The European Network and Information Security Agency - ENISA

What does network and information security stands for?

Network and Information Security is becoming increasingly important as information and communication technologies become the backbone of modern societies and economies.

Network and information security can be viewed from various standpoints. These include their technical robustness, the ways in which businesses and citizens use them, and how their use is governed. Challenges to network and information security are manifold and Internet security is at the heart of the discussion.

Whereas, only a couple of years ago, governments regarded security - including network and information security - as purely a national domain, security has now entered the political mainstream of the European Union's activities.

Access to the network is now possible from anywhere at any time and the tendency is to connect to the infrastructure (e.g., Internet) almost any device or service, ranging from printers to remote home appliances, from banking services to ticket reservations.

As information flows freely across national borders, so do network and information security problems. The security policy issues faced by all countries are therefore essentially the same. However, individual EU Member States have taken varying approaches to them and are at very different stages in their work.

What is ENISA for?

The need to get the solutions right justifies the joint decision by the European Parliament and the Council to create a centre of expertise at European level, providing guidance and, when called upon, assistance to the European Parliament, Commission and any competent body appointed by Member States.

The challenge for ENISA is to help achieve high EU-wide level of security in electronic communications, and to build the "culture of security" necessary for the single market to deliver its full benefits to European citizens, consumers, enterprises and public sector bodies. This culture should combine the rapid and effective take-up of technical innovation with good security practices.

Among its activities, the Agency should pay particular attention to small and medium-sized enterprises and ultimately serve as a centre of expertise where Member States, EU institutions and industry can seek advice on network and information security matters.

ENISA's independence will help promote trust and favour the direct involvement of industry, in both identifying and solving security problems in Europe.

How is the Agency structured?

On an organisational level, the Agency consists of:

a Management Board,

composed of one member per Member State, three representatives appointed by the Commission and three representatives of different stakeholder groups proposed by the Commission and appointed by the Council,

an Executive Director,

responsible for the day-to-day management of the Agency, and

a Permanent Stakeholders Group,

composed of experts representing stakeholders. This group advises the Executive Director in the performance of his duties.

The Agency is managed by its Executive Director, who is appointed by the Management Board from a list of candidates proposed by the Commission after an open competition, notice of which is published in the EU Official Journal. The Executive Director is responsible, inter alia, for:

• the drawing up and execution of the Agency's work programme,
• the Agency's draft statement of estimates of revenue and expenditure and the execution of its budget,
• all staff matters,
• developing and maintaining contact with institutions, the business community and consumer organisations, and
• establishing and chairing the Permanent Stakeholders Group.

Tasks of the Management Board include adopting the budget, verifying its execution, adopting appropriate financial rules, establishing transparent working procedures for decision-making by the Agency, approving the Agency's work programme, adopting its own rules of procedure and Agency's internal rules of operation, and appointing or removing the Executive Director. The Management Board adopts the Agency's internal rules of operation on the basis of a proposal by the Commission.

The Permanent Stakeholders Group provides advice to the Executive Director in drawing up a proposal for the Agency's work programme and ensuring communication with relevant players in the field. The composition, number and operation of the Group must be specified and made public in the Agency's internal rules of operation.

What will the Agency's budget be ?

The Agency's budget will be relatively modest: enough to cover running costs plus the possibility of launching three or four studies per year.

The number of staff is estimated to 44 people when fully functional. The Executive Director will be able to set up ad hoc working groups for specific areas. The budget amounts to € 34,3 million for five years.

In 2007 the Agency's activities are to be evaluated in order to decide whether it has achieved its objectives and tasks and whether it will continue to function after its initial 5 years duration.

What will the Agency do?

In general terms, ENISA will be:

• advising and assisting the Commission and the Member States on network and information security and in their dialogue with industry to address security-related problems,
• collecting and analysing data on security incidents in Europe and emerging risks,
• promoting risk assessment and risk management methods to enhance our capability to deal with information security threats, and
• raising awareness and promoting co-operation between different actors by developing public/private partnerships in this field.

In performing these tasks, the Agency will:

• analyse current and emerging risks that could impact on the resilience and availability of electronic communications networks,
• facilitate co-operation and information exchange between all stakeholders in the area of network and information security,
• contribute to awareness-raising and the availability of information on network and information security, follow the development of standards in this area and promote risk assessment activities,
• assist the Commission and Member States in their dialogue with industry to address security related problems in hard- and software products, and
• contribute to the Community efforts to co-operate with third countries and international organisations.

When will ENISA be operational?

Following the appointment of the Executive Director, recruitment for temporary agent posts will begin soon. Fifteen temporary agents are foreseen under the 2004 budget and a total of 38 temporary agents are foreseen for 2005.

ENISA started basic operations on the 14th Mars 2004, which is the day after the publication of the Regulation in the Official Journal; it will become operational in the middle of 2005; it will be fully operational at the end of 2005, when recruitment is expected to be completed.

The selection procedure and the conditions for recruitment will always be clearly set out for all the Agency vacancy notices and will be published on the Agency's website. All recruitment will be based on applications linked to the published vacancy notices.  

---

Last Version - $Revision: 1.1 $ / $Date: 2004/12/07 13:55:09 $
Maintained by Jaap-Henk Hoepman
Email: