The European Commission launched a public consultation on 18 January 2017 to seek
views on the performance of the European Union Agency for Network and
Information Security (ENISA). The consultation exercise will form part of the
European Commission’s evaluation of ENISA, which will assess whether ENISA’s
mandate and capabilities remain adequate to achieve its mission of supporting
EU Member States in boosting their cyber resilience.
The results of the evaluation will influence
decisions regarding the possible extension of ENISA’s mandate and any
alterations to it. This public consultation gives citizens and organisations the
opportunity to help shape one element of the EU’s response to the increasingly
complex issue of cybersecurity.
What is ENISA?
ENISA was established in 2004 to contribute
to the overall goal of ensuring a high level of network and information
security within the EU. In this context ‘network and information security’ (NIS)
means the ability of a network or an information system to resist, at a given
level of confidence, accidental events or unlawful or malicious actions that
compromise the availability, authenticity, integrity and confidentiality of
stored or transmitted data and the related services offered by or accessible
via those networks and systems.
ENISA helps the Commission, the Member States and the private sector to
address and respond to NIS deficiencies and, most crucially, to prevent them.
ENISA supports the development and implementation of the EU’s law and policy on
cybersecurity and delivers advice to public and private actors. ENISA’s main
activities include:
· collecting and analysing data on European security incidents and emerging risks;
· promoting risk assessment and methods to enhance capability to deal with NIS threats;
· coordinating pan-European cybersecurity exercises (for example, Cyber Europe 2016);
· encouraging the development of national cybersecurity strategies; and
· awareness-raising and cooperation between actors in the NIS field.
Composition of ENISA
ENISA has approximately 80 staff members and operates from two offices
located in Heraklion and Athens in Greece. ENISA is composed of several bodies:
the Executive Director, the Management Board, the Executive Board, and the
Permanent Stakeholders Group.
The Executive Director is responsible for the administration of ENISA,
including the implementation of decisions adopted by the Management Board and
the preparation of the work programmes in consultation with the Management
Board. The Management Board is composed of representatives of the Member States
and European Commission. Its main responsibilities are to devise and execute the
budget, adopt the work programme and appoint the Executive Director. The Executive
Board is composed of five members of the Management Board. It prepares
decisions on administrative and budgetary matters, which may then be adopted by
the Management Board. The Permanent Stakeholders Group is an advisory body composed
of experts representing relevant stakeholders in the cybersecurity field.
European Commission Evaluation of ENISA
Regulation 526/2013 (the ENISA Regulation) requires the Commission to
conduct an evaluation of ENISA by June 2018 and to assess the possible need to
modify or extend its mandate, which expires in 2020. The Commission has brought
forward the ENISA evaluation as a result of the significant evolution of the EU
cybersecurity landscape from both threat and policy perspectives.
From a threat perspective, cyberattacks have been increasing in volume
and complexity. Illustrating this, in the final months of 2016 alone, companies
such as Dyn, ThyssenKrupp and Deutsche Telekom were subject to
cyberattacks.[1]
From a policy perspective, ENISA takes on several new roles as a result
of the implementation of the Network and Information Security Directive 2016/1148
(the NIS Directive). First, ENISA provides the
secretariat to the Computer Security Incident Response Team (CSIRT) network, which
promotes effective operational cooperation on specific cybersecurity incidents
and risks. Secondly, ENISA must assist the Cooperation Group, which supports
and facilitates cooperation and information-sharing among Member States.
Scope of the Evaluation
The public consultation kicks off the
evaluation of ENISA and will remain open until 12 April 2017. The evaluation will
start with an assessment of ENISA’s past contribution to European NIS systems
and will then take into consideration emerging needs in the cybersecurity and
digital privacy context, to which the EU should respond with policy choices and
appropriate actions.
The evaluation will assess ENISA using the
following criteria:
· Effectiveness: has ENISA delivered on its mandate, and to what extent have
its organisational structure and working practices contributed to this?
· Efficiency: has ENISA been efficient in implementing the tasks set out in
its mandate?
· Relevance: are the objectives set out in ENISA’s mandate still appropriate
given the evolved cybersecurity and digital privacy context? This will include
assessing the possible need for a revision or extension of ENISA’s mandate
beyond 2020.
· Coherence: are ENISA’s activities coherent with the policies, strategy
documents and activities of other stakeholders in the cybersecurity field?
· EU added value: has ENISA been more effective than past, existing or
alternative national-level arrangements?
The purposes of the evaluation are two-fold: first, to assess ENISA’s
performance in achieving its objectives, mandate and tasks, as laid down in the
ENISA Regulation, and, second, to provide the basis for a possible revision of
the current mandate. ENISA’s mandate has been extended twice before, in 2008
and 2011, prior to the adoption of the current ENISA Regulation in 2013.
Conclusion
The NIS Directive represents an attempt to
legislate for cybersecurity, with reference to ‘operators of essential services’
and, to a lesser extent, ‘digital service providers’. While it remains to be
seen whether this legislation-focused attempt to strengthen what might be
termed critical national infrastructure in a developed economy will be
successful, it is the case that the NIS Directive and the GDPR represent a real
attempt to improve the position across the EU and EEA in the area of
cybersecurity in general. In that context, the ENISA review exercise is timely,
in order to ensure that ENISA, now an elderly institution, is reengineered to
meet the modern cybersecurity threat.
Pearse Ryan is a partner in the Technology &
Innovation Group of Arthur Cox, specialising in technology projects and
technology innovation.
Andrea Bowdren is a trainee in the Technology &
Innovation Group at Arthur Cox.
[1] “Deutsche Telekom outage blamed on possible cyber attack”, Financial Times, 28 November 2016, https://www.ft.com/content/c4779f86-7a2b-3480-96e4-878cf2bd73cb; “ThyssenKrupp reveals data stolen in cyber attack”, Financial Times, 8 December 2016, https://www.ft.com/content/7b556fb8-bd43-11e6-8b45-b8b81dd5d080