18 Sep 2023

Adapting ENISA’s mandate and collaboration in a changing cyber landscape

Executive Summary

The upcoming evaluation of the European Union Agency for Cybersecurity (ENISA) is crucial to assess its performance and explore potential modifications to its mandate, considering its role in the evolving cybersecurity landscape.

ENISA has been successful in promoting network and information security across Europe, but must adapt to address emerging cyber threats and the changing cybersecurity environment. It now faces expanded responsibilities due to new legislative acts, including the new Directive on measures for a high common level of cybersecurity across the Union (NIS2) and the Cyber Resilience Act.

Expanding ENISA’s mandate presents several challenges, including the predominant competence of Member States in national security matters, the diversity in legal frameworks and expertise amongst Member States, and resource allocation constraints.

To enhance the effectiveness of both ENISA and the European cybersecurity certification framework, we suggest various lines of action and reforms:

  • ENISA should further foster coordination and cooperation amongst Member States, facilitating information sharing, best practice dissemination, and harmonisation of cybersecurity policies. It should deepen its sector-specific expertise, prioritising critical sectors and assets and collaborating with sector-specific authorities and organisations, such as information sharing and analysis centres (ISACs);
  • ENISA should play a more prominent role in advising on planned EU legislative initiatives with cybersecurity implications, enhancing the coherence and impact of cybersecurity policymaking in the EU;
  • ENISA’s tasks within the EU’s cybersecurity ecosystem should be further clarified to avoid duplication and ensure efficient resource allocation across the EU. Structured collaboration with the European Cybersecurity Competence Centre (ECCC) and strengthening support to existing bodies like the NIS Cooperation Group, the CSIRTs Network and EU-CyCLONe can streamline ENISA’s role;
  • Collaboration between the public and private sectors is essential to enhance Europe’s resilience against cyber threats. A Joint Public-Private Expert Unit, comprising chief information security officers (CISOs) and leading companies operating in Europe, should be considered to advise on strategies and measures for proactive threat mitigation;
  • To improve the effectiveness of the European cybersecurity certification framework, an evidence-based approach should be adopted, including expert-driven impact assessments. The Union Rolling Work Programme (URWP) should be published promptly to provide stakeholders with foresight on upcoming schemes; and
  • The Stakeholder Cybersecurity Certification Group (SCCG) should be empowered to play a more proactive role by providing non-binding opinions, participating in impact assessments, interacting with the European Cybersecurity Certification Group (ECCG), and promoting enhanced meeting dynamics.

ENISA’s evaluation and adaptation are essential to meet the evolving cybersecurity challenges facing Europe. Expanding its mandate, whilst respecting Member States’ competencies, can be achieved through a multifaceted approach and effective resource allocation. ENISA should collaborate with existing EU bodies, contribute to policymaking, and foster public-private cooperation to strengthen Europe’s cybersecurity resilience.

For more information, please contact
Alberto Di Felice
Policy and Legal Counsel
Sid Hollman
Policy Officer for Cybersecurity & Digital Infrastructure