Proposal for a Regulation of the European Parliament and of the Council concerning the European Network and Information Security Agency (ENISA)

1. Key data

Document date 07-12-2011
Publication date 12-12-2011
Reference 18156/11
From Presidency
To Council

2. Text

COUNCIL OF THE EUROPEAN UNION

Brussels, 7 December 2011

18156/11

Interinstitutional File: 2010/0275 (COD)

TELECOM 203 MI 644 DATAPROTECT 148 JAI 920 CAB 56 INST 615 CODEC 2318

PROGRESS REPORT
from: Presidency
to: Council

No. Cion prop.: 14358/10 TELECOM 99 MI 346 DATAPROTECT 70 JAI 794 CAB 16 INST 361 CODEC 943

No prev. doc. 17948/11 TELECOM 199 MI 633 DATAPROTECT 146 JAI 909 CAB 55 INST 596 CODEC 2275

Subject: Proposal for a Regulation of the European Parliament and of the Council concerning the European Network and Information Security Agency (ENISA)

  • 1. 
    On 1 October 2010 the Commission transmitted to the Council a proposal for a Regulation of the European Parliament and of the Council concerning the European Network and Information Security Agency (hereafter "ENISA"). The proposal, which was referred to in the Digital Agenda for Europe [1], is intended to strengthen and modernise the ENISA and to establish a new mandate for a period of five years. The current mandate of the ENISA will expire on 13 September 2013.

[1] Doc 9981/1/10 REV 1. Key Action 6 of the Digital Agenda for Europe stipulates that in 2010 the Commission will present measures aiming at a reinforced and high level Network and Information Security Policy, including legislative initiatives such as a modernised European Network and Information Security Agency (ENISA), and measures allowing faster reactions in the event of cyber attacks, including a CERT for the EU institutions.

  • 2. 
    The proposal has been examined in numerous meetings of the Working Party on Telecommunications and the Information Society. A first progress report was presented by the Presidency to the TTE Council of 3 December 2010 [2]. A second progress report was presented to the TTE Council on 27 May 2011. A Presidency compromise text on the draft Regulation, attached to the second progress report, was broadly supported in principle by delegations [3]. However, the duration of the agency was signalled as an outstanding issue and no compromise proposal was presented at that point. During the discussions several delegations agreed in principle to a mandate limited in time, including a longer mandate than that proposed by the Commission. On the other hand, several delegations supported an indefinite mandate.

  • 3. 
    The European Parliament has started its first reading and Mr Giles Chichester, rapporteur in the ITRE Committee of the European Parliament, presented his draft report on 5 October 2011. The vote in the ITRE Committee, initially scheduled to take place on 10 November 2011, was postponed and is now scheduled for March 2012.

  • 4. 
    With the aim of achieving progress, the Working Party on Telecommunications and the Information Society continued the examination of the proposal under the Polish Presidency and collected the views of delegations on several issues related to, among others, the duration, the tasks and the structure of the ENISA. In addition, the recitals were examined and modified so that they correspond to the respective articles. The progress achieved is reflected in the attached Presidency compromise proposal.

[2] Doc. 16835/10.

[3] Doc. 10296/11.

  • 5. 
    Concerning the tasks, the Presidency proposed that the ENISA should have the additional task of supporting and promoting voluntary co-operation between relevant organisations, e.g. CSIRTs/CERTs, and regularly share best practices with the aim to arrive at an advanced level of network and information security (article 3, par. 1, letter e). Furthermore, the ENISA should support the Member States, at their request, and the Union's institutions to organise awareness raising and other outreach activities to increase network and information security and its visibility (article 3, par. 1, letter f). On international cooperation, the ENISA should contribute to the Union's efforts to cooperate with third countries and international organisations, for instance by supporting cooperation with the relevant organisations, e.g. CSIRTs/CERTs, and promoting involvement in international network and information security exercises (article 3, par. 1, letter l). Finally, the ENISA should provide Member States, at their request, with the necessary knowledge and other resources available to strengthen their network and information security capability (article 3, par. 1, letter m). These Presidency compromise proposals on the tasks were acceptable in principle to delegations.

  • 6. 
    The duration of the Agency is still an outstanding issue. The Presidency compromise proposal to extend the duration of the ENISA for 14 years, corresponding to a period covered by two Multiannual Financial Frameworks, was supported by some delegations in the spirit of compromise, while other delegations supported an indefinite mandate or a mandate from 5 to 7 years.

  • 7. 
    On 7 December 2011, the Coreper agreed to submit the progress report to the Council. The Council is requested to take note of this progress report reflected in the attached Presidency compromise proposal.

_________________

ANNEX

Presidency Compromise Proposal for a

REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

Concerning the European Network and Information Security Agency (ENISA)

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 114 thereof,

Having regard to the proposal from the European Commission,

Having regard to the opinion of the European Economic and Social Committee [4],

After consulting the Committee of the Regions,

After transmission of the proposal to the national Parliaments,

Acting in accordance with the ordinary legislative procedure,

Whereas:

[4] OJ C 107, 6.4.2011, p. 58.

(1) Electronic communications, infrastructure and services are an essential factor in economic and societal development. They play a vital role for society and have become ubiquitous utilities in the same way that electricity or water supplies are. Their disruption has the potential to cause considerable economic damage, underlining the importance of measures to increase protection and resilience aimed at ensuring continuity of critical services. The security of electronic communications, infrastructure and services, in particular their integrity, availability and confidentiality, faces continuously expanding challenges. This is of increasing concern to society, not least because of the possibility of problems due to system complexity, accidents, mistakes and attacks that may have consequences for the physical infrastructure which delivers services critical to the well-being of European citizens.

(2) The threat landscape is continuously changing and security incidents can undermine the trust that users have in technology, networks and services, thereby affecting their ability to exploit the full potential of the internal market and widespread use of ICT.

(3) The representatives of the Member States, meeting in the European Council on 13 December 2003, decided that the European Network and Information Security Agency (ENISA), that was to be established on the basis of the proposal submitted by the Commission, would have its seat in a town in Greece to be determined by the Greek Government. The Greek Government decided to assign the seat of the Agency to Heraklion, Crete.

(4) In 2004 the European Parliament and the Council adopted Regulation (EC) No 460/2004 [5] establishing the European Network and Information Security Agency with the purpose of contributing to the goals of ensuring a high level of network and information security within the Union and developing a culture of network and information security for the benefit of citizens, consumers, enterprises and public administrations. In 2008, the European Parliament and the Council adopted Regulation (EC) No 1007/2008 [6] extending the mandate of the Agency until March 2012. In 2011, the European Parliament and the Council adopted Regulation (EC) No 580/2011 [7] extending the mandate of the Agency until 13 September 2013.

[5] OJ L 77, 13.3.2004, p. 1.

[6] OJ L 293, 31.10.2008, p. 1.

[7] OJ L 165, 24.6.2011, p. 3.

(5) In response to the changing challenges of network and information security, the Union has updated its priorities for network and information security policy in a number of documents, including the 2006 Commission Communication Strategy for a Secure Information Society – Dialogue, partnership and empowerment [8], the Council Resolution of 2007 on a Strategy for a Secure Information Society in Europe [9], the 2009 Communication Critical Information Infrastructure Protection – ‘Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience’ [10], the 2009 Presidency Conclusions of the Ministerial Conference on Critical Information Infrastructure Protection (CIIP) in Tallinn, the Council Resolution of 2009 on a collaborative European approach to Network and Information Security [11], the 2011 Presidency Statement following the Ministerial Conference on CIIP in Balatonfüred and the 2011 Council Conclusions on the Critical Information Infrastructure Protection "Achievements and next steps: towards global cybersecurity" [12]. The Digital Agenda for Europe [13] recognized the need to modernise the Agency. The present proposal aims to strengthen the Agency to successfully contribute to the efforts of the Union's institutions and the Member States to develop a European capacity to cope with network and information security challenges.

(6) The European Data Protection Supervisor was consulted and adopted its opinion on 20 December 2010 [14].

[8] COM(2006) 251, 31.5.2006.

[9] Council Resolution of 22 March 2007 on a Strategy for a Secure Information Society in Europe (OJ C 68, 24.3.2007, p. 1).

[10] COM(2009) 149, 30.3.2009.

[11] Council Resolution of 18 December 2009 on a collaborative approach to Network and Information Security (OJ C 321, 29.12.2009, p. 1).

[12] Council Conclusions of 27 May 2011, doc. 10299/11.

[13] COM(2010) 245, 19.5.2010.

[14] OJ C 101, 1.4.2011, p. 20.

(7) Internal market measures in the field of security of electronic communications, and, more generally, network and information security require different forms of technical and organisational applications by the Member States and the Commission. The heterogeneous application of these requirements can lead to inefficiencies and can create obstacles to the internal market. This calls for a centre of expertise at European level providing guidance, advice, and when called upon, assistance on issues related to network and information security, which may be relied upon by the Member States and the Union's institutions. The Agency can respond to these needs by developing and maintaining a high level of expertise and assisting the Member States, the Commission and as a consequence the business community to meet the legal and regulatory requirements of network and information security, thereby contributing to the smooth functioning of the internal market.

(8) The Agency should carry out the tasks conferred on it by Union legislation in the field of electronic communications and, in general, contribute to an enhanced level of security of electronic communications by, among other things, providing expertise and advice, and promoting the exchange of good practices.

(9) Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive) [15] requires that providers of public electronic communications networks or publicly available electronic communications services take appropriate measures to safeguard their integrity and security and introduces the obligation for the national regulatory authorities, where appropriate, to inform inter alia the Agency about a security breach and integrity loss that has had a significant impact on the operation of networks or services and to submit to the Agency an annual summary report on the notifications received and the action taken. Directive 2002/21/EC further calls on the Agency to contribute to the harmonisation of appropriate technical and organisational security measures by providing opinions.

[15] OJ L 108, 24.4.2002, p. 33.

(10) Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) [16] requires a provider of a publicly available electronic communications service to take appropriate technical and organisational measures to safeguard the security of its services and also requires confidentiality of the communications and related traffic data. Directive 2002/58/EC introduces personal data breach information and notification requirements for electronic communication services providers. It also requires the Commission to consult the Agency on any technical implementing measures to be adopted concerning the circumstances or format of and procedures applicable to information and notification requirements. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [17] requires Member States to provide that the controller must implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

(11) The Agency should operate as a point of reference establishing trust and confidence by virtue of its independence, the quality of the advice it delivers and the information it disseminates, the transparency of its procedures and methods of operation, and its diligence in carrying out the tasks assigned to it. The Agency should build on national and Union efforts and therefore carry out its tasks in full cooperation with the Member States and be open to contacts with industry and other relevant stakeholders. In addition, the Agency should build on the input from and cooperation with the private sector, which plays an important role in securing electronic communications, infrastructures and services.

[16] OJ L 201, 31.7.2002, p. 37.

[17] OJ L 281, 23.11.1995, p. 31.

(12) A set of tasks should indicate how the Agency is to accomplish its objectives while allowing flexibility in its operations.

(13) The Agency should assist the Commission by means of advice, opinions and analyses on all the Union matters related to policy development in the area of network and information security, including CIIP and resilience. The Agency should also assist the Member States, at their request, and the Union institutions and bodies set up by Union law in their efforts to develop network and information security policy and capability.

(14) The Agency should utilise the ongoing research, development, and technological assessment activities, in particular those carried out by the different Union research initiatives, to advise the Union and, at their request, the Member States on research needs in the area of network and information security.

(15) The Agency should assist the Member States, at their request, as well as the Union's institutions and bodies set up by Union law in their efforts to build and enhance cross-border capability and preparedness to prevent, detect, and respond to network and information security problems and incidents; in this regard, the Agency should facilitate cooperation among the Member States and between the Member States and the Commission. To this end, the Agency should support the Member States, at their request, in their continuous efforts to improve their response capability and to organise and run national and European cybersecurity exercises.

(16) To understand better the challenges in the network and information security field, the Agency needs to analyse current and emerging risks. For that purpose the Agency should, in cooperation with Member States, Union bodies and, as appropriate, statistical bodies, collect relevant information. Furthermore, the Agency should assist the Member States and the Union's institutions and bodies set up by Union law in their efforts to collect, analyse and disseminate network and information security data. The collection of appropriate statistical information and data needed to carry out analyses of the risks to the security and resilience of electronic communications, infrastructure and services should take place on the basis of the information provided by the Member States and the Agency's insight into the Union's Institutions' ICT infrastructures, in accordance with the Union provisions and national provisions in compliance with the Union law. On the basis of this information, the Agency should maintain awareness of the latest state of network and information security and related trends in Europe for the benefit of the Member States and the Union's institutions.

(17) To ensure full achievement of its objectives, the Agency should liaise with bodies set up by Union law, including those dealing with cybercrime and privacy protection authorities, to exchange know-how and best practices and provide advice on network and information security aspects that might have an impact on their work, aiming to deliver synergies between their efforts and the Agency's efforts to promote advanced network and information security. Representatives of Union law enforcement and privacy protection authorities should be eligible to be represented in the Agency’s Permanent Stakeholders Group. In liaising with law enforcement bodies on network and information security aspects that might have an impact on their work, the Agency should respect existing channels of information and established networks.

(18) The Commission has launched a European Public-Private Partnership for Resilience as a flexible Europe-wide cooperation platform for resilience of ICT infrastructure, in which the Agency should play a facilitating role, bringing together public and private sector stakeholders to discuss public policy priorities, economic and market dimensions of challenges and measures for resilience of ICT.

(19) To promote network and information security and its visibility the Agency should facilitate cooperation among the Member States’ competent public bodies, in particular by supporting the development and exchange of good practices and awareness-raising schemes and by enhancing their outreach activities. The Agency should also support cooperation between public and private stakeholders and the Union's institutions, partly by promoting information sharing and awareness-raising activities.

(20) To enhance an advanced level of network and information security in the Union the Agency shall promote voluntary cooperation and exchange of good practices between relevant organisations e.g. Computer Security Incident Response Teams (CSIRTs)/Computer Emergency Response Teams (CERTs).

(21) Efficient security policies should be based on well-developed risk assessment methods, both in the public and private sector. Risk assessment methods and procedures are used at different levels with no common practice on their efficient application. The promotion and development of best practice for risk assessment and for interoperable risk management solutions in public and private sector organisations will increase the security level of networks and information systems in Europe. To this end, the Agency should support cooperation between public and private stakeholders at Union level, facilitating their efforts relating to the establishment and take-up of European and international standards for risk management and for measurable security of electronic products, systems, networks and services.

(22) Network and information security problems are global issues. There is a need for closer international cooperation to improve security standards, improve information exchange, and promote a common global approach to network and information security issues. To this end, the Agency should contribute to the Union efforts to cooperate with third countries and international organisations, where appropriate, with the European External Action Service (EEAS).

(23) The Agency should operate according to, respectively, (i) the principle of subsidiarity, ensuring an appropriate degree of coordination between the Member States on NIS-related matters and improving the effectiveness of national policies, thus adding value to them, and (ii) the principle of proportionality, not going beyond what is necessary in order to achieve the objectives set out by this Regulation. The exercise of the Agency’s tasks should not interfere with the competencies nor pre-empt, impede or overlap with the relevant powers and tasks of: the national regulatory authorities as set out in the Directives relating to the electronic communications networks and services, as well as the Body of European Regulators for Electronic Communications (BEREC) established by Regulation 1211/2009 [18] of the European Parliament and the Council and the Communications Committee referred to in Directive 2002/21/EC, the European standardisation bodies, the national standardisation bodies and the Standing Committee as set out in Directive 98/34/EC of the European Parliament and of the Council of 22 June 1998 laying down a procedure for the provision of information in the field of technical standards and regulations and of rules on Information Society Services [19], and the supervisory authorities of the Member States relating to the protection of individuals with regard to the processing of personal data and on the free movement of such data.

(24) In order to ensure that the Agency is effective, the Member States and the Commission should be represented on a Management Board, which should define the general direction of the operation of the Agency and ensure that it carries out its tasks in accordance with this Regulation.

(25) The Executive Director should be appointed after an open competition on the grounds of merit and perform his/her duties with complete independence. The Executive Director should manage the Agency in accordance with this Regulation and take all necessary steps to ensure the smooth functioning of the Agency.

[18] OJ L 337, 18.12.2009, p. 1.

[19] OJ L 204, 21.7.1998, p. 37.

(26) The Agency should have a Permanent Stakeholders’ Group as an advisory body, to ensure regular dialogue with the private sector, consumers’ organisations, providers of electronic communications networks or services available to the public and other relevant stakeholders.

(27) The Agency should apply the relevant Union legislation concerning public access to documents as set out in Regulation (EC) No 1049/2001 of the European Parliament and of the Council [20]. The information processed by the Agency for purposes relating to its internal functioning as well as the information processed during the performance of its tasks should be subject to Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data [21].

(28) Within its scope, in its objectives and in the fulfilment of its tasks, the Agency should comply in particular with the provisions applicable to the Union's institutions, and with national legislation regarding the treatment of sensitive documents.

(29) In order to guarantee the full autonomy and independence of the Agency, it is considered necessary to grant it an autonomous budget whose revenue comes primarily from a contribution from the Union and contributions from third countries participating in the Agency’s work. The host Member State, or any other Member State, should be allowed to make voluntary contributions to the revenue of the Agency. The Union’s budgetary procedure remains applicable as far as any subsidies chargeable to the general budget of the Union are concerned. Moreover, the Court of Auditors should undertake the auditing of accounts.

[20] Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents (OJ L 145, 31.5.2001, p. 43).

[21] Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ L 8, 12.1.2001, p. 1).

(30) The Agency should succeed ENISA as established by Regulation No 460/2004. Within the framework of the decision of the Representatives of the Member States, meeting in the European Council of 13 December 2003, the host Member State should maintain and develop the current practical arrangements in order to ensure the smooth and efficient operation of the Agency.

(31) The Agency should be established for a limited period. By …. and every four years thereafter, its operations should be evaluated independently with regard to the effectiveness of achieving the objectives, of its working practices and the relevance of the activities pursued, in order to determine the continuing validity, or otherwise, of the objectives of the Agency and, based on this, whether and for which period the duration of its operations should be further extended.

SECTION 1 SCOPE, OBJECTIVES AND TASKS

Article 1 Subject matter and Scope

  • 1. 
    This Regulation establishes a European Network and Information Security Agency (hereinafter ‘the Agency’) for the purpose of contributing to a high level of network and information security within the Union and in order to raise awareness, and develop a culture of network and information security in society for the benefit of the citizens, consumers, enterprises and public sector organisations in the Union, thus contributing to the smooth functioning of the internal market.

  • 2. 
    The objectives and the tasks of the Agency shall be without prejudice to the competencies of the Member States regarding network and information security and in any case to activities concerning public security, defence, State security (including the economic well-being of the State when the issues relate to State security matters) and the activities of the State in areas of criminal law.

  • 3. 
    For the purposes of this Regulation “network and information security” shall mean the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted data and the related services offered by or accessible via these networks and systems.

Article 2 Objectives

  • 1. 
    The Agency shall develop and maintain a high level of expertise.
  • 2. 
    The Agency shall assist the Union's institutions to develop the necessary policies in network and information security.
  • 3. 
    The Agency shall assist the Member States to implement the policies necessary to meet the legal and regulatory requirements of network and information security in present and future Union legislation, thus contributing to the smooth functioning of the internal market.
  • 4. 
    The Agency shall assist in enhancing and strengthening the capability and preparedness of the Union and of Member States to prevent, detect and respond to network and information security problems and incidents.

  • 5. 
    The Agency shall use its expertise to stimulate broad cooperation between actors both from the public and private sectors.

Article 3 Tasks

  • 1. 
    Within the purpose set out in Article 1, and for the objectives referred to in Article 2, the Agency shall perform the following tasks:

    (a) Assist the Commission, at its request or on its own initiative, on all matters related to network and information security policy by providing it with advice, opinions and analyses, and with preparatory work for developing and updating Union legislation in the field of network and information security;

    (b) Advise the Union and, at their request, the Member States on research needs in the area of network and information security with a view to enabling effective responses to current and emerging network and information security risks and threats and to using risk prevention technologies effectively;

    (c) Facilitate the cooperation among the Member States and between the Member States and the Union's Institutions in their efforts to prevent, detect and respond to network and information security problems and incidents where these have an impact across borders;

    (d) Support Member States, at their request, in their efforts to develop and improve network and information security prevention, detection, analysis and response capability, to organize and run national and European network and information security exercises;

    (e) Support and promote voluntary co-operation between relevant organizations, e.g. CSIRTs/CERTs, and continually develop and regularly share best practices in their cooperation with the aim to arrive at an advanced level of network and information security;

    (f) Support the Member States, at their request, and the Union's Institutions to organise awareness raising and other outreach activities to increase network and information security and its visibility;

    (g) Assist the Union's institutions and bodies set up by Union law in their efforts to develop network and information security prevention, detection, analysis and response capability;

    (h) Assist the Member States and the Union's institutions and bodies set up by Union law in their efforts to collect, analyse and disseminate network and information security data;

    (i) On the basis of information provided by the Member States and the Union's Institutions in accordance with the Union provisions and national provisions in compliance with the Union law, maintain awareness of the latest state of network and information security in the Union for the benefit of the Member States and the Union's Institutions;

    (j) Liaise and exchange know-how and best practices with bodies set up by Union law, including those dealing with cybercrime and data protection, and provide advice on network and information security aspects that might have an impact on their work, aiming to deliver synergy between their efforts and the Agency's efforts to promote improved network and information security;

    (k) Support and promote cooperation among the competent public bodies and between public and private stakeholders, including universities and research centres in the Union, inter alia, facilitate dialogue and efforts to develop and exchange good practices, promote information sharing and awareness raising, facilitate the establishment and take-up of European and international standards for risk management and for the security of electronic products, networks and services;

    (l) Contribute to the Union efforts to cooperate with third countries and international organisations, where appropriate with the EEAS, to promote international cooperation and a global common approach to network and information security issues, for instance by supporting cooperation with the relevant organisations, e.g. CSIRTs/CERTs, and promoting involvement in international network and information security exercises;

    (m) Provide Member States, at their request, with the necessary knowledge and other resources available to strengthen their network and information security capability;

    (n) Express independently its own conclusions, orientations and give advice on matters within the scope and objectives of this Regulation.

  • 2. 
    The Agency shall carry out tasks conferred on it by Union legislative acts.

SECTION 2 ORGANISATION

Article 4 Bodies of the Agency

The Agency shall comprise:

(a) a Management Board;

(b) an Executive Director and the staff; and

(c) a Permanent Stakeholders’ Group.

Article 5 Management Board

  • 1. 
    The Management Board shall define the general direction of the operation of the Agency and ensure that the Agency works in accordance with the rules and principles laid down in this Regulation. It shall also ensure consistency of the Agency's work with activities conducted by the Member States as well as by the Union's Institutions and bodies set up by Union law.

  • 2. 
    The Management Board shall adopt its rules of procedure after consulting the Commission.
  • 3. 
    The Management Board shall adopt the Agency’s internal rules of operation after consulting the Commission. These rules shall be made public.
  • 4. 
    The Management Board shall appoint the Executive Director in accordance with Article 10(2) and may dismiss the Executive Director.
  • 5. 
    The Management Board shall be consulted by the Executive Director on the main activities, priorities and objectives that the Agency shall be focusing on for the next year. The first draft of the Agency's work programme shall be based on the result of this consultation.
  • 6. 
    The Management Board shall adopt the Agency's work programme in accordance with Article 12.
  • 7. 
    The Management Board shall adopt the general report on the Agency’s activities for the previous year in accordance with Article 13 (2).
  • 8. 
    The Management Board, after consulting the Commission, shall adopt the multi-annual Staff Policy Plan, taking into account the multi-annual outlook of the work programme and the statement of estimates of the Agency's revenue and expenditure. It shall duly inform the Budgetary Authority.

  • 9. 
    The Management Board shall adopt the financial rules applicable to the Agency. They may not depart from Commission Regulation (EC, Euratom) No 2343/2002 of 19 November 2002 on the framework Financial Regulation for the bodies referred to in Article 185 of Council Regulation (EC, Euratom) No 1605/2002 on the Financial Regulation applicable to the general budget of the European Communities, unless such departure is specifically required for the Agency's operation and the Commission has given its prior consent.

  • 10. 
    The Management Board shall adopt appropriate implementing rules, in accordance with Article 110 of the Staff Regulations of officials of the European Union.
  • 11. 
    The Management Board may set up working bodies composed of its members to assist it in carrying out its tasks, including drafting its decisions and monitoring the implementation thereof.

    Article 6 Composition of the Management Board

  • 1. 
    The Management Board shall be composed of one representative of each Member State, authorised to act on behalf of that Member State, three representatives appointed by the Commission, and four representatives without the right to vote, appointed by the Commission, each of whom represent one of the following groups:

    (a) the information and communication technologies industry;

    (b) providers of electronic communications networks or services available to the public;

    (c) consumer groups;

    (d) academic experts in network and information security.

    Management Board members may be replaced by their alternates in accordance with the rules of procedure of the Management Board.

  • 2. 
    Management Board members and their alternates shall be appointed on the basis of their degree of relevant experience and expertise in the field of network and information security.
  • 3. 
    The term of office of the representatives of the groups referred to in points (a) to (d) of paragraph 1 shall be four years. This term of office may be extended once. If a representative ceases his/her affiliation with the respective interest group, the Commission shall appoint a replacement.

    Article 7 Chair of the Management Board

    The Management Board shall elect its Chair and a Deputy Chair from among its members for a period of three years, which shall be renewable once. The Deputy Chair shall ex officio replace the Chair if the latter is unable to attend to his or her duties.

    Article 8 Meetings

  • 1. 
    Meetings of the Management Board shall be convened by its Chair.
  • 2. 
    The Management Board shall hold an ordinary meeting twice a year. It shall also hold extraordinary meetings at the instance of the Chair or at the request of at least a third of its members with the right to vote.
  • 3. 
    The Executive Director shall take part in the meetings of the Management Board, without voting rights.

Article 9

Voting

  • 1. 
    The presence of at least two thirds of the Management Board members with the right to vote or of their alternates is required to enable the Management Board to vote. A member of the Management Board who is prevented from attending a meeting may arrange to be represented in accordance with the rules of procedure of the Management Board. The Management Board shall take its decisions by a majority of its members with the right to vote.
  • 2. 
    A two-thirds majority of all Management Board members with the right to vote is required for the adoption of its rules of procedure, the Agency's internal rules of operation, the budget, the annual work programme and the appointment, extension of the term of office or dismissal of the Executive Director.

    Article 10 Executive Director

  • 1. 
    The Agency shall be managed by its Executive Director, who shall be independent in the performance of his/her duties and demonstrate on an ongoing basis commitment to good and efficient management.
  • 2. 
    The Executive Director shall be appointed by the Management Board from a list of candidates proposed by the Commission after an open competition following publication in the Official Journal of the European Union and elsewhere of a call for expressions of interest. The Executive Director shall be appointed for a period of five years, on grounds of merit and documented administrative and managerial skills, as well as specific competence and experience. Before appointment, the candidate selected by the Management Board may be invited to make a statement before the competent committee of the European Parliament and answer questions put by its members.

  • 3. 
    In the course of the nine months preceding the end of the Executive Director's term of office referred to in paragraph 2 and without prejudice to Article 23 (1) and (2), the Commission shall draw up an evaluation report. In the evaluation report, the Commission shall assess in particular:

    -the performance of the Executive Director and

    -the Agency's duties and requirements in the coming years.

  • 4. 
    The Management Board, acting on a proposal from the Commission, taking into account the evaluation report and only in those cases where it can be justified by the duties and requirements of the Agency, may extend the term of office of the Executive Director for a period not longer than three years.

  • 5. 
    The Management Board shall inform the European Parliament about its intention to extend the Executive Director's term of office. Within three months before the extension of his/her term of office, the Executive Director shall, if invited, make a statement before the competent committee of the Parliament and answer questions put by its members.
  • 6. 
    The Executive Director shall remain in office until the appointment of his/her successor.
  • 7. 
    The Executive Director shall be responsible for:

    (a) the day-to-day administration of the Agency;

    (b) implementing the work programme and the decisions adopted by the Management Board;

    (c) ensuring that the Agency performs its activities in accordance with the requirements of those using its services, in particular with regard to the adequacy of the services provided;

    (d) all specific staff matters, ensuring compliance with the general directions of the Management Board and with Management Board decisions of a general nature;

    (e) developing and maintaining contact with the Union's institutions and bodies set up by Union law;

    (f) developing and maintaining contact with the business community and consumers’ organisations to ensure regular dialogue with relevant stakeholders;

    (g) other tasks assigned to him/her by this Regulation.

  • 8. 
    Where necessary and within the Agency's objectives and tasks, the Executive Director may set up ad hoc Working Groups composed of experts, including from the Member States' competent authorities. The Management Board shall be informed in advance. The procedures regarding in particular the composition, the appointment of the experts by the Executive Director and the operation of the ad hoc Working Groups shall be specified in the Agency's internal rules of operation.

  • 9. 
    The Executive Director shall make administrative support staff and other resources available to the Management Board whenever necessary.

    Article 11 Permanent Stakeholders’ Group

  • 1. 
    The Management Board shall set up a Permanent Stakeholders' Group on a proposal by the Executive Director, composed of experts representing the relevant stakeholders, such as the information and communication technologies industry, providers of electronic communications networks or services available to the public, consumer groups, academic experts in network and information security, and relevant authorities, including Union law enforcement and privacy protection authorities.

  • 2. 
    Procedures for, in particular, the number, composition, and appointment of the members by the Management Board, proposal by the Executive Director and the operation of the Group shall be specified in the Agency’s internal rules of operation and shall be made public.
  • 3. 
    The Group shall be chaired by the Executive Director. On a proposal of the Executive Director, the Management Board may decide to delegate the task of the Chair of the Group to a Member of the Group.

  • 4. 
    The term of office of the Group's members shall be two-and-a-half years. Members of the Management Board may not be members of the Group. Commission staff and experts from the Member States shall be entitled to be present at the meetings and participate in the work of the Group. If they are not members, other relevant bodies set up by Union law may be invited to be present at the meetings and participate in the work of the Group.

  • 5. 
    The Group shall advise the Agency in the performance of its activities. The Group shall in particular advise the Executive Director on drawing up a proposal for the Agency's work programme, and on ensuring communication with the relevant stakeholders on all issues related to the work programme.

SECTION 3 OPERATION

Article 12 Work Programme

  • 1. 
    The Agency shall carry out its operations in accordance with its work programme, which shall contain all of its planned activities. The work programme shall not prevent the Agency from taking up unforeseen activities that fall within its objectives and tasks and within the limits of its budget. The Executive Director shall inform the Management Board of activities of the Agency that are not provided for in the work programme.

  • 2. 
    The Executive Director shall be responsible for drawing up the first draft of the Agency’s work programme after prior consultation with the Commission, the Management Board and the Permanent Stakeholders Group. The Executive Director shall ensure that the first draft of the Agency's work programme has clear objectives and provides for performance indicators allowing for an effective assessment of the results achieved.
  • 3. 
    Before 1 March each year the Executive Director shall submit the first draft of the Agency's work programme for the following year to the Management Board.
  • 4. 
    Before 30 November each year, the Management Board shall adopt the Agency's work programme for the following year in consultation with the Commission. The work programme shall include a multi-annual outlook, which shall cover main aspects of the Agency's operations, activities and commitments. The Management Board shall ensure that the work programme clearly states the objectives to be achieved, the resources to be allocated, how the results of the Agency's activities shall be measured and that the work programme is consistent with the Agency's objectives and with the Union's legislative and policy priorities in the area of network and information security.

  • 5. 
    The work programme shall be organised in accordance with the Activity-Based Management (ABM) principle, with an indication of the anticipated human and financial resources allocated to each activity. The work programme shall be in line with the statement of estimates of the Agency's revenue and expenditure and the Agency's budget for the same financial year.

    Article 13 General report

  • 1. 
    Each year, the Executive Director shall submit to the Management Board a draft general report covering all the activities of the Agency in the previous year. The general report shall measure and publish the impact of the Agency's activities for the previous year.
  • 2. 
    Before 31 March each year, the Management Board shall adopt the general report on the Agency's activities for the previous year.

  • 3. 
    The Executive Director shall, following adoption by the Management Board, transmit the Agency's general report to the European Parliament, the Council, the Commission, the Court of Auditors, the European Economic and Social Committee and the Committee of the Regions and shall have it published.

    Article 14 Requests to the Agency

  • 1. 
    Requests for advice and assistance falling within the Agency's objectives and tasks shall be addressed to the Executive Director and accompanied by background information explaining the issue to be addressed. The Executive Director shall inform the Management Board of the requests received, the potential resource implications and, in due course, of the follow-up given to the requests. If the Agency refuses a request, justification shall be given.

  • 2. 
    Requests referred to in paragraph 1 may be made by:

    (a) the European Parliament;

    (b) the Council;

    (c) the Commission;

    (d) any competent body appointed by a Member State, such as a national regulatory authority as defined in Article 2 of Directive 2002/21/EC.

  • 3. 
    The practical arrangements for applying paragraphs 1 and 2, regarding in particular submission, prioritisation, follow up and information of the Management Board on the requests to the Agency, shall be laid down by the Management Board in the Agency’s internal rules of operation.

    Article 15 Declaration of interest

  • 1. 
    Members of the Management Board, the Executive Director and officials seconded by Member States on a temporary basis shall make a declaration of commitment and a declaration indicating either the absence of any direct or indirect interests which might be considered prejudicial to their independence or any direct or indirect interests which might be considered prejudicial to their independence. Those declarations shall be made annually in writing and updated whenever necessary.

  • 2. 
    Members of the Management Board, external experts participating in ad hoc Working Groups and the Executive Director shall declare at the latest at each meeting any interest which might be considered prejudicial to their independence in relation to the items on the agenda. The procedure related to the replacement of a member in the meeting or its abstention from participating in the discussions on such points shall be laid down by the Management Board in the Agency's internal rules of operation.

    Article 16 Transparency

  • 1. 
    The Agency shall ensure that it carries out its activities with a high level of transparency and in accordance with Articles 14 and 15.
  • 2. 
    The Agency shall ensure that the public and any interested parties are given, objective, reliable and easily accessible information, in particular with regard to the results of its work, where appropriate. It shall also make public the declarations of interest made in accordance with Article 15.
  • 3. 
    The Management Board, acting on a proposal from the Executive Director, may authorise interested parties to observe the proceedings of some of the Agency’s activities.
  • 4. 
    In its internal rules of operation, the Agency shall lay down the practical arrangements for implementing the transparency rules referred to in paragraphs 1 and 2.

    Article 17 Confidentiality

  • 1. 
    Without prejudice to Article 14, the Agency shall not divulge to third parties information that it processes or receives for which confidential treatment has been requested.
  • 2. 
    Members of the Management Board, the Executive Director, the members of the Permanent Stakeholders' Group, external experts participating in ad hoc Working Groups, and members of the staff of the Agency including officials seconded by Member States on a temporary basis are subject to confidentiality requirements under Article 339 of the Treaty even after their duties have ceased.

  • 3. 
    The Agency shall lay down in its internal rules of operation the practical arrangements for implementing the confidentiality rules referred to in paragraphs 1 and 2.
  • 4. 
    The Management Board may decide to allow the Agency to handle classified information. In that case the Management Board shall, in agreement with the Commission, adopt internal rules of operation applying the security principles contained in Commission Decision 2001/844/EC, ECSC, Euratom of 29 November 2001 amending its internal rules of procedure 22. This shall cover, inter alia, provisions for the exchange, processing and storage of classified information.

    Article 18 Access to documents

  • 2. 
    The Management Board shall adopt arrangements for implementing Regulation (EC) No 1049/2001 within six months of the establishment of the Agency.

  • 3. 
    Decisions taken by the Agency pursuant to Article 8 of Regulation (EC) No 1049/2001 may form the subject of a complaint to the Ombudsman or of an action before the Court of Justice of the European Union, under Articles 228 and 263 of the Treaty respectively.

22 OJ L 317, 3.12.2001, p. 1.

SECTION 4 FINANCIAL PROVISIONS

Article 19 Adoption of the budget

  • 1. 
    The revenues of the Agency shall consist of a contribution from the European Union budget, contributions from third countries participating in the work of the Agency as provided for in Article 28, and voluntary contributions from Member States, in money or in kind. Member States providing voluntary contributions cannot claim any specific right or service as a result of this contribution.

  • 2. 
    The expenditure of the Agency shall include staff, administrative and technical support, infrastructure and operational expenses, and expenses resulting from contracts entered into with third parties.
  • 3. 
    By 1 March each year at the latest, the Executive Director shall draw up a draft statement of estimates of the Agency’s revenue and expenditure for the following financial year, and shall forward it to the Management Board, together with a draft establishment plan.
  • 4. 
    Revenue and expenditure shall be in balance.
  • 5. 
    Each year, the Management Board, on the basis of a draft statement of estimates of revenue and expenditure drawn up by the Executive Director, shall produce a statement of estimates of revenue and expenditure for the Agency for the following financial year.
  • 6. 
    This statement of estimates, which shall include a draft establishment plan together with the draft work programme, shall, by 31 March at the latest, be sent by the Management Board to the Commission and the States with which the European Union has concluded agreements in accordance with Article 28.
  • 7. 
    This statement of estimates shall be forwarded by the Commission to the European Parliament and the Council (both hereinafter 'the budgetary authority') together with the draft general budget of the European Union.

  • 8. 
    On the basis of this statement of estimates, the Commission shall enter in the draft general budget of the European Union the estimates it deems necessary for the establishment plan and the amount of the subsidy to be charged to the general budget, which it shall submit to the budgetary authority in accordance with Article 314 of the Treaty.
  • 9. 
    The budgetary authority shall authorise the appropriations for the subsidy to the Agency.
  • 10. 
    The budgetary authority shall adopt the establishment plan for the Agency.
  • 11. 
    Together with the work programme, the Management Board shall adopt the Agency's budget. It shall become final following final adoption of the general budget of the European Union. Where appropriate, the Management Board shall adjust the Agency's budget and work programme in accordance with the general budget of the European Union. The Management Board shall forward it without delay to the Commission and the budgetary authority.

    Article 20 Combating fraud

  • 1. 
    In order to combat fraud, corruption and other unlawful activities, Regulation (EC) No 1073/1999 of the European Parliament and of the Council of 25 May 1999 concerning investigations conducted by the European Anti-fraud Office (OLAF) 23 shall apply without restriction.

23 OJ L 136, 31.5.1999, p. 1.

  • 2. 
    The Agency shall accede to the Interinstitutional Agreement of 25 May 1999 between the European Parliament and the Council of the European Union and the Commission of the European Communities concerning internal investigations by the European Anti-fraud Office (OLAF) 24 and shall issue, without delay, the relevant provisions applicable to all the employees of the Agency.

    Article 21

    Implementation of the budget

  • 1. 
    The Executive Director shall implement the Agency’s budget.
  • 2. 
    The Commission’s internal auditor shall exercise the same powers over the Agency as over Commission departments.
  • 3. 
    By 1 March at the latest following each financial year, the Agency's accounting officer shall send the provisional accounts to the Commission's accounting officer together with a report on the budgetary and financial management for that financial year. The Commission's accounting officer shall consolidate the provisional accounts of the institutions and decentralised bodies in accordance with Article 128 of Council Regulation (EC, Euratom) No 1605/2002 of 25 June 2002 on the Financial Regulation applicable to the general budget of the European Communities 25 (hereinafter 'the general Financial Regulation').

  • 4. 
    No later than 31 March following each financial year, the Commission's accounting officer shall send the Agency's provisional accounts to the Court of Auditors, together with a report on the budgetary and financial management for that financial year. The report on the budgetary and financial management for the financial year shall also be sent to the budgetary authority.

24 OJ L 136, 31.5.1999, p. 15.

25 OJ L 248, 16.9.2002, p. 1.

  • 5. 
    On receipt of the Court of Auditors' observations on the Agency's provisional accounts, pursuant to Article 129 of the general Financial Regulation, the Executive Director shall draw up the Agency's final accounts under his/her own responsibility and send them to the Management Board for an opinion.

  • 6. 
    The Management Board shall deliver an opinion on the Agency’s final accounts.
  • 7. 
    The Executive Director shall, no later than 1 July following each financial year, transmit the final accounts to the European Parliament, the Council, the Commission and the Court of Auditors, together with the Management Board's opinion.

  • 8. 
    The Executive Director shall publish the final accounts.
  • 9. 
    The Executive Director shall send the Court of Auditors a reply to its observations by 30 September at the latest. He/she shall also send this reply to the Management Board.

  • 10. 
    The Executive Director shall submit to the European Parliament, at the latter’s request, all the information necessary for the smooth application of the discharge procedure for the financial year in question, as laid down in Article 146(3) of the general Financial Regulation.
  • 11. 
    The European Parliament, acting on a recommendation from the Council, shall, before

    implementation of the budget for the year N.


SECTION 5 GENERAL PROVISIONS

Article 22 Legal status

  • 1. 
    The Agency shall be a body of the Union. It shall have legal personality.
  • 2. 
    In each of the Member States the Agency shall enjoy the most extensive legal capacity accorded to legal persons under their laws. It may in particular, acquire and dispose of movable and immovable property and be a party to legal proceedings.
  • 3. 
    The Agency shall be represented by its Executive Director.

Article 23

Staff

  • 1. 
    The rules and regulations applicable to officials and other staff of the Union shall apply to the staff of the Agency, including its Executive Director.
  • 2. 
    In respect of the Executive Director, the Management Board shall exercise all the powers conferred on the appointing authority by the Staff Regulations of officials of the European Union and on the authority entitled to conclude contracts by the Conditions of Employment.
  • 3. 
    In respect of the staff of the Agency, the Executive Director shall exercise the powers conferred on the appointing authority by the Staff Regulations of officials of the European Union and on the authority entitled to conclude contracts by the Conditions of Employment.
  • 4. 
    The Agency may employ national experts from Member States on secondment. The Agency shall lay down in its internal rules of operation the practical arrangements for implementing this.

    Article 24 Privileges and immunities

The Protocol on the Privileges and Immunities of the European Communities shall apply to the Agency and its staff.

Article 25

Liability

  • 1. 
    The contractual liability of the Agency shall be governed by the law applicable to the contract in question.

    The Court of Justice of the European Union shall have jurisdiction to give judgment pursuant to any arbitration clause contained in a contract concluded by the Agency.

  • 2. 
    In the case of non-contractual liability, the Agency shall, in accordance with the general principles common to the laws of the Member States, make good any damage caused by it or its servants in the performance of their duties.

    The Court of Justice shall have jurisdiction in any dispute relating to compensation for such damage.

  • 3. 
    The personal liability of its servants towards the Agency shall be governed by the relevant conditions applying to the staff of the Agency.

    Article 26 Languages

  • 1. 
    The provisions laid down in Regulation No 1 of 15 April 1958 determining the languages to be used in the European Economic Community 26 shall apply to the Agency. The Member States and the other bodies appointed by them may address the Agency and receive a reply in the European Union language of their choice.

  • 2. 
    The translation services required for the functioning of the Agency shall be provided by the Translation Centre for the Bodies of the European Union.

    Article 27 Protection of personal data

When processing data relating to individuals, in particular while performing its tasks, the Agency shall observe the principles of personal data protection in, and be subject to, the provisions of Regulation (EC) No 45/2001.

Article 28 Participation of third countries

  • 1. 
    The Agency shall be open to the participation of third countries which have concluded agreements with the European Union by virtue of which they have adopted and applied Union legislation in the field covered by this Regulation.
  • 2. 
    Arrangements shall be made under the relevant provisions of those agreements, specifying in particular the nature, extent and manner in which these countries will participate in the Agency's work, including provisions relating to participation in the initiatives undertaken by the Agency, financial contributions and staff.

26 OJ 17, 6.10.1958, p. 385/58. Regulation as last amended by the 1994 Act of Accession.

SECTION 6 FINAL PROVISIONS

Article 29 Review clause and evaluation

  • 1. 
    By [….] and every four years thereafter, the Commission, taking into account the views of all relevant stakeholders, shall request an independent third party evaluation on the basis of terms of reference agreed with the Management Board.

  • 2. 
    The evaluation shall assess the effectiveness of the Agency in achieving the objectives set out in Article 2, the relevance of the activities pursued and their relationship and/or complementarity with existing Union policies, and the effectiveness of the Agency's working practices.

  • 3. 
    The evaluation shall serve as a basis in order to determine whether an Agency is still an effective instrument, whether its budget planning for the following years is still appropriate and whether and for which period the duration of the Agency should be further extended beyond the period specified in Article 33.

  • 4. 
    The evaluation report shall be forwarded by the Commission to the European Parliament and the Council and shall be made public.

  • 5. 
    The Management Board shall receive the evaluation report and issue recommendations regarding changes to this Regulation, the Agency, its budget and its working practices to the Commission. The Management Board and the Executive Director shall take the results of the evaluation into consideration in the Agency's multi-annual planning.

    Article 30 Cooperation of the host Member State

The Agency’s host Member State shall ensure the best possible conditions for the smooth and efficient operation of the Agency.

Article 31 Administrative control The operations of the Agency are subject to the supervision of the Ombudsman in accordance with Article 228 of the Treaty.

Article 32 Repeal and succession

  • 2. 
    The Agency succeeds the Agency that was established by Regulation (EC) No 460/2004 as regards all ownership, agreements, legal obligations, employment contracts, financial commitments and liabilities.

[Article 33

Duration

[The Agency shall be established from the date specified in art. 34 for a period of [...] years.]

Article 34

Entry into force

This Regulation shall enter into force on the day following that of its publication in the Official Journal of the European Union, and shall apply with effect from […] or from the day following that of its publication, whichever comes later.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at […],

For the European Parliament For the Council

The President The President

___________________

 
 
 
