
A revamped ENISA – the EU’s cybersecurity agency

Europe is under attack. Not physically, of course, but virtually. Every day cyber threats are detected and cyber-attacks thwarted.

Keeping European citizens safe in the connected world is a priority for the European Commission, and ENISA, the EU’s cybersecurity agency, has an increasingly important and central role in this endeavour.

The European Union Agency for Network and Information Security, or ENISA for short, was originally set up in 2004 to help ensure a high level of network and information security within the EU.

Based in Greece, ENISA supports the European institutions, the Member States and the business community in addressing, responding to and especially in preventing network and information security problems.

ENISA was originally created as a relatively small agency with a limited budget and mandate; new EU-level cybersecurity legislation is now significantly expanding its role and mandate.

Already the 2016 Network and Information Systems (NIS) Directive gave additional tasks to the agency. That Directive created for the first time a network of the Member States’ Computer Security Incident Response Teams (CSIRTs), in order to promote swift and effective operational cooperation on specific cybersecurity incidents and share information about potential risks.

ENISA acts as the secretariat to the CSIRTs network. It also has a less operational but equally important role as a member of the NIS Cooperation Group, likewise created by the NIS Directive, where it provides advice and expertise and facilitates information sharing among Member States.

The need for a truly pan-European cybersecurity agency is clear.

Exposure to cyber threats in the EU remains high. According to ENISA's own 2018 Threat Landscape report, which covers the 15 top cyber threats from malware to denial of service, the number of attacks has remained relatively stable over the last few years, although exact figures are hard to establish because the baseline keeps shifting as ever more attacks are automatically detected and blocked.

What has changed dramatically though is the level of sophistication of many of the attacks, meaning that our responses have to become increasingly sophisticated as well.

Hence, as the sophistication of cyber threats has risen, there was a clear political wish to enhance ENISA's remit, along with its budget and mandate.

In the Cybersecurity Act, a regulation proposed in 2017 which will come into force in spring 2019, the European Commission put forward a number of new initiatives to further improve EU cyber resilience, deterrence and defence, including significantly expanding and strengthening the mandate and role of ENISA.

This includes a permanent mandate for the agency (previously, ENISA's mandate had to be renewed every seven years) and a much larger operational budget (more than doubling from the current €11m per year), as well as giving ENISA a clear operational, and not only advisory, role in European cybersecurity.

Moreover, the Cybersecurity Act also entails the creation of a European Cybersecurity Certification Framework in which ENISA will play a key role.

For businesses and consumers to be certain that their online information is safe, they need to use products, services and processes that they trust, but the lack of a single EU-wide scheme to certify this trustworthiness is a major problem.

Today, products sometimes have to be certified in several different countries following different processes, which limits cross-border trade within the EU and imposes significant costs on consumers.

The new framework sets out the rules, requirements, standards and procedures with which EU-wide certification schemes will have to comply.

It is for ENISA to organise the development of such schemes, voluntary for the time being though this may change over time, for a wide variety of ICT products and services, from smart cards to cloud computing.

At the same time, the Cybersecurity Act maintains ENISA's advisory role. In addition to expanding its existing remit, the agency will for example assist EU and national authorities in setting priorities for research and development.

It will also work closely with the proposed new European Cybersecurity Industrial, Technology and Research Competence Centre, whose task would be to help the EU retain and develop the cybersecurity capacities that underpin the continued development of the EU's Digital Single Market.

The challenge to keep European citizens and businesses safe and secure in today’s connected world will continue to require our attention and investments for many years to come.

Europe has kicked into a higher gear already, boosting its cybersecurity capabilities through legislation such as the NIS Directive or the Cybersecurity Act, and carrying out joint manoeuvres through increasing coordination and cooperation between national and EU players.

The new certification framework will bolster Europe’s civil defence mechanisms, reassuring users that they can continue to operate safely.

Moreover, the new European Cybersecurity Competence Centre will help ensure that the next generations of secure products and services, and the engineers and programmers to create them, will be available.

ENISA is there with a new permanent mandate to support the EU and EU Member States in sharing vital cybersecurity information, to assist in coordinating the key players and to give the right advice.

We may never be entirely free from the threat of cyber-attacks but our new comprehensive framework should provide the additional and necessary guarantees to live and work in a safer environment.