Choose the experimental features you want to try

This document is an excerpt from the EUR-Lex website

Document 52023BP1905

Resolution (EU) 2023/1905 of the European Parliament of 10 May 2023 with observations forming an integral part of the decision on discharge in respect of the implementation of the budget of ENISA (European Union Agency for Cybersecurity) for the financial year 2021

OJ L 242, 29.9.2023, p. 360–364 (BG, ES, CS, DA, DE, ET, EL, EN, FR, GA, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)

ELI: http://data.europa.eu/eli/res/2023/1905/oj

29.9.2023   

EN

Official Journal of the European Union

L 242/360


RESOLUTION (EU) 2023/1905 OF THE EUROPEAN PARLIAMENT

of 10 May 2023

with observations forming an integral part of the decision on discharge in respect of the implementation of the budget of ENISA (European Union Agency for Cybersecurity) for the financial year 2021

THE EUROPEAN PARLIAMENT,

having regard to its decision on discharge in respect of the implementation of the budget of ENISA (European Union Agency for Cybersecurity) for the financial year 2021,

having regard to Rule 100 of and Annex V to its Rules of Procedure,

having regard to the report of the Committee on Budgetary Control (A9-0115/2023),

A.

whereas, according to its statement of revenue and expenditure (1), the final budget of ENISA (the ‘Agency’) for the financial year 2021 was EUR 23 473 060, including a contribution of EUR 640 000 from the Hellenic authorities for the rent of the office building, representing an increase of 8,26 % compared to 2020; whereas the budget of the Agency derives mainly from the Union budget;

B.

whereas the Court of Auditors (the ‘Court’), in its report on the Agency’s annual accounts for the financial year 2021 (the ‘Court’s report’), states that the Court has obtained reasonable assurance that the Agency’s annual accounts are reliable and that the underlying transactions are legal and regular;

Budget and financial management

1.

Notes that the budget monitoring efforts during the financial year 2021 resulted in a budget implementation of current year commitment appropriations rate of 99,51 %, representing an increase of 2,16 % compared to 2020; notes, furthermore, that the current year payment appropriations execution rate was 77,40 % (short of the Agency’s planned target of 85 %), representing an increase of 8,77 % compared to 2020;

Performance

2.

Notes that the Agency uses key performance indicators (KPIs) to assess its activities and the results achieved in respect of the objectives of the work programme, such as added value to Union institutions, bodies, offices and agencies and Member States in providing support for policymaking and policy implementation and the ability to contribute to Union’s cyber resilience through the provision of timely and effective information and knowledge; appreciates the fact that the KPIswere fulfilled and that the Agency has drawn attention to measures that can improve the efficiency and effectiveness of its work; however, recommends that the Agency takes note of the KPIs that have not yet been achieved or that are lagging behind;

3.

Notes that the Agency was examining the possibility to contribute, by means of shared services, in the implementation of the upcoming Cybersecurity Regulation for Union institutions, bodies and agencies, in collaboration with Computer Emergency Response Team for the Union and the EU Agencies network; calls on the Agency to report any developments in that regard to the discharge authority;

Staff policy

4.

Notes that, on 31 December 2021, the establishment plan was 90,79 % implemented, with 69 temporary agents appointed out of 76 temporary agents authorised under the Union budget (compared to 69 authorised posts in 2020); notes that, in addition, 27 contract agents and 10 seconded national experts worked for the Agency in 2021;

5.

Reiterates its concern about the lack of gender balance within the Agency’s senior management, namely five men (71 %) and two women (29 %); notes with concern the lack of gender balance on the Agency’s management board, with 24 out of 28 (86 %) being men; further, notes the gender balance within the Agency’s overall staff, with 57 out of 106 (54 %) being men; calls on the Agency and the Member States to observe gender balance when nominating and appointing members of the senior management or of the management board; asks the Agency to report back to the discharge authority about the concrete measures to improve gender balance;

6.

Notes that the Agency has a policy on protecting the dignity of the person and preventing harassment, including a dedicated intranet page, specific annual training, confidential counsellors, and that the Agency has put in place a memorandum of understanding to share confidential counsellors with the European Centre for the Development of Vocational training (Cedefop);

7.

Notes that the Agency relied heavily on delivering its services through interim agents, who supported the day-to-day administrative burden, considering that increased support was also needed following the reorganisation and preparation of the new building, putting additional strain on the financial and procurement team; notes with appreciation, moreover, that the Agency’s revised recruitment policy has led to a reduction of interim staff; notes, furthermore, from the Court’s report, that the increase in staff numbers in 2021 is due to the Agency’s success in filling in several long-term vacancies; understands that the cybersecurity and the information communication technology sectors are highly competitive with regard to finding skilled and committed workforce;

8.

Recalls the importance of developing a long-term human resources policy on work-life balance, lifelong guidance and the offering of specific training possibilities for career development, gender balance at all staff levels, teleworking, the right to disconnect, the enhancement of geographical balance to have an appropriate representation from all Member States, and the recruitment and integration of people with disabilities as well as ensuring that they are treated equally and that their opportunities are widely promoted; reminds the Agency to further develop staff policy and working culture in order to more efficiently answer to the feedback received in staff surveys;

Procurement

9.

Notes that, in 2021, the Agency concluded a total of 58 public procurement procedures, including two jointly with Cedefop;

10.

Notes with concern, from the Court’s report, that the Agency systematically awards low-value contracts without the relevant award decision approved and signed by the authorising officer, which is not in line with points 30.3 to 30.4 of Annex I to Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council (2); notes the Agency’s reply that it has already taken the necessary steps to address this concern; calls on the Agency to report any developments in that regard to the discharge authority;

11.

Notes from the Court’s report that in order to decide whether to outsource a particular service or to provide it in-house, the Agency has developed and uses a cost-benefit analysis methodology, and that that methodology has design deficiencies which can affect the objectivity of the decision-making process and exposes the Agency to financial risks; takes note of the Agency’s reply that it has already taken the necessary steps to address this concern; calls on the Agency to report any developments in that regard to the discharge authority;

12.

Notes, from the Court’s report, that the Agency in two procurement procedures used, as an award criterion, the technical capacity of the company, which clearly relates to the evaluation of the tenderer, not the tender, and that such overlap between selection and award criteria undermines the legal certainty and exposes the Agency to reputational and legal risks; takes note of the Agency’s reply that it has already taken the necessary steps to address this concern; calls on the Agency to report any developments in that regard to the discharge authority;

13.

Recalls the importance for all procurement procedures to ensure fair competition between tenderers and to procure goods and services at the best price, respecting the principles of transparency, proportionality, equal treatment and non-discrimination; asks for the implementation of the e-procurement information technology (IT) tools developed by the Commission; calls for an updated clarification of the procedures and templates in the procurement guidelines; notes with concern the Court’s observation regarding the public procurement weaknesses which are increasing and remain the largest source of irregular payments for most of agencies;

Prevention and management of conflicts of interest, and transparency

14.

Notes the Agency’s existing measures and ongoing efforts to secure transparency, prevention and management of conflicts of interest, and notes that the CVs of the members of the management board, and their declaration of commitment and declarations of interests are being published on its website;

15.

Notes from the Court’s report that between 2019 and 2021 the Agency assessed three cases of a potential conflicts of interest in relation to a senior member of staff taking up a new job elsewhere, and that in one case reviewed by the Court the Agency did not consult the joint committee, in contravention of Article 16 of the Staff Regulations; notes from the Agency’s reply that the Agency will formally constitute a joint committee to comply with the applicable legal framework; calls on the Agency to report any developments in that regard to the discharge authority;

16.

Insists on the need to put in place more systematic rules on transparency, incompatibilities, conflicts of interest, illegal lobbying and revolving doors; calls on the Agency to strengthen its internal control mechanisms, including the setting up of an internal anticorruption mechanism;

Internal control

17.

Notes that the internal audit service’s (IAS) audit report on human resources management and ethics issued three very important and four important recommendations in 2019; notes that, although four recommendations were closed by the IAS, three important recommendations remained open at the end of 2021 and were not fully implemented within the set time frame; calls on the Agency to report any developments in that regard to the discharge authority;

18.

Notes that the IAS conducted an audit on strategic planning programming and performance management in 2021 and issued its final audit report in April 2022, with three important recommendations; calls on the Agency to report any developments in that regard to the discharge authority;

19.

Notes that the Agency adopted a sensitive functions policy in 2021, entering into force in May 2022;

20.

Notes that the internal controls assessment in 2021 shows that internal controls provide reasonable assurance that policies, processes, tasks and behaviours of the agency, taken together, facilitate its effective and efficient operation, help to ensure the quality of internal and external reporting, and help to ensure compliance with its regulations, and that however, some improvements are needed in certain principles, including the refinement of the Agency’s internal control framework indicators, the establishment of an enterprise risk management framework, the revision of the IT governance and underlying policy and procedural framework, the revision of the Agency’s recruitment policy, as well the update of the Agency’s business continuity plan; calls on the Agency to report any developments in that regard to the discharge authority;

21.

Notes that the Agency’s policy conflicts of interest and its anti-fraud strategy were updated and adopted in 2021;

22.

Recalls the importance of strengthening the management and control systems to ensure the proper functioning of the Agency; strongly insists on the requirement of an effective management and control systems to avoid potential cases of conflicts of interest, missing ex ante/ex post controls, inadequate management of budgetary and legal commitments, and failures to report issues in the register of exceptions;

Digitalisation and the green transition

23.

Notes the tasks assigned to the Agency in relation to the Cybersecurity Act, aiming to promote a high common level of cybersecurity across the Union, including actively supporting Member States, and the Union institutions, bodies, offices and agencies, in improving cybersecurity; notes, moreover, the support of the Agency to the development of new policy files such as network and information security, digital operational resilience, electronic identification, authentication and trust services, European electronic communications code, 5G, digital wallets, artificial intelligence and the Network CODE on cyber security; welcomes the fact that the Agency would be in charge of evaluating whether a product presents a significant cybersecurity risk under the proposed Cyber Resilience Act; underlines the need of ensuring adequate staffing reflecting the Agency’s increased tasks;

24.

Notes that the Agency has a cybersecurity policy in place, and that, in particular, it applies the ‘defence in depth’ approach; notes, moreover, that in 2021 the Agency started the revision of its IT policy and procedural framework, including its information security policy; notes, furthermore, that data protection training and cybersecurity awareness courses are provided annually to all members of staff;

25.

Recalls the importance of increasing the digitalisation of the Agency in terms of internal operation and management but also in order to speed up the digitalisation of procedures; stresses the need for the Agency to continue to be proactive in this regard in order to avoid a digital gap between the agencies; draws attention, however, to the need to take all the necessary security measures to avoid any risk to the online security of the information processed;

26.

Notes that the Agency is developing an environmental management system which is intended to lead to the certification of the EU Eco-Management and Audit Scheme; notes, furthermore, that the Greek authorities concluded a lease agreement on behalf of the Agency for its headquarters building in Athens, fully operational from 1 July 2021, and that this will enable the Agency to set a wider set of green measures to be implemented;

Business continuity during the COVID-19 crisis

27.

Notes that since the start of the COVID-19 pandemic and during 2021, the Agency introduced and maintained permanent teleworking options while maintaining and enhancing employee motivation, efficiency and development; notes with appreciation, in particular, that during the pandemic, daily updates were sent to all staff members via a designated functional mailbox, detailing the number of cases and the most recent developments in the world, in order to update members of staff with regard to developments; encourages the Agency to put the lessons learned regarding remote and hybrid working methods into practice, in order to better organise what meetings and tasks could be carried out more efficiently remotely than in-person in the future;

Other comments

28.

Notes that the Agency adopted its international strategy in November 2021, and that this has allowed the Agency to engage with a selective number of third countries and international organisations, in particular in working towards cooperation arrangements with Ukraine, the United States of America and the North Atlantic Treaty Organization;

29.

Calls on the Agency to continue to develop its synergies (for instance human resources, building management, IT services and security), and to reinforce its cooperation, its exchange of good practices and its discussions regarding areas of mutual interest with other Union agencies with a view to improving efficiency;

30.

Refers, for other observations of a cross-cutting nature accompanying its decision on discharge, to its resolution of 10 May 2023 (3) on the performance, financial management and control of the agencies.

(1)   OJ C 141, 29.3.2022, p. 84.

(2)  Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council of 18 July 2018 on the financial rules applicable to the general budget of the Union, amending Regulations (EU) No 1296/2013, (EU) No 1301/2013, (EU) No 1303/2013, (EU) No 1304/2013, (EU) No 1309/2013, (EU) No 1316/2013, (EU) No 223/2014, (EU) No 283/2014, and Decision No 541/2014/EU and repealing Regulation (EU, Euratom) No 966/2012 (OJ L 193, 30.7.2018, p. 1).

(3)  Texts adopted, P9 TA(2023)0190.


Top