Since its creation in 2004, ENISA has been a reference for cybersecurity expertise in Europe, helping the European Institutions, the Member States and the business community to address, respond to and, most crucially, prevent network and information security problems.
The 2013 ENISA Regulation requires the Commission to conduct an evaluation of the agency by June 2018 and to assess the possible need to modify its mandate, which will come to an end in 2020. In view of the rapid evolution of the EU cybersecurity and digital privacy landscape, both on the threat and policy side, the Commission has brought forward the ENISA evaluation and will review the ENISA Regulation as part of its 2017 Work Programme.
Today's consultation kicks off the review of ENISA. It will start with an assessment of the Agency's past contribution to the security of network and information systems in the EU and then will look at the needs and the gaps still perceived by the cybersecurity community and to which the EU should provide an adequate response.
Andrus Ansip, Vice-President for the Digital Single Market, said: "Network security is essential for the functioning of the Digital Single Market in Europe. Last year's achievements in cybersecurity are all important steps forward, but there is more work to do. The ENISA review will help us address better the main security concerns of the digital community in a time when global cyber-attacks are increasing in volume, and becoming more sophisticated. Cooperation is key for successful responses to these new security challenges. As part of the wider review of the Digital Single Market strategy, we are now looking at further actions to strengthen cybersecurity in the EU."
ENISA has helped to advance network and information security in the EU, by supporting the development and implementation of the EU's policy and law on cybersecurity and delivering advice and solutions to public and private actors. For example, ENISA coordinates pan-European cybersecurity exercises – with Cyber Europe 2016 being the largest EU exercise to date – supports the development of National Cyber Security Strategies and fosters cooperation within the Computer Security Incident Response Teams (CSIRTs) community and provides guidelines, recommendations and training on key cybersecurity issues
ENISA's mandate was last revised in 2013, at the time when the first EU Cybersecurity Strategy set the ground for a comprehensive response to increasing threats posed to network and information systems. Since then, the EU has made major progresses, in particular with the recent adoption of the first EU-wide cyber security legislation (the NIS Directive) and the launch of a € 1.8 billion EU cybersecurity public-private partnership.
In spite of these positive results, cybersecurity capabilities are still uneven across Member States and the EU as a whole remains highly vulnerable to both small and large-scale cyber threats, which are increasingly cross-border and cross-sector. Disruption to the network and information systems on which sectors like health, transport, energy, finance rely on could prevent access to essential services like electricity, healthcare or water and result in hundreds of billions of euros in economic losses each year.
The number of security incidents across all industries worldwide rose by 38% in 2015, compared to 2014. Individuals, industry and even governments are all potential victims of cyber-attacks. In the last two months of 2016 big companies such as Dyn, ThyssenKrupp and Deutsche Telecom have experienced attacks.
The evaluation and review of ENISA offer the opportunity to help shape one element of the next stage of EU response to cyber threats.
The public consultation will feed into both the evaluation of ENISA over the period 2013-2016 and a possible revision of the current mandate. In particular, the Commission seeks views on how ENISA has achieved its objectives, mandate and tasks against criteria of effectiveness, efficiency, relevance, coherence and European added value. Also, with a view of defining future policy options, the Commission is asking for input on the current and future challenges and on how to best address them, including possible roles for an EU body such as ENISA.