of implementing options 4 and 5 is prohibitively high — the budget required would be four or five times as much as ENISA's current budget.

When comparing the impacts of all five policy options for the organisational format of a modernised NIS Agency, options 1 and 2 have to be discarded because neither would allow the complex NIS problem to be addressed adequately at EU level. Options 3, 4 and 5, on the other hand, would enable the EU to address future NIS policy options appropriately. Options 4 and 5 seem, for the time being, over-ambitious, both as regards the political sensitivities of the majority of Member States and as regards the budget implications. Hence, option 3 appears to be the best option to address the seven NIS problems identified in the most efficient way.

7. Monitoring and evaluation: how are the actual costs and benefits and the achievement of the desired effects to be measured?

This policy initiative would provide for periodic evaluations which would be forwarded by the Commission to the European Parliament and the Council and be made public. These evaluations would take into account the views of all relevant stakeholders, on the basis of terms of reference agreed with the Management Board of the Agency, and would assess the effectiveness of the Agency in achieving its objectives, whether an Agency is still an effective instrument and whether any changes should be made to the Agency’s mandate and/or other aspects of its establishing Regulation. Following an evaluation, the Management Board of the Agency would issue recommendations to the Commission regarding any appropriate changes to be made to the Regulation. The Management Board and the Executive Director of the Agency should take the results of the evaluations into consideration in the Agency’s multi-annual planning.

The operations of the Agency are subject to the supervision of the Ombudsman in accordance with Article 228 of the Treaty.

[1] Regulation (EC) No 460/2004 of the European Parliament and of the Council of 10 March 2004 establishing the European Network and Information Security Agency.

[2] Communication from the Commission to the European Parliament and the Council on the evaluation of the European Network and Information Security Agency (ENISA), COM(2007) 285, 1.6.2007, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:52007DC0285:EN:NOT.

[3] The consultation ran from 13 June to 7 September 2007.

[4] Regulation (EC) No 1007/2008 of the European Parliament and of the Council of 24 September 2008 amending Regulation (EC) No 460/2004 establishing the European Network and Information Security Agency as regards its duration (OJ L 293, 31.10.2008).

[5] From 7 November 2008 through 9 January 2009; report available at http://ec.europa.eu/information_society/policy/nis/nis_public_consultation/index_en.htm.

[6] Communication from the Commission to the European Parliament and the Council on Critical Information Infrastructure Protection, COM(2009) 149, 30.3.2009.

[7] Council Resolution of 18 December 2009 on a collaborative European approach to Network and Information Security (2009/C 321/01).

[8] COM(2010) 2020.

[9] IDC EMEA, The European Network and Information Security Market, Scenario, Trends and Challenges, April 2009, with reference to the Eurobarometer E-Communications Survey, April 2007.

[10] See http://eur-lex.europa.eu/JOHtml.do?uri=OJ:L:2009:337:SOM:EN:HTML.

[11] European Public Private Partnership for Resilience, see COM(2009) 149.
