Protecting Europe against large-scale cyber-attacks - European Union Committee Contents


CHAPTER 5: ENISA

Functions of the agency

99.  ENISA, the European Network and Information Security Agency, was set up by Regulation in March 2004.[44] This was prior to the merger of the first and third pillars by the Treaty of Lisbon, and the Regulation emphasises that ENISA deals only with first pillar matters, and in any case is without prejudice to "activities concerning public security, defence, State security (including the economic well-being of the State when the issues relate to State security matters) and the activities of the State in areas of criminal law."[45] This gave ENISA a relatively limited mandate. We consider below whether, when its mandate is next renewed, it should be extended to some former third pillar matters.

100.  EU agencies are often established with grandiose and high-sounding purposes. In the case of ENISA this was "for the purpose of ensuring a high and effective level of network and information security within the Community and in order to develop a culture of network and information security for the benefit of the citizens, consumers, enterprises and public sector organisations of the European Union, thus contributing to the smooth functioning of the internal market."[46]

101.  More realistically, Dr Udo Helmbrecht, the Executive Director, told us: "The benefits: what we try to do is to have added value for the Member States and for the Commission, so that there are two directions. One is that we provide guidance to the European Commission in the process, for example, of their legislation via European projects or research areas. On the other hand, we work together with the Member States, for example in building up CERTs and having reports which they can use in their own Member States. So I want to try to do those things on a European level with cross-border activities or cross-border needs in this area" (Q 177). Another matter the work programme concentrated on was the resilience framework within the Critical Information Infrastructure Protection (CIIP). Over the next year they would be starting a new activity on identity and trust (Q 190).

102.  Dr Chantzos summarised ENISA's current mandate: "ENISA has been designed to be a centre of excellence and has been designed to be a platform for exchange of information, exchange of best practice, of brokerage, of co-operation and exchange of views. It has not been designed to be an operational agency" (Q 170).

Management and staff

103.  The Executive Director of ENISA is appointed for a term of up to 5 years.[47] Dr Helmbrecht is the second Director, and took up his appointment on 16 October 2009, two months before giving evidence to us. The relationship between the Director and the Chairman of the Management Board is important for the smooth functioning of the agency. Over the last two years we have conducted inquiries into two other EU agencies, Frontex and Europol, and in both cases have looked at the relationship between the Director and the Management Board.[48] In the case of Frontex the Chairman of the Management Board is elected for a period of two years, renewable once. The Executive Director and the Chairman therefore had an opportunity to establish a good working relationship, and had done so. By contrast, we were highly critical of the fact that the Chairman of the Management Board of Europol was the representative of the Presidency, and therefore changed every six months. Even under the Europol Decision, which came into force on 1 January 2010, the Chairman of the Management Board is to be selected "by and from within" the Member States holding the current Presidency and the two succeeding Presidencies. We are glad therefore that the Chairman of ENISA's Management Board is appointed for two and a half years renewable.[49] Dr Helmbrecht said that ENISA had been lucky in its current Chairman, Dr Reinhard Posch, who was the Austrian Chief Information Officer. It was useful that he overlapped the change of Director (Q 193).

104.  ENISA currently has a staff of around 65 (Q 178). Mr Smith described ENISA as "small" (Q 3), Lord West as "very small". He added: "I am not saying that big is best because quite often big is worse, but I think that needs looking at quite closely to make sure it is able to do the things the EU wants it to do" (Q 289). Intellect, the United Kingdom trade association for the IT industry, thought that the scale of national endeavours greatly exceeded the present capacity of ENISA. "If ENISA is to have a role as a serious centre of excellence and creator of policy, then it needs to be more substantial than is currently the case" (p 138).

105.  We agree that a staff of 65 is a very small number to be responsible for its current programmes; when the Commission asked for an analysis by an independent consultant, they said it was almost not worth having an agency of less than 100 people (Q 46). We believe the problems with the location of ENISA, to which we refer below, may affect recruitment. We consider below whether ENISA's mandate should be extended. Even if there is no extension of ENISA's mandate, we believe that consideration should be given to increasing the number of staff to enable it to perform all its tasks satisfactorily.

Assessments of ENISA's work

106.  Mr Smith thought that the creation of ENISA was "not the biggest success story of all time", but that it had had some impact in drawing people together in the European Union (Q 3). Other assessments of ENISA have been rather more positive. The Payments Council were "highly supportive" of ENISA, believing that it has the potential to be a powerful force for good in promoting the development of CERTs in Europe. It could however be "awkward in its execution" (p 157). Mr Cormack was even more supportive: "One of the things that has been seen by the community as very positive is the establishment and involvement of ENISA … there was a very strong welcome given to the members of ENISA staff who, like me, are now personal members of FIRST, so they are very much involved there" (Q 96). And Symantec told us: "Since its creation in 2004, ENISA has played a valuable role in bringing together government, industry and academia to share experience, knowledge and good practice" (p 56).

The impact of the Communication on ENISA's mandate

107.  ENISA was initially established only for five years up to 13 March 2009,[50] but its mandate was subsequently extended for three further years to 13 March 2012.[51] The amending Regulation makes no changes to ENISA's constitution, functions or powers, and it is clear from the recitals that this is a temporary expedient, pending decisions on the changes needed. Mr Servida explained the view of the Commission: "In terms of effectiveness or impact of ENISA we think that there is a need to reform this body which was established under different conditions" (Q 135).

108.  The Communication was published less than a month after the extension of ENISA's mandate. Section 4 on The Way Forward states: "It is necessary to strengthen the existing instruments for cooperation, including ENISA ..." This will indeed be necessary if the Communication is implemented, given that major new roles are envisaged for ENISA under the first three of the five sections of the Action Plan.[52]

109.  Dr Helmbrecht saw no formal role for ENISA in formulating the agency's new mandate, which he saw as solely a political process and a political decision. He explained that the procedure for changing the mandate started with a Communication from the Commission and then co-decision between the Council and Parliament. But he agreed that there would be informal discussion before the process started officially in the first half of this year (Q 187).

110.  We hope that ENISA, though not formally involved in the EU legislative process, will through its Executive Director, its Management Board and its Permanent Stakeholders Group have an important voice in the drafting of the new mandate.

111.  The entry into force of the Treaty of Lisbon, not of course mentioned in the Communication, means that the mandate would no longer necessarily be limited to matters related to the functioning of the internal market, as currently required by having Article 95 TEC as its legal base, but could be extended to some of what previously were third pillar matters. We agree with the Payments Council (p 157) that ENISA's current place within the pillar structure appears to be hampering its scope for action. We hope that agreement can be reached, well before the expiry of the current mandate, on extending the work of ENISA to matters such as police and judicial cooperation over criminal use of the Internet, with a commensurate increase in resources.

Location

112.  Prior to the adoption of the Regulation setting up ENISA, the European Council decided at the meeting on 12-13 December 2003 to locate the Agency in Greece. Subsequently, and perhaps surprisingly, the Greek government decided to locate it, not in Athens as might have been expected, but at Heraklion in Crete. The process was described by Mr Smith: "The agency came at the end of a big log-jam of agencies that did not have homes ... ENISA came towards the back of that queue … As we approached enlargement, it suddenly became crucial that we solve this problem … It was a surprise to everyone when ENISA was given to Greece and the terms under which it was given were that Greece would decide the location of the agency. It chose to locate in Crete and that was the decision of the Greek government, and I have no reason to challenge that decision" (Q 46).

113.  The Greek government believed it had sound reasons for its decision, since Heraklion is the location of the Greek Foundation of Research and Technology (FORTH). ENISA (p 74) and Dr Helmbrecht (Q 212) pointed to the advantages of being close to a university campus and a research institute working on computer science and intelligence. Nevertheless, this decision has caused many problems and been the subject of widespread adverse comment. The panel of experts appointed by the Commission to carry out the mid-term evaluation of ENISA, as required by Article 25(1) of the Regulation, examined the location and made some scathing criticisms.

BOX 4
ENISA Evaluation Report: Location

Taking Brussels as a reference point, ENISA is the most distant agency, about 2,400 km away. This is 600 km further than CEDEFOP,[53] which is based in Greece too but in Thessalonica (and has a liaison office in Brussels). ENISA is approximately 1,000 km further than OHIM[54] in Alicante or EMCDDA[55] in Lisbon.
The problem is not distance by itself, but its impact on the mission of the agency, which requires continuous interaction with the main IT and security policy research centres.
Heraklion is not a capital city and flight schedules, especially in winter, are limited, requiring a stopover in another city (usually Athens). Travel time is between 7 to 10 hours each way, which results in an average time of up to 3 days for each event or meeting attended by an agency employee, as well as for members of the Management Board and experts cooperating with ENISA such as members of the Permanent Stakeholders Group (who are not even paid for their time).
The agency is very far from the main knowledge centres of security, mainly located in northern Europe. This reduces the opportunities for spontaneous interactions, short meetings, and keeping in touch with evolving policy priorities and new ideas.[56]

114.  These criticisms were made over three years ago, but those of our witnesses who referred to the location made it clear that these difficulties persist. Mr Smith told us: "I have seen a lot of Athens Airport over the last few years" (Q 47). ENISA told us that in 2009 their staff spent 85 nights in stopovers in Athens while on mission—and this excluded meetings in Athens itself. And the Payments Council noted: "Even in the Internet world personal contacts are important, particularly in the security field. [ENISA's] location is also likely to affect its access to the resources and skills that it requires in order to be effective" (p 157).

115.  The location of ENISA also gives rise to problems of recruiting and retaining staff. All staff live in Crete because that is a condition of their contract. Dr Helmbrecht told us that the agency has no difficulty recruiting staff of the right calibre, but "it is currently a difficult situation for families with children because you do not have a well-established European School in Heraklion, so if you have parents with children from the ages of, say, 12 to 18 it is nearly impossible currently" (QQ 211, 213).

116.  Professor Anderson was, as we have said, in no doubt that the EU had a significant role to play in Internet policy, and that it should have an organisation like ENISA; but he was highly critical of its current location. Ideally he thought it should be in Brussels where its expertise would be available on tap, but he also mentioned Cambridge or Munich where there was a well-established existing technical culture. If policy dictated that it had to be in Greece, then it should be within a 20-minute taxi ride of Athens airport. "There is not just an issue of convenience ... there is also an issue of recruitment and retention of high grade technical staff. Good software people like to be in places where there are other good software people ... if you cannot attract and retain top class technical people, you cannot run an agency like that" (Q 263).

117.  The Management Board meets twice a year. Although some meetings have been held in Crete there have been meetings in Brussels, Vienna, Madrid, Paris and London, the clearest testimony of their views on the location. But there has been one recent improvement. In autumn 2009 ENISA opened a branch office in Athens paid for by the Greek government, so that meetings can be held there. In 2010 the Management Board will be meeting there twice, and maybe also the Permanent Stakeholders Group (QQ 212, 221). If the headquarters cannot be in Athens, an office there is the next best thing. ENISA will continue to be a centre of excellence only if the best brains in the business can be attracted to meetings; whenever possible a meeting in Athens should be preferred to one held in Crete.

118.  From the evidence we have received (though not that of the Executive Director) we are convinced that the decision to site ENISA at Heraklion was not taken on the basis of a careful cost/benefit analysis, and that it has led and continues to lead to problems over the recruitment and retention of staff, and over the scheduling of meetings.

119.  We welcome the fact that, to meet some of these problems, the government of Greece has recently made facilities available in Athens for ENISA meetings. We hope that any conference facilities which ENISA may need there will be provided so that it can function as efficiently as possible.

120.  We urge the Government to ensure that, when the question of location of EU agencies arises in the future, the Member State in which the agency is to be located should take into account the views of other Member States on the choice of site within that country, and that all such decisions should be taken only on the basis of a rigorous cost/benefit analysis.


44   Regulation (EC) No 460/2004 of the European Parliament and of the Council of 10 March 2004 establishing the European Network and Information Security Agency (OJ L77, 13 March 2004, p.1). Back

45   Ibid, Article 1(3). Back

46   Ibid, Article 1(1). The reference at the end to "the smooth functioning of the internal market" is needed to give the Regulation a sound legal basis in Article 95 TEC. Back

47   Ibid, Article 7(3). Back

48   FRONTEX: the EU external borders agency (9th Report, Session 2007-08, HL Paper 60), paragraphs 82-91; EUROPOL: coordinating the fight against serious and organised crime (29th Report, Session 2007-08, HL Paper 183), Chapter 5. Back

49   Regulation, Article 6(3). Back

50   Ibid, Article 27. Back

51   Regulation (EC) No 1007/2008 of the European Parliament and of the Council of 24 September 2008 amending Regulation (EC) No 460/2004 establishing the European Network and Information Security Agency (OJ L293, 31 October 2008, p.1). Back

52   See paragraph 48 above. Back

53   European Centre for the Development of Vocational Training Back

54   Office for Harmonisation in the Internal Market (Trade Marks and Designs) Back

55   European Monitoring Centre for Drugs and Drug Addiction Back

56   Extracted from section 3.2 of Evaluation of the European Network and Information Security Agency: Final Report by the Experts Panel, IDC EMEA, 8 January 2007. Back


 
previous page contents next page

House of Lords home page Parliament home page House of Commons home page search page enquiries index

© Parliamentary copyright 2010