Select Committee on European Scrutiny Thirty-Fourth Report


9  EUROPEAN INFORMATION AND NETWORK SAFETY AGENCY

(28677)
10340/07
COM(07) 285
Commission Communication: Evaluation of the European Network and Information Security Agency


Legal base: —
Department: Business, Enterprise and Regulatory Reform
Basis of consideration: Minister's letter of 24 July 2007
Previous Committee Report: HC-41 xxviii (2006-07), para 2 (4 July 2007)
To be discussed in Council: To be determined
Committee's assessment: Politically important
Committee's decision: Cleared

Background

9.1 With communications networks and information systems an essential factor in economic and social development, and the security and resilience of communication networks and information systems of increasing concern to society, the European Network and Information Security Agency (ENISA) was established in 2004, for a period of five years. Its main goal is "ensuring a high and effective level of network and information security within the Community, (...) in order to develop a culture of network and information security for the benefit of the citizens, consumers, enterprises and public sector organisations of the European Union, thus contributing to the smooth functioning of the internal market."[52] Its organisation consists of a management board (Member State, Commission and stakeholder representatives), an executive director and a permanent stakeholders' group, to liaise with and offer advice about the Agency work programme.

9.2 The Commission recalls that, following an initial period in Brussels during the start-up phase, on 1 September 2005, the Agency moved to Heraklion, this having "been decided by the Greek Government further to the Decision taken at the European Council meeting on 12-13 December 2003 to locate the Agency in Greece".

9.3 The tasks conferred on the Agency are:

—  analysing current and emerging risks to the resilience of electronic communications networks and to the authenticity, integrity and confidentiality of those communications;

—  developing "common methodologies" to prevent security issues;

—  contributing to raising awareness;

—  promoting exchanges of "current best practices" and "methods of alert" and risk assessment and management activities;

—  enhancing cooperation between those involved in the area of network and information security;

—  assisting the Commission and the Member States in their dialogue with industry to address security-related problems in hardware and software products; and

—  contributing to Community efforts to cooperate with third States and, where appropriate, with international organisations to promote a common global approach to network and information security:

"thereby contributing to the development of a culture of network and information security".[53]

9.4 Article 25 of the ENISA Regulation requires evaluation of the Agency by the Commission before March 2007. To this end, the Commission "shall undertake the evaluation, notably to determine whether the duration of the Agency should be extended beyond the period specified in Article 27" (that is, five years). Furthermore, "the evaluation shall assess the impact of the Agency on achieving its objectives and tasks, as well as its working practices and envisage, if necessary, the appropriate proposals."

The Commission Communication

9.5 The Communication presents the findings of an evaluation of the Agency by an external panel of experts and the recommendations of the ENISA Management Board regarding the ENISA Regulation. It also makes an appraisal of the evaluation report and launches a public consultation.[54]

OBJECTIVES AND SCOPE

9.6 The principal objective was "to assess the impact of the Agency on achieving its objectives and tasks, as well as its working practices". It assessed "the potential to impact at national and international levels, together with lessons learnt useful for the work programme development and the possible re-orientation of the Agency scope". The evaluation also "analysed the capacity built by the Agency and the networks built with stakeholders". It focussed on:

—  Relevance and utility: the consistency of the Agency's scope, objectives and tasks with the needs of stakeholders;

—  Efficiency and effectiveness and impact: use of budget and human resources, distribution of results; use of external expert knowledge pools, and networking; the added value of the ENISA activities; and

—  Lessons for the future: input and ideas among key stakeholders on what should be the future priority initiatives and tasks; how to optimise synergies with other EU level institutions and activities; how to enhance synergies with stakeholders in Member States and industry.

FINDINGS AND RECOMMENDATIONS

9.7 The evaluation report[55] confirms the validity of the original rationale and goals. All activities are found to be in line with its work programme. However, those activities appear insufficient to achieve the high level of impacts and value added hoped for, and visibility is below expectations. Problems affecting the ability of the Agency to perform at its best concern its organisational structure, the skills mix and the size of its operational staff, the remote location, and the lack of focus on impacts rather than on deliverables. "Many of these problems have roots in the ambiguities or the choices of the original Regulation, and the chances for a successful future for ENISA depend on a renewed political agreement among the Member States, built on the lessons learned and the achievement of the first phase of the Agency".

9.8 ENISA's potential contribution to the functioning of the internal market is appreciated by stakeholders and expected to grow, especially regarding the duplication of activities in the network and information security (NIS) field between the Member States (MS) and the Commission and the harmonisation of policy and regulations. Most stakeholders feel that closing the Agency when the mandate expires in 2009 would represent a significant missed opportunity for Europe, and have negative consequences for NIS and the smooth functioning of the internal market. On the other hand, they also believe that change is needed in the Agency's strategic direction and structure.

9.9 The overall picture is set out most vividly in the SWOT Analysis reproduced below:

STRENGTHS

—  MS and Commission mandate

—  Good start in building relationships

—  Staff competence

WEAKNESSES

—  Lack of vision, focus and flexibility

—  Uneasy relationship between Management Board and Agency

—  Location problem for recruitment and networking

OPPORTUNITIES

—  Increasing importance of security in the EU

—  Unique position to respond to security coordination needs

—  Global alliances look for EU counterpart

—  Launching new projects with high relevance in the security field

—  Becoming a reference point for all the MS

THREATS

—  If effectiveness is not improved, rapid weakening and loss of reputation

—  High turnover is weakening the staff

—  Contradictory expectations from MS and between MS and stakeholders

—  Misperception of role and goals by external stakeholders



9.10 The Commission summarises the evaluation panel recommendations on the future of ENISA after 2009 as follows:

—  the mandate of the Agency should be extended after 2009, maintaining its original main objectives and policy rationale, but taking into account the current experience;

—  the Regulation should be revised, to reflect ENISA's original strategic role and to clear ambiguities about its profile. The Regulation should not define in detail the operational tasks of the Agency to allow for flexibility in adapting to the evolution of the security environment;

—  the Agency's size and resources should be increased (up to 100 persons approximately) in order to reach the necessary critical mass;

—  the role of the Management Board should be revised in order to improve governance;

—  the appointment of a high-profile figure, well recognised in the NIS environment, who could act as an ambassador, to help increase ENISA's visibility; and

—  "recommendations regarding the location of the Agency in Heraklion".

9.11 The Panel discusses the location question in depth. It says the negative consequences of the location on networking activities should be examined closely. In the short term, it would like to see improved flight connections and greater support from local authorities to counter the negative consequences on recruitment and retention. But "these decisions should be taken without preventing in any way the possibility to make a more radical choice about the location after 2009". Here, it recommends that:

—  the feasibility of moving the Agency from Heraklion to Athens or "another EU city with an international environment and greater proximity to the security environment main knowledge centres" be seriously considered;

—  as an alternative, opening a liaison office in Brussels or a city "with high relevance for the security environment" should be considered;

—  the concept of a "networked agency" with small headquarters and a few distributed offices "hosted by some of the main actors of security" be explored; and

—  examples of successful organizations with networking and think-tank activities be examined to learn from their management practices, even if they are not EU agencies. An example cited is EIPA (European Institute for Public Administration), "which, in addition to its main headquarters has antennas in other cities, acting as competence centres".

9.12 The Commission says that it largely agrees with the overall findings. It notes that a number of important difficulties seem to be of a structural nature "stemming from ambiguity in the interpretation of its Regulation and the suboptimal level of human resources available to the Agency". It goes on to say that "the misalignment between the interpretation of the Regulation by the Agency staff and by the Management Board may … hinge on the lack of a shared vision of ENISA among the Member States". Here, the evaluation report is very clear "and highlights the diverse needs of Member States concerning network and information security". The 2004 and 2007 enlargements are seen as having "exposed ENISA and its operation to higher expectations and demands than those that had been anticipated when the agency was established". The advent and convergence of more sophisticated and advanced communication and wireless technologies and the fast-evolving nature of threats have also contributed to transforming the environment in which ENISA operates. These developments need to be given due consideration when reflecting on the future of ENISA and deciding how the EU Member States and stakeholders should cooperate to cope with new challenges for network and information security.

9.13 The importance of enhancing ENISA's contacts and working relations with stakeholders and Member States' centres of expertise is "a key finding": in particular, "the lack of regular and effective networking activities with the existing European scientific, technical and industrial communities and sectors is considered as a main impediment for ENISA to position itself in this area and exercise its role as defined in its Regulation".

9.14 The Commission recalls that "the seat has been established by decisions of the Heads of State and Government and of the Greek Government". But, for the external panel of experts, "the current location is, in this regard, not helping ENISA as it makes it more difficult to establish regular and continuous working contacts with scientific, technical and industrial communities and sectors as well as to attract and keep key domain experts who may have the profile and personality to establish these contacts. Similar arguments hold for what concerns the working relations and contacts with Member States laboratories and/or technical centres."

NEXT STEPS

9.15 The Commission said that its public consultation and impact assessment, including a cost/benefit analysis, on the extension and the future of the Agency would "complete the inputs and comments needed to fully and transparently decide on a possible extension of ENISA". It would then inform the Council and the European Parliament of the results. The avenues to be explored would include whether to extend the mandate of the Agency or to replace it by another mechanism, such as a permanent forum of stakeholders or a network of security organisations. Regarding extending the mandate, the consultation will focus on:

—  what decisions need to be taken on the optimal operational size in order to enhance its networking capability and take on more tasks;

—  how to make its remit more precise, so as to support the networks and information security components of the electronic communication regulatory framework, in the context of the current overall review;

—  clarifying how the Agency should work with National Regulatory Agencies, other MS centres of expertise and the private sector, to define requirements and responses to current and future electronic networks security and integrity challenges; and

—  ensuring focus on impacts rather than deliverables in order to achieve a maximum added value for the internal market.

9.16 The seven detailed questions related to these topics are included in the Communication.

Previous consideration

9.17 We considered the Communication on 4 July on the basis of an unusually thin and uninformative Explanatory Memorandum from the then Minister of State for Industry and the Regions (Margaret Hodge). All she had to say was that the Government had supported the Agency and believed it to be "vitally important that the EU continues to improve the way it manages the security of networks and the information that is transmitted through or is stored on them". She described the UK as "one of several Member States that were cautious that the Agency should not impact on national sovereignty in relation to security", which caution "is reflected in the review clause that is unique to this Agency". She concluded by saying that the Government welcomed the wider public involvement in considering the continued need for and direction of the Agency, and that the Government would consider its position on the future of the Agency, in the light of the results of this exercise and whatever Commission proposals emerged in due course.

9.18 We concluded that the picture painted in the Communication was of an agency created on an unsound basis, which was compounded by it then being sited in the wrong place for the wrong reasons. We found the then Minister's response thus far disappointing and unsatisfactory, suggesting that the UK had no interest in the question, but was content to let the Commission and others take the lead and then react, notwithstanding the present unsatisfactory state of affairs. We felt that what we needed to know were the Government's views now, not when the consultation was over and the Commission had decided what to do. We asked to know in particular what the Minister's understanding was of the structural difficulties to which the Commission referred, and more about what was contained in the somewhat Delphic references to ambiguities in the interpretation of the Regulation, the "suboptimal level of human resources available to the Agency", "the misalignment between the interpretation of the Regulation by the Agency staff and by the Management Board" and "the lack of a shared vision of ENISA among the Member States". We also asked for the Minister's views on the Report's recommendations, particularly on the location of the Agency and the suggestion that it might need another 100 staff.

9.19 In short, we asked what the Government thinks should be done about ENISA and the challenges posed for network information security in the EU.

9.20 In the meantime, we retained the Communication under scrutiny.

The Minister's letter

9.21 The new Minister has responded in his letter of 24 July 2007, which he hopes will address our concerns so that the document can be cleared from scrutiny. He continues as follows:

    "I noted your conclusion that the Agency was created on an unsound basis and that the problem was compounded by the choice of location. The basis of the Agency is the Regulation (460/2004) which sets out its objectives and tasks. While we objected strongly to the legal base of Article 95 of the Treaty and in my previous time in this Department I had to abstain from voting for the Regulation for this reason — we were content that the focus of the Agency was appropriate for this important subject. While I will not pretend that Crete would have featured in our thinking for a location, it was, nevertheless, the clear decision of the Heads of State and Government in deciding on the location of Agencies that the Government of Greece should be responsible for selecting the location of ENISA. You will note from the footnote on page 8 of the Communication that the Commission implicitly accept that this is not an issue that can be addressed in the review process. I believe that to the extent that the location poses challenges for the operation of the Agency, these have to be addressed by the Agency's management in the normal course of business.

    "I was also surprised by the suggestion that the UK was not playing a role in the review of the Agency and had no interest. Perhaps it was not clear from the Communication but the structure of the Agency and the review process has enabled us to play a full role. First, the UK's Board Member — an official in my Department — was interviewed at length by the review team from IDC who have reported to the Commission. Secondly, the Board itself has to both give operational orientations to the Agency as well as its views on possible changes to the founding Regulation. This work has been done and the UK Board Member was asked to lead that work on behalf of the Board. Both pieces of work draw on the good field work done by IDC but they cannot be seen as accepting all of the IDC recommendations. The orientations seek to address concerns, also highlighted by IDC, about the prioritisation of activities and the relatively high proportion of resources in the Agency devoted to administrative matters. The orientations also suggest a new approach to the way in which professional resources are applied and suggest a more project-oriented approach to achieving goals.

    "The Board's report on the longer-term future of the Agency reflected a consensus that the need for an Agency had not been effectively challenged to date, that the management structure was basically sound but that the Regulation could move to a more outcome-based approach and give greater direction on how to engage stakeholders. The Board would not — for the reasons outlined above — make recommendations on the location of the Agency. Nor would it make recommendations on the future resources. The Board noted IDC's ideas for increasing the staff numbers but felt that such an increase could only be justified through a proposal that clearly outlined what the added value would be of such an increase. The Board could not accept the idea that there was some sort of minimum critical mass for a European Agency.

    "Your letter asks for my views on some quotes from the Communication that derive from views expressed in the IDC report. I have covered the question of resources. The idea that there is a 'lack of a shared vision of ENISA among the Member States' reflects the fact that many Member States have joined the EU since the Agency was created and might have favoured a more operational role for the Agency. This may be an issue to be addressed when and if we come to renegotiate the Regulation. The IDC report does helpfully set out our position on this point: 'It is well known that some of these MS were wary of possible interference and overlapping of competencies by the Agency, particularly because of the closeness of the NIS themes with national security activities, which are firmly in the national domain. Their vision of the role of ENISA is more articulated than that of the other MS, and they are more demanding of in terms of the value added which should be created by the Agency.'

    "The quote about 'the misalignment between the interpretation of the Regulation by the Agency staff and by the Management Board' was a mystery to us. There have been robust discussions between the Board and the Executive Director, but this is indicative that the management structure works. We have not detected any fundamental disagreement on what the Regulation means. We have told the Commission that we were surprised that they should have made this point.

    "In conclusion, I think Margaret Hodge presented you with a concise description of our position on the Agency and the relevance of this document. It is, after all, an interim report designed to increase the stakeholder input to the consideration of the future of the Agency. I will, of course, submit a more detailed EM when the Commission make substantive recommendations on the future of the Agency".

Conclusion

9.22 Though the Minister seeks loyally to defend his predecessor's "concise description of our position on the Agency and the relevance of this document", his reply contains the sort of comprehensive statement of the Government's position that was initially absent.

9.23 Lamentable as it might seem, the evaluation report's main concern, i.e., ENISA's inappropriate location, is plainly off limits, for the same reason that it was put there in the first place, i.e., its political nature. It is important that any future such decision is not left to one Member State to determine when the interests of all Member States are concerned.

9.24 In the meantime, we note that there is no appetite for more staff, and that the Government will resist any move to make ENISA more operational. What is needed now are proposals that show how ENISA, despite its unhelpful location, can be developed so as to fulfil its tasks efficiently, effectively and economically. We note with approval the Government's wariness of possible interference with and overlapping of competencies by the Agency with national security activities, which are firmly in the national domain, and its position among those who are "more demanding of in terms of the value added which should be created by the Agency", and trust that this will be reflected in proposals for the Agency's future.

9.25 We note that the Minister will submit a detailed EM when the Commission make substantive recommendations on the future of the Agency. We trust that, unlike his predecessor's, it will summarise and assess the Commission's proposals, and outline the Government's views, fully.

9.26 We now clear the document.

52   Regulation (EC) No 460/2004 of the European Parliament and of the Council of 10 March 2004 establishing the European Network and Information Security Agency, OJ No. L 77, 13.3.04, p. 1.

53   As reiterated in the judgment of the ECJ, sections 56 and 57.

54   The full report is at http://ec.europa.eu/dgs/information_society/evaluation/studies/s2006_enisa/docs/final_report.pdf.

55   The report is available at http://ec.europa.eu/dgs/information_society/evaluation/studies/index_en.htm.

© Parliamentary copyright 2007
Prepared 12 October 2007