2 European Information and Network Safety Agency
(a) (32008) 14322/10 COM(10) 520 | Draft Council Regulation amending Regulation (EC) No 460/2004 establishing the European Network and Information Security Agency as regards its duration
(b) (32010) 14358/10 COM(10) 521 + ADDs 1-2 | Draft Council Regulation concerning the European Network and Information Security Agency
|
Legal base | Article 114 TFEU; QMV; ordinary legislative procedure
|
Department | Business, Innovation and Skills
|
Basis of consideration | EM of 19 October 2010
|
Previous Committee Report | None; but see (29300) 16840/07: HC 16-xxiii (2007-08), chapter 12 (4 June 2008); also see (30528) 8375/09: HC 19-xxi (2008-09), chapter 1 (24 June 2009): HC 16-ix (2007-08), chapter 1 (23 January 2008): (28677) 10340/07: HC-41 xxviii (2006-07), chapter 2 (4 July 2007), HC-41 xxxiv (2006-07), chapter 9 (2 October 2007), (29172) 15371/07 (29173) 15379/07 (29174) 15387/07 (29176) 15416/07 (29177) 15422/07 and (29175) 15408/07: HC 16-vi (2007-08), chapters 1 and 2 (12 December 2007)
|
To be discussed in Council | To be determined
|
Committee's assessment | Politically important
|
Committee's decision | (a) Cleared
(b) Not cleared; further information requested
|
Background
2.1 With communications networks and information systems an essential
factor in economic and social development, and the security and
resilience of communication networks and information systems of
increasing concern to society, the European Network and Information
Security Agency (ENISA) was established in 2004, for a period
of five years. As ENISA's website says:
"Operative networks contribute to the smooth functioning
of the Internal Market, and concretely affect the daily lives
of the citizens and business alike, using broadband, online banking,
ecommerce, and mobile phones.
"Therefore, the Agency's Mission is essential to achieve
a high and effective level of Network and Information Security
within the European Union. Together with the EU-institutions and
the Member States, ENISA seeks to develop a culture of Network
and Information Security for the benefit of citizens, consumers,
business and public sector organisations in the European Union."
2.2 The Agency describes its objectives thus:
"ENISA was set up to enhance the capability of the European
Union, the EU Member States and the business community to prevent,
address and respond to network and information security problems.
"In order to achieve this goal, ENISA is a Centre of Expertise
in Network and Information Security and is stimulating the cooperation
between the public and private sectors. As such, the Agency is
a 'pacemaker'."
2.3 The Agency describes its tasks as:
- Advising and assisting the Commission and the Member States on information security and in their dialogue with industry to address security-related problems in hardware and software products;
- Collecting and analysing data on security incidents in Europe and emerging risks;
- Promoting risk assessment and risk management methods to enhance our capability to deal with information security threats;
- Awareness-raising and co-operation between different actors in the information security field, notably by developing public/private partnerships with industry in this field.
2.4 More concretely, ENISA divides its activities
into Computer Emergency Response Teams, Awareness Raising,
Resilience, Risk Management-Risk Assessment, Identity and Trust
and stakeholder relations.[8]
Previous consideration of the future of ENISA
2.5 Article 25 of the ENISA Regulation required evaluation
of the Agency by the Commission before March 2007, to determine
whether the duration of the Agency should be extended beyond the
period specified in Article 27 (that is, five years) and assess
the impact of the Agency on achieving its objectives and tasks,
as well as its working practices and, if necessary, make appropriate
proposals.
2.6 Thus, in autumn 2007, the then Committee considered
a Commission Communication that presented the findings of an evaluation
by an external panel of experts and the recommendations of the ENISA
Management Board regarding the ENISA Regulation; made an appraisal
of the evaluation report; and launched a public consultation.[9]
2.7 Based thereon, the Communication set out to initiate
debate about ENISA's value and future; the Commission would then
inform the Council and European Parliament and further specify
its overall evaluation findings, in particular whether or not
to introduce a proposal for the extension of the duration of the
Agency.
2.8 The overall picture was set out most vividly
in a SWOT Analysis reproduced below:
STRENGTHS
- MS and Commission mandate
- Good start in building relationships
- Staff competence
WEAKNESSES
- Lack of vision, focus and flexibility
- Uneasy relationship between Management Board and Agency
- Location problem for recruitment and networking
OPPORTUNITIES
- Increasing importance of security in the EU
- Unique position to respond to security coordination needs
- Global alliances look for EU counterpart
- Launching new projects with high relevance in the security field
- Becoming a reference point for all the MS
THREATS
- If effectiveness is not improved, rapid weakening and loss of reputation
- High turnover is weakening the staff
- Contradictory expectations from MS and between MS and stakeholders
- Misperception of role and goals by external stakeholders
2.9 In sum, the Report confirmed the validity of the original
rationale and goals. All activities were found to be in line with
its work programme. However, those activities appeared insufficient
to achieve the high level of impacts and value added hoped for,
and visibility was below expectations. Factors affecting the ability
of the Agency to perform at its best concerned its organisational
structure, the skills mix and the size of its operational staff,
the lack of focus on impacts rather than on deliverables and its
remote location. The chances for a successful future for ENISA
depended on "a renewed political agreement among the Member
States, built on the lessons learned and the achievement of the
first phase of the Agency". Most stakeholders felt that closing
the Agency in 2009 would represent a significant missed opportunity
for Europe, and have negative consequences for NIS and the smooth
functioning of the internal market. But they also believed that
change was needed in the Agency's strategic direction and structure.
2.10 The Commission endorsed the overall findings; enhancing ENISA's
contacts and working relations with stakeholders and Member States'
centres of expertise was "a key finding". But it danced
around the other key issue: its remote location in Heraklion.
The Commission summarised the evaluation panel recommendations
on the future of ENISA after 2009 as follows:
- the mandate of the Agency should be extended after 2009, maintaining its original main objectives and policy rationale, but taking into account the current experience;
- the Regulation should be revised, to reflect ENISA's original strategic role and to clear ambiguities about its profile. The Regulation should not define in detail the operational tasks of the Agency to allow for flexibility in adapting to the evolution of the security environment;
- the Agency's size and resources should be increased (up to 100 persons approximately) in order to reach the necessary critical mass;
- the role of the Management Board should be revised in order to improve governance;
- the appointment of a high-profile figure, well recognised in the NIS environment, who could act as an ambassador, to help increase ENISA's visibility;
- "recommendations regarding the location of the Agency in Heraklion".
2.11 Although the Commission evaded the location
issue, the Panel discussed the question in depth. It said the
negative consequences on networking activities should be examined
closely. Decisions to implement short-term improvements should
be taken without preventing in any way the possibility to make
a more radical choice about the location after 2009. Here, it
recommended that the feasibility be seriously considered of:
- moving the Agency from Heraklion to Athens or "another EU city with an international environment and greater proximity to the security environment main knowledge centres";
- opening a liaison office in Brussels or a city "with high relevance for the security environment";
- a "networked agency" with small headquarters and a few distributed offices "hosted by some of the main actors of security".
In addition, examples of successful organizations
with networking and think tank activities should be examined to
learn from their management practices, even if they were not EU
agencies; an example cited was EIPA (European Institute for Public
Administration), "which, in addition to its main headquarters
has antennas in other cities, acting as competence centres".
2.12 When the then Committee first examined the Communication,
it considered that the then Minister (Margaret Hodge) was as remiss
as the Commission, in that her Explanatory Memorandum contained
none of the foregoing, nor said anything about the report, despite
the picture painted in the Communication strongly suggesting that
ENISA had been created on an unsound basis, which had then been
compounded by situating it in the wrong place, for the wrong reasons.
The then Committee felt that it was entitled to know the Government's
views at that point, not when the consultation was over and the
Commission had decided what to do.
2.13 The response of her successor (Stephen Timms),
which was considered on 2 October 2007, contained the comprehensive
statement of the Government's position that was initially absent.
Lamentable as it seemed to the then Committee, it was made clear
that the evaluation report's main concern, i.e., ENISA's inappropriate
location, was plainly off limits, for the same reason that it
was put there in the first place, i.e., its political nature.
In clearing the Communication, the then Committee noted the importance
of any future such decision not being left to one Member State
to determine when the interests of all Member States were concerned.
They also noted that there was no appetite for more staff, and
that the Government would resist any move to make ENISA more operational,
and that what was needed now were proposals that showed how ENISA,
despite its unhelpful location, could be developed so as to fulfil
its tasks efficiently, effectively and economically. They also
noted that the Minister undertook to submit a detailed EM when
the Commission made substantive recommendations on the future
of the Agency.[10]
2.14 Those were contained in a further package of
proposals that the then Committee considered on 12 December 2007.
They included the notion that a new European Electronic Communications
Market Authority (EECMA) should, among other things, take over
the activities of ENISA. As both the then Minister, in his accompanying
Explanatory Memorandum, and the then Committee made clear, there
were considerable doubts about the proposed EECMA (and therefore
the contingent proposal to wind up ENISA); these were to be further
examined in a debate in the European Standing Committee on the
Commission Communication that set out the Commission's overall
approach to revising the regulatory framework for electronic communications.[11]
The first amendment to the Council Regulation
2.15 In the meantime, with ENISA's existing mandate
due to expire in March 2009, and to ensure continuity, the Commission
proposed this interim measure for the two years between the Agency's
scheduled expiry date and the date when the proposed EECMA was
to take over responsibility for its activities.
2.16 The then Minister (Stephen Timms) said that
at this stage he regarded the extension of ENISA's mandate as
"good housekeeping and essential for the continued conduct
of the Agency's activities." He noted that the EECMA negotiations
had yet to take place and the eventual outcome was unclear: however,
in any event, the EECMA would not be established before 2011 and
therefore some mechanism to ensure ENISA's continued operation
needed to be put in place. What ENISA did remained important and
there seemed a sound case for this work to continue at a
European level. The Government therefore agreed with the general
tenor of the Commission's Communication of 1 June 2007 (COM(2007)
285) and also agreed with the ENISA Management Board Recommendations
about the need to extend the mandate and "refresh the focus
given to the Agency" through the amendments to the Regulation.
However, the Commission had "taken a surprising turn in seeming
to have foregone further work on the Review of the Agency"
and "opted instead to roll ENISA into its proposals for a
European Electronic Communications Markets Authority". The
then Government was not convinced that this was the only or best
way to ensure the improved implementation of the European regulatory
framework for communications. But whatever solution was adopted,
they were convinced that expertise would be required to advise
or engage with national regulators on network and service resilience
issues. If the negotiation process set aside the Commission's
idea for a new Authority, then consideration would have to be
given as to how best to agree common approaches to ensuring the
appropriate resilience of networks. In that case, the continuation
of ENISA might return as a viable prospect. If the new Authority
idea prevailed, then it had to be acknowledged that it would be
difficult to argue for two Agencies that had a strong connection
to the regulatory framework.
2.17 For its part, the then Committee noted that,
as the Minister had pointed out, an extension of ENISA's mandate
was contingent on much larger and more contentious questions:
whether it should be incorporated in a new authority, the need
for and appropriateness of which is still under examination; or,
if not so incorporated, what should be done to make it more effective
and efficient. That being so, the then Committee continued to
retain the document under scrutiny until the Minister was in a
position to let it have his considered views.[12]
The then Minister's letter of 20 May 2008
2.18 The Minister's successor (Baroness Vadera) wrote
to say that she had "looked afresh" at the issues and
fully understood the then Committee's concern about the location
of the Agency not being addressed in this process. Though the
evaluation concluded that there were problems with the location
in Crete (which her predecessor had indicated would not
have been the then government's first choice), the decision
to locate the Agency there was taken by the Greek Government,
it having been given the discretion to do so by the Heads of Government.
It would be difficult, and would not constitute a welcome
precedent for many Member States, to subject that decision
to review and challenge by the European Institutions. The then
Minister therefore believed that in the short term, it was necessary
to continue to see the location as a management challenge and
that a discussion on relocation was not realistic without the
agreement of the Greek Government, and they had made clear
through all available channels that they felt the case
against Crete was not soundly based and were "working hard
to address the most obvious problems".
2.19 Moreover, the then Minister said, any clear
linkage in the Regulation to the outcome of the discussion on
the proposed EECMA had now been rejected, and the rationale for
the extension was now viewed as providing a window of opportunity
for the EU to reassess how it handled the whole issue of network
and information security: both how to deliver on the likely
new requirements for communications providers arising from the
Framework Review and whether policy objectives were best delivered
through a small Agency in a remote location. Furthermore, some
Member States thought three years would better enable an incoming
Commission and Parliament to deal with the issue and, through
a longer period of debate and reflection, enable a better longer-term
solution. The then Minister thought it arguable that sufficient
progress could be made in two years but if, as seemed likely,
the UK found itself in a small minority of Member States
who had doubts on this point and acting against the views of the
Parliament, she was not inclined to pursue her doubts to the point
of voting against the measure.
2.20 With the 16 June Telecoms Council approaching
and the Presidency wishing to get a Common Position, the then
Minister asked that the draft Council Regulation now be cleared.
The then Committee's assessment
2.21 In the debate on 13 March 2008 on the Commission's
overall approach to revising the regulatory framework for electronic
communications, the then Minister for Energy (Malcolm Wicks) said
that the Government continued to analyse the case for establishing
a new EU market authority and was considering whether other methods
could better achieve the objectives. This approach was reflected
in other contributions to the debate.
2.22 It thus seemed clear that there was little
enthusiasm for the proposed EECMA and that, accordingly, ENISA
was, in one form or another, and in one place or another, likely
to be around for the foreseeable future. In that case, the then
Committee accepted that it made sense to extend ENISA's mandate.
Like the Minister, it was not convinced that an additional year
was needed in order to reach the right conclusions, given that
the problems and solutions had been so fully and convincingly
set out in the evaluation; but reluctantly agreed that it would
be a better outcome than an even longer extension. What was much
more important was that a window of opportunity for the EU to
reassess how it handled the whole issue of network and information
security should not, as the result of a longer period of debate
and reflection, result in continued stagnation.
2.23 In clearing the draft Council Regulation, the
then Committee noted in particular that the Government of Greece
maintained that the case against Crete was not soundly based and
was "working hard to address the most obvious problems",
and looked forward to hearing more about what steps were planned
to address the problems identified in the evaluation.[13]
The draft Council Regulations
2.24 The proposed Commission Regulation (document
(b)) renews ENISA's mandate for a further five years and sets
out the tasks proposed for the Agency as well as its budget and
how it will operate. The Regulation builds on ENISA's current
capabilities as a centre of excellence whose function is to enhance
network and information security (NIS) across Europe and expands
the Agency's tasks to reflect changing needs in this area. The
Regulation also streamlines the Agency's management structures
and sets out a gradual increase to the budget to manage the increased
workload.
2.25 It is published alongside a Commission proposal
to extend the existing ENISA Regulation à l'identique
for 18 months, from March 2012 to September 2013.
2.26 In his Explanatory Memorandum of 19 October
2010, the Minister for Culture, Communications and Creative Industries
(Ed Vaizey) begins by explaining that the EECMA did not take over
ENISA's activities as this proposal did not receive support from
Member States during the negotiations on revising the 2002 telecoms
regulatory framework, which were not completed until November
2009; and that, following this, there was a change of Commissioner,
which further postponed any decision on the future of ENISA. He
continues as follows:
"The Commission has now concluded that there
is a need for ENISA to continue its activities enhancing security
and resilience in the Communications sector. This reflects the
positive view of the Agency in the general review conducted by
the Commission and the Council Conclusions of June 2007[14]
that saw a continued role for the Agency in this important area.
"In our view the Agency has produced some solid
work since it was established. It has a strong standing in the
community that deals with response to security incidents and has
created new communities in areas such as awareness raising and
risk management. It has not had a high impact, but is well regarded
in the expert community and has been successful in bringing together
communities of interest in the EU and in the area of risk management,
CERT (computer emergency response team) co-operation and identifying
best practice on awareness-raising amongst other things. It is
now established to the point that the Commission has developed
new roles for it in the promotion of critical information infrastructure
protection (CIIP) and the Council identified a role for it in
the implementation of the security elements of the new Framework
Regulations."
2.27 The Minister then says that there were two problems
built into the working environment for the Agency:
"firstly, in retrospect the resources allocated
for it were too low. This was compounded by the second problem,
the choice of Crete as the seat of the Agency
Regarding the location, it is the responsibility of the host Member State
to maintain the arrangements for the operation of the Agency.
The decision to ask Greece to host the Agency was taken by Heads
of Government and discussions on the detail of the seat arrangements
were conducted by the Greek authorities and the Commission. As
this was a political decision the question of location cannot
be revisited during negotiations."
2.28 The Minister then looks at some of the key issues
as follows:
NETWORK AND INFORMATION SECURITY
"Network and Information Security (NIS) is an
issue of critical importance to the UK as well as to all EU Member
States. The increasing reliance on information and communications
technology (ICT) and the need to ensure security and resilience
thereof, is a high priority for the UK, reflected in the
creation of the Office of Cyber Security and Information Assurance
(OCSIA) in Cabinet Office and the Cyber Security Operations Centre
(CSOC) in Cheltenham. However, ICT networks are globally interconnected
networks and do not follow national boundaries. This means that
there is significant benefit in having a level of coordination
across Europe to bring together initiatives and information on
NIS.
"For the UK, the Agency has been of benefit
by drawing on EU expertise to enhance security and resilience
of networks across the EU, and has made significant progress in
its original tasks such as facilitating cooperation on NIS between
EU Member States (and the Commission); bringing together stakeholders
(including telecoms companies, and business) to facilitate discussion
and exchange ideas; raising awareness of NIS and spreading good
practice on how to improve and enhance the resilience and security
of networks drawing on efforts across Europe; providing advice
and support to Member States who are enhancing the resilience
and security of their networks."
2.29 The Minister then notes that the Commission
set out its priorities for NIS in its 2009 Communication on Critical
Information Infrastructure Protection (CIIP), "Protecting
Europe from large scale cyber-attacks and disruptions: enhancing
preparedness, security and resilience",[15]
and says:
"ENISA has made a significant contribution in
delivering a number of the objectives, including coordinating
the first pan-European cyber exercise; this will help all participating
European states including the UK enhance their ability to coordinate
an emergency response to a cyber attack.
"Additionally ENISA has taken a leading role
in facilitating discussion between Member States about how to
effectively implement and manage the new legislative security requirements
which form part of the Telecommunications Framework Directive
(itself a part of the European Regulatory Framework for Communications).
This legislation also sees ENISA taking on a formal role as a
body which will receive and coordinate information on outages
of communications services across Europe."
AGENCY REMIT
"The new mandate allows ENISA to continue operating
as a centre of excellence and expertise on Network and Information
Security. The Commission has recognised the shifting needs in
this policy area that have developed significantly since the Agency's
inception in 2004, both in terms of technology and the increasingly
high profile of NIS. ENISA will continue to carry out its current
tasks and will expand its work programme to fit better with current
needs. Updated tasks include:
- "Formally taking on the role that ENISA
has been undertaking on Critical Information Infrastructure Protection,
and supporting the EU regulatory Agenda in this area more closely.
- "Finding common ground with the law enforcement
community to establish a role in the fight against cybercrime."
"By supporting the Commission's policy output
in this area ENISA will have a formalised role to continue the
work it is already performing under the CIIP and Framework Directive
banner, and strengthen the Agency's position to develop thinking
and sharing of ideas in this area, which allows for a more harmonised
implementation of measures. Both these are areas of work where
ENISA has excelled in bringing together the right stakeholders
to advance the policy debate effectively, despite not having any
official role.
"In undertaking a specific role on the security
aspects of cybercrime ENISA will be working closely with entities
already operational in this arena such as privacy protection and
law enforcement agencies, to address the network security aspects
which are one part of the overall picture of fighting cybercrime.
This proposal should add value in the fight against cybercrime
through the pooling and effective dissemination of knowledge across
different policy areas. This is an area which the Lords sub-Committee
on European Affairs highlighted as being ripe for further collaboration
initiatives between different key players to increase the effectiveness
of policy and recommended the Commission to take forward."
2.30 The Minister then describes other key changes
to the Agency, focused on its operational capacity and governance
structures, as:
- increased flexibility to focus
on the key issues in this policy area as they develop;
- a streamlined governance structure.
2.31 Of the first, the Minister says:
"It has become clear over the existing lifecycle
of the Agency that ENISA needs the means to respond actively to
new challenges within this policy area. By allowing more scope
for ENISA to focus its resources on issues considered necessary
by the Management Board and key stakeholders, it can provide relevant
and timely support (both through research and position papers
for example) to both the Commission and other stakeholders on
key live issues."
2.32 Of the streamlined governance structure, the
Minister says that it:
"enhances the role of the Management Board (made
up of representatives from EU Member States including the UK),
allowing it more flexibility in managing its workload as well
as discretion in intervening in staff issues, which were previously
the sole responsibility of the Executive Director. The increased
adaptability of the Agency is designed to help ENISA achieve its
goals by allowing it to concentrate on core, critical work as
it arises, alongside the tasks set out in the annual work programme,
which is approved by the Management Board. This reflects the reality
of this fast-moving policy area, where priorities and what is
critical tend to change relatively rapidly."
AGENCY LIFESPAN
"The Agency has been given another limited lifespan
of five years; such existential restrictions are not generally
the norm amongst European Union Agencies. This allows for ongoing
evaluation of the continuing validity and relevance of the work
being undertaken as well as the effectiveness of the Agency. In
line with this there is also a review clause in the Regulation,
to allow for re-evaluation of the Agency and any recommendations
to be made to the Commission on improving the output and functioning
of ENISA."
2.33 The Minister then notes that negotiations and
due process on the new ENISA regulation are expected to take some
time, and there is a risk that they will not be concluded
before the present mandate expires in March 2012; and that the
Amendment to the original ENISA Regulation, to extend the Agency's
lifespan until September 2013, would allow for full debate and
due process to be completed.
The Government's view
2.34 The Minister says that, overall, the Regulation
extending and amending its mandate increases the momentum already
established by ENISA, supports the high priority accorded to information
security issues, both in the UK and in Europe, and acknowledges
the importance and changing scope of this policy area.
2.35 The Minister then notes that, as NIS and cyber-security
policy are of such high importance, the UK is represented on the
ENISA Management Board, and BIS, the Office for Cyber Security,
and the Centre for the Protection of National Infrastructure have
worked closely with ENISA over the course of its existence, and
continue to do so.
2.36 The Minister then further notes that the new
Regulation does not set out any operational responsibilities for
the Agency:
"Indeed the Commission appears to have demonstrated
sensitivity to the need to ensure that the proposal does not develop
into an operational unit that carries out real-time network monitoring
and advice, which would run the risk of not only duplicating work
already carried out by Agencies in Member States, but also potentially
crossing into national security issues. Any concerns relating
to the balance of competence between the EU and UK will be carefully
scrutinised to prevent any mission creep."
2.37 The Minister also draws attention to a report
from our counterparts in the House of Lords into Protecting Europe
from Large Scale Cyber Attacks, whose conclusions, he says:
- included the hope that agreement can be reached, well before the expiry of the current mandate, on extending the work of ENISA to matters such as police and judicial cooperation over criminal use of the Internet, with a commensurate increase in resources;
- as well as being highly critical of the original location decision, also welcomed the fact that, to meet some of these problems, the government of Greece had recently made facilities available in Athens for ENISA meetings, and hoped that any conference facilities which ENISA may need there will be provided so that it can function as efficiently as possible;
- supported consideration being given to increasing the number of staff to enable it to perform all its tasks satisfactorily;
2.38 The Minister then turns to the Financial
Implications:
"To date the Agency's ability to make a bigger
impact has been affected by the resources it can use to focus
on output. Both the evaluation of the Agency as well as consultation
with stakeholders indicated that the size of ENISA is currently
below its critical mass and requires more resources. This has
now been addressed by the Commission, who plan to give the Agency
the resources required to carry out its existing and new activities
satisfactorily.
"The Impact Assessment accompanying the Regulation
sets out the resources allocated to the Agency. These will gradually
increase over its lifetime of 2012-2016 set out in this Regulation.
The European Commission expects the annual budget to increase
from approximately €8 million to around €19 million
by 2016 (including EFTA contributions).[16]
The majority of ENISA's costs, almost two thirds,
are made up by staff expenditure. In the event ENISA would continue
under its current remit (à l'identique), it would cost
just over €9 million by 2016. This means that, over the five
year period 2012-2016, increasing the Agency's resources will
cost an extra €21 million.
"Additionally, the Commission are proposing
a review of the Agency's financing after 2013 (less than a year
into the lifespan of the new mandate), which would allow the Commission
to amend the financing of ENISA, therefore it remains unclear
what the exact funding will be post 2013, as no indication has
been given by the Commission.
"Subject to the Agency playing an increasingly
important role in an area key to both the well-being of the UK
and EU, there is some justification for the increase in budget.
The EC has not been able to provide a quantification of benefits
because there is no objective quantitative information available
about the economics of NIS, in particular the impact that NIS
breaches have and therefore how much additional security measures
would save. However, the EC has conducted a qualitative assessment
of the benefits and concluded that the extra investment is both
reasonable and worthwhile (ref Impact Assessment). The Agency's
new activities have also received the support of NIS stakeholders
during the EC's consultation process. However, all additional
resources allocated to the Agency should require solid justification,
which the UK will insist upon."
Conclusion
2.39 We have set out the history in some detail
to show how difficult it has been from the outset for ENISA, through
no fault of its own, to carry out the important tasks laid upon
it. With a new Commissioner and a new Executive Director, there
are now signs of greater effectiveness; and equally welcome signs
of the host government playing the supportive role that it should
have done from the outset, given its continuing insistence on
ENISA's palpably unsuitable location.
2.40 We accordingly clear the proposed Regulation
extending its mandate à l'identique until September
2013.
2.41 However, as the Minister makes clear, there
is still much uncertainty surrounding the extension of its definitive
mandate, both as to funding and extending ENISA's involvement
into matters such as countering cyber-crime. We shall therefore
retain the main draft Council Regulation under scrutiny.
2.42 We also ask the Minister to provide us with
periodic updates as the negotiations proceed, ahead of any eventual
decision to proceed to political agreement in the Council (in
the first instance, after the 2 December Telecoms Council, should
there be any discussion there and/or any Conclusions adopted).
8 For further information on ENISA, see http://www.enisa.europa.eu/about-enisa.
9 The full report is at http://ec.europa.eu/dgs/information_society/evaluation/studies/s2006_enisa/docs/final_report.pdf.
10 See headnote: (28677) 10340/07: HC-41 xxviii (2006-07), chapter 2 (4 July 2007) and HC-41 xxxiii (2006-07), chapter 9 (2 October 2007).
11 See headnote: (29172) 15371/07 (29173) 15379/07 (29174) 15387/07 (29176) 15416/07 (29177) 15422/07 and (29175) 15408/07: HC 16-vi (2007-08), chapters 1 and 2 (12 December 2007).
12 See headnote.
13 See headnote: (29300) 16840/07: HC 16-xxii (2007-08), chapter 12 (4 June 2008).
14 COM(07) 285 final.
15 See (30528) 8375/09: HC 19-xxi (2008-09), chapter 1 (24 June 2009) for the previous Committee's consideration of this Communication.
16 EFTA contributions amount to about EUR 450,000 by 2016 or just over 2% of the total budget.