Annexes to COM(2007)285 - Evaluation of the European Network and Information Security Agency (ENISA)


agreement among the Member States, built on the lessons learned and the achievement of the first phase of the Agency.

It should be emphasised that the evaluation has been carried out after the Agency had only been operational for a year. The potential contribution of the Agency for the functioning of the internal market is appreciated by the stakeholders and expected to grow, especially concerning the reduction of the duplication of activities in the NIS field between the MS and the Commission and the harmonisation of policy and regulations.

According to the opinion of most stakeholders, closing the Agency when the mandate expires in 2009 would represent a significant missed opportunity for Europe, and would have negative consequences for network and information security and the smooth functioning of the internal market. On the other hand, they also believe that change is needed in the Agency’s strategic direction and structure.

‘SWOT’ table from the Evaluation Report of the external panel of experts, p. 72

| STRENGTHS | WEAKNESSES |
| --- | --- |
| Member States and Commission mandate | Lack of vision, focus and flexibility |
| Good start in building relationships | Uneasy relationship between Management Board and Agency |
| Staff competence | Location problem for recruitment and networking |
| | Lack of critical mass of the operational staff |
| | Early phase of learning curve |

| OPPORTUNITIES | THREATS |
| --- | --- |
| Increasing importance of security in the EU | If effectiveness is not improved, rapid weakening and loss of reputation |
| Unique position to respond to security coordination needs | High turnover is weakening the staff |
| Global alliances look for EU counterpart | Contradictory expectations from MS and between MS and stakeholders |
| Launching new projects with high relevance in the security field | Misperception of role and goals by external stakeholders |
| Becoming a reference point for all the MS | |

4.2. Recommendations of the Evaluation Panel

In addition to the findings and the analysis of the data collected, the report of the evaluation panel contains some recommendations on the future of ENISA after 2009 briefly summarised in the following:

- The mandate of the Agency should be extended after 2009, maintaining its original main objectives and policy rationale, but taking into account the current experience.

- The Regulation of the Agency should be revised, to reflect ENISA’s original strategic role and to clear ambiguities about its profile. The Regulation should not define in detail the operational tasks of the Agency to allow for flexibility in adapting to the evolution of the security environment.

- The Agency’s size and resources should be increased (up to 100 persons approximately) in order to reach the necessary critical mass.

- The role of the Management Board should be revised in order to improve the governance of ENISA.

- The appointment of a high-profile figure, well recognised in the NIS environment, who could act as an ambassador, could help increase ENISA’s visibility.

- The Panel also makes recommendations regarding the location of the Agency in Heraklion.[14]

Finally, the evaluation panel recommends a number of short-term actions to improve the performance of ENISA. The Commission has invited the Management Board and the Executive Director of ENISA to duly consider these short-term recommendations and to take the necessary steps.

5. APPRAISAL OF THE RESULTS OF THE EXTERNAL EVALUATION

The evaluation of the external panel of experts has produced many valuable findings on specific aspects that are critical for both the good functioning of ENISA and its impact on the situation of network and information security, in particular its internal market dimension. The Commission largely agrees with these findings that, altogether, highlight the validity of the original policy rationale and goals but underline also how the current size of the Agency and the organisation of its work do not appear to be adequate for its future challenges.

There is a valuable lesson to be learnt, as a number of important difficulties encountered by ENISA seem to be of a structural nature stemming from ambiguity in the interpretation of its Regulation and the suboptimal level of human resources available to the Agency. The misalignment between the interpretation of the Regulation by the Agency staff and by the Management Board may have additional causes that hinge on the lack of a shared vision of ENISA among the Member States. The evaluation report is, in this respect, very clear and highlights the diverse needs of Member States concerning network and information security. The enlargement to 25 countries on 1 May 2004 (and to 27 on 1 January 2007) has exposed ENISA and its operation to higher expectations and demands than those that had been anticipated when the agency was established.

The advent and convergence of more sophisticated and advanced communication and wireless technologies, together with the fast-evolving nature of threats, have also contributed to transforming the environment in which ENISA operates. The potential impact of these developments on the network and information security challenges for the EU has been highlighted by the Commission in its Communication on a strategy for a secure Information Society.[15] It is important to take these developments into due consideration when reflecting on the future of ENISA and deciding how the EU Member States and stakeholders should cooperate to cope with new challenges for network and information security.

A key finding of the evaluation report is the importance for ENISA to enhance contacts and working relations with stakeholders and Member States’ centres of expertise. In particular, the lack of regular and effective networking activities with the existing European scientific, technical and industrial communities and sectors is considered a main impediment for ENISA to position itself in this area and exercise its role as defined in its Regulation. According to the report of the external panel of experts, the current location is, in this regard, not helping ENISA, as it makes it more difficult to establish regular and continuous working contacts with scientific, technical and industrial communities and sectors, as well as to attract and keep key domain experts who may have the profile and personality to establish these contacts. Similar arguments hold for the working relations and contacts with Member States’ laboratories and/or technical centres.

6. RECOMMENDATIONS OF THE ENISA MANAGEMENT BOARD

At the meetings of the ENISA Management Board on 26 January 2007 in Brussels and 22-23 March 2007 in Heraklion, the Commission reported on the evaluation and the Management Board discussed the report of the external experts. On 23 March, the Management Board formulated recommendations on the future of the Agency and on changes to the ENISA Regulation.[16]

Recommendations of the ENISA Management Board:

4. The Regulation should be revised to extend the mandate. That mandate should again have a review point.

5. The scope of the Agency should not be materially changed.

6. The Regulation should be revised to combine Articles 2 and 3[17] to set outcome-based key objectives that are realistic and within the scope of the Agency.

7. The Agency should maintain the capability to respond to specific requests for advice and assistance but the nature of these requests and the process for receiving and considering them should be more clearly stated in the Regulation.

8. The governance structure of a Management Board, Executive Director and Permanent Stakeholders’ Group should not be changed.

9. The Executive Director should be required to appoint, in consultation with the Management Board, a stakeholder to chair the Permanent Stakeholders’ Group. In addition to its role in relation to the Work Programme, the Group should be more clearly tasked to contribute to the two-way flow of ideas between the Agency (both Board and Executive Director) and the stakeholder community, as well as encouraging the commitment of resources by the stakeholder community in support of the Agency’s aims.

7. THE WAY FORWARD

7.1. Further consultation and analysis

At this stage, the Commission considers it appropriate to initiate a public consultation and an impact assessment, including a cost/benefit analysis, on the extension and the future of the Agency, in line with the Commission’s Better Regulation strategy.[18] The Commission will inform the European Parliament and the Council of the overall findings and results thereof.

For the purposes of the public consultation and the impact assessment (including the cost/benefit analysis), there are several avenues to be explored. First of all, the choice needs to be made whether to extend the mandate of the Agency or to replace the Agency by another mechanism, such as a permanent forum of stakeholders or a network of security organisations. If the mandate is to be extended, decisions need to be taken on the optimal operational size of the Agency in view of the need to enhance its networking capability and a possible expansion of its tasks.

If the mandate of the Agency is to be extended, its remit would need to be made more precise to support the network and information security components of the electronic communications regulatory framework being revised under the 2006 review. The goal would be to clarify how the Agency should work with national regulatory bodies, other centres of expertise in the Member States, and the private sector to define requirements and guide their implementation to meet security and integrity challenges related to current and future electronic networks. In doing so, it will be crucial for ENISA to focus on impacts rather than deliverables in order to achieve maximum added value for the internal market.

7.2. Questions to guide further discussions

To guide further discussions, the Commission has formulated a number of questions.

10. What are currently the most important challenges to network and information security? What has changed since 2004, when ENISA was established? To which issues is a European response most needed? Is an Agency still the right instrument or would another mechanism be better suited to deal with these issues?

11. How should ENISA adapt its activities to the current requirements of network and information security? What should be changed in the remit of the Agency in order to ensure maximum added value for the EU institutions and Member States? How should the strategic role of the Agency be reflected? How could its profile as an expertise centre providing assistance and advice be clarified? With which activities does the Agency most contribute to the smooth functioning of the internal market?

12. How can effective interaction between the Agency and its stakeholders be enhanced? In its networking activities, to which networks should the Agency give priority to achieve maximum value? How can the Agency capitalise on the wealth of experience of national bodies and communities of stakeholders in the security environment? How could the results of the work of the Agency best be valorised for both the public and the private sectors, thus enhancing the visibility of the Agency?

13. Without changing the current objectives and scope of ENISA, which additional activities may help the Agency to become more effective, deliver significant added value to Member States and stakeholders and, last but not least, ensure a higher impact?

14. Would it be useful and feasible to foresee extended objectives and activities, either more operational or regulatory oriented, for the Agency? What kind of tasks would add significant European value for the Member States or stakeholders? How should in this case the objectives and scope be changed?

15. What would be the critical mass and the optimum size of the Agency’s staff and budget to allow it to act effectively and allow for an appropriate mix of skills and competences?

16. How could the issues identified by the external panel of experts concerning the networking and staff retention capabilities resulting from the location of ENISA be best addressed?

8. CONCLUSION

The Commission values the findings and analyses of the evaluation report of the external panel of experts and the recommendations of the ENISA Management Board on the future of the Agency and changes to the ENISA Regulation. A public consultation and an impact assessment that will include a cost/benefit analysis will complete the inputs and comments needed to fully and transparently decide on a possible extension of ENISA. The Commission will inform the European Parliament and the Council of the results of the public consultation and the impact assessment as well as further specify its overall evaluation findings, in particular its decision whether or not to introduce a proposal for the extension of the duration of the Agency.

[1] http://europa.eu.int/information_society/eeurope/i2010/index_en.htm

[2] COM(2006) 251, 31.5.2006

[3] Regulation (EC) No 460/2004 of the European Parliament and of the Council of 10 March 2004 establishing the European Network and Information Security Agency - OJ L 77, 13.3.2004, p. 1 (hereinafter “ENISA Regulation”)

[4] See Article 25 of the ENISA Regulation

[5] Available at: http://ec.europa.eu/dgs/information_society/evaluation/studies/index_en.htm

[6] Available at: http://enisa.europa.eu/pages/03_02.htm

[7] In accordance with Article 25(3) of the ENISA Regulation.

[8] COM(2003) 63, 11.2.2003

[9] Judgment of 2 May 2006 in Case C-217/04

[10] As reiterated in the judgment of the ECJ, sections 56 and 57.

[11] Document 15900/06 (Presse 343), 2772nd Council Meeting, Transport, Telecommunications and Energy, Brussels, 11-12 December 2006, p. 14.

[12] See http://enisa.europa.eu/

[13] The report is available at the following website: http://ec.europa.eu/dgs/information_society/evaluation/studies/index_en.htm

[14] It should be recalled that the seat has been established by decisions of the Heads of State and Government and of the Greek Government.

[15] COM(2006) 251, 31.5.2006.

[16] As foreseen in Article 25 of the ENISA Regulation. The full text of the document adopted by the ENISA Management Board, which also contains the Board’s considerations, is available at the following website: http://enisa.europa.eu/pages/03_02.htm

[17] On, respectively, Objectives and Tasks.

[18] See, inter alia, “Better Regulation for Growth and Jobs in the European Union,” Communication from the Commission to the Council and the European Parliament, COM(2005)97, 16.3.2005.