European agencies play a supporting and coordinating role in European cybersecurity. However, with reference to specific EU regulations, every member state can establish its own organ to safeguard both private and national interests.
In recent years, The European Agency for Cybersecurity (ENISA) has become an increasingly important asset in addressing the growing challenges in this sector. The European Union’s cybersecurity remit derives from Article 5 of the Treaty on European Union (TEU), which provides for shared competence in areas where there is no exclusive competence.
The EU (and by extension ENISA) should thus limit itself to issues that cannot be resolved by individual member states. For this reason, along with this European agency, each member state has adopted its own institutional framework and bodies for dealing with cybersecurity. The remit of ENISA is therefore to assist member states and the Commission, and to facilitate cooperation and exchange of information.
While the main regulatory reference point for European cybersecurity is currently the NIS directive , an updated text is under discussion and is expected to lead to the approval of NIS 2 .
Given the nature of European directives (Article 288 of the Treaty on the Functioning of the European Union, TFEU ), the text limits itself to indicating to member states the desired results, leaving them with ample autonomy to structure their own cybersecurity agencies.
Among the obligations set out for member states is the identification of specific agencies that can coordinate adopted policies to maintain a high level of cybersecurity. These are the competent national authorities, the single points of contact and the CSIRTs (Computer Security Incident Response Team).
Already established in 1990, CSIRTs are organisations in charge of colle