In recent years, The European Agency for Cybersecurity (ENISA) has become an increasingly important asset in addressing the growing challenges in this sector. The European Union’s cybersecurity remit derives from Article 5 of the Treaty on European Union (TEU), which provides for shared competence in areas where there is no exclusive competence.

The EU (and by extension ENISA) should thus limit itself to issues that cannot be resolved by individual member states. For this reason, along with this European agency, each member state has adopted its own institutional framework and bodies for dealing with cybersecurity. The remit of ENISA is therefore to assist member states and the Commission, and to facilitate cooperation and exchange of information.

European coordination

While the main regulatory reference point for European cybersecurity is currently the NIS directive , an updated text is under discussion and is expected to lead to the approval of NIS 2 .

Given the nature of European directives (Article 288 of the Treaty on the Functioning of the European Union, TFEU ), the text limits itself to indicating to member states the desired results, leaving them with ample autonomy to structure their own cybersecurity agencies.

Among the obligations set out for member states is the identification of specific agencies that can coordinate adopted policies to maintain a high level of cybersecurity. These are the competent national authorities, the single points of contact and the CSIRTs (Computer Security Incident Response Team).

Already established in 1990, CSIRTs are organisations in charge of collecting and managing reports of incidents and potential software vulnerabilities. Each country has a different number of CSIRTs that can be accredited by various international consortia such as Trusted Introducer , First (Forum of Incident Response and Security Teams) and The European CSIRT Network .

The NIS Directive obliges each member state to designate one or more CSIRT to join the European CSIRT Network. In most cases member states have designated a single CSIRT, but not all; in fact, some countries have designated two or three.

While CSIRTs deal with IT incidents and potential vulnerabilities, the competent NIS authorities operate at the regulatory and management level. These are the national bodies responsible for the security of networks and information systems in the sectors indicated in the directive. In this case too, each state can identify one or more competent bodies. 13 countries nominated a single competent NIS authority.

If only one authority is identified, it automatically becomes the single point of contact. Otherwise the state must indicate which body will play the role of liaison to ensure cooperation with authorities of other member states as well as ENISA and the CSIRT Network.

NIS competent authorities: a look at Germany, France and Italy

As we have seen, each country has the right to structure its own relevant bodies as it sees fit, as long as it respects the obligations of the European directive. Taking the three most populous EU countries as examples, the first fact that emerges is that all three, to date, have identified a single NIS authority.

In Italy’s case, the sole NIS authority is the new Cybersecurity Agency . Before this agency was established in May 2021, there were five nominated authorities, namely the ministries of economic development, infrastructure, economy, health and environment, now defined as “sector authorities” (Article 7 of Legislative Decree 65/2018 ). The Cybersecurity Agency thus represents the single point of contact, while also containing the Italian CSIRT , which was previously included in the department of information for the security of the republic (thus coming under the rubric of intelligence).

The Cybersecurity Agency is in many regards autonomous. However, it is placed under the supervision of the Presidency of the Council, which oversees the management of the sector as well as the appointment of the director (Roberto Baldoni) and vice-director (Nunzia Ciardi). Internally, the agency is structured as eight general services, subdivided in turn into divisions. Currently, the maximum staff envisaged is around 300 people, while the budget for 2022 amounts to 41 million euros. However, for the coming years, a strong increase in resources is expected. 122 million euro is the planned budget for the Italian cybersecurity agency starting in 2026.

In France, the competent authority is the Agence nationale de la sécurité des systèmes d’information (ANSSI). As in Italy, the agency is part of the Council Presidency. Specifically, the French agency is part of the General Secretariat of Defence, a specific body assisting the Prime Minister in the exercise of his responsibilities in matters of defence and national security. Established by law in 2009, ANSSI immediately set itself ambitious goals , including becoming a world leader in cybersecurity. This wording is no longer present in the most recent version of the French cybersecurity strategy.

At the top of ANSSI is a Directorate General , which includes the Director General, Guillaume Poupard, along with the Deputy Director General and the Chief of Staff. Below , there are four sub-directorates, which in turn contain divisions. Excluding salaries, in 2020 ANSSI’s budget amounted to about 21 million euros (excluding personnel costs), while the staff numbered over 500 officers and 100 recruits.

Germany also has a single competent authority, the Federal Cyber Security Authority (BSI). Contrary to France and Italy, this authority is not under the authority of the Prime Minister (Chancellor in this case) but instead part of the Directorate General of Cyber and Information Security in the Ministry of the Interior . The office was already established in 1991, but today its functions are mainly regulated by a law from 2009 . Subsequent measures have then been adopted, one in 2015 , anticipating many elements of the European directive issued the following year, and another only a few months ago. With the latest legislation , the German government intends to further strengthen BSI, especially when it comes to consumer protection, business security, and cell phone networks.

At the top of BSI is the president, Arne Schönbohm, and the vice president. The agency is divided internally into eight divisions, which in turn are divided into 18 branches and several sections. Its budget for 2021 amounted to almost 200 million euro, and its staff numbered 1550 people.

Information on budgets and staffing at these facilities, while interesting, is difficult to compare. This is not only because of the different sources from which the data was collected and the different methodologies used therein, but also because cybersecurity is not in any country the exclusive responsibility of a single organisation. Different structures such as ministries, defence, and intelligence have important roles in this area, and it is therefore very difficult to assess each country’s cybersecurity efforts in these terms.

The relationship between the defence sector and intelligence

As mentioned above, before the birth of the Italian Cybersecurity Agency, the sector fell within the competence of the Department of Information for the Security of the Republic (DIS). The new law , however, has placed the agency outside of the intelligence sector, even though there remain many links between the two sectors. Meanwhile, the government undersecretary in charge of intelligence has now been given the same remit in cybersecurity by law. In addition, coordination with the intelligence sector is ensured by the presence of representatives of intelligence agencies in the cybersecurity core, in which representatives of various ministries also participate. The presence of a representative of the Ministry of Defence is also foreseen, which probably guarantees the link between the Agency and the Network Operations Command (COR), the cybersecurity body under the command of the Chief of The Defence Staff. In the rules published so far, however, there is no explicit link between the agency and the COR.

The German Federal Cyber Security Authority also emerged from the intelligence sector , starting in the early 1990s as an office that dealt with the technological protection of state secrets. Over the years, however, the BSI has become a completely autonomous body. Relations with the intelligence community are maintained through the National Centre for Cyber Defence , an interinstitutional body that includes various federal structures interested in cybersecurity. This body also maintains relations with the military, which is of considerable importance in this sector in Germany. Cyber defence is in fact constitutionally assigned to the armed forces. In 2017 the Kommando Cyber -und Informationsraum (CIR) was established, a body considered on a par with the other commands of the German armed forces , responsible for the security of cyber defence infrastructure and weapon systems. Given the close relationship between defence and cyber security, the CIR provides support to the BSI in case of need. However, given the strict constitutional limits placed on the German military, it can only provide ‘”administrative” assistance. In fact, in the event of the need to deploy military personnel in response to a nationwide cyber attack, prior authorisation by parliament is constitutionally required.

As we have seen, in France ANSSI is established within the General Secretariat of Defence . This structure guarantees coordination with the military and intelligence sectors. In fact, the General Secretariat of Defence has various competences in both defence and intelligence, carrying out for the President of the Council of Ministers the direction, proposal, coordination and regulation of general defence and national security matters. In addition, as we have seen, the General Secretariat of Defence is answerable to the President of the Council of Ministers, who is also responsible for the activities of the domestic and foreign intelligence services, even though these come under the Ministries of the Interior and Defence respectively.

Harald Zwingelberg from Unabhängige Landeszentrum für Datenschutz and Álvaro Merino from El Orden Mundial contributed to this investigation.