Select Committee on European Scrutiny Twenty-Eighth Report


2 European Network and Information Security Agency

(28677)

10340/07

COM(07) 285

Commission Communication: Evaluation of the European Network and Information Security Agency

Legal base:
Document originated: 1 June 2007
Deposited in Parliament: 6 June 2007
Department: Trade and Industry
Basis of consideration: EM of 25 June 2007
Previous Committee Report: None; but see (27525) 9707/06: HC 34-xxxi (2005-06), para 26 (14 June 2006) and (27570) 10248/06: HC 34-xxxv (2005-06), para 8 (12 July 2006)
To be discussed in Council: To be determined
Committee's assessment: Politically important
Committee's decision: Not cleared; further information requested

Background

2.1 In its introduction, the Commission notes that communications networks and information systems have become an essential factor in economic and social development, and that the security and resilience of communication networks and information systems is of increasing concern to society. It recalls the importance attached to network and information security in the Commission i2010 strategy "A European Information Society for growth and employment"[4] for the creation of a single European information space and, more recently, its review of the current state of threats to the Information Society in its Communication "A strategy for a Secure Information Society — Dialogue, partnership and empowerment", which "presented an updated policy strategy, highlighting the positive impact of technological diversity on security and the importance of openness and interoperability".[5]

2.2 With these concerns in mind, the European Network and Information Security Agency (ENISA) was established in 2004, for a period of five years. Its main goal is "ensuring a high and effective level of network and information security within the Community, (...) in order to develop a culture of network and information security for the benefit of the citizens, consumers, enterprises and public sector organisations of the European Union, thus contributing to the smooth functioning of the internal market".[6] Its organisation consists of a management board (Member State, Commission and stakeholder representatives), an executive director and a permanent stakeholders' group, to liaise with and offer advice about the Agency work programme.

2.3 The Commission notes that the legal basis for the ENISA Regulation is Article 95 EC, which legal basis "was confirmed by the European Court of Justice (ECJ) following an action brought by the United Kingdom, in which the ECJ confirmed that the Regulation was rightly based on Article 95".[7]

2.4 The Commission also recalls that, following an initial period in Brussels during the start-up phase, on 1 September 2005, the Agency moved to Heraklion, this having "been decided by the Greek Government further to the Decision taken at the European Council meeting on 12-13 December 2003 to locate the Agency in Greece".

2.5 The tasks conferred on the Agency are:

—  analysing current and emerging risks to the resilience of electronic communications networks and on the authenticity, integrity and confidentiality of those communications;

—  developing "common methodologies" to prevent security issues;

—  contributing to raising awareness;

—  promoting exchanges of "current best practices" and "methods of alert" and risk assessment and management activities;

—  enhancing cooperation between those involved in the area of network and information security;

—  assisting the Commission and the Member States in their dialogue with industry to address security-related problems in hardware and software products;

—  contributing to Community efforts to cooperate with third States and, where appropriate, with international organisations to promote a common global approach to network and information security:

"thereby contributing to the development of a culture of network and information security".[8]

2.6 More recently, the Commission recalls the Resolution of the December 2006 Telecoms Council on a Strategy for a Secure Information Society in Europe, which reiterated the importance of these tasks by calling upon ENISA:

    "to continue working in close cooperation with the Member States, the Commission and other relevant stakeholders, in order to fulfil those tasks and objectives that are defined in the Regulation of the Agency and to assist the Commission and the Member States in their efforts to meet the requirements of network and information security, thus contributing to the implementation and further development of the new Strategy for a Secure Information Society in Europe as set out in this Resolution".[9]

Commission Communication

2.7 Article 25 of the ENISA Regulation requires evaluation of the Agency by the Commission before March 2007. To this end, the Commission "shall undertake the evaluation, notably to determine whether the duration of the Agency should be extended beyond the period specified in Article 27" (that is, five years). Furthermore, "the evaluation shall assess the impact of the Agency on achieving its objectives and tasks, as well as its working practices and envisage, if necessary, the appropriate proposals."

2.8 This Communication presents the findings of an evaluation of the Agency by an external panel of experts and the recommendations of the ENISA Management Board regarding the ENISA Regulation. It also makes an appraisal of the evaluation report and launches a public consultation.[10] The Commission says that "evaluation of ENISA is part of the practice of the Commission to systematically evaluate in a cycle of ex ante, intermediate and ex post, all Community activities".

OBJECTIVES AND SCOPE

2.9 The principal objective was "to assess the impact of the Agency on achieving its objectives and tasks, as well as its working practices". It assessed "the potential to impact at national and international levels, together with lessons learnt useful for the work programme development and the possible re-orientation of the Agency scope". The evaluation also "analysed the capacity built by the Agency and the networks built with stakeholders". It focussed on

—  Relevance and utility: the consistency of the Agency's scope, objectives and tasks with the needs of stakeholders;

—  Efficiency and effectiveness and impact: use of budget and human resources, distribution of results; use of external expert knowledge pools, and networking; the added value of the ENISA activities; and

—  Lessons for the future: input and ideas among key stakeholders on what should be the future priority initiatives and tasks; how to optimise synergies with other EU level institutions and activities; how to enhance synergies with stakeholders in Member States and industry.

FINDINGS AND RECOMMENDATIONS

2.10 The evaluation report[11] confirms the validity of the original rationale and goals. All activities are found to be in line with its work programme. However, those activities appear insufficient to achieve the high level of impacts and value added hoped for, and visibility is below expectations. Problems affecting the ability of the Agency to perform at its best concern its organisational structure, the skills mix and the size of its operational staff, the remote location, and the lack of focus on impacts rather than on deliverables. "Many of these problems have roots in the ambiguities or the choices of the original Regulation, and the chances for a successful future for ENISA depend on a renewed political agreement among the Member States, built on the lessons learned and the achievement of the first phase of the Agency".

2.11 ENISA's potential contribution to the functioning of the internal market is appreciated by stakeholders and expected to grow, especially regarding the duplication of activities in the network and information security (NIS) field between the Member States (MS) and the Commission and the harmonisation of policy and regulations. Most stakeholders feel that closing the Agency when the mandate expires in 2009 would represent a significant missed opportunity for Europe, and have negative consequences for NIS and the smooth functioning of the internal market. On the other hand, they also believe that change is needed in the Agency's strategic direction and structure.

2.12 The overall picture is set out most vividly in the SWOT Analysis reproduced below:

STRENGTHS

  • MS and Commission mandate

  • Good start in building relationships

  • Staff competence

WEAKNESSES

  • Lack of vision, focus and flexibility

  • Uneasy relationship between Management Board and Agency

  • Location problem for recruitment and networking

OPPORTUNITIES

  • Increasing importance of security in the EU

  • Unique position to respond to security coordination needs

  • Global alliances look for EU counterpart

  • Launching new projects with high relevance in the security field

  • Becoming a reference point for all the MS

THREATS

  • If effectiveness is not improved, rapid weakening and loss of reputation

  • High turnover is weakening the staff

  • Contradictory expectations from MS and between MS and stakeholders

  • Misperception of role and goals by external stakeholders

2.13 The Commission summarises the evaluation panel recommendations on the future of ENISA after 2009 as follows:

—  the mandate of the Agency should be extended after 2009, maintaining its original main objectives and policy rationale, but taking into account the current experience;

—  the Regulation should be revised, to reflect ENISA's original strategic role and to clear ambiguities about its profile. The Regulation should not define in detail the operational tasks of the Agency to allow for flexibility in adapting to the evolution of the security environment;

—  the Agency's size and resources should be increased (up to 100 persons approximately) in order to reach the necessary critical mass;

—  the role of the Management Board should be revised in order to improve governance;

—  the appointment of a high-profile figure, well recognised in the NIS environment, who could act as an ambassador, to help increase ENISA's visibility; and

—  "recommendations regarding the location of the Agency in Heraklion".

2.14 The Panel discusses the location question in depth. It says the negative consequences of the location on networking activities should be examined closely. In the short term, it would like to see improved flight connections and greater support from local authorities to counter the negative consequences on recruitment and retention. But "these decisions should be taken without preventing in any way the possibility to make a more radical choice about the location after 2009". Here, it recommends that:

—  the feasibility be seriously considered of moving the Agency from Heraklion to Athens or "another EU city with an international environment and greater proximity to the security environment main knowledge centres";

—  as an alternative, opening a liaison office in Brussels or a city "with high relevance for the security environment" should be considered;

—  the concept of a "networked agency" with small headquarters and a few distributed offices "hosted by some of the main actors of security" be explored; and

—  examples of successful organizations with networking and think tank activities be examined to learn from their management practices, even if they are not EU agencies. An example cited is EIPA (European Institute for Public Administration), "which, in addition to its main headquarters has antennas in other cities, acting as competence centres".

2.15 The Commission says that it largely agrees with the overall findings. It notes that a number of important difficulties seem to be of a structural nature "stemming from ambiguity in the interpretation of its Regulation and the suboptimal level of human resources available to the Agency". It goes on to say that "the misalignment between the interpretation of the Regulation by the Agency staff and by the Management Board may ... hinge on the lack of a shared vision of ENISA among the Member States". Here, the evaluation report is very clear "and highlights the diverse needs of Member States concerning network and information security". The 2004 and 2007 enlargements are seen as having "exposed ENISA and its operation to higher expectations and demands than those that had been anticipated when the agency was established". The advent and convergence of more sophisticated and advanced communication and wireless technologies and the fast-evolving nature of threats have also contributed to transforming the environment in which ENISA operates. These developments need to be given due consideration when reflecting on the future of ENISA and deciding how the EU Member States and stakeholders should cooperate to cope with new challenges for network and information security.

2.16 The importance of enhancing ENISA's contacts and working relations with stakeholders and Member States' centres of expertise is "a key finding": in particular, "the lack of regular and effective networking activities with the existing European scientific, technical and industrial communities and sectors is considered as a main impediment for ENISA to position itself in this area and exercise its role as defined in its Regulation". The Commission recalls that "the seat has been established by decisions of the Heads of State and Government and of the Greek Government". But, for the external panel of experts, "the current location is, in this regard, not helping ENISA as it makes it more difficult to establish regular and continuous working contacts with scientific, technical and industrial communities and sectors as well as to attract and keep key domain experts who may have the profile and personality to establish these contacts. Similar arguments hold for what concerns the working relations and contacts with Member States laboratories and/or technical centres".

NEXT STEPS

2.17 The Commission says its public consultation and impact assessment, including a cost/benefit analysis, on the extension and the future of the Agency will "complete the inputs and comments needed to fully and transparently decide on a possible extension of ENISA". The Commission will then inform the Council and the European Parliament of the results and "further specify its overall evaluation findings, in particular its decision whether or not to introduce a proposal for the extension of the duration of the Agency".

2.18 The avenues to be explored will include whether to extend the mandate of the Agency or to replace the Agency by another mechanism, such as a permanent forum of stakeholders or a network of security organisations. Regarding extending the mandate, the consultation will focus on:

—  what decisions need to be taken on the optimal operational size in order to enhance its networking capability and take on more tasks;

—  how to make its remit more precise, so as to support the NIS components of the electronic communication regulatory framework, in the context of the current overall review;

—  clarifying how the Agency should work with National Regulatory Agencies, other MS centres of expertise and the private sector, to define requirements and responses to current and future electronic networks security and integrity challenges; and

—  ensuring focus on impacts rather than deliverables in order to achieve a maximum added value for the internal market.

2.19 The 7 detailed questions related to these topics are included in the Communication.

The Government's view

2.20 An unusually thin and uninformative Explanatory Memorandum from the then Minister of State for Industry and the Regions (Margaret Hodge) tells us nothing of the above. All she has to say is that the Government has supported the Agency and believes "it is vitally important that the EU continues to improve the way it manages the security of networks and the information that is transmitted through or is stored on them". She describes the UK as "one of several Member States that were cautious that the Agency should not impact on national sovereignty in relation to security", which caution "is reflected in the review clause that is unique to this Agency". She concludes thus:

    "The Government welcomes the wider public involvement in considering the continued need for and direction of the Agency. The Government will consider its position on the future of the Agency, in the light of the results of this exercise and the Commission proposals that will emerge in due course".

Conclusions

2.21 The story that unfolds in the Communication strongly suggests that this agency was created on an unsound basis, which was compounded by it then being sited in the wrong place for the wrong reasons. The then Minister's response thus far is disappointing and unsatisfactory: it is as if the UK had no interest in the question, but was content to let the Commission and others take the lead and then react, notwithstanding the present unsatisfactory state of affairs. What we need to know are the Government's views now, not when the consultation is over and the Commission has decided what to do.

2.22 We should like to know in particular what the Government's understanding is of the structural difficulties to which the Commission refers, and more about what is contained in the somewhat Delphic references to ambiguities in the interpretation of the Regulation, the "suboptimal level of human resources available to the Agency", "the misalignment between the interpretation of the Regulation by the Agency staff and by the Management Board" and "the lack of a shared vision of ENISA among the Member States".

2.23 We should also like to know the Government's views on the Report's recommendations, particularly on the location of the Agency and the suggestion that it might need another 100 staff.

2.24 In short, we should like to know what the Government thinks should be done about ENISA and the challenges posed for network information security in the EU.

2.25 Until then we shall retain the Communication under scrutiny.


4   http://europa.eu.int/information_society/eeurope/i2010/index_en.htm. See (27525) 9707/06: HC 34-xxxi (2005-06), para 26 (14 June 2006) for the Committee's consideration of this Communication.

5   (27570) 10248/06: see HC 34-xxxv (2005-06), para 8 (12 July 2006) for the Committee's consideration of this Communication.

6   Regulation (EC) No 460/2004 of the European Parliament and of the Council of 10 March 2004 establishing the European Network and Information Security Agency - OJ No. L 77, 13.3.04, p.1.

7   Judgment of 2 May 2006 in Case C-217/04.

8   As reiterated in the judgment of the ECJ, sections 56 and 57.

9   Document 15900/06 (Presse 343), 2772nd Council Meeting, Transport, Telecommunications and Energy, Brussels, 11-12 December 2006, p. 13.

10   The full report is at http://ec.europa.eu/dgs/information_society/evaluation/studies/s2006_enisa/docs/final_report.pdf.

11   The report is available at the following website: http://ec.europa.eu/dgs/information_society/evaluation/studies/index_en.htm



© Parliamentary copyright 2007
Prepared 13 July 2007