European Network and Information Security Agency (ENISA)

Communication networks and information systems have become ubiquitous utilities and their security is of increasing concern to society. To guarantee users the best possible security, the European Union (EU) has set up a European Network and Information Security Agency (ENISA) to advise the Commission and EU countries, as well as to coordinate the measures they are taking to secure their networks and information systems.

ACT

Regulation (EC) No 460/2004 of the European Parliament and of the Council of 10 March 2004 establishing the European Network and Information Security Agency [See amending act(s)].

SUMMARY

Computing and networking * have become an essential part of the daily lives of European citizens. The exponential development of communication networks and information systems * inevitably raises the question of their security, which has become a subject of growing concern to society.

The growing number of security breaches * has already generated substantial financial damage, undermined user confidence and been detrimental to the development of e-commerce. An attack on key information systems could have major consequences for the provision of services essential for the well-being of European citizens. The proliferation of internet connections and increased networking are making security requirements ever more pressing.

Individuals, public administrations and businesses have reacted by deploying security technologies and security management procedures. However, apart from certain administrative networks, there is no systematic cross-border cooperation on this issue between EU countries.

Objectives

The European Network and Information Security Agency’s (ENISA) aim is to enhance the capability of the European Union (EU), EU countries and business community to prevent, address and respond to network and information security problems.

In addition, ENISA provides assistance and delivers advice to the Commission and EU countries. It may also be called upon to assist the Commission in the technical preparatory work for updating and developing EU legislation.

Furthermore, ENISA facilitates and enhances cooperation between different actors operating in the public and private sectors in order to achieve a sufficiently high level of security in EU countries.

Tasks

To achieve the objectives set out above, ENISA:

collects appropriate information to analyse current and emerging risks, and provides the results to EU countries and the Commission;
provides advice and, if appropriate, assistance to the European Parliament, the Commission and the competent European and national bodies;
enhances cooperation between different players in the sector (e.g. through consultations and networking);
facilitates cooperation between the Commission and EU countries in the development of common methodologies to prevent security problems;
contributes to awareness raising and the availability of rapid, objective and comprehensive information on network and information security issues for all users (e.g. by promoting exchanges of best practice, including methods of alerting users, and by seeking synergy between the public and private sectors);
assists the Commission and EU countries in their dialogue with industry to address security-related problems in hardware and software products;
tracks the development of standards for security products and services and promotes risk assessment and management activities;
contributes to EU level efforts to cooperate with non-EU countries and international organisations to promote a global approach to security issues;
gives its own conclusions, guidelines and advice.

Organisation

ENISA comprises:

a management board composed of representatives of EU countries and of the Commission, as well as business representatives, academics and consumers with no voting entitlement;
an executive director appointed by the management board on the basis of a list of candidates proposed by the Commission;
a permanent stakeholders' group established by the executive director. The group is composed of representatives of information and communication technology businesses, consumers and academic experts. It gives ENISA access to the most recent information available so that it can respond to network security challenges.

Requests to ENISA

Requests for advice and assistance from ENISA are to be addressed to the executive director, accompanied by explanatory background information. The European Parliament, the Commission or any competent body appointed by an EU country (such as a national regulatory authority) may make requests to ENISA.

Independence

For ENISA’s advice and opinions to be accepted by individuals, public administrations and businesses, its independence must be guaranteed and recognised. Accordingly, the members of the management board, the executive director and the external experts participating in ad hoc working groups must declare the absence of any interest that might place their independence in question.

Transparency

ENISA must ensure that the public and any interested parties are given objective, reliable and easily accessible information, in particular with regard to the results of its work. Access to ENISA’s documents is in line with the general conditions of Regulation (EC) No 1049/2001.

Seat and duration

ENISA is based in Heraklion, Greece. It will operate from 14 March 2004 for a period of 9 years and 6 months.

Key terms used in the act

“Network” refers to transmission systems and, where applicable, switching or routing equipment and other resources that permit the conveyance of signals by wire, radio, optical or other electromagnetic means, including satellite networks, fixed and mobile terrestrial networks, networks used for radio and television broadcasting, and cable TV networks.
“Information system” is understood to mean computers and electronic communication networks, as well as electronic data stored, processed, retrieved or transmitted by them for the purposes of their operation, use, protection and maintenance.
"Network and information security" is defined as the ability of a network or an information system to resist accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted data and the related services that may be offered by these networks and systems.

References

Act	Entry into force	Deadline for transposition in the Member States	Official Journal
Regulation (EC) No 460/2004	14.3.2004	-	OJ L 77 of 13.3.2004

Amending act(s)	Entry into force	Deadline for transposition in the Member States	Official Journal
Regulation (EC) No 1007/2008	1.11.2008	-	OJ L 293 of 31.10.2008
Regulation (EC) No 580/2011	25.6.2011	-	OJ L 165 of 24.6.2011

RELATED ACTS

Communication from the Commission to the European Parliament and the Council of 1 June 2007 on the evaluation of the European Network and Information Security Agency (ENISA) [COM(2007) 285 final – Not published in the Official Journal]. ENISA is undergoing an evaluation by an external group of experts who, with ENISA’s management board, will present recommendations on extending its term of running, functions, resources and location. To complement this, the Commission has also decided to launch a public consultation and an impact assessment.

Communication from the Commission to the Council, the European Parliament, the European Economic and Social Committee and the Committee of the Regions of 31 May 2006: A strategy for a Secure Information Society – “Dialogue, partnership and empowerment” [COM(2006) 251 final – Not published in the Official Journal]. The Commission aims to give new momentum to the European political approach to network and information security. Current challenges should be identified and measures and initiatives to meet them proposed. The Commission’s proposed approach is based on a multipartite schema that brings together all interested parties. This approach is based on dialogue, partnership and empowerment.

See also