Procedure : 2010/0275(COD)
Document stages in plenary
Document selected : A7-0056/2013

Texts tabled :

A7-0056/2013

Debates :

PV 15/04/2013 - 20
CRE 15/04/2013 - 20

Votes :

PV 16/04/2013 - 8.1

Texts adopted :

P7_TA(2013)0103

REPORT     ***I
28 February 2013
PE 470.059v02-00 A7-0056/2013

on the proposal for a regulation of the European Parliament and of the Council concerning the European Network and Information Security Agency (ENISA)

(COM(2010)0521 – C7-0302/2010 – 2010/0275(COD))

Committee on Industry, Research and Energy

Rapporteur: Giles Chichester

DRAFT EUROPEAN PARLIAMENT LEGISLATIVE RESOLUTION

on the proposal for a regulation of the European Parliament and of the Council concerning the European Network and Information Security Agency (ENISA)

(COM(2010)0521 – C7-0302/2010 – 2010/0275(COD))

(Ordinary legislative procedure: first reading)

The European Parliament,

–   having regard to the Commission proposal to Parliament and the Council (COM(2010)0521),

–   having regard to Article 294(2) and Article 114 of the Treaty on the Functioning of the European Union, pursuant to which the Commission submitted the proposal to Parliament (C7-0302/2010),

–   having regard to Article 294(3) of the Treaty on the Functioning of the European Union,

–   having regard to the opinion of the European Economic and Social Committee of 17 February 2011(1),

–   having regard to the undertaking given by the Council representative by letter of XX Xxxx 2013 to approve Parliament’s position, in accordance with Article 294(4) of the Treaty on the Functioning of the European Union,

–   having regard to Rule 55 of its Rules of Procedure,

–   having regard to the report of the Committee on Industry, Research and Energy, the opinions of the Committee on Budgets and of the Committee on Civil Liberties, Justice and Home Affairs (A7-0056/2013),

1.  Adopts its position at first reading hereinafter set out;

2.  Calls on the Commission to refer the matter to Parliament again if it intends to amend its proposal substantially or replace it with another text;

3.  Instructs its President to forward its position to the Council, the Commission and the national parliaments.

AMENDMENTS BY PARLIAMENT(2)*

to the Commission proposal

---------------------------------------------------------

PE-CONS No/YY - 2010/0275(COD)

REGULATION (EU) NO .../2013

OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

of…

Concerning the European Union Agency for Network and Information Security ▌(ENISA)

(Text with EEA relevance)

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 114 thereof,

Having regard to the proposal from the European Commission,

Having regard to the opinion of the European Economic and Social Committee(3),

Having regard to the opinion of the Committee of the Regions(4),

After transmission of the proposal to the national Parliaments,

Acting in accordance with the ordinary legislative procedure,

Whereas:

(1)  Electronic communications, infrastructure and services are an essential factor, both directly and indirectly, in economic and societal development. They play a vital role for society and have in themselves become ubiquitous utilities in the same way that electricity or water supplies are, and also constitute vital factors in the delivery of electricity, water and other critical services. Communications networks function as social and innovation catalysts, multiplying the impact of technology and shaping consumer behaviours, business models, industries, as well as citizenship and political participation. Their disruption has the potential to cause considerable physical, social and economic damage, underlining the importance of measures to increase protection and resilience aimed at ensuring continuity of critical services. The security of electronic communications, infrastructure and services, in particular their integrity, availability and confidentiality, faces continuously expanding challenges which relate inter alia to the individual components of the communications infrastructure and the software controlling those components, the infrastructure overall and the services provided through that infrastructure. This is of increasing concern to society not least because of the possibility of problems due to system complexity, malfunctions, systemic failures, accidents, mistakes and attacks that may have consequences for the electronic and physical infrastructure which delivers services critical to the well-being of European citizens.

(2)  The threat landscape is continuously changing and security incidents can undermine the trust that users have in technology, networks and services, thereby affecting their ability to exploit the full potential of the internal market and widespread use of ICT.

(3)         Regular assessment of the state of network and information security in Europe, based on reliable European data, as well as systematic forecast of future developments, challenges and threats, both at European and global level, is therefore important for policy makers, industry and users.

(4)         The representatives of the Member States, meeting in the European Council on 13 December 2003, decided that the European Network and Information Security Agency (ENISA), that was to be established on the basis of the proposal submitted by the Commission, would have its seat in a town in Greece to be determined by the Greek Government. Following that decision (2004/97/EC(5)), the Greek Government determined that ENISA should have its seat in Heraklion, Crete.

(4a)       On 1 April 2005, a Headquarters Agreement (“Seat Agreement”) was concluded between the Agency and the Host Member State.

(4b)       The Agency’s host Member State should ensure the best possible conditions for the smooth and efficient operation of the Agency. It is imperative for the proper and efficient performance of its tasks, for staff recruitment and retention and to enhance the efficiency of networking activities that the Agency should be based in an appropriate location, among other things providing appropriate transport connections and facilities for accompanying spouses and children. The necessary arrangements should be laid down in an agreement between the Agency and that Member State concluded after obtaining the approval of the Management Board.

(4c)  Therefore, in order to improve the operational efficiency of the Agency, the Agency has established an office in the metropolitan area of Athens, which should be maintained with the agreement and support of the host Member State, and where operational staff of the Agency should be located. Staff primarily engaged in administration of the Agency (including the Executive Director), finance, desk research and analysis, IT and facilities management, human resources, training, and communications and public affairs, should be based in Heraklion.

(4d)  The Agency has the right to determine its own organisation in order to ensure the proper and efficient performance of its tasks, while respecting the provisions on the seat and Athens office laid down in this Regulation. In particular, to carry out those tasks involving interaction with key stakeholders such as Union institutions, the Agency should make the necessary practical arrangements to enhance such operational efficiency.

(5)  In 2004 the European Parliament and the Council adopted a Regulation (EC) No 460/2004(6) establishing ENISA with the purpose of contributing to the goals of ensuring a high level of network and information security within the Union and developing a culture of network and information security for the benefit of citizens, consumers, enterprises and public administrations. In 2008, the European Parliament and the Council adopted a Regulation (EC) No 1007/2008(7) extending the mandate of the Agency until March 2012. Regulation (EC) No 580/2011 of the European Parliament and of the Council of 8 June 2011 establishing the European Network and Information Security Agency as regards its duration(8) extends the mandate of the Agency until 13 September 2013.

(6)  Since ENISA was set up, the challenges of network and information security have changed with technology, market and socio-economic developments and have been the subject of further reflection and debate. In response to the changing challenges, the Union has updated its priorities for network and information security policy in a number of documents, including the 2006 Commission Communication A strategy for a Secure Information Society — Dialogue, partnership and empowerment, the Council Resolution of 2007 on a Strategy for a Secure Information Society in Europe, the 2009 Communication Critical Information Infrastructure Protection – ‘Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience’, the 2009 Presidency Conclusions of the Ministerial Conference on Critical Information Infrastructure Protection (CIIP) in Tallinn, the Council Resolution of 2009 on a collaborative European approach to Network and Information Security, the 2011 Presidency Statement following the Ministerial Conference on CIIP in Balatonfüred and the 2011 Council conclusions on Critical Information Infrastructure Protection "Achievements and next steps: towards global cyber-security"(9).

The Digital Agenda for Europe(10) recognized the need ▌to modernise the Agency. The European Parliament resolution of 6 July 2011 on European Broadband: investing in digitally driven growth(11) further underlines the importance of network and information security. The present proposal aims to strengthen the Agency to successfully contribute to the efforts of the Union's institutions and the Member States to develop a European capacity to cope with network and information security challenges. ▌

(6a)  The European Data Protection Supervisor was consulted and adopted its opinion on 20 December 2010(12),

(7)  Internal market measures in the field of security of electronic communications, and, more generally, network and information security require different forms of technical and organisational applications by the Member States and the Union institutions. The heterogeneous application of these requirements can lead to inefficiencies and can create obstacles to the internal market. This calls for a centre of expertise at European level providing guidance, advice and ▌assistance on issues related to network and information security, which may be relied upon by the Member States and the Union institutions. The Agency can respond to these needs by developing and maintaining a high level of expertise and assisting the Member States, the Union institutions and the business community in order to help them to meet the legal and regulatory requirements of network and information security and to determine and address network and information security issues, thereby contributing to the smooth functioning of the internal market.

(8)  The Agency should carry out the tasks conferred on it by ▌Union legislation in the field of electronic communications and, in general, contribute to an enhanced level of security of electronic communications as well as of privacy and personal data protection by, among other things, providing expertise and advice, and promoting the exchange of good practices, and offering policy suggestions.

(9)         Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive)(13) ▌ requires that providers of public electronic communications networks or publicly available electronic communications services take appropriate measures to safeguard their integrity and security and introduces ▌the obligation for the national regulatory authorities, where appropriate, to inform inter alia, the Agency about a security breach and integrity loss that has had a significant impact on the operation of networks or services and to submit to the Commission and the Agency an annual summary report on the notifications received and the action taken. Directive 2002/21/EC further calls on the Agency to contribute to the harmonisation of appropriate technical and organisational security measures by providing opinions.

(10)  Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)(14) requires a provider of a publicly available electronic communications service to take appropriate technical and organisational measures to safeguard the security of its services and also requires confidentiality of the communications and related traffic data. Directive 2002/58/EC introduces personal data breach information and notification requirements for electronic communication services providers. It also requires the Commission to consult the Agency on any technical implementing measures to be adopted concerning the circumstances or format of and procedures applicable to information and notification requirements. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data(15) requires Member States to provide that the controller must implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network and against all other unlawful forms of processing.

(11)       The Agency should contribute to a high level of network and information security within the Union, to better protection of privacy and personal data, and to the development and promotion of a culture of network and information security for the benefit of citizens, consumers, businesses and public sector organisations in the European Union, thus contributing to the smooth functioning of the internal market. In this regard, necessary budgetary funds should be allocated to the Agency.

(11a)     Given the increasing significance of electronic networks and communications, which by now constitute the backbone of the European economy, and the actual size of the digital economy, an increase in the financial and human resources allocated to the Agency should be made, corresponding to its enhanced role and tasks, and its critical position in defending the European digital ecosystem.

(11b)     The Agency should operate as a point of reference ▌establishing trust and confidence by virtue of its independence, the quality of the advice it delivers and the information it disseminates, the transparency of its procedures and methods of operation, and its diligence in carrying out the tasks assigned to it. The Agency should build on national and Union efforts and therefore carry out its tasks in full cooperation with the Member States and Union Institutions, bodies, offices and agencies and be open to contacts with industry and other relevant stakeholders. In addition, the Agency should build on the input from and cooperation with the private sector, which plays an important role in securing electronic communications, infrastructures and services.

(12)  A set of tasks should indicate how the Agency is to accomplish its objectives while allowing flexibility in its operations. The tasks carried out by the Agency should include the collection of appropriate information and data needed to carry out analyses of the risks to the security and resilience of electronic communications, infrastructure and services and to assess, in cooperation with Member States, the Commission and, where appropriate, with relevant stakeholders, the state of network and information security in Europe. The Agency should ensure coordination and collaboration with Member States and the Union institutions and enhance cooperation between stakeholders in Europe, in particular by involving in its activities competent national and Union bodies and high-level private sector experts in relevant areas, in particular providers of electronic communications networks and services, network equipment manufacturers and software vendors, taking into account that network and information systems comprise combinations of hardware, software and services. The Agency should provide assistance to the Union institutions and the Member States in their dialogue with industry to address security-related problems in hardware and software products, thereby contributing to a collaborative approach to network and information security.

(12a)     Network and information security strategies made public by a Member State or Union institution or body, office or agency should be provided to the Agency in order to inform the Agency and to avoid duplication of effort. The Agency should analyse the strategies and promote their presentation in a format facilitating comparability. It should make the strategies and its analyses accessible to the public through electronic means.

(12b)  The Agency should assist the Commission by means of advice, opinions and ▌ analyses ▌on all the Union matters related to policy development in the area of network and information security, including CIIP and resilience. The Agency should also assist the Member States, where relevant, at their request, ▌and the Union institutions and bodies set up by Union law in their efforts to develop network and information security policy and capability.

(12c)  The Agency should utilise the ongoing research, development, and technological assessment activities, in particular those carried out by the different Union research initiatives to advise the Union and, where relevant, at their request, the Member States on research needs in the area of network and information security.

(13)       The Agency should assist the Member States as well as Union institutions, bodies, offices and agencies in their efforts to build and enhance cross-border capability and preparedness to prevent, detect ▌and respond to network and information security problems and incidents; in this regard, the Agency should facilitate cooperation among the Member States and between the Member States, the Commission and Union institutions, bodies, offices and agencies. To this end, the Agency should support the Member States in their continuous efforts to improve their response capability and to organise and run national, at the request of a Member State, and European exercises on security incidents.

▌(18)  To understand better the challenges in the network and information security field, the Agency needs to analyse current and emerging risks. For that purpose the Agency should, in cooperation with Member States and, as appropriate, statistical bodies and others, collect relevant information. Furthermore, the Agency should assist the Member States and the Union institutions and bodies in their efforts to collect, analyse and disseminate network and information security data. The collection of appropriate statistical information and data needed to carry out analyses of the risks to the security and resilience of electronic communications, infrastructure and services should take place on the basis of the information provided by the Member States and the Agency's insight into the Union's institutions' ICT infrastructures in accordance with the Union provisions and national provisions in compliance with the Union law. On the basis of this information, the Agency should maintain awareness of the latest state of network and information security and related trends in Europe for the benefit of the Member States and the Union's institutions.

(19)  In performing its tasks, the Agency should facilitate cooperation between the Union and the Member States to improve awareness on ▌ the state of network and information security in ▌ the Union.

(20)  The Agency should facilitate cooperation among the Member States’ competent independent regulatory authorities, in particular supporting the development, promotion and exchange of good practices and standards for education programmes and awareness-raising schemes. Increased information exchange between Member States will facilitate such action. The Agency should contribute towards raising awareness by individual users of electronic communications, infrastructure and services, including by assisting Member States, where they choose to use the public interest information platform provided for in Article 21(4) of Directive 2002/22/EC of the European Parliament and of the Council of 7 March 2002 on universal service and users' rights relating to electronic communications networks and services (Universal Service Directive)(16), to produce relevant public interest information regarding network and information security, and also by assisting in the development of such information to be included with the supply of new devices intended for use on public communications networks. The Agency should also support cooperation between public and private stakeholders at the Union level, partly by promoting information sharing, awareness-raising campaigns and education and training programmes.

(20a)  The Agency should, inter alia, assist the relevant Union institutions and the Member States in public education campaigns to end users, aiming at promoting safer individual online behaviour and raising awareness on potential threats in cyberspace (cybercrimes such as phishing attacks, botnets, financial and banking fraud, but also basic authentication and data protection advice).

(20b)  To ensure full achievement of its objectives, the Agency should liaise with relevant bodies, including those dealing with cybercrime such as Europol, and privacy protection authorities to exchange know-how and best practices and provide advice on network and information security aspects that might have an impact on their work aiming to deliver synergies between their efforts and the Agency's efforts to promote advanced network and information security. Representatives of national and Union law enforcement and privacy protection authorities should be eligible to be represented in the Agency’s Permanent Stakeholders Group. In liaising with law enforcement bodies on network and information security aspects that might have an impact on their work, the Agency should respect existing channels of information and established networks.

(20c)     The Commission has launched a European Public-Private Partnership for Resilience as a flexible Europe-wide cooperation platform for resilience of ICT infrastructure, in which the Agency should play a facilitating role, bringing together public and private sector stakeholders to discuss public policy priorities, economic and market dimensions of challenges and measures for resilience of ICT.

(20d)     To promote network and information security and its visibility the Agency should facilitate cooperation among the Member States’ competent public bodies, in particular by supporting the development and exchange of good practices and awareness-raising schemes and by enhancing their outreach activities. The Agency should also support cooperation between public and private stakeholders and the Union's institutions, partly by promoting information sharing and awareness-raising activities.

(20e)     To enhance an advanced level of network and information security in the Union the Agency should promote cooperation and exchange of information and good practices between relevant organisations e.g. Computer Security Incident Response Teams (CSIRTs)/Computer Emergency Response Teams (CERTs).

(20f)     A Union system of well-functioning computer emergency and response teams (CERTs) should constitute a cornerstone of the Union's network and information security infrastructure. The Agency should support Member State CERTs and the EU CERT in the operation of a network of CERTs, including the members of the European Governmental CERTs Group. To assist in ensuring that each of the CERTs has sufficiently advanced capabilities and that those capabilities correspond as far as possible to the capabilities of the most developed CERTs, the Agency should promote the establishment and operation of a peer-review system. The Agency should furthermore promote and support cooperation between the relevant CERTs in the event of incidents, attacks or disruptions on networks or infrastructure managed or protected by them and involving or potentially involving at least two of them.

(21)  Efficient security policies should be based on well-developed risk assessment methods, both in the public and private sector. Risk assessment methods and procedures are used at different levels with no common practice on their efficient application. The promotion and development of best practice for risk assessment and for interoperable risk management solutions in public and private sector organisations will increase the security level of networks and information systems in Europe. To this end, the Agency should support cooperation between public and private stakeholders at Union level, facilitating their efforts relating to the establishment and take-up of European and international standards for risk management and for measurable security of electronic products, systems, networks and services which, together with software, comprise the network and information systems.

(23)  Where appropriate and useful for fulfilling its ▌objectives and tasks, the Agency should share experience and general information with bodies and agencies created under European Union law and dealing with network and information security. The Agency should contribute to identifying research priorities, on a European level, in the areas of network resilience and network and information security, and should convey knowledge of industry needs to potential research institutions.

(23a)     The Agency should encourage Member States and service providers to raise their general security standards so that all internet users take the necessary steps to ensure their own personal cyber security.

(26)  Network and information security problems are global issues. There is a need for closer international cooperation to improve security standards, including the definition of common norms of behaviour and codes of conduct, and information sharing, promoting a swifter international collaboration in response to, as well as a common global approach to, network and information security issues. To this end, the Agency should support further Union involvement and cooperation with third countries and international organisations by providing, where appropriate, ▌the necessary expertise and analysis to the relevant Union bodies and institutions.

(27)  The Agency should operate according to, respectively, (i) the principle of subsidiarity, ensuring an appropriate degree of coordination between the Member States on NIS-related matters and improving the effectiveness of national policies, thus adding value to them and (ii) the principle of proportionality, not going beyond what is necessary in order to achieve the objectives set out by this Regulation. The exercise of the Agency’s tasks should reinforce and should not interfere with the competencies, nor pre-empt, impede or overlap with the relevant powers and tasks, of: the national regulatory authorities as set out in the Directives relating to the electronic communications networks and services, as well as of the Body of European Regulators for Electronic Communications (BEREC) established by Regulation 1211/2009(17) of the European Parliament and the Council and the Communications Committee referred to in Directive 2002/21/EC, the European standardisation bodies, the national standardisation bodies and the Standing Committee as set out in Directive 98/34/EC of the European Parliament and of the Council of 22 June 1998 laying down a procedure for the provision of information in the field of technical standards and regulations(18) and of rules on Information Society Services and the independent supervisory authorities of the Member States relating to the protection of individuals with regard to the processing of personal data and on the free movement of such data.

(27a)     It is necessary to implement certain principles regarding the governance of the Agency in order to comply with the Joint Statement and Common Approach agreed by the Inter-Institutional Working Group on EU decentralised agencies in July 2012, the purpose of which is to streamline the activities of agencies and improve their performance.

(27b)     The Joint Statement and Common Approach should also be reflected, as appropriate, in the Agency's Work Programmes, evaluations of the Agency, and the Agency’s reporting and administrative practice.

(27c)     In order for the Agency to function properly, Member States and the Commission should ensure appropriate professional expertise when nominating members to the Management Board. They should make efforts to limit turnover of their Representative on the Management Board, in order to ensure continuity of the Management Board’s work.

(27d)     It is essential that the Agency establishes and maintains a reputation for impartiality, integrity and high professional standards. Accordingly, the Management Board should adopt comprehensive rules for the prevention and management of conflicts of interest covering the entire Agency.

(27e)     Given the unique circumstances of the Agency and the difficult challenges facing it, the organisational structure of the Agency should be simplified and strengthened to ensure greater efficiency and effectiveness. Therefore, among other things, an Executive Board should be established in order to enable the Management Board to focus on issues of strategic importance.

(27f)     The Management Board should appoint an Accounting Officer in accordance with rules adopted under the Financial Regulation 966/2012(19).

(28)  In order to ensure that the Agency is effective, the Member States and the Commission should be represented on a Management Board, which should define the general direction of the Agency’s operations and ensure that it carries out its tasks in accordance with this Regulation. The Management Board should be entrusted with the necessary powers to establish the budget, verify its execution, adopt the appropriate financial rules, establish transparent working procedures for decision making by the Agency, adopt the Agency’s work programme, adopt its own rules of procedure and the Agency’s internal rules of operation, appoint the Executive Director, decide on the extension of his/her mandate after obtaining the views of the European Parliament, and decide on termination of his/her mandate ▌. The Management Board should ▌set up an Executive Board to assist it with its tasks on administrative and budgetary matters. ▌

(29)       The smooth functioning of the Agency requires its Executive Director to be appointed on the grounds of merit and documented administrative and managerial skills, as well as competence and experience relevant for network and information security, and that he/she performs his/her duties with complete independence as to the organisation of the internal functioning of the Agency. To this end, the Executive Director should prepare a proposal for the Agency’s work programme, after prior consultation with the Commission ▌, and take all necessary steps to ensure the proper execution of the work programme of the Agency. He/she should prepare an annual report to be submitted to the Management Board, ▌ draw up a draft statement of estimates of revenue and expenditure for the Agency, and implement the budget.

(30)       The Executive Director should have the option of setting up ad hoc Working Groups to address specific matters, in particular of a scientific, technical or ▌legal or socio-economic nature. In setting up ▌ad hoc Working Groups the Executive Director should seek input from and draw on the relevant external expertise needed to enable the Agency to have access to the most up-to-date information available on security challenges posed by the developing information society.

The Executive Director should ensure that the ad hoc Working Groups’ membership is selected according to the highest standards of expertise, taking due account of a representative balance, as appropriate according to the specific issues, between the public administrations of the Member States, the Union institutions, the private sector, including industry, the users, and academic experts in network and information security. The Executive Director may, as appropriate, invite individual experts recognised as competent in the relevant field to participate in the Working Groups’ proceedings, on a case-by-case basis. Their expenses should be met by the Agency in accordance with its internal rules and in accordance with rules adopted under the ▌ Financial Regulation 966/2012.

(31)       The Agency should have a Permanent Stakeholders’ Group as an advisory body, to ensure regular dialogue with the private sector, consumers’ organisations and other relevant stakeholders. The Permanent Stakeholders’ Group, set up by the Management Board on a proposal by the Executive Director, should focus on issues relevant to ▌stakeholders and bring them to the attention of the Agency. The Executive Director may, where appropriate and according to the agenda of the meetings, invite representatives of the European Parliament and other relevant bodies to take part in meetings of the Group.

(31a)     Since there is ample representation of stakeholders in the Permanent Stakeholders Group, and the PSG is consulted in particular regarding the draft Work Programme, there is no need for representation of stakeholders in the Management Board.

(33)  The Agency should apply the relevant Union legislation concerning public access to documents as set out in Regulation (EC) No 1049/2001(20) of the European Parliament and of the Council ▌. The information processed by the Agency for purposes relating to its internal functioning as well as the information processed during the performance of its tasks should be subject to the Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data(21).

(34)       Within its scope, in its objectives and in the fulfilment of its tasks, the Agency should comply in particular with the provisions applicable to the Union's institutions, and with national legislation regarding the treatment of sensitive documents. ▌

(34a)  The Agency should succeed ENISA as established by Regulation No 460/2004. Within the framework of the decision of the Representatives of the Member States, meeting in the European Council of 13 December 2003, the host Member State should maintain and further develop the current practical arrangements in order to ensure the smooth and efficient operation of the Agency, including its Athens office, and facilitate recruitment and retention of highly qualified staff.

(35)       In order to guarantee the full autonomy and independence of the Agency and to enable it to perform additional and new tasks, including unforeseen emergency tasks, it is considered necessary to grant it a sufficient and autonomous budget whose revenue comes primarily from a contribution from the Union and contributions from third countries participating in the Agency’s work. The majority of the Agency staff should be directly engaged in the operational implementation of the Agency's mandate. The host Member State, or any other Member State, should be allowed to make voluntary contributions to the revenue of the Agency. The Union’s budgetary procedure remains applicable as far as any subsidies chargeable to the general budget of the European Union are concerned. Moreover, the Court of Auditors should undertake the auditing of accounts to ensure transparency and accountability.

(35a)  In view of the continuingly changing threat landscape and the evolution of Union policy on network and information security, and in order to align to the multiannual financial framework, the duration of the mandate of the Agency should be set to a limited period of seven years with a possibility for an extension of the duration.

(37)       The Agency's operations should be evaluated independently. The evaluation should have regard to the Agency's effectiveness in achieving its objectives ▌, its working practices and the relevance of its tasks, in order to determine the continuing validity, or otherwise, of the objectives of the Agency and, based on this, whether and for what period the duration of its mandate should be further extended.

(37a)     If towards the end of the duration of the mandate of the Agency, the Commission has not introduced a proposal for an extension of the mandate, the Agency and the Commission should take the relevant measures, addressing in particular issues related to staff contracts and budget arrangements.

(37b)     Since the objectives of this Regulation, namely to establish a European Union Agency for Network and Information Security, cannot be sufficiently achieved by the Member States and can therefore be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality, as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve those objectives,

HAVE ADOPTED THIS REGULATION:

SECTION 1 SCOPE, OBJECTIVES AND TASKS

Article 1 Subject matter and Scope

1.          This Regulation establishes a European Union Agency for Network and Information Security ▌ (ENISA, hereinafter "the Agency") to undertake the tasks assigned to it for the purpose of contributing to a high level of network and information security within the Union and in order to raise awareness and develop and promote a culture of network and information security in society for the benefit of ▌ citizens, consumers, enterprises and public sector organisations in the Union, thus contributing to the establishment and smooth functioning of the internal market.

2.          The objectives and the tasks of the Agency shall be without prejudice to the competencies of the Member States regarding network and information security and in any case to activities concerning public security, defence, State security (including the economic well-being of the State when the issues relate to State security matters) and the activities of the State in areas of criminal law.

3.  For the purposes of this Regulation "network and information security" shall mean the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted data and the related services offered by or accessible via these networks and systems.

Article 2 Objectives

- 1.        The Agency shall develop and maintain a high level of expertise.

1.          The Agency shall assist the Union's institutions, bodies, offices and agencies in developing policies in network and information security.

1a.        The Agency shall assist the Member States and the Union's institutions, bodies, offices and agencies in implementing the policies necessary to meet the legal and regulatory requirements of network and information security in present and future Union legislation, thus contributing to the smooth functioning of the internal market.

2.          The Agency shall assist in enhancing and strengthening the capability and preparedness of the Union and of the Member States to prevent, detect and respond to network and information security problems and incidents.

3.          The Agency shall ▌ use its expertise to stimulate broad cooperation between actors from the public and private sectors.

Article 3

Tasks

1.          Within the purpose set out in Article 1, and in order to attain the objectives set out in Article 2, whilst respecting Article 1(2), the Agency shall perform the following tasks:

             (a)     Support the ▌development of Union policy and legislation, by:

(i)       Assisting and advising on all matters related to Union network and information security policy and legislation;

(ii)      Providing preparatory work, advice and analyses related to the development and update of Union network and information security policy and legislation;

(iii)     Analysing publicly available network and information security strategies and promoting their publication.

(aa)  Support capability building by:

(i)       Supporting Member States at their request in their efforts to develop and improve network and information security prevention, detection, analysis and response capability, and providing them with the necessary knowledge;

(ii)      Promoting and facilitating voluntary cooperation among the Member States and between the Member States and the Union's institutions, bodies, offices and agencies in their efforts to prevent, detect and respond to network and information security problems and incidents where these have an impact across borders;

(iii)     Assisting the Union's institutions, bodies, offices and agencies in their efforts to develop network and information security prevention, detection, analysis and response capability, in particular by supporting the operation of a Computer Emergency Response Team (CERT) for them;

(iv)  Supporting the raising of the level of capabilities of national, governmental and Union CERTs, including by promoting dialogue and exchange of information, towards ensuring that, having regard to the state of the art, each CERT meets a common set of minimum capabilities and that they operate according to best practices;

(v)       Supporting the organisation and running of Union network and information security exercises, and, at their request, advising Member States on national exercises;

(vi)      Assisting the Member States and the Union's institutions, bodies, offices and agencies in their efforts to collect, analyse and, in line with Member States' security requirements, disseminate relevant network and information security data; and on the basis of information provided by the Member States and the Union's institutions, bodies, offices and agencies in accordance with Union provisions and national provisions in compliance with Union law, maintaining awareness of the latest state of network and information security in the Union for the benefit of the Member States and the Union's institutions, bodies, offices and agencies;

(vii)    Supporting the development of a European early warning mechanism that is complementary to Member States' mechanisms;

(viii)   Offering network and information security training for relevant public bodies, where appropriate in cooperation with stakeholders.

(ab)  Support voluntary co-operation among competent public bodies, and between public and private stakeholders, including universities and research centres in the Union, and awareness raising, inter alia, by:

(i)   Promoting cooperation between national and governmental CERTs or Computer Security Incident Response Teams (CSIRTs), including the CERT for the Union institutions, bodies, offices and agencies;

(ii)  Promoting the development and sharing of best practice with the aim to arrive at an advanced level of network and information security;

(iii) Facilitating dialogue and efforts to develop and exchange good practices;

(iv)  Promoting best practice in information sharing and awareness raising;

(v)   Supporting the Member States, at their request, and the Union and their respective institutions, bodies, offices and agencies in organising awareness raising, including at the level of individual users, and other outreach activities to increase network and information security and its visibility by providing best practices and guidelines.

(ac)  Support research and development and standardisation, by:

(i)         Facilitating the establishment and take up of European and international standards for risk management and for the security of electronic products, networks and services;

(ii)  Advising the Union and the Member States on research needs in the area of network and information security with a view to enabling effective responses to current and emerging network and information security risks and threats, including with respect to new and emerging ICT technologies, and to using risk prevention technologies effectively.

(ad)  Cooperate with Union institutions, bodies, offices and agencies, including those dealing with cybercrime and the protection of privacy and personal data, to address issues of common concern, including by:

(i)   Exchanging know-how and best practice;

(ii)  Providing advice on relevant network and information security aspects in order to develop synergies.

(j)     Contribute to the Union efforts to cooperate with third countries and international organisations ▌to promote international cooperation on network and information security issues, including by:

(i)  Being engaged, where appropriate, as an observer and in the organisation of international exercises, and analysing and reporting on the outcome of such exercises;

(ii)  Facilitating exchange of best practices of relevant organisations;

(iii) Providing the Union's institutions with expertise.

2.  Member State bodies and Union institutions, bodies, offices and agencies may request advice from the Agency in case of breach of security or loss of integrity with a significant impact on the operation of networks and services.

3.          The Agency shall carry out tasks conferred on it by Union legislative acts.

4.      The Agency shall express independently its own conclusions, orientations and advice on matters within the scope and objectives of this Regulation.

SECTION 2 ORGANISATION

Article 4 Bodies of the Agency

1.          The Agency shall comprise:

(a)    a Management Board;

(b)    an Executive Director and the staff; and

(c)    a Permanent Stakeholders’ Group.

2.          In order to contribute to enhancing effectiveness and efficiency of the operation of the Agency, the Management Board shall establish an Executive Board.

Article 5 Management Board

1.          The Management Board shall define the general direction of the operation of the Agency and ensure that the Agency works in accordance with the rules and principles laid down in this Regulation. It shall also ensure consistency of the Agency’s work with activities conducted by the Member States as well as at Union level.

2.          The Management Board shall adopt ▌the Agency’s annual and strategic multi-annual work programme.

3.  The Management Board shall adopt an annual report on the Agency's activities and send it, by 1 July of ▌the following year, to the European Parliament, the Council, the Commission and the Court of Auditors. The annual report shall include the accounts and describe how the Agency has met its performance indicators. The annual report shall be made public.

3a.        The Management Board shall adopt an anti-fraud strategy, which is proportionate to the fraud risks having regard to cost-benefit of the measures to be implemented.

3b.        The Management Board shall ensure adequate follow-up to the findings and recommendations stemming from investigations of the European Anti-fraud Office (OLAF) and the various internal or external audit reports and evaluations.

3c.        The Management Board shall adopt rules for the prevention and management of conflicts of interest.

3d.        The Management Board shall exercise, with respect to the staff of the Agency, the appointing authority powers conferred by the Staff Regulations on the Appointing Authority and by the Conditions of Employment of Other Servants on the Authority Empowered to Conclude Contracts of Employment.

The Management Board shall adopt, in accordance with the procedure under Article 110 of the Staff Regulations, a decision based on Article 2 paragraph 1 of the Staff Regulations and on Article 6 of the Conditions of Employment of Other Servants delegating the relevant appointing authority powers to the Executive Director. The Executive Director is authorised to sub-delegate these powers.

Where exceptional circumstances so require, the Management Board may reclaim the appointing authority powers delegated to the Executive Director and those sub-delegated by the Executive Director. In such a case, the Management Board may delegate them, for a limited period, to one of its members or to a staff member other than the Executive Director.

3e.        The Management Board ▌shall adopt appropriate implementing rules to the Staff Regulations and the Conditions of Employment of Other Servants in accordance with the procedure provided for in Article 110 of the Staff Regulations.

3f.         The Management Board shall appoint the Executive Director and may extend his term of office or remove him from the office in accordance with Article 21c.

3g.  The Management Board shall adopt the rules of procedure for itself and for the Executive Board after consulting with the Commission. The rules of procedure shall provide for expedited decisions through either written procedure or by remote conferencing.

3h.        The Management Board shall adopt the Agency’s internal rules of operation after consulting the Commission services. These rules shall be made public.

6.          The Management Board shall adopt the financial rules applicable to the Agency. They may not depart from Commission Regulation (EC, Euratom) No 2343/2002 of 19 November 2002 on the framework Financial Regulation for the bodies referred to in Article 185 of Council Regulation (EC, Euratom) No 1605/2002 on the Financial Regulation applicable to the general budget of the European Communities(22), unless such departure is specifically required for the Agency’s operation and the Commission has given its prior consent.

9.          The Management Board shall adopt the Multi-Annual Staff Policy Plan, after consulting the Commission services and having duly informed the Budgetary Authority.

Article 6 Composition of the Management Board

1.          The Management Board shall be composed of one representative of each Member State, and two representatives appointed by the Commission, all with a right to vote. ▌

1a.        Each member of the Management Board shall have an alternate who will represent the member in his/her absence.

1b.        Members of the Management Board and their alternates shall be appointed in light of their knowledge of the Agency's tasks and objectives, taking into account the managerial, administrative and budgetary skills relevant to fulfil the tasks listed in Article 5. All parties should make efforts to limit turnover of their representatives in the board, in order to ensure continuity of the board's work. All parties shall aim to achieve a balanced representation between men and women on the Management Board.

3.          The term of office of board members and of their alternates shall be four years. That term shall be renewable.

Article 7 Chairperson of the Management Board

1.          The Management Board shall elect its Chairperson and a Deputy Chairperson from among its members for a period of three years, which shall be renewable. The Deputy Chairperson shall ex officio replace the Chairperson if the latter is unable to attend to his or her duties.

1a.        The Chairperson may be invited to make a statement before the competent committee(s) of the European Parliament and answer questions from committee members.

Article 8 Meetings

1.          Meetings of the Management Board shall be convened by its Chairperson.

2.          The Management Board shall hold an ordinary meeting at least once a year. It shall also hold extraordinary meetings at the instance of the Chairperson or at the request of at least a third of its members ▌.

3.          The Executive Director shall take part in the meetings of the Management Board, without voting rights.

Article 9 Voting

1.          The Management Board shall take its decisions by an absolute majority of its members.

2.          A two-thirds majority of all Management Board members ▌is required for the adoption of its rules of procedure, the Agency’s internal rules of operation, the budget, the annual and multi-annual work programme, ▌the appointment, extension of the term of office or removal of the Executive Director, and the designation of the Chairperson of the Board.

Article 9 a Executive Board

1.          The Management Board shall be assisted by an Executive Board.

2.          The Executive Board shall prepare decisions to be adopted by the Management Board on administrative and budgetary matters only.

Together with the Management Board, it shall ensure adequate follow-up to the findings and recommendations stemming from investigations of OLAF and the various internal or external audit reports and evaluations.

Without prejudice to the responsibilities of the Executive Director, as set out in Article 10, it shall assist and advise him/her in the implementation of the decisions of the Management Board on administrative and budgetary matters.

3.  The Executive Board shall be made up of five members appointed from among the members of the Management Board amongst whom the Chairperson of the Management Board, who may also chair the Executive Board, and one of the representatives of the Commission.

4.          The term of office of members of the Executive Board shall be the same as that of members of the Management Board.

5.          The Executive Board shall meet at least once every three months. The chairperson of the Executive Board shall convene additional meetings at the request of its members.

Article 10 Duties of the Executive Director

1.          The Agency shall be managed by its Executive Director, who shall be independent in the performance of his/her duties.

7.          The Executive Director shall be responsible for:

(a)   the day-to-day administration of the Agency;

(b)   implementing ▌the decisions adopted by the Management Board;

(ba) following consultation with the Management Board, preparing the annual work programme and the strategic multi-annual work programme and submitting them to the Management Board after consultation of the Commission;

(bb) implementing the annual work programme and the strategic multi-annual work programme and reporting to the Management Board on their implementation;

(bc) preparing the annual report on the Agency's activities and presenting it to the Management Board for approval;

(bd) preparing an action plan following up on the conclusions of the retrospective evaluations and reporting on progress bi-annually to the Commission;

(be) protecting the financial interests of the Union by the application of preventive measures against fraud, corruption and any other illegal activities, by effective checks and, if irregularities are detected, by the recovery of the amounts wrongly paid and, where appropriate, by effective, proportionate and dissuasive administrative and financial penalties;

(bf) preparing an anti-fraud strategy of the Agency and presenting it to the Management Board for approval;

(c)  ensuring that the Agency performs its activities in accordance with the requirements of those using its services, in particular with regard to the adequacy of the services provided;

(e)   developing and maintaining contact with the European institutions and bodies;

(f)    developing and maintaining contact with the business community and consumers’ organisations to ensure regular dialogue with relevant stakeholders;

(g)   other tasks assigned to him/her by this Regulation.

8.          Where necessary and within the Agency’s objectives and tasks, the Executive Director may set up ad hoc Working Groups composed of experts, including from the Member States' competent authorities. The Management Board shall be informed in advance. The procedures regarding in particular the composition, the appointment of the experts by the Executive Director and the operation of the ad hoc Working Groups shall be specified in the Agency’s internal rules of operation.

9.          The Executive Director shall make administrative support staff and other resources available to the Management and Executive Boards whenever necessary.

Article 11 Permanent Stakeholders’ Group

1.          The Management Board shall set up a Permanent Stakeholders’ Group on a proposal by the Executive Director, composed of recognised experts representing the relevant stakeholders, such as the information and communication technologies industry, providers of electronic communications networks or services available to the public, consumer groups, academic experts in network and information security, and representation of national regulatory authorities notified under Directive 2002/21 as well as of law enforcement and privacy protection authorities.

2.          Procedures for, in particular, the number, composition, and appointment of the members by the Management Board, proposal by the Executive Director and the operation of the Group shall be specified in the Agency’s internal rules of operation and shall be made public.

3.          The Group shall be chaired by the Executive Director or by any person he or she appoints on a case-by-case basis.

4.          The term of office of the Group’s members shall be two-and-a-half years. Members of the Management Board may not be members of the Group. Commission staff and experts from the Member States shall be entitled to be present at the meetings and participate in the work of the Group. If they are not members, representatives of other bodies deemed relevant by the Executive Director may be invited to be present at the meetings and participate in the work of the Group.

5.  The Group shall advise the Agency in the performance of its activities. The Group shall in particular advise the Executive Director on drawing up a proposal for the Agency’s work programme, and on ensuring communication with the relevant stakeholders on all issues related to the work programme.

SECTION 3 OPERATION

Article 12 Work Programme

1.          The Agency shall carry out its operations in accordance with its annual and multi-annual work programme, which shall contain all of its planned activities. ▌

1a.        The work programme shall include tailored performance indicators allowing for effective assessment of the results achieved in terms of objectives.

2.          The Executive Director shall be responsible for drawing up the Agency’s draft work programme after prior consultation with the Commission services. Before 15 March each year the Executive Director shall submit the draft work programme for the following year to the Management Board.

3.          Before 30 November each year, the Management Board shall adopt the Agency’s work programme for the following year, after having received the opinion of the Commission. The work programme shall include a multi-annual outlook. The Management Board shall ensure that the work programme is consistent with the Agency’s objectives and with the Union's legislative and policy priorities in the area of network and information security.

4.          The work programme shall be organised in accordance with the Activity-Based Management ▌principle. The work programme shall be in line with the statement of estimates of the Agency’s revenue and expenditure and the Agency’s budget for the same financial year.

5.          The Executive Director shall, following adoption by the Management Board, forward the work programme to the European Parliament, the Council, the Commission and the Member States and shall have it published. At the invitation of the European Parliament's competent committee, the Executive Director shall present and hold an exchange of views on the adopted annual work programme.

Article 14 Requests to the Agency

1.          Requests for advice and assistance falling within the Agency’s objectives and tasks shall be addressed to the Executive Director and accompanied by background information explaining the issue to be addressed. The Executive Director shall inform the Management and Executive Boards of the requests received, the potential resource implications, and, in due course, of the follow-up given to the requests. If the Agency refuses a request, justification shall be given.

2.          Requests referred to in paragraph 1 may be made by:

(a)     the European Parliament;

(b)     the Council;

(c)     the Commission;

(d)     any competent body appointed by a Member State, such as a national regulatory authority as defined in Article 2 of Directive 2002/21/EC.

3.  The practical arrangements for applying paragraphs 1 and 2, regarding in particular submission, prioritisation, follow up and information of the Management and Executive Boards on the requests to the Agency, shall be laid down by the Management Board in the Agency’s internal rules of operation.

Article 15 Declaration of interest

1.          Members of the Management Board, the Executive Director and officials seconded by Member States on a temporary basis shall make a ▌declaration of commitments and a declaration indicating the absence or presence of any direct or indirect interest which might be considered prejudicial to their independence. The declarations shall be accurate and complete, made annually in writing and updated whenever necessary.

2.  Members of the Management Board, the Executive Director, and external experts participating in ad hoc Working Groups shall accurately and completely declare at the latest at the start of each meeting any interest which might be considered prejudicial to their independence in relation to the items on the agenda, and abstain from participating in the discussions and the voting on such points.

3.          In its internal rules of operation, the Agency shall lay down the practical arrangements for the rules on declarations of interest referred to in paragraphs 1 and 2.

Article 16 Transparency

1.          The Agency shall ensure that it carries out its activities with a high level of transparency and in accordance with Articles 17 and 18.

2.          The Agency shall ensure that the public and any interested parties are given appropriate, objective, reliable and easily accessible information, in particular with regard to the results of its work ▌. It shall also make public the declarations of interest made in accordance with Article 15.

3.          The Management Board, acting on a proposal from the Executive Director, may authorise interested parties to observe the proceedings of some of the Agency’s activities.

4.          In its internal rules of operation, the Agency shall lay down the practical arrangements for implementing the transparency rules referred to in paragraphs 1 and 2.

Article 17 Confidentiality

1.          Without prejudice to Article 18, the Agency shall not divulge to third parties information that it processes or receives for which a reasoned request for confidential treatment, in whole or in part, has been made.

2.          Members of the Management Board, the Executive Director, the members of the Permanent Stakeholders Group, external experts participating in ad hoc Working Groups, and members of the staff of the Agency including officials seconded by Member States on a temporary basis are subject to confidentiality requirements under Article 339 of the Treaty even after their duties have ceased.

3.          The Agency shall lay down in its internal rules of operation the practical arrangements for implementing the confidentiality rules referred to in paragraphs 1 and 2.

4.          If required for the performance of the Agency's tasks, the Management Board shall decide to allow the Agency to handle classified information. In that case the Management Board shall, in agreement with the ▌Commission services, adopt internal rules of operation applying the security principles contained in Commission Decision 2001/844/EC, ECSC, Euratom of 29 November 2001 amending its internal rules of procedure(23). This shall cover, inter alia, provisions for the exchange, processing and storage of classified information.

Article 18 Access to documents

1.          Regulation (EC) No 1049/2001 shall apply to documents held by the Agency.

2.          The Management Board shall adopt arrangements for implementing Regulation (EC) No 1049/2001 within six months of the establishment of the Agency.

3.          Decisions taken by the Agency pursuant to Article 8 of Regulation (EC) No 1049/2001 may form the subject of a complaint to the Ombudsman or of an action before the Court of Justice of the European Union, under Articles 228 and 263 of the Treaty respectively.

SECTION 4 FINANCIAL PROVISIONS

Article 19

Adoption of the budget

1.          The revenues of the Agency shall consist of a contribution from the European Union budget, contributions from third countries participating in the work of the Agency as provided for in Article 29, and voluntary contributions from Member States in money or in kind. Member States that provide voluntary contributions may not claim any specific right or service as a result thereof.

2.          The expenditure of the Agency shall include staff, administrative and technical support, infrastructure and operational expenses, and expenses resulting from contracts entered into with third parties.

3.  By 1 March each year at the latest, the Executive Director shall draw up a draft statement of estimates of the Agency’s revenue and expenditure for the following financial year, and shall forward it to the Management Board, together with a draft establishment plan.

4.          Revenue and expenditure shall be in balance.

5.          Each year, the Management Board, on the basis of a draft statement of estimates of revenue and expenditure drawn up by the Executive Director, shall produce a statement of estimates of revenue and expenditure for the Agency for the following financial year.

6.  This statement of estimates, which shall include a draft establishment plan together with the draft work programme, shall, by 31 March at the latest, be sent by the Management Board to the Commission and the States with which the European Union has concluded agreements in accordance with Article 28.

7.          This statement of estimates shall be forwarded by the Commission to the European Parliament and the Council (both hereinafter ‘the budgetary authority’) together with the draft general budget of the European Union.

8.          On the basis of this statement of estimates, the Commission shall enter in the draft general budget of the European Union the estimates it deems necessary for the establishment plan and the amount of the subsidy to be charged to the general budget, which it shall submit to the budgetary authority in accordance with Article 314 of the Treaty.

9.          The budgetary authority shall authorise the appropriations for the subsidy to the Agency.

10.  The budgetary authority shall adopt the establishment plan for the Agency.

11.        Together with the work programme, the Management Board shall adopt the Agency’s budget. It shall become final following final adoption of the general budget of the European Union. Where appropriate, the Management Board shall adjust the Agency’s budget and work programme in accordance with the general budget of the European Union. The Management Board shall forward it without delay to the Commission and the budgetary authority.

Article 20 Combating fraud

1.          In order to facilitate combating fraud, corruption and other unlawful activities under Regulation (EC) No 1073/1999(24), within six months from the day the Agency becomes operational, it shall accede to the Interinstitutional Agreement of 25 May 1999 ▌concerning internal investigations by the European Anti-fraud Office (OLAF) and adopt the appropriate provisions applicable to all the employees of the Agency using the template set out in the Annex to that Agreement.

2.          The European Court of Auditors shall have the power of audit, on the basis of documents and on the spot, over all grant beneficiaries, contractors and subcontractors who have received Union funds from the Agency.

3.  OLAF may carry out investigations, including on-the-spot checks and inspections, in accordance with the provisions and procedures laid down in Regulation (EC) No 1073/1999 and Council Regulation (Euratom, EC) No 2185/96 of 11 November 1996 concerning on-the-spot checks and inspections carried out by the Commission in order to protect the European Communities' financial interests against fraud and other irregularities(25) with a view to establishing whether there has been fraud, corruption or any other illegal activity affecting the financial interests of the Union in connection with a grant or a contract funded by the Agency.

4.          Without prejudice to paragraphs 1, 2 and 3, cooperation agreements with third countries and international organisations, contracts, grant agreements and grant decisions of the Agency shall contain provisions expressly empowering the European Court of Auditors and OLAF to conduct such audits and investigations, according to their respective competences.

Article 21 Implementation of the budget

1.          The Executive Director shall be responsible for the implementation of the Agency’s budget.

2.          The Commission’s internal auditor shall exercise the same powers over the Agency as over Commission departments.

3.          By 1 March at the latest following each financial year, the Agency’s accounting officer shall send the provisional accounts to the Commission’s accounting officer together with a report on the budgetary and financial management for that financial year. The Commission’s accounting officer shall consolidate the provisional accounts of the institutions and decentralised bodies in accordance with Article 128 of Council Regulation (EC, Euratom) No 1605/2002 of 25 June 2002 on the Financial Regulation applicable to the general budget of the European Communities(26) (hereinafter ‘the general Financial Regulation’).

4.  No later than 31 March following each financial year, the Commission’s accounting officer shall send the Agency’s provisional accounts to the Court of Auditors, together with a report on the budgetary and financial management for that financial year. The report on the budgetary and financial management for the financial year shall also be sent to the budgetary authority.

5.          On receipt of the Court of Auditors’ observations on the Agency’s provisional accounts, pursuant to Article 129 of the general Financial Regulation, the Executive Director shall draw up the Agency’s final accounts under his/her own responsibility and send them to the Management Board for an opinion.

6.          The Management Board shall deliver an opinion on the Agency’s final accounts.

7.  The Executive Director shall, no later than 1 July following each financial year, transmit the final accounts, including the report on the budgetary and financial management for that financial year and the Court of Auditors’ observations, to the European Parliament, the Council, the Commission and the Court of Auditors, together with the Management Board’s opinion.

8.          The Executive Director shall publish the final accounts.

9.          The Executive Director shall send the Court of Auditors a reply to its observations by 30 September at the latest. He/she shall also send this reply to the Management Board.

10.  The Executive Director shall submit to the European Parliament, at the latter’s request, all the information necessary for the smooth application of the discharge procedure for the financial year in question, as laid down in Article 146(3) of the general Financial Regulation.

11.        The European Parliament, acting on a recommendation from the Council, shall, before 30 April of year N+2, give a discharge to the Executive Director in respect of the implementation of the budget for the year N.

SECTION 4a STAFF

Article 21a General provisions

The Staff Regulations of the European Union and the Conditions of Employment of Other Servants of the European Union[1] and the rules adopted by agreement between the institutions of the European Union for giving effect to those Staff Regulations shall apply to the staff of the Agency.

Article 21b Privileges and immunity

The Protocol on the Privileges and Immunities of the European Union shall apply to the Agency and its staff.

Article 21c

Executive Director

1.          The Executive Director shall be engaged as a temporary agent of the Agency under Article 2(a) of the Conditions of Employment of Other Servants.

2.          The Executive Director shall be appointed by the Management Board from a list of candidates proposed by the Commission, following an open and transparent selection procedure.

             For the purpose of concluding the contract of the Executive Director, the Agency shall be represented by the Chair of the Management Board.

             Before appointment, the candidate selected by the Management Board shall be invited to make a statement before the competent committee of the European Parliament and to answer questions by its members.

3.          The term of office of the Executive Director shall be five years. By the end of this period, the Commission shall undertake an assessment which takes into account the evaluation of the performance of the Executive Director and the Agency's future tasks and challenges.

4.         The Management Board, acting on a proposal from the Commission which takes into account the assessment referred to in paragraph 3, may extend once the term of office of the Executive Director for no more than five years after obtaining the views of the European Parliament.

5.         The Management Board shall inform the European Parliament about its intention to extend the Executive Director's term of office. Within three months before any such extension, the Executive Director shall, if invited, make a statement before the competent committee of the Parliament and answer questions put by its members.

6.  An Executive Director whose term of office has been extended may not participate in another selection procedure for the same post at the end of the overall period.

7.         The Executive Director may be removed from the office only upon a decision of the Management Board.

Article 21d

Seconded national experts and other staff

1.          The Agency may also make use of Seconded national experts or other staff not employed by the Agency. The Staff Regulations and the Conditions of Employment of Other Servants shall not apply to such staff.

2.          The Management Board shall adopt a decision laying down rules on the secondment to the agency of national experts.

SECTION 5 GENERAL PROVISIONS

Article 22 Legal status▌

1.          The Agency shall be a body of the Union. It shall have legal personality.

2.          In each of the Member States the Agency shall enjoy the most extensive legal capacity accorded to legal persons under their laws. It may in particular, acquire and dispose of movable and immovable property and be a party to legal proceedings.

3.          The Agency shall be represented by its Executive Director.

4.          A branch office has been established and shall be maintained in the metropolitan area of Athens in order to improve the operational efficiency of the Agency.

Article 25 Liability

1.          The contractual liability of the Agency shall be governed by the law applicable to the contract in question.

The Court of Justice of the European Union shall have jurisdiction to give judgment pursuant to any arbitration clause contained in a contract concluded by the Agency.

2.          In the case of non-contractual liability, the Agency shall, in accordance with the general principles common to the laws of the Member States, make good any damage caused by it or its servants in the performance of their duties.

The Court of Justice shall have jurisdiction in any dispute relating to compensation for such damage.

3.          The personal liability of its servants towards the Agency shall be governed by the relevant conditions applying to the staff of the Agency.

Article 26 Languages

1.          The provisions laid down in Regulation No 1 of 15 April 1958 determining the languages to be used in the European Economic Community(27) shall apply to the Agency. The Member States and the other bodies appointed by them may address the Agency and receive a reply in the European Union language of their choice.

2.          The translation services required for the functioning of the Agency shall be provided by the Translation Centre for the Bodies of the European Union.

Article 27 Protection of personal data

1.          When processing data relating to individuals, in particular while performing its tasks, the Agency shall observe the principles of personal data protection in, and be subject to, the provisions of Regulation (EC) No 45/2001.

1a.        The Management Board shall adopt implementing measures referred to in Article 24(8) of Regulation 45/2001. The Management Board may adopt additional measures necessary for the application of Regulation 45/2001 by the Agency.

Article 28 Participation of third countries

1.          The Agency shall be open to the participation of third countries which have concluded agreements with the European Union by virtue of which they have adopted and applied Union legislation in the field covered by this Regulation.

2.          Arrangements shall be made under the relevant provisions of those agreements, specifying in particular the nature, extent and manner in which these countries will participate in the Agency’s work, including provisions relating to participation in the initiatives undertaken by the Agency, financial contributions and staff.

Article 28a

Security Rules on the protection of classified information

The Agency shall apply the security principles contained in the Commission's security rules for protecting European Union Classified Information (EUCI) and sensitive non-classified information, as set out in the annex to Decision 2001/844/EC. This shall cover, inter alia, provisions for the exchange, processing and storage of such information.

SECTION 6 FINAL PROVISIONS

Article 29

Evaluation and review

1.          No later than 5 years from the day of entry into force of this Regulation, the Commission shall commission an evaluation to assess particularly the impact, effectiveness and efficiency of the Agency and its working practices. The evaluation shall also address the possible need to modify the mandate of the Agency and the financial implications of any such modification.

1a.        The evaluation shall take into account any feedback made to the Agency in response to its activities.

2.          The Commission shall forward the evaluation report together with its conclusions to the European Parliament, the Council and the Management Board. The findings of the evaluation shall be made public.

3.  On the occasion of the evaluation, there shall also be an assessment of the results achieved by the Agency having regard to its objectives, mandate and tasks. If the Commission considers that the continuation of the Agency is justified with regard to its assigned objectives, mandate and tasks, it may propose that the duration of the Agency set out in Article 33 be extended.

Article 30 Cooperation of the host Member State

The Agency’s host Member State shall provide the best possible conditions to ensure the proper functioning of the Agency, including the accessibility of the location, the existence of adequate education facilities for the children of staff members, appropriate access to the labour market, social security and medical care for both children and spouses.

Article 31 Administrative control

The operations of the Agency are subject to the supervision of the Ombudsman in accordance with Article 228 of the Treaty.

Article 32 Repeal and succession

1.          Regulation (EC) No 460/2004 is repealed.

References to Regulation (EC) No 460/2004 and to ENISA shall be construed as references to this Regulation and to the Agency.

2.          The Agency succeeds the Agency that was established by Regulation (EC) No 460/2004 as regards all ownership, agreements, legal obligations, employment contracts, financial commitments and liabilities.

Article 33 Duration

The Agency shall be established from the day of entry into force of this Regulation for a period of seven years.

Article 34

Entry into force

This Regulation shall enter into force on the day following that of its publication in the Official Journal of the European Union. ▌This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at […],

For the European Parliament                      For the Council

The President                                              The President

(1) OJ C 107, 6.4.2011, p. 58.

(2) * Amendments: new or amended text is highlighted in bold italics; deletions are indicated by the symbol ▌.

(3) OJ C , , p. .

(4) OJ C , , p. .

(5) 2004/97/EC, Euratom: Decision taken by common agreement between the Representatives of the Member States, meeting at Head of State or Government level, of 13 December 2003 on the location of the seats of certain offices and agencies of the European Union (OJ L 29, 3.2.2004, p. 15).

(6) Regulation (EC) No 460/2004 of the European Parliament and of the Council of 10 March 2004 establishing the European Network and Information Security Agency (OJ L 77, 13.3.2004, p. 1).

(7) Regulation (EC) No 1007/2008 of the European Parliament and of the Council of 24 September 2008 amending Regulation (EC) No 460/2004 establishing the European Network and Information Security Agency as regards its duration (OJ L 293, 31.10.2008, p. 1).

(8) OJ L 165, 24.6.2011, p. 3.

(9) Council Conclusions of 27 May 2011, doc. 10299/11.

(10) COM(2010)245, 19.5.2010.

(11) Text adopted, P7_TA(2011)0322.

(12) OJ C 101, 1.4.2011, p. 20.

(13) OJ L 108, 24.4.2002, p. 33.

(14) OJ L 201, 31.7.2002, p. 37.

(15) OJ L 281, 23.11.1995, p. 31.

(16) OJ L 108, 24.4.2002, p. 51.

(17) Regulation (EC) No 1211/2009 of the European Parliament and of the Council of 25 November 2009 establishing the Body of European Regulators for Electronic Communications (BEREC) and the Office OJ L 337, 18.12.2009, p. 1.

(18) OJ L 204, 21.7.1998, p. 37.

(19) Regulation (EU, Euratom) No 966/2012 of the European Parliament and of the Council of 25 October 2012 on the financial rules applicable to the general budget of the Union and repealing Council Regulation (EC, Euratom) No 1605/2002 (OJ L 298, 26.10.2012, p. 1).

(20) Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents (OJ L 145, 31.5.2001, p. 43).

(21) OJ L 8, 12.1.2001, p. 1.

(22) OJ L 357, 31.12.2002, p. 72.

(23) OJ L 317, 3.12.2001, p. 1.

(24) Regulation (EC) No 1073/1999 of the European Parliament and of the Council of 25 May 1999 concerning investigations conducted by the European Anti-Fraud Office (OLAF) (OJ L 136, 31.5.1999, p. 1).

(25) OJ L 292, 15.11.1996, p. 2.

(26) OJ L 248, 16.9.2002, p. 1.

(27) OJ 17, 6.10.1958, p. 385. Regulation as last amended by the 1994 Act of Accession.


EXPLANATORY STATEMENT

ENISA - the European Network and Information Security Agency "the Agency" - was established in March 2004 for a five-year period, which was subsequently extended in 2008 until March 2012. In September 2010 the Commission came forward with two proposals: the first was to further extend the Agency's period of establishment by a period of 18 months until September 2013, and the second was a more substantive proposal to modernise and streamline the agency. With unanimous support from the Parliament it was decided to first approve the extension of the Agency's mandate to secure the immediate future of the agency and allow Parliament more time to launch a thorough debate and analysis on the longer term future of the Agency.

When looking at the Commission's second proposal, to update the role of the Agency, we first had to consider the question of whether there is still a need for the agency. In its relatively short lifetime the Agency has made a valuable contribution to network and information security, but it is clear to your rapporteur that the continuation of the agency in its current form would not be a viable proposition to face the new challenges of a continually evolving cyber world. Having considered all the arguments it is evident that the Agency does fulfil specific needs at EU level, coordinating stakeholders more effectively and efficiently than inter-Member State cooperation might be able to achieve.

The ITRE Committee of the European Parliament decided to hold a hearing and requested an up-to-date, independent study to be conducted to look into various aspects of the current functioning of the Agency, including how the agency can effectively contribute to network and information security in the EU and internationally. The brief for the study called for it to consider all practical arrangements conducive to the effective running of the agency, including staff issues and budgetary aspects. The study was conducted in great detail within the Parliament's brief and returned with twelve recommendations for improving the functioning of the Agency. Among these were recommendations to provide the Agency with a longer period of establishment, reduced ambiguity over role and objectives within the Regulation and an increased budget to carry out its tasks.

Furthermore there should be additional roles for the Agency regarding CERTs (Computer and Emergency Response Teams), ensuring that all Member State and Union CERTs have sufficiently advanced capabilities and that those correspond to the most advanced teams. Additionally, the Agency should liaise with national data and privacy protection authorities so that the network and information security aspects of fighting cybercrime are properly addressed, and it should be able to take on a coordinating role to fill gaps in areas where there is no other EU-level body responsible and which fall within the Agency's remit.

One recent example, touching both on network security and privacy and data protection, is the case of collection of wi-fi data through identical methods in several Member States. Despite harmonised EU law on data protection, there was no EU-level body able to assist in coordinating a common analysis and response, resulting in very different national approaches and thus different levels of protection of citizens as well as unnecessary uncertainty and complexity for operators concerned.

Network and information security often assumes a more global dimension, as recent events have demonstrated; the Agency must therefore be enabled to establish dialogue and cooperation with third countries and international organisations to develop a more common approach to potential threats.

Furthermore, the 2009 changes to the Telecoms Framework introduced a platform for providing standardised public interest information to all internet users. Given that network security overall - a common good - ultimately and to a very large extent depends on the actions of individual users and how they protect their devices against threats, and considering the risk to individual users themselves from those threats, the opportunity should be taken to now activate that platform. The Agency is well-positioned to assist Member States in producing the necessary information which could then be distributed to individual users.

In addition to the study, a number of other sources have highlighted an element of ambiguity surrounding the proper role of the Agency. There appear to be divergent views amongst Member States on what the Agency is meant to do as per its charter and these differences have served to complicate the work of the agency. It is important that the scope, tasks and objectives of the agency are made clearer so that we can best use its valuable resources. While attempting to reduce the ambiguities and provide a clearer definition of the Agency's roles it is important that we do not then make the Regulation too rigid.

The network and information security sphere changes so rapidly that what is appropriate now may not be in the near future; the agency must therefore be given a management structure with an element of flexibility to allow it to adapt to this environment. This rapidly changing environment also has implications for the duration of the agency. It has been regularly suggested that the Agency should have an unlimited duration to give it greater certainty and effectiveness in long term planning. While these are sound arguments, experience has shown that the first Agency Regulation needed to be rethought quite soon in order to keep pace with developments. Having a time limited mandate means that we must regularly review whether the Agency continues to fulfil its objectives and update them if necessary or close it down if no longer fit for purpose.

Finally, the location of the Agency in Heraklion on the Greek island of Crete has been a controversial issue. While advances in technologies have made working in remote locations more feasible, there is no substitute for meeting face to face. A number of observers have emphasised the importance of trust in this world and one could say it is necessary to network in person in order to better protect network security. Statistics on the Agency staff travel are particularly alarming, both in terms of cost and time spent travelling. A review of the Agency travel statistics alone suggests that Brussels would be a far better location than any other. Being based in Brussels would enhance the capabilities of the agency in a number of ways, such as responding to urgent last minute requests from EU institutions, maintaining networks of key contacts, attending key events and also ensuring that the Agency has a higher profile than is currently the case.

This Regulation, which provides for an agency formally succeeding the original Agency as established through the 2004 Regulation, provides a good opportunity to consider the location afresh. Furthermore, Parliament, being co-legislator, should clearly exercise that responsibility in also having a role in deciding the seat of bodies it agrees to create, rather than leaving the issue as a matter solely for deals between the Member States with no public debate. Your Rapporteur therefore recommends that the agency is based in Brussels.


OPINION of the Committee on Budgets (16.6.2011)

for the Committee on Industry, Research and Energy

on the proposal for a regulation of the European Parliament and of the Council concerning the European Network and Information Security Agency (ENISA)

(COM(2010)0521 – C7-0302/2010 – 2010/0275(COD))

Rapporteur: Jutta Haug

SHORT JUSTIFICATION

The proposed Regulation aims to strengthen and modernise the European Network and Information Security Agency (ENISA), and to establish a new mandate for a period of five years. The assessment of the proposed mandate for ENISA falls under the sole remit of the ITRE Committee.

Budgetary elements of the proposal

As a preliminary remark, since the new mandate is technically taking the form of a completely new regulation for the agency, your Rapporteur would like to highlight that the legislative financial statement does not present, as is usually the case, the difference in resources between its current set of tasks and its new upcoming tasks, but the absolute amounts necessary for the agency's operation (in case the new regulation is adopted as proposed by the Commission).

From a budgetary point of view, the budgetary impact as compared to the current set of tasks (reference 2011) is an additional EUR 1 to 1.5 million, and +4 staff members (3 establishment plan posts and 1 contractual). Within the agency, your Rapporteur does not object to this moderate increase, all the more that previous studies and analyses tend to show that ENISA is below its critical mass in terms of organisational structure, with consequences on its ability to achieve real impact and too big a proportion of resources devoted to administrative and support tasks.

Conversely, your Rapporteur would need some further information in view of the following before proposing any final position on this proposal to the BUDG and ITRE Committee:

- Within the Commission, 3.5 full-time equivalents are expected to be assigned to dealing with the agency (442 000 EUR yearly). No benchmark is available for the current situation, nor is there any explanation of the reason why more than one liaison officer is needed, as is common practice.

- The financial allocation per objectives of the agency only concerns Title 3 (operational expenditure, i.e. some EUR 2.5 million), not the bulk of the agency's budget (more than 8 million with Titles 1 and 2, staff and administration). This is contradictory with the ABB principles and methodology, according to which also staff and administrative expenditure should be assigned to the tasks and objectives.

Besides, the proposal is said to be compatible with the MFF but this is hard to say (even with such limited additional amounts) when the flexibility instrument was just used for some 34 Mio under Heading 1a for 2011. Therefore the usual warning that any budgetary decision will be taken in the context of the annual budgetary procedure is particularly relevant.

The seat issue

Concerning the Seat of the agency, currently Heraklion, your Rapporteur would like to recall the costs of such remote location for the operation of the agency, not only from a financial point of view, but also in terms of attractiveness for staff and weak accessibility for the meetings of the Management Board or other stakeholders. According to an external study of 2009, such seat was said to lead to the highest relative travel cost of all agencies – in terms of both direct travel costs and time spent on travelling. ENISA is indeed one of the most remote agencies measured in distance from Brussels. The practice of holding meetings in the Athens bureau (the funding of which, also by the Greek government, was approved in 2008) is in this respect a second best solution, but also a syndrome of the drawbacks of the choice by Member States of not accessible locations for EU agencies.

Other general elements, including the interinstitutional working group on agencies

Your Rapporteur takes the view that the advancement of the works of the IWG also makes it possible to integrate its first conclusions on governance issues already in the present opinion. These conclusions have already been endorsed by the three institutions on their last meeting of 23 March 2011. They have resulted in the amendments below dealing with:

- enhancing Parliament's scrutiny powers on the agency's multi-annual strategy (opinion) and annual work programme (presentation),

- monitoring tasks of the Management Board, and the corresponding required skills of its members,

- the setting-up of an Executive Board,

- preventing any conflict of interest within the Management Board,

- standardisation of the duration of the mandate of Management Board members,

- the establishment of tailored indicators to assess the agency's performance.

Finally, your Rapporteur believes that further reflection may be needed on the duration of the agency's mandate (5 years), as well as on that of the timing for the evaluation of the Agency (3 years). Given the time needed for the agency to reach cruising speed on the accomplishment of its tasks, a possible extension of such time sequence may deserve some further attention. This would nevertheless fall under the sole remit of the ITRE Committee.

It may also be further investigated why the new regulation does not explicitly exclude, as did Regulation (EC) No 460/2004, the participation of the agency's staff or Management Board members in the working groups foreseen in Article 10, paragraph 8, but rather leaves that to the Agency’s internal rules of operation.

The rationale behind each proposed amendment is presented in the justifications.

AMENDMENTS

The Committee on Budgets calls on the Committee on Industry, Research and Energy, as the committee responsible, to incorporate the following amendments in its report:

Amendment  1

Draft legislative resolution

Paragraph 1 a (new)

Text proposed by the Commission

Amendment

 

1a. Stresses that point 47 of the Interinstitutional Agreement of 17 May 2006 between the European Parliament, the Council and the Commission on budgetary discipline and sound financial management(1) should apply for the renewal of the European Network and Information Security Agency's mandate; emphasises that any decision of the legislative authority in favour of such a renewal shall be without prejudice to the decisions of the budgetary authority in the context of the annual budgetary procedure;

 

_____________

 

(1) OJ C 139, 14.6.2006, p. 1.

Justification

Reiterating Parliament's budgetary prerogatives.

Amendment  2

Proposal for a regulation

Recital 11

Text proposed by the Commission

Amendment

(11) The Agency should contribute to a high level of network and information security within the Union and to the development of a culture of network and information security for the benefit of citizens, consumers, businesses and public sector organisations in the European Union, thus contributing to the smooth functioning of the internal market.

(11) The Agency should contribute to a high level of network and information security within the Union and to the development of a culture of network and information security for the benefit of citizens, consumers, businesses and public sector organisations in the European Union, thus contributing to the smooth functioning of the internal market. In this regard, necessary budgetary provisions should be allocated to the Agency so that it can propose, by the end of the second year of its new mandate and after consulting all relevant stakeholders, a comprehensive analysis related to the drawing-up of a European strategy on cyber-security;

Justification

Cyber-security is a very important and dynamic area that concerns the whole spectrum of our society: industry, citizens and governments. As this horizontal issue includes a number of sensitive aspects (crime-related activities, financial and/or personal data protection, data retention, critical information infrastructure protection and network information security), all of which are of ENISA's direct competence, financial provisions must be provided for analysing the EU's preparedness in preventing and/or reacting to such offences.

Amendment  3

Proposal for a regulation

Recital 35

Text proposed by the Commission

Amendment

(35) In order to guarantee the full autonomy and independence of the Agency, it is considered necessary to grant it an autonomous budget whose revenue comes primarily from a contribution from the Union and contributions from third countries participating in the Agency's work. The host Member State, or any other Member State, should be allowed to make voluntary contributions to the revenue of the Agency. The Union's budgetary procedure remains applicable as far as any subsidies chargeable to the general budget of the European Union are concerned. Moreover, the Court of Auditors should undertake the auditing of accounts.

(35) In order to guarantee the full autonomy and independence of the Agency and to enable it to perform additional and new tasks, it is considered necessary to grant it a sufficient and autonomous budget whose revenue comes primarily from a contribution from the Union and contributions from third countries participating in the Agency's work. The host Member State, or any other Member State, should be allowed to make voluntary contributions to the revenue of the Agency. The Union's budgetary procedure remains applicable as far as any subsidies chargeable to the general budget of the European Union are concerned. Moreover, the European Court of Auditors should undertake the auditing of accounts to ensure transparency and accountability.

Justification

Such added tasks as set out in the Commission's proposal significantly expand the mandate of ENISA and will have a budgetary impact that needs to be taken into account.

Amendment  4

Proposal for a regulation

Article 5 – paragraph 5 a (new)

Text proposed by the Commission

Amendment

 

5a. The Management Board shall perform its duties in relation to the Agency's budget pursuant to Articles 19 and 21 and monitor and give adequate follow-up to the findings and recommendations stemming from various audit reports and evaluations, whether internal or external;

Justification

The Management Board's responsibilities in respect of the adoption and implementation of the budget should be explicitly referred to as a task of the Management Board. For a better ownership and follow-up of audit and evaluations findings, the Management Board, to whom the Director is accountable, should explicitly be entrusted with their monitoring (IWG).

Amendment  5

Proposal for a regulation

Article 5 – paragraph 8

Text proposed by the Commission

Amendment

8. The Management Board may set up working bodies composed of its members to assist it in carrying out its tasks, including drafting its decisions and monitoring the implementation thereof.

8. The Management Board shall set up an Executive Board composed of its members to assist it in carrying out its tasks, including drafting its decisions and monitoring the implementation thereof.

Justification

An executive board should be set up with the aim of reinforcing supervision of administrative and budgetary management through the preparation of Management Board decisions (IWG).

Amendment  6

Proposal for a regulation

Article 6 – paragraph 2

Text proposed by the Commission

Amendment

2. Board members and their alternates shall be appointed on the basis of their degree of relevant experience and expertise in the field of network and information security.

2. Board members and their alternates shall be appointed on the basis of their degree of relevant experience and expertise in the field of network and information security. They shall also have the necessary managerial, administrative and budgetary skills to fulfil the tasks listed in Article 5.

 

Management Board members shall make a written declaration of commitments and a written declaration indicating any direct or indirect interest which might be considered prejudicial to their independence. They shall declare at each meeting any interest which might be considered prejudicial to their independence in relation to the items on the agenda and abstain from participating in the discussions and voting on such points.

Justification

The skills of the members of the Management Board should be in line with the functions assigned to them. Besides, there should be a provision aimed at preventing any conflict of interest and the duration of their mandate should be aligned with other agencies' (IWG).

Amendment  7

Proposal for a regulation

Article 6 – paragraph 3

Text proposed by the Commission

Amendment

3. The term of office of the representatives of the groups referred to in paragraph 1(a), (b) and (c) shall be four years. This term of office may be extended once. If a representative ceases his/her affiliation with the respective interest group, the Commission shall appoint a replacement.

3. The term of office of Management Board members shall be four years. This term of office may be extended once. If a representative ceases his/her affiliation with the respective interest group, the Commission shall appoint a replacement.

Justification

All Board members should have a mandate of the same duration, whether they are appointed by the Commission or by the Member States. The duration of the mandate of the representatives of Member States was not specified (IWG).

Amendment  8

Proposal for a regulation

Article 9 a (new)

Text proposed by the Commission

Amendment

 

Article 9a

 

Executive Board

 

1. An Executive Board, composed of members of the Management Board including two representatives of the Commission, shall be set up. Its size shall not exceed one third of that of the Management Board. It shall meet at least on a quarterly basis.

 

2. The Executive Board shall have a clear formal mandate from the Management Board. Its tasks shall include monitoring the implementation of the Management Board's decisions, tackling administrative and budgetary issues on behalf of the Management Board and preparing decisions, programmes and activities to be adopted by the Management Board. The Executive Board shall be accountable to the Management Board; in this context it shall submit an activity report to each Management Board meeting.

Justification

An executive board should be set up with the aim of reinforcing supervision of administrative and budgetary management through the preparation of Management Board decisions (IWG).

Amendment  9

Proposal for a regulation

Article 10 – paragraph 2

Text proposed by the Commission

Amendment

2. The Executive Director shall be appointed and dismissed by the Management Board. The appointment shall be done from a list of candidates proposed by the Commission for a period of five years, on grounds of merit and documented administrative and managerial skills, as well as specific competence and experience. Before appointment, the candidate selected by the Management Board may be invited to make a statement before the competent committee of the European Parliament and answer questions put by its members.

2. The Executive Director shall be appointed and dismissed by the Management Board. The appointment shall be done from a list of candidates proposed by the Commission for a period of five years, on grounds of merit and documented administrative and managerial skills, as well as specific competence and experience. Before appointment, the candidate selected by the Management Board may be invited to make a statement before the competent committee of the European Parliament and answer questions put by its members. Any opinion by that committee shall be taken into consideration before any appointment is made.

Justification

It should be made explicit that any opinion given by Parliament on the selected candidate must be taken into consideration before its appointment.

Amendment  10

Proposal for a regulation

Article 10 – paragraph 4

Text proposed by the Commission

Amendment

4. The Management Board, acting on a proposal from the Commission, taking into account the evaluation report and only in those cases where it can be justified by the duties and requirements of the Agency, may extend the term of office of the Executive Director for no more than three years.

4. The Management Board, acting on a proposal from the Commission, taking into account the evaluation report and only in those cases where it can be justified by the duties and requirements of the Agency, may extend the term of office of the Executive Director for no more than five years.

Justification

The renewal of the Director's mandate should be for the same duration as for the first mandate.

Amendment  11

Proposal for a regulation

Article 12 – paragraph 4

Text proposed by the Commission

Amendment

4. The work programme shall be organised in accordance with the Activity-Based Management (ABM) principle. The work programme shall be in line with the statement of estimates of the Agency’s revenue and expenditure and the Agency’s budget for the same financial year.

4. The work programme shall be organised in accordance with the Activity-Based Management (ABM) principle, with an indication of the expected human and financial resources allocated to each activity. To this end, the Executive Director shall establish, in agreement with the Commission, tailored performance indicators allowing for an effective assessment of the results achieved. The work programme shall include both the virtual and non-virtual aspects of the Agency's operations, activities and commitments. The work programme shall be in line with the statement of estimates of the Agency’s revenue and expenditure and the Agency’s budget for the same financial year.

Justification

In line with the principles of Activity based management and Activity based budgeting (ABM-ABB), the Agency's work programme and annual activity report should provide information on the resources allocated to the activities which are necessary to reach the Agency's objectives and on the overall performance in achieving these objectives (IWG).

Amendment  12

Proposal for a regulation

Article 12 – paragraph 5

Text proposed by the Commission

Amendment

5. The Executive Director shall, following adoption by the Management Board, forward the work programme to the European Parliament, the Council, the Commission and the Member States and shall have it published.

5. The Executive Director shall, following adoption by the Management Board, forward the work programme to the European Parliament, the Council, the Commission and the Member States and shall have it published. He/she shall accept any invitation by the competent committee of the European Parliament to present and hold an exchange of views on the annual work programme.

Justification

This aims at formalising the practice of having an exchange of views between the Director and the competent committee on the annual work programme.

Amendment  13

Proposal for a regulation

Article 12 – paragraph 5 a (new)

Text proposed by the Commission

Amendment

 

5a. The Executive Director shall prepare the Agency's multi-annual strategy and submit it to the Management Board, after consulting the European Parliament and the Commission, at least eight weeks before the relevant Management Board meeting;

Justification

This amendment aims at enshrining in the regulation that the Parliament should be consulted for the adoption of the agencies' multi-annual strategy (IWG).

Amendment  14

Proposal for a regulation

Article 13 – paragraph 1

Text proposed by the Commission

Amendment

1. Each year, the Executive Director shall submit to the Management Board a draft general report covering all the activities of the Agency in the previous year.

1. Each year, the Executive Director shall submit to the Management Board a draft general report covering all the activities of the Agency in the previous year. That general report shall include tailored performance indicators allowing for an effective assessment of the results achieved.

Justification

In line with the principles of Activity based management and Activity based budgeting (ABM-ABB), the Agency's work programme and annual activity report should provide information on the resources allocated to the activities which are necessary to reach the Agency's objectives and on the overall performance in achieving these objectives (IWG).

Amendment  15

Proposal for a regulation

Article 29 – paragraph 1

Text proposed by the Commission

Amendment

1. Within three years from the date of establishment referred to in Article 34, the Commission, taking into account the views of all relevant stakeholders, shall carry out an evaluation on the basis of terms of reference agreed with the Management Board. The evaluation shall assess the impact and the effectiveness of the Agency in achieving the objectives set out in Article 2, and the effectiveness of the Agency’s working practices. The Commission shall undertake the evaluation notably in order to determine whether an Agency is still an effective instrument and whether the duration of the Agency should be further extended beyond the period specified in Article 34.

1. Within three years from the date of establishment referred to in Article 34, the Commission, taking into account the views of all relevant stakeholders, shall carry out an evaluation on the basis of terms of reference agreed with the Management Board. The evaluation shall assess the impact and the effectiveness of the Agency in achieving the objectives set out in Article 2, and the effectiveness of the Agency’s working practices. The Commission shall undertake the evaluation notably in order to determine whether an Agency is still an effective instrument and whether the duration of the Agency should be further extended beyond the period specified in Article 33.

Justification

Correction of an erroneous reference.

PROCEDURE

Title: European Network and Information Security Agency (ENISA)

References: COM(2010)0521 – C7-0302/2010 – 2010/0275(COD)

Committee responsible (date announced in plenary): ITRE (19.10.2010)

Committee(s) asked for opinion(s) (date announced in plenary): BUDG (19.10.2010)

Rapporteur(s) (date appointed): Jutta Haug (20.10.2010)

Date adopted: 15.6.2011

Result of final vote: +: 37; –: 1; 0: 0

Members present for the final vote

Damien Abad, Alexander Alvaro, Marta Andreasen, Francesca Balzani, Reimer Böge, Lajos Bokros, Andrea Cozzolino, Jean-Luc Dehaene, Isabelle Durant, James Elles, Göran Färm, José Manuel Fernandes, Eider Gardiazábal Rubial, Salvador Garriga Polledo, Jens Geier, Ivars Godmanis, Estelle Grelier, Jutta Haug, Monika Hohlmeier, Sidonia Elżbieta Jędrzejewska, Anne E. Jensen, Sergej Kozlík, Jan Kozłowski, Alain Lamassoure, Giovanni La Via, Vladimír Maňka, Barbara Matera, Claudio Morganti, Nadezhda Neynsky, Miguel Portas, László Surján, Helga Trüpel, Angelika Werthmann, Jacek Włosowicz

Substitute(s) present for the final vote

Frédéric Daerden, Edit Herczog, Jan Mulder, María Muñiz De Urquiza


OPINION of the Committee on Civil Liberties, Justice and Home Affairs (11.10.2011)

for the Committee on Industry, Research and Energy

on the proposal for a regulation of the European Parliament and of the Council concerning the European Network and Information Security Agency (ENISA)

(COM(2010)0521 – C7-0302/2010 – 2010/0275(COD))

Rapporteur: Alexander Alvaro

SHORT JUSTIFICATION

Information and communication technologies are an integral part of the public and private life in Europe.

In the light of the importance of Network and Information Security, based on the gained experience and the growing cross-border challenges in this field, ENISA’s mandate and resources need to be increased to ensure and promote a high level of data security and protection.

To this end, further to the Commission's proposal, the Agency should establish an early warning system, collect, analyse and coordinate privacy and security data breaches and cooperate closer with Member States, European institutions as well as law enforcement and judicial authorities at their request or on its own initiative.

In addition, in order to ensure full transparency, the democratic oversight of the Agency needs to be strengthened.

AMENDMENTS

The Committee on Civil Liberties, Justice and Home Affairs calls on the Committee on Industry, Research and Energy, as the committee responsible, to incorporate the following amendments in its report:

Amendment  1

Proposal for a regulation

Recital 1

Text proposed by the Commission

Amendment

(1) Electronic communications, infrastructure and services are an essential factor in economic and societal development. They play a vital role for society and have become ubiquitous utilities in the same way that electricity or water supplies are. Their disruption has the potential to cause considerable economic damage, underlining the importance of measures to increase protection and resilience aimed at ensuring continuity of critical services. The security of electronic communications, infrastructure and services, in particular their integrity and availability, faces continuously expanding challenges. This is of increasing concern to society not least because of the possibility of problems due to system complexity, accidents, mistakes and attacks that may have consequences for the physical infrastructure which delivers services critical to the well-being of European citizens.

(1) Electronic communications, infrastructure and services are an essential factor in economic and societal development. They play a vital role for society and have become ubiquitous utilities in the same way that electricity or water supplies are. Their disruption has the potential to cause considerable economic and social damage, underlining the importance of measures to increase protection and resilience aimed at ensuring continuity of critical services. The security of electronic communications, infrastructure and services, in particular their integrity and availability, faces continuously expanding challenges. This is of increasing concern to society not least because of the possibility of problems due to system complexity, accidents, mistakes and attacks that may have consequences for the physical infrastructure which delivers services critical to the well-being of European citizens.

Amendment  2

Proposal for a regulation

Recital 4

Text proposed by the Commission

Amendment

(4) The representatives of the Member States, meeting in the European Council on 13 December 2003, decided that the European Network and Information Security Agency (ENISA), that was to be established on the basis of the proposal submitted by the Commission, would have its seat in a town in Greece to be determined by the Greek Government.

(4) The representatives of the Member States, meeting in the European Council on 13 December 2003, decided that the European Network and Information Security Agency (ENISA), that was to be established on the basis of the proposal submitted by the Commission, would have its seat in a town in Greece to be determined by the Greek Government. The seat of the Agency is in Heraklion, Crete.

Amendment  3

Proposal for a regulation

Recital 7

Text proposed by the Commission

Amendment

(7) Internal market measures in the field of security of electronic communications, and, more generally, network and information security require different forms of technical and organisational applications by the Member States and the Commission. The heterogeneous application of these requirements can lead to inefficiencies and can create obstacles to the internal market. This calls for a centre of expertise at European level providing guidance, advice, and when called upon, assistance on issues related to network and information security, which may be relied upon by the Member States and the European institutions. The Agency can respond to these needs by developing and maintaining a high level of expertise and assisting the Member States, the Commission and as a consequence the business community in order to help them to meet the legal and regulatory requirements of network and information security, thereby contributing to the smooth functioning of the internal market.

(7) Internal market measures in the field of security of electronic communications, and, more generally, network and information security require different forms of technical and organisational applications by the Member States and the Commission. The heterogeneous application of these requirements can lead to inefficiencies and can create obstacles to the internal market. This calls for a centre of expertise at European level providing guidance, advice, and when called upon, assistance on issues related to network and information security, which may be relied upon by the Member States and the European institutions. The Agency can respond to these needs by developing and maintaining a high level of expertise and assisting the Member States, the Commission and as a consequence the business community in order to help them to meet the legal and regulatory requirements of network and information security, and to determine and address network and information security issues, thereby contributing to the smooth functioning of the internal market.

Amendment  4

Proposal for a regulation

Recital 8

Text proposed by the Commission

Amendment

(8) The Agency should carry out the tasks conferred on it by present Union legislation in the field of electronic communications and, in general, contribute to an enhanced level of security of electronic communications by, among other things, providing expertise and advice, and promoting the exchange of good practices.

(8) The Agency should carry out the tasks conferred on it by present Union legislation in the field of electronic communications and, in general, contribute to an enhanced level of security of electronic communications as well as privacy and personal data protection by, among other things, providing expertise and advice, and promoting the exchange of good practices. Furthermore, the Agency should establish confidence by virtue of its independence, the quality of the advice it delivers and the information it disseminates, and the transparency of its procedures and methods of operating.

Amendment  5

Proposal for a regulation

Recital 11

Text proposed by the Commission

Amendment

(11) The Agency should contribute to a high level of network and information security within the Union and to the development of a culture of network and information security for the benefit of citizens, consumers, businesses and public sector organisations in the European Union, thus contributing to the smooth functioning of the internal market.

(11) The Agency should contribute to a high level of network and information security within the Union, to better protection of privacy and personal data, and to the development of a culture of network and information security for the benefit of citizens, consumers, businesses and public sector organisations in the European Union, thus contributing to the smooth functioning of the internal market.

Amendment  6

Proposal for a regulation

Recital 12

Text proposed by the Commission

Amendment

(12) A set of tasks should indicate how the Agency is to accomplish its objectives while allowing flexibility in its operations. The tasks carried out by the Agency should include the collection of appropriate information and data needed to carry out analyses of the risks to the security and resilience of electronic communications, infrastructure and services and to assess, in cooperation with Member States, the state of network and information security in Europe. The Agency should ensure coordination with Member States and enhance cooperation between stakeholders in Europe, in particular by involving in its activities competent national bodies and private sector experts in the area of network and information security. The Agency should provide assistance to the Commission and the Member States in their dialogue with industry to address security-related problems in hardware and software products, thereby contributing to a collaborative approach to network and information security.

(12) A set of tasks should indicate how the Agency is to accomplish its objectives while allowing flexibility in its operations. The tasks carried out by the Agency should include the collection of appropriate information and data needed to carry out analyses of the risks to the security and resilience of electronic communications, infrastructure and services and to assess, in cooperation with Member States, the state of network and information security in Europe. The Agency should ensure coordination with Member States and enhance cooperation between stakeholders in Europe, in particular by involving in its activities competent national bodies and private sector experts in the area of network and information security. The Agency should provide assistance to the Union institutions and the Member States in their dialogue with industry to address security-related problems in hardware and software products, thereby contributing to a collaborative approach to network and information security.

Amendment  7

Proposal for a regulation

Recital 14 a (new)

Text proposed by the Commission

Amendment

 

(14a) The Agency should support a European Forum for Member States (EFMS) aimed at fostering discussion and exchanges on good policy practices, with the aim of sharing policy objectives and priorities on security and resilience of ICT infrastructure, and play a more active role in its work.

Amendment  8

Proposal for a regulation

Recital 20

Text proposed by the Commission

Amendment

(20) The Agency should facilitate cooperation among the Member States’ competent public bodies, in particular supporting the development and exchange of good practices and standards for education programmes and awareness-raising schemes. Increased information exchange between Member States will facilitate such action. The Agency should also support cooperation between public and private stakeholders at the Union level, partly by promoting information sharing, awareness-raising campaigns and education and training programmes.

(20) The Agency should facilitate cooperation among the Member States’ competent independent regulatory authorities, in particular supporting the development and exchange of good practices and standards for education programmes and awareness-raising schemes. Increased information exchange between Member States will facilitate such action. The Agency should also support cooperation between public and private stakeholders at the Union level, partly by promoting information sharing, awareness-raising campaigns and education and training programmes.

Amendment  9

Proposal for a regulation

Recital 23 a (new)

Text proposed by the Commission

Amendment

 

(23a) The Agency should encourage Member States and service providers to raise their general security standards so that all internet users take the necessary steps to ensure their own personal cyber security.

Amendment  10

Proposal for a regulation

Recital 25

Text proposed by the Commission

Amendment

(25) To ensure full achievement of its objectives, the Agency should liaise with law enforcement bodies and privacy protection authorities to highlight and properly address the network and information security aspects of fighting cybercrime. Representatives of these authorities should become fully fledged stakeholders of the Agency and should be represented in the Agency’s Permanent Stakeholders Group.

(25) To ensure full achievement of its objectives, the Agency should liaise and cooperate with law enforcement bodies and privacy and personal data protection authorities to highlight and properly address the network and information security aspects of fighting cybercrime and protecting personal data. Representatives of these authorities should become fully fledged stakeholders of the Agency and should be represented in the Agency’s Permanent Stakeholders Group.

Amendment  11

Proposal for a regulation

Recital 27

Text proposed by the Commission

Amendment

(27) The exercise of the Agency's tasks should not interfere with the competencies nor pre-empt, impede or overlap with the relevant powers and tasks of: the national regulatory authorities as set out in the Directives relating to the electronic communications networks and services, as well as on the Body of European Regulators for Electronic Communications (BEREC) established by Regulation 1211/2009 of the European Parliament and the Council and the Communications Committee referred to in Directive 2002/21/EC, the European standardisation bodies, the national standardisation bodies and the Standing Committee as set out in Directive 98/34/EC of the European Parliament and of the Council of 22 June 1998 laying down a procedure for the provision of information in the field of technical standards and regulations and of rules on Information Society Services and the supervisory authorities of the Member States relating to the protection of individuals with regard to the processing of personal data and on the free movement of such data.

(27) The exercise of the Agency's tasks should not interfere with the competencies nor pre-empt, impede or overlap with the relevant powers and tasks of: the national regulatory authorities as set out in the Directives relating to the electronic communications networks and services, as well as on the Body of European Regulators for Electronic Communications (BEREC) established by Regulation 1211/2009 of the European Parliament and the Council and the Communications Committee referred to in Directive 2002/21/EC, the European standardisation bodies, the national standardisation bodies and the Standing Committee as set out in Directive 98/34/EC of the European Parliament and of the Council of 22 June 1998 laying down a procedure for the provision of information in the field of technical standards and regulations and of rules on Information Society Services and the independent supervisory authorities of the Member States relating to the protection of individuals with regard to the processing of personal data and on the free movement of such data.

Amendment  12

Proposal for a regulation

Article 2 – paragraph 1

Text proposed by the Commission

Amendment

1. The Agency shall assist the Commission and the Member States to meet the legal and regulatory requirements of network and information security in present and future Union legislation, thus contributing to the smooth functioning of the internal market.

1. The Agency shall assist the Commission, the other Union institutions and the Member States to meet the legal and regulatory requirements of network and information security, as well as privacy and personal data protection, in present and future Union legislation, thus contributing to the smooth functioning of the internal market.

Amendment  13

Proposal for a regulation

Article 2 – paragraph 3 a (new)

Text proposed by the Commission

Amendment

 

3a. The Agency shall ensure a high level of data protection and security.

Amendment  14

Proposal for a regulation

Article 3 – paragraph 1 – point a

Text proposed by the Commission

Amendment

(a) Assist the Commission, at its request or on its own initiative, on network and information security policy development by providing it with advice and opinions and with technical and socio-economic analyses, and with preparatory work for developing and updating Union legislation in the field of network and information security;

(a) Assist the Commission, at its request or on its own initiative, on network and information security policy development by providing it with advice and opinions and with technical, legal and socio-economic analyses, and with preparatory work for developing and updating Union legislation in the field of network and information security, as well as privacy and personal data protection, with particular reference to the online aspects;

Amendment  15

Proposal for a regulation

Article 3 – paragraph 1 – point b

Text proposed by the Commission

Amendment

(b) Facilitate the cooperation among the Member States and between the Member States and the Commission in their efforts with a cross-border dimension to prevent, detect and respond to network and information security incidents;

(b) Facilitate the cooperation among the Member States and between the Member States and the Union institutions, at their request or on its own initiative, in their efforts to prevent, detect and respond to network and information security incidents where this has an impact across borders;

Amendment  16

Proposal for a regulation

Article 3 – paragraph 1 – point c

Text proposed by the Commission

Amendment

(c) Assist the Member States and the European institutions and bodies in their efforts to collect, analyse and disseminate network and information security data;

(c) Assist the Member States and the European institutions and bodies, at their request or on its own initiative, in their efforts to collect, analyse and disseminate network and information security data;

Amendment  17

Proposal for a regulation

Article 3 – paragraph 1 – point d

Text proposed by the Commission

Amendment

(d) Regularly assess, in cooperation with the Member States and the European institutions, the state of network and information security in Europe;

(d) On the basis of the information provided by the Member States and by the Union institutions in accordance with Union provisions and national provisions in compliance with Union law, maintain awareness of the latest state of network and information security in the Union for the benefit of the Member States and the Union institutions;

Amendment  18

Proposal for a regulation

Article 3 – paragraph 1 – point e

Text proposed by the Commission

Amendment

(e) Support cooperation among competent public bodies in Europe, in particular supporting their efforts to develop and exchange good practices and standards;

(e) Support cooperation among the competent public bodies and between public and private stakeholders in the Union, at their request or on its own initiative, facilitate dialogue and efforts to develop and exchange good practices, and promote and ensure their full independence, promote information sharing and awareness raising, and facilitate the establishment and take up of European and international standards for risk management and for the security of electronic products, networks and services;

Amendment  19

Proposal for a regulation

Article 3 – paragraph 1 – point f a (new)

Text proposed by the Commission

Amendment

 

(fa) Support law enforcement and judicial authorities, at their request or on its own initiative, with expertise in fighting cybercrime and responding to cyber incidents;

Amendment  20

Proposal for a regulation

Article 3 – paragraph 1 – point f aa (new)

Text proposed by the Commission

Amendment

 

(faa) Support law enforcement and judicial authorities, at their request or on its own initiative, with expertise in fighting cybercrime and responding to cyber incidents. The Agency shall however not initiate specific criminal investigations and shall not routinely be called to provide operational assistance to law enforcement and judicial authorities, such as cybercrime investigations or computer forensics;

Amendment  21

Proposal for a regulation

Article 3 – paragraph 1 – point f c (new)

Text proposed by the Commission

Amendment

 

(fc) Promote good practices in relation to the security of data processing by applying internally the most effective and advanced security procedures and their methods of operation and at the same time minimising as much as possible the impact on privacy and act as a point of reference in the practical implementation of best available techniques in the field of security;

Amendment  22

Proposal for a regulation

Article 3 – paragraph 1 – point i

Text proposed by the Commission

Amendment

(i) Assist the Member States and the European institutions and bodies, at their request, in their efforts to develop network and information security detection, analysis and response capability;

(i) Assist the Union institutions and bodies set up by Union law in their efforts to develop prevention, detection, analysis and response capability in respect to network and information security;

Amendment  23

Proposal for a regulation

Article 3 – paragraph 1 – point k

Text proposed by the Commission

Amendment

(k) Carry out tasks conferred on the Agency by Union legislative acts.

(k) Carry out tasks conferred on the Agency by Union legislative acts, as adopted by the European Parliament and the Council.

Amendment  24

Proposal for a regulation

Article 3 a (new)

Text proposed by the Commission

Amendment

 

Article 3a

 

Computer Emergency Response Teams (CERTs)

 

1. The Agency shall support national CERTs in Member States and at Union level and the establishment and operation of a network of national and Union CERTs, including the members of the European Governmental CERTs Group. To assist in ensuring that each of the national and Union CERTs have sufficiently advanced capabilities and that those capabilities correspond as far as possible to the capabilities of the most advanced CERTs, the Agency shall assist in benchmarking the teams and shall promote dialogue and exchange of information and best practices between the CERTs and the European Governmental CERTs Group. The Agency shall promote and support cooperation between the relevant national and Union CERTs in the event of incidents involving or potentially involving several of them.

 

2. The Agency shall facilitate contacts and exchanges of information and best practices with relevant state and other CERTs, groups and fora in third countries.

 

3. The Agency shall function as the EU CERTs' coordination body.

Amendment  25

Proposal for a regulation

Article 7 – paragraph 1 a (new)

Text proposed by the Commission

Amendment

 

1a. Before appointment, the candidate selected by the Management Board shall be invited to make a statement before the competent committee(s) of the European Parliament and answer questions from committee members. After this statement, the European Parliament shall adopt an opinion setting out its view of the selected candidate. The Management Board shall inform the European Parliament of the manner in which that opinion has been taken into account.

Amendment  26

Proposal for a regulation

Article 10 – paragraph 2

Text proposed by the Commission

Amendment

2. The Executive Director shall be appointed and dismissed by the Management Board. The appointment shall be done from a list of candidates proposed by the Commission for a period of five years, on grounds of merit and documented administrative and managerial skills, as well as specific competence and experience. Before appointment, the candidate selected by the Management Board may be invited to make a statement before the competent committee of the European Parliament and answer questions put by its members.

2. The Executive Director shall be appointed and dismissed by the Management Board. The appointment shall be done from a list of candidates proposed by the Commission for a period of five years, on grounds of merit and documented administrative and managerial skills, as well as specific competence and experience. Before appointment, the candidate selected by the Management Board shall be invited to make a statement before the competent committee(s) of the European Parliament and answer questions from committee members. After this statement, the European Parliament shall adopt an opinion setting out its view of the selected candidate. The Management Board shall inform the European Parliament of the manner in which this opinion has been taken into account.

Amendment  27

Proposal for a regulation

Article 10 – paragraph 5

Text proposed by the Commission

Amendment

5. The Management Board shall inform the European Parliament about its intention to extend the Executive Director's term of office. Within a month before the extension of his/her term of office, the Executive Director may be invited to make a statement before the competent committee of the Parliament and answer questions put by its members.

5. The Management Board shall inform the European Parliament about its intention to extend the Executive Director's term of office. Within a month before the extension of his/her term of office, the Executive Director shall be invited to make a statement before the competent committee of the Parliament and answer questions put by its members.

Amendment  28

Proposal for a regulation

Article 11 – paragraph 1

Text proposed by the Commission

Amendment

1. The Management Board shall set up a Permanent Stakeholders’ Group on a proposal by the Executive Director, composed of experts representing the relevant stakeholders, such as the information and communication technologies industry, consumer groups, academic experts in network and information security, and law enforcement and privacy protection authorities.

1. The Management Board shall set up a Permanent Stakeholders’ Group on a proposal by the Executive Director, composed of experts representing the relevant stakeholders, such as the information and communication technologies industry, consumer groups, academic experts in network and information security, and law enforcement and data protection authorities.

Amendment  29

Proposal for a regulation

Article 27 – paragraph 1 a (new)

Text proposed by the Commission

Amendment

 

1a. The Management Board shall establish measures for the application of Regulation (EC) No 45/2001 by the Agency, including those concerning the Data Protection Officer of the Agency.

PROCEDURE

Title

European Network and Information Security Agency (ENISA)

References

COM(2010)0521 – C7-0302/2010 – 2010/0275(COD)

Committee responsible

       Date announced in plenary

ITRE

19.10.2010

 

 

 

Committee(s) asked for opinion(s)

       Date announced in plenary

LIBE

19.10.2010

 

 

 

Rapporteur(s)

       Date appointed

Alexander Alvaro

9.12.2010

 

 

 

Discussed in committee

24.5.2011

19.9.2011

11.10.2011

 

Date adopted

11.10.2011

 

 

 

Result of final vote

+: 48

–: 1

0: 0

Members present for the final vote

Jan Philipp Albrecht, Sonia Alfano, Alexander Alvaro, Roberta Angelilli, Vilija Blinkevičiūtė, Rita Borsellino, Emine Bozkurt, Simon Busuttil, Carlos Coelho, Rosario Crocetta, Hélène Flautre, Kinga Gál, Kinga Göncz, Nathalie Griesbeck, Sylvie Guillaume, Anna Hedh, Sophia in ‘t Veld, Lívia Járóka, Teresa Jiménez-Becerril Barrio, Timothy Kirkhope, Juan Fernando López Aguilar, Monica Luisa Macovei, Véronique Mathieu, Nuno Melo, Claude Moraes, Jan Mulder, Antigoni Papadopoulou, Georgios Papanikolaou, Jacek Protasiewicz, Carmen Romero López, Birgit Sippel, Csaba Sógor, Renate Sommer, Rui Tavares, Kyriacos Triantaphyllides, Wim van de Camp, Axel Voss, Tatjana Ždanoka, Auke Zijlstra

Substitute(s) present for the final vote

Edit Bauer, Anna Maria Corazza Bildt, Cornelis de Jong, Dimitrios Droutsas, Ioan Enciu, Nadja Hirsch, Ádám Kósa, Hubert Pirker, Bogusław Sonik, Cecilia Wikström


PROCEDURE

Title

European Network and Information Security Agency (ENISA)

References

COM(2010)0521 – C7-0302/2010 – 2010/0275(COD)

Date submitted to Parliament

30.9.2010

 

 

 

Committee responsible

       Date announced in plenary

ITRE

19.10.2010

 

 

 

Committee(s) asked for opinion(s)

       Date announced in plenary

BUDG

19.10.2010

IMCO

19.10.2010

LIBE

19.10.2010

 

Not delivering opinions

       Date of decision

IMCO

11.10.2010

 

 

 

Rapporteur(s)

       Date appointed

Giles Chichester

10.11.2010

 

 

 

Discussed in committee

27.1.2011

31.3.2011

5.10.2011

20.10.2011

Date adopted

20.2.2013

 

 

 

Result of final vote

+: 48

–: 2

0: 0

Members present for the final vote

Amelia Andersdotter, Josefa Andrés Barea, Zigmantas Balčytis, Bendt Bendtsen, Jan Březina, Reinhard Bütikofer, Maria Da Graça Carvalho, Giles Chichester, Jürgen Creutzmann, Pilar del Castillo Vera, Christian Ehler, Gaston Franco, Adam Gierek, Norbert Glante, Robert Goebbels, Fiona Hall, Jacky Hénin, Kent Johansson, Romana Jordan, Krišjānis Kariņš, Lena Kolarska-Bobińska, Béla Kovács, Angelika Niebler, Jaroslav Paška, Herbert Reul, Teresa Riera Madurell, Michèle Rivasi, Paul Rübig, Amalia Sartori, Salvador Sedó i Alabart, Francisco Sosa Wagner, Konrad Szymański, Patrizia Toia, Evžen Tošenovský, Ioannis A. Tsoukalas, Marita Ulvskog, Adina-Ioana Vălean, Kathleen Van Brempt

Substitute(s) present for the final vote

Ioan Enciu, Satu Hassi, Roger Helmer, Jolanta Emilia Hibner, Seán Kelly, Bernd Lange, Marian-Jean Marinescu, Zofija Mazej Kukovič, Pavel Poc, Vladimír Remek, Algirdas Saudargas, Silvia-Adriana Ţicău

Date tabled

28.2.2013

Last updated: 3 April 2013