Explanatory Memorandum to COM(2010)520 - Amendment of Regulation (EC) No 460/2004 establishing the European Network and Information Security Agency as regards its duration


1. BACKGROUND

The European Network and Information Security Agency (hereinafter ENISA) was set up in March 2004 for an initial period of five years by Regulation (EC) No 460/2004, with the main goal of ‘ensuring a high and effective level of network and information security within the [Union], […] in order to develop a culture of network and information security for the benefit of the citizens, consumers, enterprises and public sector organisations of the European Union, thus contributing to the smooth functioning of the internal market’. Regulation (EC) No 1007/2008 extended ENISA’s mandate until March 2012.

The extension of ENISA’s mandate in 2008 also launched a debate on the general direction of European efforts towards network and information security (NIS), to which the Commission contributed by launching a public consultation on the possible objectives for a strengthened NIS policy at Union level. The public consultation ran from November 2008 to January 2009 and gathered nearly 600 contributions.

On 30 March 2009, the Commission adopted a Communication on Critical Information Infrastructure Protection (CIIP) focusing on the protection of Europe from cyber attacks and cyber disruptions by enhancing preparedness, security and resilience, with an Action Plan calling on ENISA to play a role, mainly in support to Member States. The Action Plan was broadly endorsed in the discussion at the Ministerial Conference on Critical Information Infrastructure Protection (CIIP) held in Tallinn, Estonia, on 27 and 28 April 2009. The European Union Presidency’s Conference Conclusions stress the importance of ‘leveraging the operational support’ of ENISA; they state that ENISA ‘provides a valuable instrument for bolstering Union-wide cooperative efforts in this field’ and point to the need to rethink and reformulate the Agency’s mandate ‘to better focus on EU priority and needs; to attain a more flexible response capability; to develop skills and competences; and to bolster the Agency operational efficiency and overall impact’ in order to render the Agency ‘a permanent asset for each Member State and the European Union at large’.

After discussion at the Telecom Council of 11 June 2009, where Member States expressed support for extending ENISA’s mandate and increasing its resources in the light of the importance of NIS and the evolving challenges in the area, the debate was brought to a conclusion under the Swedish Presidency of the Union. The Council Resolution of 18 December 2009 on a collaborative European approach to NIS recognises the role and potential of ENISA and the need to ‘further develop ENISA in an efficient body’. It also stresses the need to modernise and reinforce the Agency to support the Commission and the Member States in bridging the gap between technology and policy, serving as the Union centre of expertise in NIS matters.

2. GENERAL CONTEXT

Information and communication technologies (ICTs) have become the backbone of the European economy and society as a whole. ICTs are vulnerable to threats which no longer follow national boundaries and which have changed with technology and market developments. As ICTs are global, interconnected and interdependent with other infrastructures, their security and resilience cannot be secured by purely national and uncoordinated approaches. At the same time, challenges related to NIS evolve quickly. Networks and information systems must be effectively protected against all kinds of disruptions and failures, including man-made attacks.

Policies on Network and Information Security (NIS) play a central role in the Digital Agenda for Europe (DAE), a flagship initiative under the EU 2020 Strategy, to exploit and advance the potential of ICTs and to translate this potential into sustainable growth and innovation. Encouraging the take-up of ICTs and boosting trust and confidence in the information society are key priorities of the DAE. To this end, reform of ENISA is needed to enable the Union, the Member States and stakeholders to develop a high degree of capability and preparedness to prevent, detect and better respond to NIS problems.

3. REASONS FOR ACTION

Along with this proposal, the Commission is proposing a Regulation on ENISA that would replace Regulation (EC) No 460/2004; it thoroughly revises the provisions governing the Agency and establishes the Agency for a period of five years. However, the Commission is aware that the legislative procedure in the European Parliament and in the Council for that proposal may require extensive time for debate, and there is a risk of a legal vacuum if the new mandate of the Agency is not adopted before the expiry of the current mandate.

The Commission therefore proposes this Regulation extending the current mandate of the Agency for 18 months to allow sufficient time for discussion.