The European Commission launched a public consultation on 18 January 2017[1] to seek views on the performance of the European Union Agency for Network and Information Security ("ENISA"). The consultation exercise will form part of the European Commission's evaluation of ENISA, which will assess whether ENISA's mandate and capabilities remain adequate to achieve its mission of supporting EU Member States in boosting their cyber resilience.
The results of the evaluation will influence decisions regarding the possible extension of ENISA's mandate and any alterations to it. This public consultation gives citizens and organisations the opportunity to help shape one element of the EU's response to the increasingly complex issue of cyber-security.
WHAT IS ENISA?
ENISA was established in 2004 to contribute to the overall goal of ensuring a high level of network and information security within the EU. In this context 'network and information security' ("NIS") means the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted data and the related services offered by or accessible via those networks and systems.
ENISA helps the Commission, the Member States and the private sector to address, respond to and, most crucially, prevent NIS deficiencies. ENISA supports the development and implementation of the EU's law and policy on cyber-security and delivers advice to public and private actors. ENISA's main activities include:
- collecting and analysing data on European security incidents and emerging risks;
- promoting risk assessment and methods to enhance capability to deal with NIS threats;
- coordinating pan-European cybersecurity exercises (for example, Cyber Europe 2016)[2];
- encouraging the development of national cyber-security strategies; and
- awareness-raising and cooperation between actors in the NIS field.
COMPOSITION OF ENISA
ENISA has approximately 80 staff members and operates from two offices located in Heraklion and Athens in Greece. ENISA is composed of several bodies: the Executive Director, the Management Board, the Executive Board, and the Permanent Stakeholders Group. The Executive Director is responsible for the administration of ENISA, including the implementation of decisions adopted by the Management Board and the preparation of the work programmes in consultation with the Management Board. The Management Board is composed of representatives of the Member States and European Commission. Its main responsibilities are to devise and execute the budget, adopt the work programme and appoint the Executive Director. The Executive Board is composed of five members of the Management Board. It prepares decisions on administrative and budgetary matters, which may then be adopted by the Management Board. The Permanent Stakeholders Group is an advisory body composed of experts representing relevant stakeholders in the cyber-security field.
EUROPEAN COMMISSION EVALUATION OF ENISA
Regulation 526/2013[3] (the "ENISA Regulation") requires the European Commission to conduct an evaluation of ENISA by June 2018 and to assess the possible need to modify or extend its mandate, which expires in 2020. The European Commission has brought forward the ENISA evaluation as a result of the significant evolution of the EU cyber-security landscape from both threat and policy perspectives.
From a threat perspective, cyber-attacks have been increasing in volume and complexity. Illustrating this, in the last two months of 2016 alone, European companies such as Dyn, ThyssenKrupp and Deutsche Telekom were subject to cyber-attacks.[4]
From a policy perspective, ENISA takes on several new roles as a result of the implementation of the Network and Information Security Directive 2016/1148 (the "NIS Directive").[5] First, ENISA provides the secretariat to the Computer Security Incident Response Team ("CSIRT") network, which promotes effective operational cooperation on specific cyber-security incidents and risks. Secondly, ENISA must assist the Cooperation Group, which supports and facilitates cooperation and information-sharing among Member States.
SCOPE OF THE EVALUATION
The public consultation kicks off the evaluation of ENISA and will remain open until 12 April 2017. The evaluation will start with an assessment of ENISA's past contribution to European NIS systems and will then take into consideration emerging needs in the cyber-security and digital privacy context, to which the European Union should respond with policy choices and appropriate actions.
The evaluation shall assess ENISA using the following criteria:
- Effectiveness: has ENISA delivered on its mandate and to what extent have the organisational structure and working practices contributed to this?
- Efficiency: has ENISA been efficient in implementing the tasks set out in its mandate?
- Relevance: are the objectives set out in ENISA's mandate still appropriate given the evolved cyber-security and digital privacy context? This will include assessing the possible need for a revision or extension of ENISA's mandate beyond 2020.
- Coherence: are ENISA activities coherent with the policies, strategy documents and activities of other stakeholders in the cyber-security field? and
- EU added value: has ENISA been more effective than past, existing or alternative national level arrangements?
The purposes of the evaluation are twofold. First, to assess ENISA's performance in achieving its objectives, mandate and tasks, as laid down in the ENISA Regulation and, second, to provide the basis for a possible revision of the current mandate. ENISA's mandate has been extended twice before by the European Commission in 2009 and 2011.
The NIS Directive represents an attempt to legislate for cyber-security, with reference to 'operators of essential services' and, to a lesser extent, 'digital services providers'. While it remains to be seen whether this legislation-focused attempt to strengthen what might be termed critical national infrastructure in a developed economy will be successful, it is the case that the NIS Directive and the General Data Protection Regulation[6] represent a real attempt to improve the position across the EU and EEA in the area of cyber-security in general. In that context, the ENISA review exercise is timely, in order to ensure that ENISA, now an elderly institution, is reengineered to meet the modern cyber-security threat.