When the European Union Agency for Cybersecurity (ENISA) was founded back in 2004, Facebook had just been set up and the word ‘cyber’ was more commonly heard in science fiction. Its initial mandate was only for five years, a term limit which the European Commission kicked into the long grass until 2019, when it finally made it a permanent agency. On top of these early difficulties, its headquarters were based in the Greek cities of Heraklion and Athens, the antipodes of Europe.
Despite all this, ENISA has become a cohesive element in a common cybersecurity strategy. In fact, although it has maintained its old acronym from its days as the European Network and Information Security Agency, its last restructuring changed its name to the European Union Agency for Cybersecurity with the new purpose of “achieving a higher level of common cybersecurity in the whole Union, particularly through the active support of Member States, institutions and organisms of the Union”.
It is, in other words, the point of reference, the crux of the European plan for network and information security. Without a common defence strategy, without Union-wide protection, the EU would be an easy target for cybercriminals, and this is why the Commission proposed the creation of ENISA: to count on an agency whose first commitment is to secure the continent, to tie up loose ends and ensure that there are no unimplemented directives that leave countries vulnerable to attack. Furthermore, the agency works closely with Europol and the European Cybercrime Centre.
In 2004, the organisation represented a slightly premature project, a step ahead of the internet’s explosion into the daily life of its citizens, but as information and communications technology (ICT) grew, the risks associated with it grew exponentially as well. Protection against cybercrime was not a visionary precaution but a necessity, and now the work of ENISA has proved to be crucial.
Without their work, cyberattacks like the one that hit the University Hospital of Brno (Czechia) in March 2020, which caused it, in the midst of the pandemic, to postpone urgent operations and relocate severely ill patients, would be seen much more frequently. The pandemic has complicated things: in accelerating the digital transformation of society and the economy, the threats have multiplied. From water supply to control over our homes, each becoming more and more connected, the scope of cybercriminals has no limits.
A progressive rise
ENISA was conceived as a small agency with a specific task: help institutions and organisations within the EU and Member States to protect their connectivity. One year before it surpassed its initial mandate, in 2008, the European Parliament and European Council decided, as proposed by the Commission, to renew its term until 2012 as the evaluation and improvement of protection for European networks had hardly even begun.
In 2011, the mandate was extended once again, this time to 2013 and then again, once this date was reached, to 2020. In contrast to previous extensions, the last one came accompanied by an enlargement of its brief. Coinciding with the publication of the EU’s first Cybersecurity Strategy, the European institutions also modernised the agency, which required assistance in certain areas of its new brief. Among them, the most important was a future network of teams to handle cyber emergencies (EU CERT), spread across all European capitals.
Yet it was in 2019, with the passing of the Cybersecurity Act, when ENISA received its definitive brief. As well as increasing its resources, the new legislation made its 2004 mandate permanent, changed its name to the European Union Agency for Cybersecurity, expanded its advisory role and gave it clear operative instructions for the first time.
Therefore, among other things, the agency also began to help Member States to establish priorities in research and development funding and, most importantly, worked to create a system of security certification for ICT products and services in the EU.
In order for businesses and consumers to trust that their online information is safe, they need to use secure devices, but the lack of a unified certification system in the EU undermines this confidence and limits cross-border trade. To this end, ENISA must establish common criteria and unify the national mechanisms to award cybersecurity certification, a hallmark that is needed from smart cards – credit cards, bus passes, SIM cards – to cloud services.
As far as financing is concerned, ENISA has had its budget increased year on year up to nearly €22m in 2020, five times more than its initial budget. The vast majority of money comes from the European Commission, while EEA countries – Iceland, Liechtenstein, Norway and Switzerland – and the Greek government – which rents its premises – also contribute a small portion. In 2019, ENISA had seventy-five employees.
The growing role of ENISA in the EU’s cybersecurity strategy has made the European Commission aware of the need to have the organisation closer to its centre of power. To this end, rather than changing its headquarters, last June they authorised the opening of a third office in Brussels with the intention of maintaining “regular and systematic cooperation” between the agency and the European institutions.
Incarnation to incarnation, the European Network and Information Security Agency has remained a pillar of European cybersecurity since its foundation in 2004. The culmination of this process was realised with its new office in Brussels and the consolidation of its operational functions, a change that marks the EU’s intent to tackle cyberattacks head-on and become the number one enemy of cybercriminals across the world.