CHAPTER 5: ENISA
Functions of the agency
99. ENISA, the European Network and Information
Security Agency, was set up by Regulation in March 2004.
This was prior to the merger of the first and third pillars by
the Treaty of Lisbon, and the Regulation emphasises that ENISA
deals only with first pillar matters, and in any case is without
prejudice to "activities concerning public security, defence,
State security (including the economic well-being of the State
when the issues relate to State security matters) and the activities
of the State in areas of criminal law."
This gave ENISA a relatively limited mandate. We consider below
whether, when its mandate is next renewed, it should be extended
to some former third pillar matters.
100. EU agencies are often established with grandiose
and high-sounding purposes. In the case of ENISA this was "for
the purpose of ensuring a high and effective level of network
and information security within the Community and in order to
develop a culture of network and information security for the
benefit of the citizens, consumers, enterprises and public sector
organisations of the European Union, thus contributing to the
smooth functioning of the internal market."
101. More realistically, Dr Udo Helmbrecht,
the Executive Director, told us: "The benefits: what we try
to do is to have added value for the Member States and for the
Commission, so that there are two directions. One is that we provide
guidance to the European Commission in the process, for example,
of their legislation via European projects or research areas.
On the other hand, we work together with the Member States, for
example in building up CERTs and having reports which they can
use in their own Member States. So I want to try to do those things
on a European level with cross-border activities or cross-border
needs in this area" (Q 177). Another matter the work
programme concentrated on was the resilience framework within
the Critical Information Infrastructure Protection (CIIP). Over
the next year they would be starting a new activity on identity
and trust (Q 190).
102. Dr Chantzos summarised ENISA's current
mandate: "ENISA has been designed to be a centre of excellence
and has been designed to be a platform for exchange of information,
exchange of best practice, of brokerage, of co-operation and exchange
of views. It has not been designed to be an operational agency"
Management and staff
103. The Executive Director of ENISA is appointed
for a term of up to 5 years.
Dr Helmbrecht is the second Director, and took up his appointment
on 16 October 2009, two months before giving evidence to us. The
relationship between the Director and the Chairman of the Management
Board is important for the smooth functioning of the agency. Over
the last two years we have conducted inquiries into two other
EU agencies, Frontex and Europol, and in both cases have looked
at the relationship between the Director and the Management Board.
In the case of Frontex the Chairman of the Management Board is
elected for a period of two years, renewable once. The Executive
Director and the Chairman therefore had an opportunity to establish
a good working relationship, and had done so. By contrast, we
were highly critical of the fact that the Chairman of the Management
Board of Europol was the representative of the Presidency, and
therefore changed every six months. Even under the Europol Decision,
which came into force on 1 January 2010, the Chairman of the Management
Board is to be selected "by and from within" the Member
States holding the current Presidency and the two succeeding Presidencies.
We are glad therefore that the Chairman of ENISA's Management
Board is appointed for two and a half years renewable.
Dr Helmbrecht said that ENISA had been lucky in its current
Chairman, Dr Reinhard Posch, who was the Austrian Chief Information
Officer. It was useful that he overlapped the change of Director
104. ENISA currently has a staff of around 65
(Q 178). Mr Smith described ENISA as "small"
(Q 3), Lord West as "very small". He added: "I
am not saying that big is best because quite often big is worse,
but I think that needs looking at quite closely to make sure it
is able to do the things the EU wants it to do" (Q 289).
Intellect, the United Kingdom trade association for the IT industry,
thought that the scale of national endeavours greatly exceeded
the present capacity of ENISA. "If ENISA is to have a role
as a serious centre of excellence and creator of policy, then
it needs to be more substantial than is currently the case"
105. We agree that a staff of 65 is a very small
number to be responsible for its current programmes; when the
Commission asked for an analysis by an independent consultant,
they said it was almost not worth having an agency of less than
100 people (Q 46). We believe the problems with the location
of ENISA, to which we refer below, may affect recruitment. We
consider below whether ENISA's mandate should be extended. Even
if there is no extension of ENISA's mandate, we believe
that consideration should be given to increasing the number of
staff to enable it to perform all its tasks satisfactorily.
Assessments of ENISA's work
106. Mr Smith thought that the creation
of ENISA was "not the biggest success story of all time",
but that it had had some impact in drawing people together in
the European Union (Q 3). Other assessments of ENISA have
been rather more positive. The Payments Council were "highly
supportive" of ENISA, believing that it has the potential
to be a powerful force for good in promoting the development of
CERTs in Europe. It could however be "awkward in its execution"
(p 157). Mr Cormack was even more supportive: "One
of the things that has been seen by the community as very positive
is the establishment and involvement of ENISA
a very strong welcome given to the members of ENISA staff who,
like me, are now personal members of FIRST, so they are very much
involved there" (Q 96). And Symantec told us: "Since
its creation in 2004, ENISA has played a valuable role in bringing
together government, industry and academia to share experience,
knowledge and good practice" (p 56).
The impact of the Communication
on ENISA's mandate
107. ENISA was initially established only for
five years up to 13 March 2009,
but its mandate was subsequently extended for three further years
to 13 March 2012.
The amending Regulation makes no changes to ENISA's constitution,
functions or powers, and it is clear from the recitals that this
is a temporary expedient, pending decisions on the changes needed.
Mr Servida explained the view of the Commission: "In
terms of effectiveness or impact of ENISA we think that there
is a need to reform this body which was established under different
conditions" (Q 135).
108. The Communication was published less than
a month after the extension of ENISA's mandate. Section 4 on The
Way Forward states: "It is necessary to strengthen the existing
instruments for cooperation, including ENISA ..." This will
indeed be necessary if the Communication is implemented, given
that major new roles are envisaged for ENISA under the first three
of the five sections of the Action Plan.
109. Dr Helmbrecht saw no formal role for
ENISA in formulating the agency's new mandate, which he saw as
solely a political process and a political decision. He explained
that the procedure for changing the mandate started with a Communication
from the Commission and then co-decision between the Council and
Parliament. But he agreed that there would be informal discussion
before the process started officially in the first half of this
year (Q 187).
110. We hope that ENISA, though not formally
involved in the EU legislative process, will through its Executive
Director, its Management Board and its Permanent Stakeholders
Group have an important voice in the drafting of the new mandate.
111. The entry into force of the Treaty of Lisbon,
not of course mentioned in the Communication, means that the mandate
would no longer necessarily be limited to matters related to the
functioning of the internal market, as currently required by having
Article 95 TEC as its legal base, but could be extended to some
of what previously were third pillar matters. We agree with the
Payments Council (p 157) that ENISA's current place within
the pillar structure appears to be hampering its scope for action.
We hope that agreement can be reached, well before the expiry
of the current mandate, on extending the work of ENISA to matters
such as police and judicial cooperation over criminal use of the
Internet, with a commensurate increase in resources.
112. Prior to the adoption of the Regulation
setting up ENISA, the European Council decided at the meeting
on 12-13 December 2003 to locate the Agency in Greece. Subsequently,
and perhaps surprisingly, the Greek government decided to locate
it, not in Athens as might have been expected, but at Heraklion
in Crete. The process was described by Mr Smith: "The
agency came at the end of a big log-jam of agencies that did not
have homes ... ENISA came towards the back of that queue
As we approached enlargement, it suddenly became crucial that
we solve this problem
It was a surprise to everyone when
ENISA was given to Greece and the terms under which it was given
were that Greece would decide the location of the agency. It chose
to locate in Crete and that was the decision of the Greek government,
and I have no reason to challenge that decision" (Q 46).
113. The Greek government believed it had sound
reasons for its decision, since Heraklion is the location of the
Greek Foundation of Research and Technology (FORTH). ENISA (p 74)
and Dr Helmbrecht (Q 212) pointed to the advantages of being
close to a university campus and a research institute working
on computer science and intelligence. Nevertheless, this decision
has caused many problems and been the subject of widespread adverse
comment. The panel of experts appointed by the Commission to carry
out the mid-term evaluation of ENISA, as required by Article 25(1)
of the Regulation, examined the location and made some scathing
ENISA Evaluation Report: Location
|Taking Brussels as a reference point, ENISA is the most distant agency, about 2,400 km away. This is 600 km further than CEDEFOP, which is based in Greece too but in Thessalonica (and has a liaison office in Brussels). ENISA is approximately 1,000 km further than OHIM in Alicante or EMCDDA in Lisbon.
The problem is not distance by itself, but its impact on the mission of the agency, which requires continuous interaction with the main IT and security policy research centres.
Heraklion is not a capital city and flight schedules, especially in winter, are limited, requiring a stopover in another city (usually Athens). Travel time is between 7 to 10 hours each way, which results in an average time of up to 3 days for each event or meeting attended by an agency employee, as well as for members of the Management Board and experts cooperating with ENISA such as members of the Permanent Stakeholders Group (who are not even paid for their time).
The agency is very far from the main knowledge centres of security, mainly located in northern Europe. This reduces the opportunities for spontaneous interactions, short meetings, and keeping in touch with evolving policy priorities and new ideas.
114. These criticisms were made over three years
ago, but those of our witnesses who referred to the location made
it clear that these difficulties persist. Mr Smith told us: "I have
seen a lot of Athens Airport over the last few years" (Q 47).
ENISA told us that in 2009 their staff spent 85 nights in stopovers
in Athens while on missionand this excluded meetings in
Athens itself. And the Payments Council noted: "Even in the
Internet world personal contacts are important, particularly in
the security field. [ENISA's] location is also likely to affect
its access to the resources and skills that it requires in order
to be effective" (p 157).
115. The location of ENISA also gives rise to
problems of recruiting and retaining staff. All staff live in
Crete because that is a condition of their contract. Dr Helmbrecht
told us that the agency has no difficulty recruiting staff of
the right calibre, but "it is currently a difficult situation
for families with children because you do not have a well-established
European School in Heraklion, so if you have parents with children
from the ages of, say, 12 to 18 it is nearly impossible currently"
(QQ 211, 213).
116. Professor Anderson was, as we have
said, in no doubt that the EU had a significant role to play in
Internet policy, and that it should have an organisation like
ENISA; but he was highly critical of its current location. Ideally
he thought it should be in Brussels where its expertise would
be available on tap, but he also mentioned Cambridge or Munich
where there was a well-established existing technical culture.
If policy dictated that it had to be in Greece, then it should
be within a 20-minute taxi ride of Athens airport. "There
is not just an issue of convenience ... there is also an issue
of recruitment and retention of high grade technical staff. Good
software people like to be in places where there are other good
software people ... if you cannot attract and retain top class
technical people, you cannot run an agency like that" (Q 263).
117. The Management Board meets twice a year.
Although some meetings have been held in Crete there have been
meetings in Brussels, Vienna, Madrid, Paris and London, the clearest
testimony of their views on the location. But there has been one
recent improvement. In autumn 2009 ENISA opened a branch office
in Athens paid for by the Greek government, so that meetings can
be held there. In 2010 the Management Board will be meeting there
twice, and maybe also the Permanent Stakeholders Group (QQ 212,
221). If the headquarters cannot be in Athens, an office there
is the next best thing. ENISA will continue to be a centre of
excellence only if the best brains in the business can be attracted
to meetings; whenever possible a meeting in Athens should be preferred
to one held in Crete.
118. From the evidence we have received (though
not that of the Executive Director) we are convinced that the
decision to site ENISA at Heraklion was not taken on the basis
of a careful cost/benefit analysis, and that it has led and continues
to lead to problems over the recruitment and retention of staff,
and over the scheduling of meetings.
119. We welcome the fact that, to meet some
of these problems, the government of Greece has recently made
facilities available in Athens for ENISA meetings. We hope that
any conference facilities which ENISA may need there will be provided
so that it can function as efficiently as possible.
120. We urge the Government to ensure that,
when the question of location of EU agencies arises in the future,
the Member State in which the agency is to be located should take
into account the views of other Member States on the choice of
site within that country, and that all such decisions should be
taken only on the basis of a rigorous cost/benefit analysis.
44 Regulation (EC) No 460/2004 of the European Parliament
and of the Council of 10 March 2004 establishing the European
Network and Information Security Agency (OJ L77, 13 March 2004,
Ibid, Article 1(3). Back
Ibid, Article 1(1). The reference at the end to "the smooth
functioning of the internal market" is needed to give the
Regulation a sound legal basis in Article 95 TEC. Back
Ibid, Article 7(3). Back
FRONTEX: the EU external borders agency (9th Report, Session
2007-08, HL Paper 60), paragraphs 82-91; EUROPOL: coordinating
the fight against serious and organised crime (29th Report,
Session 2007-08, HL Paper 183), Chapter 5. Back
Regulation, Article 6(3). Back
Ibid, Article 27. Back
Regulation (EC) No 1007/2008 of the European Parliament and of
the Council of 24 September 2008 amending Regulation (EC) No 460/2004
establishing the European Network and Information Security Agency
(OJ L293, 31 October 2008, p.1). Back
See paragraph 48 above. Back
European Centre for the Development of Vocational Training Back
Office for Harmonisation in the Internal Market (Trade Marks and
European Monitoring Centre for Drugs and Drug Addiction Back
Extracted from section 3.2 of Evaluation of the European Network
and Information Security Agency: Final Report by the Experts Panel,
IDC EMEA, 8 January 2007. Back