EUR-Lex Access to European Union law

Back to EUR-Lex homepage

This document is an excerpt from the EUR-Lex website

Document 52021BP1606

Resolution (EU) 2021/1606 of the European Parliament of 29 April 2021 with observations forming an integral part of the decision on discharge in respect of the implementation of the budget of ENISA (European Union Agency for Cybersecurity) (before 27 June 2019: European Union Agency for Network and Information Security (ENISA)) for the financial year 2019

OJ L 340, 24.9.2021, p. 304–306 (BG, ES, CS, DA, DE, ET, EL, EN, FR, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)

ELI: http://data.europa.eu/eli/res/2021/1606/oj

24.9.2021   

EN

Official Journal of the European Union

L 340/304


RESOLUTION (EU) 2021/1606 OF THE EUROPEAN PARLIAMENT

of 29 April 2021

with observations forming an integral part of the decision on discharge in respect of the implementation of the budget of ENISA (European Union Agency for Cybersecurity) (before 27 June 2019: European Union Agency for Network and Information Security (ENISA)) for the financial year 2019

THE EUROPEAN PARLIAMENT,

having regard to its decision on discharge in respect of the implementation of the budget ENISA (European Union Agency for Cybersecurity) for the financial year 2019,

having regard to Rule 100 of and Annex V to its Rules of Procedure,

having regard to the report of the Committee on Budgetary Control (A9-0085/2021),

A.

whereas, according to its statement of revenue and expenditure (1), the final budget of the ENISA (European Union Agency for Cybersecurity) (the ‘Agency’) for the financial year 2019 was EUR 16 932 952, representing an increase of 47,58 % compared to 2018; whereas that increase results mainly from an increase in expenditure on staff, ICT and core operational activities, related to the adoption of the Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (2); whereas the budget of the Agency derives mainly from the Union budget;

B.

whereas the Court of Auditors (the ‘Court’), in its report on the Agency’s annual accounts for the financial year 2019 (the ‘Court's report’), states that it has obtained reasonable assurance that the Agency’s annual accounts are reliable and that the underlying transactions are legal and regular;

Budget and financial management

1.

Notes that the budget monitoring efforts during the financial year 2019 resulted in a budget implementation rate of 96,80 %, representing a decrease of 3,18 % compared to 2018; notes furthermore that the payment appropriations execution rate was 70,12 %, representing a decrease of 18,44 % compared to 2018;

Performance

2.

Notes that the Agency uses certain key performance indicators (KPIs) to measure the added value provided by its activities and to enhance its budget management, notes that the Agency implemented quantitative and qualitative KPIs to measure the impact of activities more efficiently, and that it has also been implemented a specific set of KPIs to monitor stakeholders’ expectations; welcomes the addition of specific KPIs related to the new mandate given by the Cybersecurity Act;

3.

Welcomes the fact that the Agency has signed a service level agreement with the European Centre for the Development of Vocational Training, in order to obtain more efficiency through services sharing, knowledge sharing and exchange of best practices, especially in the fields of IT tools, human resources management, procurement and business continuity;

Staff policy

4.

Notes with concern that, on 31 December 2019, the establishment plan was 79,66 % implemented, with 47 temporary agents appointed out of 59 temporary agents authorised under the Union budget (compared to 48 authorised posts in 2018); notes that, in addition, 26 contract agents and two seconded national experts worked for the Agency in 2019; notes the increased establishment plan is due to the new Agency’s mandate that conferred greater competencies and resources following the adoption of the Cybersecurity Act;

5.

Is very concerned by the lack of gender balance reported for 2019 for senior managers and the management board; invites the Agency to increase its efforts to achieve a better gender balance at all levels; asks the Commission and the Member States to take into account the importance of ensuring gender balance when nominating their members to the Agency’s management board;

6.

Notes that the Agency has some difficulties in recruiting, attracting and retaining suitably qualified staff, mainly due to the low correction coefficients applied to the staff’s salaries in Greece and the deficit of professionals in the IT security market in the Union; welcomes the Agency’s social measures implemented to increase attractiveness and notes that the Agency’s new establishment plan allows to propose higher contract positions;

7.

Notes that the review of the handover procedures to new staff members is ongoing; notes also that the handover procedures are considered to be included in the sensitive posts policy; calls on the Agency to report on the future development and on the adoption of the sensitive posts policy;

8.

Notes from the Court’s report that the Agency used temporary or interim workers to perform tasks within the Agency, those workers represent the 29 % of the total work force, an increase from the previous year, and according to the Court, that number indicates the increased dependency on interim workers; notes that in 2019 the Agency paid approximately EUR 923 000 for those services, representing 5,60 % of the Agency’s budget; notes, moreover, that the Court refrained from making observations regarding the application of the Directive 2008/104/EC (3) on temporary agency workto Union agencies, as there is a case pending before the Court of Justice;

Procurement

9.

Notes with concern from the Court’s report the observed weakness in the procurement procedures, where, in three out of four cases audited, an overlap was observed between selection criteria and award criteria, and a lack of separation constituting a procedural flaw, exposing the Agency to the risk of tendering procedures being annulled; further notes that the Agency did not comply with Financial Regulation deadlines for the publication of the award notice in the Official Journal;

10.

Notes from the Court’s report that in two out of four framework services contracts audited, the tender specifications did not provide precise information on the method for comparing the financial offers based on case-scenarios, not ensuring the most economical implementation; notes from the Court’s report that the Agency has set an incorrect threshold sum for three contracts given the scope and the value of the contracts and that it did not carried out any assessment on the risks related to the actual implementation and financial dependency to the Agency tied to a fixed sum offered for the contract; notes the Agency’s reply to the Court’s findings and the measures taken by the Agency to prevent a recurrence of these failures;

Prevention and management of conflicts of interest and transparency

11.

Notes the Agency’s existing measures and ongoing efforts to secure transparency, prevention and management of conflicts of interest and notes that the CVs of the members of the management board and their declaration of conflicts are being published on its website; notes that the Agency does not publish the declarations of conflicts of interest and CVs of senior management on its website, with the exception of those of the executive director; calls the Agency to publish the declarations of conflicts of interest and the CVs of its senior management and to report to the discharge authority on the measures taken in that regard;

Internal controls

12.

Notes that the Agency has planned to adopt a new sensitive posts policy in 2020;

13.

Notes regarding the audit of the Commission’s internal audit service (IAS) on ‘Stakeholders’ involvement in the production of deliverables in ENISA’ that one important recommendation is still pending as relevant procedures needed to be revised and approved internally;

14.

The internal audit service released a report on human resources management and ethics in 2019, four important and three very important recommendations were issued; notes that an action plan to address the recommendations has been agreed with the IAS and calls the Agency to report on their implementation status;

Other comments

15.

Notes with concern that the Agency has not yet developed a formal and comprehensive environmental management policy to ensure an environmentally friendly working place; calls on the Agency to act upon this;

16.

Notes the Agency has produced 55 reports and has been active in raising awareness regarding cybersecurity issues;

17.

Calls upon the Agency to focus on disseminating the results of its research to the general public;

18.

Refers, for other observations of a cross-cutting nature accompanying its decision on discharge, to its resolution of 29 April 2021 (4) on the performance, financial management and control of the agencies.

(1)  OJ C 120, 29.03.2019, p. 67.

(2)  Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013, OJ L 151, 7.6.2019, p. 15.

(3)  Directive 2008/104/EC of the European Parliament and of the Council of 19 November 2008 on temporary agency work, OJ L 327, 5.12.2008, p. 9.

(4)  Texts adopted, P9_TA(2021)0215.


Top