National governments across the European Union have called on the European Commission to enhance the capacity and mandate of the EU’s cybersecurity agency, ENISA, as part of ongoing efforts to bolster Europe’s cybersecurity resilience. The request comes as the European Commission prepares to review the EU’s Cybersecurity Act (CSA), a key regulatory framework that entered into force in 2019 and tasked ENISA with overseeing the implementation of EU-wide cybersecurity rules.
The request for an upgrade in resources reflects the growing challenges that ENISA faces amid an evolving cyber threat landscape, as well as its expanded role under recent cybersecurity initiatives. These include the Network and Information Systems Directive 2 (NIS 2), the Cyber Resilience Act, and the Cyber Solidarity Act, all of which place greater demands on the agency’s capacity to support member states and improve Europe’s cybersecurity framework.
The Need for Enhanced Resources
According to draft conclusions from a meeting of EU diplomats in Brussels, which were seen by Euronews, national governments argue that the evaluation of the Cybersecurity Act should serve as an opportunity to assess whether ENISA has the appropriate resources to meet its growing responsibilities. The governments emphasized that this should include adequate human, financial, and technical resources to ensure that the agency can effectively carry out its expanding mandate. The conclusion stressed that these enhancements must be aligned with the EU’s broader financial framework, ensuring that any additional funding does not interfere with existing budgetary negotiations.
ENISA’s role has expanded significantly over the past few years. Originally tasked with overseeing the implementation of the CSA, the agency now plays a more central role in Europe’s cyber defense strategy. In addition to its traditional duties of coordinating cybersecurity efforts across EU member states, ENISA is also responsible for increasing the trustworthiness of information and communication technology (ICT) products, particularly through certification schemes. However, this added responsibility has placed significant strain on its modest staff of just over 100 employees, prompting calls for reinforcements to ensure the agency can meet the growing demands of the digital age.
Cybersecurity Initiatives and Growing Responsibilities
ENISA’s responsibilities have notably grown as a result of several new and upcoming cybersecurity regulations, such as the NIS 2 Directive (which updates the Network and Information Systems Directive to improve security across critical sectors), the Cyber Resilience Act (which introduces cybersecurity requirements for ICT products), and the Cyber Solidarity Act (a proposal to enable faster EU-wide responses to cyber incidents). The cumulative effect of these initiatives has made ENISA’s role increasingly pivotal in shaping the EU’s cyber policy landscape.
In the draft conclusions, governments explicitly highlighted that these new initiatives should be accompanied by the provision of adequate resources to ensure the agency can handle its expanding workload. This is seen as crucial for the agency to effectively support national governments in improving their cybersecurity posture and mitigating increasingly sophisticated cyber threats.
ENISA’s Mandate and Role in Certification
Another critical aspect of the proposed enhancements to ENISA’s role involves a more focused and clearly defined mandate for supporting national governments. Governments have urged the European Commission to ensure that ENISA’s support is targeted towards concrete strategic objectives, helping member states enhance their cybersecurity infrastructure while providing greater clarity on the agency’s functions.
ENISA’s involvement in certification has also been a point of contention in recent years. The agency was tasked with leading the development of the EU Cloud Certification Scheme (EUCS) for cloud services, a voluntary certification designed to provide assurance to users regarding the security of cloud services. However, despite ENISA’s efforts, an agreement on the EUCS scheme has yet to be reached, with the matter expected to be revisited by the European Commission when the new leadership takes office on December 1, 2024.
Incoming Tech Commissioner Henna Virkkunen is expected to lead the debate on cybersecurity and the further development of certification schemes. As outlined in her mission letter from European Commission President Ursula von der Leyen, Virkkunen’s mandate includes strengthening Europe’s cybersecurity, particularly by improving the adoption processes of certification schemes like EUCS.
Next Steps
The draft conclusions will be presented for approval during the EU telecom ministers’ meeting scheduled for December 6, 2024, following their endorsement by diplomats this week. The outcome of this meeting will likely influence the Commission’s final approach to the review of the Cybersecurity Act and ENISA’s role within the EU’s cybersecurity framework.
The ongoing debate surrounding the future of ENISA underscores the EU’s recognition of cybersecurity as a strategic priority. As cyber threats continue to evolve in scale and sophistication, ensuring that ENISA has the necessary resources to support EU-wide efforts will be essential for safeguarding Europe’s digital future.
References:
Kroet, C. (2024, November 22). Governments ask EU Commission to beef up cybersecurity agency Enisa. Euronews.