
ENISA bids to lead EU cybersecurity programme

Matteo Natalucci Published 02 August 2017

Agency report outlines proposal to establish a centralised EU operation promoting stronger, concerted EU action to counter cybersecurity threats

The European Union Agency for Network and Information Security (ENISA) wants to become the EU’s centre of expertise for cyber security.

The agency currently helps the EU and its member states be better equipped and prepared to prevent, detect and respond to information security breaches. Now, as the EU attempts to beef up its cyber security response to attacks, ENISA wants to be the Union’s go-to cyber player.

ENISA has asked the European Commission to expand its mandate in enhancing European cybersecurity, including provisions to increase the level of cooperation between civil and military cyber authorities to counter transnational cybersecurity breaches.

"There is ... a place for a European body such as ENISA to be positioned with a cyber-security mandate that is resourced to address the cyber challenges of today and tomorrow and that facilitates and complements the activities of Member States towards harmonisation," the ENISA report said.

ENISA wants to take a more relevant role in promoting stronger EU action to counter cyber attacks and in supporting member states in the resolution of new societal issues such as insecure voting systems and fake news.

ENISA's executive director Udo Helmbrecht said, "We see specialised institutions and bodies investing in activities related to cyber security ... However, given the limited resources and budgets a co-ordinated approach is required to make sure we do not fail in our mission. Now it is a good moment to ask ourselves some questions, and based on the replies to see how we can improve the context and go to the next stage/level of preparedness and readiness to address the emerging challenges".

ENISA's pitch for ‘top dog’ status in the report says, "Cyber coordination at EU level needs to be enhanced. There is a need to revise the current EU governance on cyber security, especially due to existing fragmentation of governance structure. There should be one entity that takes the lead on coordinating cyber security issues at a European level."

The agency recommends the establishment of a cyber security standards coordination body to ensure a coherent approach to the development of European cybersecurity standards, and of a ‘fast track’ process for standardising technology areas that are evolving rapidly. It also supports the development of a pan-EU certification framework for cyber security products, services and skills, which would include different certification schemes appropriate to the level of application (from lightweight certification for IoT devices to complex certification for high security applications).

The agency also supports the creation of an NIS Info hub for exchanging high-level information on cybersecurity across different communities and fostering situational awareness based on information shared voluntarily by member states. Because of its strategic role in the CSIRT Network, ENISA is the favourite candidate to deliver this activity.

ENISA proposes, "that at an EU level, an examination is carried out to address the increasing importance of the security of software, software liability, responsible disclosure of identified risks and their mitigation, the possible mandatory obligation to disclose security vulnerabilities in software and the management of personal data be carried out as soon as possible. This approach should address the unilateral power of the software manufacturers to impose their terms and conditions on the end user/consumer of the products."

"ENISA recommends that lock in / dependency between various online applications (where to access the services of a provider login details and cross references to other applications are mandatory) should be avoided", the report added.

Helmbrecht has repeatedly supported the establishment of a legally binding certification system that covers all member states.

However, EU vice-president Andrus Ansip has not yet announced whether the new EU cybersecurity strategy will include a piece of legally binding legislation, or the introduction of a fully centralised integrated pan-EU system.

Member states remain touchy about beefing up the EU agency, perceiving cybersecurity to be more of a national defence priority, and not a European Union-wide activity.

There are several other EU offices that also work on cybersecurity, including the EU aviation agency EASA, the Commission’s cybersecurity response team CERT-EU and a policy unit within the Commission. These are all likely to bid for a key cyber role. 
