The ENISA urges the EU and its Member States to strengthen its mandate and budget as expectations exceed resources.
Cybersecurity is a global challenge as attacks may take place anywhere and target anyone across any Member State. Government entities across the globe struggle to maintain the confidentiality, integrity and availability of their systems and data. Recent reports show that the total number of data records lost or stolen since 2013 is 9.19 billion and counting – that is approximately five million records every day. This surge in cyber criminality is a strong incentive to improve online security.
Since the adoption of the EU Cybersecurity Strategy in 2013, the European Commission has stepped up its efforts to better protect Europeans online. On 20 December 2017 EU institutions took an important step in strengthening their cooperation in the fight against cyber-attacks: the Commission has earmarked €600 million of EU investment for research and innovation in cybersecurity projects during the 2014- 2020 period.
During the Cybersecurity Act public hearing held in Brussels on 9 January 2018, it was announced that the budget for the European Union Agency for Network and Information Security (ENISA) – a centre of expertise for cybersecurity – was to be doubled, going from €11 to €22 million. However, the Greece-based agency says this might not be enough. It suggested that ENISA should be developed and made into a permanent institution. The agency recommended the establishment of a European-level certification framework for online services and products, endowed with more resources.
Udo Helmbrecht, head of ENISA, warned that without additional resources, the agency may need to take a “bare minimum” approach with the tasks proposed under the directive on security of network and information systems, or NIS directive. “We will fulfil everything which is in the [proposed] regulation. Full stop. But the regulation is very, let’s say, ‘generic’,” said Helmbrecht. He also noted that as it is, the agency had to be selective about its agenda.
When the European Commission proposed the regulation in September 2017, it itself admitted that ENISA “was not equipped with proportionally sufficient resources” and that it already had a “broad mandate”. The Cybersecurity Act is to be discussed and adopted at the European Economic and Social Committee (EESC) plenary session in February 2018.
This post is also available in: FR (FR)