Electronic communications, infrastructure and services are essential factors, both directly and indirectly, in economic and societal development. They play a vital role for society and have in themselves become ubiquitous utilities in the same way as electricity or water supplies, and also constitute vital factors in the delivery of electricity, water and other critical services. Communications networks function as social and innovation catalysts, multiplying the impact of technology and shaping consumer behaviours, business models, industries, as well as citizenship and political participation. Their disruption has the potential to cause considerable physical, social and economic damage, underlining the importance of measures to increase protection and resilience aimed at ensuring continuity of critical services. The security of electronic communications, infrastructure and services, in particular their integrity, availability and confidentiality, faces continuously expanding challenges which relate, inter alia, to the individual components of the communications infrastructure and the software controlling those components, the infrastructure overall and the services provided through that infrastructure. This is of increasing concern to society not least because of the possibility of problems due to system complexity, malfunctions, systemic failures, accidents, mistakes and attacks that may have consequences for the electronic and physical infrastructure which delivers services critical to the well-being of European citizens.
(2)
The threat landscape is continuously changing and security incidents can undermine the trust that users have in technology, networks and services, thereby affecting their ability to exploit the full potential of the internal market and widespread use of information and communications technologies (ICT).
(3)
Regular assessment of the state of network and information security in the Union, based on reliable Union data, as well as systematic forecast of future developments, challenges and threats, both at Union and global level, is therefore important for policy makers, industry and users.
(4)
By Decision 2004/97/EC, Euratom (3), adopted at the meeting of the European Council on 13 December 2003, the representatives of the Member States decided that the European Network and Information Security Agency (ENISA), that was to be established on the basis of the proposal submitted by the Commission, would have its seat in a town in Greece to be determined by the Greek Government. Following that Decision, the Greek Government determined that ENISA should have its seat in Heraklion, Crete.
(5)
On 1 April 2005, a Headquarters Agreement (‘Seat Agreement’) was concluded between the Agency and the host Member State.
(6)
The Agency’s host Member State should ensure the best possible conditions for the smooth and efficient operation of the Agency. It is imperative for the proper and efficient performance of its tasks, for staff recruitment and retention and to enhance the efficiency of networking activities that the Agency be based in an appropriate location, among other things providing appropriate transport connections and facilities for spouses and children accompanying members of staff of the Agency. The necessary arrangements should be laid down in an agreement between the Agency and the host Member State concluded after obtaining the approval of the Management Board of the Agency.
(7)
In order to improve the operational efficiency of the Agency, the Agency has established a branch office in the metropolitan area of Athens, which should be maintained with the agreement and support of the host Member State, and where the operational staff of the Agency should be located. Staff primarily engaged in the administration of the Agency (including the Executive Director), finance, desk research and analysis, IT and facilities management, human resources, training, and communications and public affairs, should be based in Heraklion.
(8)
The Agency has the right to determine its own organisation in order to ensure the proper and efficient performance of its tasks, while respecting the provisions on the seat and Athens branch office laid down in this Regulation. In particular, in order to carry out tasks involving interaction with key stakeholders such as the Union institutions, the Agency should make the necessary practical arrangements to enhance such operational efficiency.
(9)
In 2004 the European Parliament and the Council adopted Regulation (EC) No 460/2004 (4) establishing ENISA with the purpose of contributing to the goals of ensuring a high level of network and information security within the Union and developing a culture of network and information security for the benefit of citizens, consumers, enterprises and public administrations. In 2008, the European Parliament and the Council adopted Regulation (EC) No 1007/2008 (5) extending the mandate of the Agency until March 2012. Regulation (EC) No 580/2011 (6) extends the mandate of the Agency until 13 September 2013.
(10)
The Agency should succeed ENISA as established by Regulation (EC) No 460/2004. Within the framework of the Decision of the Representatives of the Member States, meeting in the European Council of 13 December 2003, the host Member State should maintain and further develop the current practical arrangements in order to ensure the smooth and efficient operation of the Agency, including its Athens branch office, and facilitate the recruitment and retention of highly qualified staff.
(11)
Since ENISA was set up, the challenges of network and information security have changed with technology, market and socioeconomic developments and have been the subject of further reflection and debate. In response to the changing challenges, the Union has updated its priorities for network and information security policy. This Regulation aims to strengthen the Agency to successfully contribute to the efforts of the Union institutions and the Member States to develop a European capacity to cope with network and information security challenges.
(12)
Internal market measures in the field of security of electronic communications and, more generally, network and information security require different forms of technical and organisational applications by the Union institutions and the Member States. The heterogeneous application of those requirements can lead to inefficiencies and can create obstacles to the internal market. This makes a centre of expertise at Union level necessary, providing guidance, advice and assistance on issues related to network and information security, which may be relied upon by the Union institutions and the Member States. The Agency can respond to those needs by developing and maintaining a high level of expertise and assisting the Union institutions, the Member States, and the business community in order to help them meet the legal and regulatory requirements of network and information security and to determine and address network and information security issues, thereby contributing to the proper functioning of the internal market.
(13)
The Agency should carry out the tasks conferred on it by legal acts of the Union in the field of electronic communications and, in general, contribute to an enhanced level of security of electronic communications as well as of privacy and personal data protection by, among other things, providing expertise and advice, and promoting the exchange of best practices, and offering policy suggestions.
(14)
Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive) (7) requires that providers of public electronic communications networks or publicly available electronic communications services take appropriate measures to safeguard the integrity and security thereof, and introduces an obligation for the national regulatory authorities, where appropriate, to inform, inter alia, the Agency about any security breach or integrity loss that has had a significant impact on the operation of networks or services and to submit to the Commission and to the Agency an annual summary report on the notifications received and the action taken. Directive 2002/21/EC further calls on the Agency, by providing opinions, to contribute to the harmonisation of appropriate technical and organisational security measures.
(15)
Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (8) requires a provider of a publicly available electronic communications service to take appropriate technical and organisational measures to safeguard the security of its services and also requires that the confidentiality of the communications and related traffic data be maintained. Directive 2002/58/EC introduces personal data breach information and notification requirements for electronic communication services providers. It also requires the Commission to consult the Agency on any technical implementing measures to be adopted concerning the circumstances or format of and procedures applicable to information and notification requirements. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (9) requires Member States to provide that the controller must implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network and against all other unlawful forms of processing.
(16)
The Agency should contribute to a high level of network and information security, to better protection of privacy and personal data, and to the development and promotion of a culture of network and information security for the benefit of citizens, consumers, businesses and public sector organisations in the Union, thus contributing to the proper functioning of the internal market. In order to achieve this, the necessary budgetary funds should be allocated to the Agency.
(17)
Given the increasing significance of electronic networks and communications, which now constitute the backbone of the European economy, and the actual size of the digital economy, the financial and human resources allocated to the Agency should be increased to reflect its enhanced role and tasks, and its critical position in defending the European digital ecosystem.
(18)
The Agency should operate as a point of reference establishing trust and confidence by virtue of its independence, the quality of the advice it delivers and the information it disseminates, the transparency of its procedures and methods of operation, and its diligence in carrying out its tasks. The Agency should build on national and Union efforts and therefore carry out its tasks in full cooperation with the Union institutions, bodies, offices and agencies and the Member States, and be open to contacts with industry and other relevant stakeholders. In addition, the Agency should build on input from and cooperation with the private sector, which plays an important role in securing electronic communications, infrastructures and services.
(19)
A set of tasks should indicate how the Agency is to accomplish its objectives while allowing flexibility in its operations. The tasks carried out by the Agency should include the collection of appropriate information and data needed to carry out analyses of the risks to the security and resilience of electronic communications, infrastructure and services and to assess, in cooperation with Member States, the Commission and, where appropriate, with relevant stakeholders, the state of network and information security in the Union. The Agency should ensure coordination and collaboration with the Union institutions, bodies, offices and agencies and Member States, and enhance cooperation between stakeholders in Europe, in particular by involving in its activities competent national and Union bodies and high-level private sector experts in relevant areas, in particular providers of electronic communications networks and services, network equipment manufacturers and software vendors, taking into account that network and information systems comprise combinations of hardware, software and services. The Agency should provide assistance to the Union institutions and to the Member States in their dialogue with industry to address security-related problems in hardware and software products, thereby contributing to a collaborative approach to network and information security.
(20)
Network and information security strategies made public by a Union institution, body, office or agency or a Member State should be provided to the Agency for its information and to avoid duplication of effort. The Agency should analyse the strategies and promote their presentation in a format that facilitates comparability. It should make the strategies and its analyses available to the public through electronic means.
(21)
The Agency should assist the Commission by means of advice, opinions and analyses on all the Union matters related to policy development in the area of network and information security, including Critical Information Infrastructure Protection and resilience. The Agency should also assist the Union institutions, bodies, offices and agencies and where relevant, the Member States, at their request, in their efforts to develop network and information security policy and capability.
(22)
The Agency should take full account of the ongoing research, development, and technological assessment activities, in particular those carried out by the various Union research initiatives to advise the Union institutions, bodies, offices and agencies and where relevant, the Member States, at their request, on research needs in the area of network and information security.
(23)
The Agency should assist the Union institutions, bodies, offices and agencies as well as the Member States in their efforts to build and enhance cross-border capability and preparedness to prevent, detect and respond to network and information security problems and incidents. In this regard, the Agency should facilitate cooperation among the Member States and between the Commission and other Union institutions, bodies, offices and agencies and the Member States. To this end, the Agency should support the Member States in their continuous efforts to improve their response capability and to organise and run European exercises on security incidents and, at the request of a Member State, national exercises.
(24)
To understand better the challenges in the network and information security field, the Agency needs to analyse current and emerging risks. For that purpose the Agency should, in cooperation with Member States and, as appropriate, with statistical bodies and others, collect relevant information. Furthermore, the Agency should assist the Union institutions, bodies, offices and agencies and the Member States and in their efforts to collect, analyse and disseminate network and information security data. The collection of appropriate statistical information and data needed to carry out analyses of the risks to the security and resilience of electronic communications, infrastructure and services should take place on the basis of the information provided by the Member States and the Agency’s insight to the Union institutions’ ICT infrastructures in accordance with Union provisions and national provisions in compliance with Union law. On the basis of that information, the Agency should maintain awareness of the latest state of network and information security and related trends in the Union for the benefit of Union institutions, bodies, offices and agencies and the Member States.
(25)
In performing its tasks, the Agency should facilitate cooperation between the Union and the Member States to improve awareness of the state of network and information security in the Union.
(26)
The Agency should facilitate cooperation among the Member States’ competent independent regulatory authorities, in particular supporting the development, promotion and exchange of best practices and standards for education programmes and awareness-raising schemes. Increased information exchange between Member States will facilitate such action. The Agency should contribute towards raising the awareness of individual users of electronic communications, infrastructure and services, including by assisting Member States, where they have chosen to use the public interest information platform provided for in Directive 2002/22/EC of the European Parliament and of the Council of 7 March 2002 on universal service and users’ rights relating to electronic communications networks and services (Universal Service Directive) (10), to produce relevant public interest information regarding network and information security, and also by assisting in the development of such information to be included with the supply of new devices intended for use on public communications networks. The Agency should also support cooperation between stakeholders at Union level, partly by promoting information sharing, awareness-raising campaigns and education and training programmes.
(27)
The Agency should, inter alia, assist the relevant Union institutions, bodies, offices and agencies and the Member States in public education campaigns to end users, aiming at promoting safer individual online behaviour and raising awareness of potential threats in cyberspace, including cybercrimes such as phishing attacks, botnets, financial and banking fraud, as well as promoting basic authentication and data protection advice.
(28)
To ensure that it fully achieves its objectives, the Agency should liaise with relevant bodies, including those dealing with cybercrime such as Europol, and privacy protection authorities to exchange know-how and best practices and provide advice on network and information security aspects that might have an impact on their work. The Agency should aim to achieve synergies between the efforts of those bodies and its own efforts to promote advanced network and information security. Representatives of national and Union law enforcement and privacy protection authorities should be eligible to be represented in the Agency’s Permanent Stakeholders Group. In liaising with law enforcement bodies regarding network and information security aspects that might have an impact on their work, the Agency should respect existing channels of information and established networks.
(29)
The Commission has launched a European Public-Private Partnership for Resilience as a flexible Union-wide cooperation platform for resilience of ICT infrastructure, in which the Agency should play a facilitating role, bringing together stakeholders to discuss public policy priorities, economic and market dimensions of challenges and measures for the resilience of ICT.
(30)
In order to promote network and information security and its visibility, the Agency should facilitate cooperation among the Member States’ competent public bodies, in particular by supporting the development and exchange of best practices and awareness-raising schemes and by enhancing their outreach activities. The Agency should also support cooperation between stakeholders and the Union institutions, partly by promoting information sharing and awareness-raising activities.
(31)
In order to enhance an advanced level of network and information security in the Union, the Agency should promote cooperation and the exchange of information and best practices between relevant organisations, such as Computer Security Incident Response Teams (CSIRTs) and Computer Emergency Response Teams (CERTs).
(32)
A Union system of properly functioning CERTs should constitute a cornerstone of the Union’s network and information security infrastructure. The Agency should support Member State CERTs and the Union CERT in the operation of a network of CERTs, including the members of the European Governmental CERTs Group. In order to assist in ensuring that each of the CERTs has sufficiently advanced capabilities and that those capabilities correspond as far as possible to the capabilities of the most developed CERTs, the Agency should promote the establishment and operation of a peer-review system. Furthermore, the Agency should promote and support cooperation between the relevant CERTs in the event of incidents, attacks on or disruptions of networks or infrastructure managed or protected by the CERTs and involving or potentially involving at least two CERTs.
(33)
Efficient network and information security policies should be based on well-developed risk assessment methods, both in the public and private sector. Risk assessment methods and procedures are used at different levels with no common practice regarding how to apply them efficiently. Promoting and developing best practices for risk assessment and for interoperable risk management solutions in public- and private-sector organisations will increase the security level of networks and information systems in the Union. To this end, the Agency should support cooperation between stakeholders at Union level, facilitating their efforts relating to the establishment and take-up of European and international standards for risk management and for measurable security of electronic products, systems, networks and services which, together with software, comprise the network and information systems.
(34)
Where appropriate and useful for fulfilling its objectives and tasks, the Agency should share experience and general information with Union institutions, bodies, offices and agencies dealing with network and information security. The Agency should contribute to identifying research priorities, at Union level, in the areas of network resilience and network and information security, and should convey knowledge of industry needs to relevant research institutions.
(35)
The Agency should encourage Member States and service providers to raise their general security standards so that all internet users take the necessary steps to ensure their own personal cyber security.
(36)
Network and information security problems are global issues. There is a need for closer international cooperation to improve security standards, including the definition of common norms of behaviour and codes of conduct, and information sharing, promoting swifter international collaboration in response to, as well as a common global approach to, network and information security issues. To that end, the Agency should support further Union involvement and cooperation with third countries and international organisations by providing, where appropriate, the necessary expertise and analysis to the relevant Union institutions, bodies, offices and agencies.
(37)
The Agency should operate in accordance with the principle of subsidiarity, ensuring an appropriate degree of coordination between the Member States on matters relating to network and information security and improving the effectiveness of national policies, thus adding value to them and in accordance with the principle of proportionality, not going beyond what is necessary in order to achieve the objectives set out by this Regulation. The exercise of the Agency’s tasks should reinforce, but not interfere with, the competences, nor should it pre-empt, impede or overlap with the relevant powers and tasks, of the national regulatory authorities as set out in the Directives relating to electronic communications networks and services, as well as those of the Body of European Regulators for Electronic Communications (BEREC) established by Regulation (EC) No 1211/2009 (11) and the Communications Committee referred to in Directive 2002/21/EC, of the European standardisation bodies, the national standardisation bodies and the Standing Committee as set out in Directive 98/34/EC (12) and the independent supervisory authorities of the Member States as set out in Directive 95/46/EC.
(38)
It is necessary to implement certain principles regarding the governance of the Agency in order to comply with the Joint Statement and Common Approach agreed upon in July 2012 by the Inter-Institutional Working Group on EU decentralised agencies, the purpose of which statement and approach is to streamline the activities of agencies and improve their performance.
(39)
The Joint Statement and Common Approach should also be reflected, as appropriate, in the Agency’s Work Programmes, evaluations of the Agency, and the Agency’s reporting and administrative practice.
(40)
In order for the Agency to function properly, the Commission and the Member States should ensure that persons to be appointed to the Management Board have appropriate professional expertise. The Commission and the Member States should also make efforts to limit the turnover of their respective Representatives on the Management Board, in order to ensure continuity in its work.
(41)
It is essential that the Agency establish and maintain a reputation for impartiality, integrity and high professional standards. Accordingly, the Management Board should adopt comprehensive rules covering the entire Agency for the prevention and management of conflicts of interest.
(42)
Given the unique circumstances of the Agency and the difficult challenges facing it, the organisational structure of the Agency should be simplified and strengthened to ensure greater efficiency and effectiveness. Therefore, among other things, an Executive Board should be established in order to enable the Management Board to focus on issues of strategic importance.
(43)
The Management Board should appoint an Accounting Officer in accordance with rules adopted under Regulation (EU, Euratom) No 966/2012 (13) (the ‘Financial Regulation’).
(44)
In order to ensure that the Agency is effective, the Member States and the Commission should be represented on the Management Board, which should define the general direction of the Agency’s operations and ensure that it carries out its tasks in accordance with this Regulation. The Management Board should be entrusted with the powers necessary to establish the budget, verify its execution, adopt the appropriate financial rules, establish transparent working procedures for decision making by the Agency, adopt the Agency’s work programme, adopt its own rules of procedure and the Agency’s internal rules of operation, appoint the Executive Director, decide on the extension of the Executive Director’s term of office after obtaining the views of the European Parliament, and decide on the termination thereof. The Management Board should set up an Executive Board to assist it with its administrative and budgetary tasks.
(45)
The smooth functioning of the Agency requires that its Executive Director be appointed on grounds of merit and documented administrative and managerial skills, as well as competence and experience relevant for network and information security, and that the duties of the Executive Director be carried out with complete independence as to the organisation of the internal functioning of the Agency. To this end, the Executive Director should prepare a proposal for the Agency’s work programme, after prior consultation with the Commission, and take all necessary steps to ensure the proper execution of the work programme of the Agency. The Executive Director should prepare an annual report to be submitted to the Management Board, draw up a draft statement of estimates of revenue and expenditure for the Agency, and implement the budget.
(46)
The Executive Director should have the option of setting up ad hoc Working Groups to address specific matters, in particular of a scientific, technical or legal or socioeconomic nature. In setting up ad hoc Working Groups the Executive Director should seek input from and draw on the relevant external expertise needed to enable the Agency to have access to the most up-to-date information available regarding security challenges posed by the developing information society. The Executive Director should ensure that the ad hoc Working Groups’ members are selected according to the highest standards of expertise, taking due account of a representative balance, as appropriate according to the specific issues in question, between the public administrations of the Member States, the Union institutions and the private sector, including industry, users, and academic experts in network and information security. The Executive Director should be able, as appropriate, to invite individual experts recognised as competent in the relevant field to participate in the Working Groups’ proceedings, on a case-by-case basis. Their expenses should be met by the Agency in accordance with its internal rules and in accordance with rules adopted under the Financial Regulation.
(47)
The Agency should have a Permanent Stakeholders’ Group as an advisory body, to ensure regular dialogue with the private sector, consumers’ organisations and other relevant stakeholders. The Permanent Stakeholders’ Group, set up by the Management Board on a proposal by the Executive Director, should focus on issues relevant to stakeholders and bring them to the attention of the Agency. The Executive Director should, where appropriate and according to the agenda of the meetings, be able to invite representatives of the European Parliament and other relevant bodies to take part in meetings of the Group.
(48)
Since there is provision for ample representation of stakeholders in the Permanent Stakeholders Group, and that group is to be consulted in particular regarding the draft Work Programme, there is no longer any need to provide for representation of stakeholders in the Management Board.
(49)
The Agency should apply the relevant Union provisions concerning public access to documents as set out in Regulation (EC) No 1049/2001 of the European Parliament and of the Council (14). The information processed by the Agency for purposes relating to its internal functioning as well as the information processed in carrying out its tasks should be subject to Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (15).
(50)
The Agency should comply with the provisions applicable to the Union institutions, and with national legislation regarding the treatment of sensitive documents.
(51)
In order to guarantee the full autonomy and independence of the Agency and to enable it to perform additional and new tasks, including unforeseen emergency tasks, the Agency should be granted a sufficient and autonomous budget whose revenue comes primarily from a contribution from the Union and contributions from third countries participating in the Agency’s work. The majority of the Agency staff should be directly engaged in the operational implementation of the Agency’s mandate. The host Member State, or any other Member State, should be allowed to make voluntary contributions to the revenue of the Agency. The Union’s budgetary procedure should remain applicable as far as any subsidies chargeable to the general budget of the European Union are concerned. Moreover, the Court of Auditors should audit the Agency’s accounts to ensure transparency and accountability.
(52)
In view of the continually changing threat landscape and the evolution of Union policy on network and information security, and in order to align to the multiannual financial framework, the duration of the mandate of the Agency should be set to a limited period of seven years with a possibility of extending the duration.
(53)
The Agency’s operations should be evaluated independently. The evaluation should have regard to the Agency’s effectiveness in achieving its objectives, its working practices and the relevance of its tasks, in order to determine the continuing validity, or otherwise, of the objectives of the Agency and, based thereon, whether and for what period the duration of its mandate should be further extended.
(54)
If, towards the end of the duration of the mandate of the Agency, the Commission has not introduced a proposal for an extension of the mandate, the Agency and the Commission should take the relevant measures, addressing in particular issues relating to staff contracts and budget arrangements.
(55)
Since the objective of this Regulation, namely to establish a European Union Agency for Network and Information Security for the purpose of contributing to a high level of network and information security within the Union and in order to raise awareness and develop and promote a culture of network and information security in society for the benefit of citizens, consumers, enterprises and public sector organisations in the Union, thus contributing to the establishment and proper functioning of the internal market, cannot be sufficiently achieved by the Member States and can therefore be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality, as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve that objective.
(56)
Regulation (EC) No 460/2004 should be repealed.
(57)
The European Data Protection Supervisor was consulted in accordance with Article 28(2) of Regulation (EC) No 45/2001 and adopted his opinion on 20 December 2010 (16),