Verbatim report of proceedings

Tuesday, 2 September 2008 - Brussels

15. European Network and Information Security Agency (ENISA) (debate)

  President. − The next item is the debate on the oral question to the Commission, by Giles Chichester and Angelika Niebler, on the European Network and Information Security Agency (ENISA), on behalf of the Group of the European People’s Party (Christian Democrats) and European Democrats (O-0060/2008 - B6-0159/2008).

  Angelika Niebler, rapporteur. − (DE) Mr President, Commissioner, ladies and gentlemen, in 2004 the European Network and Information Security Agency, known by the acronym ENISA, was founded. Its task is essentially to improve network and information security in the European Union and to promote closer cooperation among the Member States.

ENISA’s mandate is unquestionably complex. Computer viruses, spam mail, phishing and Trojans are real threats in a world of virtual data. Hacking threatens private and public networks. The damage done to our modern communication society is immense. Security is the Achilles’ heel of our computer systems. This is where we are vulnerable and endangered; when I put it that way, you will understand how important this agency is to us.

On the other hand, this agency does not have a large staff, but it still has this mammoth task to perform. This raises the legitimate question whether ENISA can actually perform its tasks in the way in which it currently operates. We have very often discussed, both in the chamber and in other bodies here, how ENISA might perhaps be further developed. The latest proposal from the Commission was that ENISA be merged with the planned European Authority for Telecommunications Markets. That proposal was not embraced by Parliament or by the Council. Instead, Parliament and the Council decided before the summer recess that ENISA’s mandate should be extended for three years.

The ultimate purpose of our question to the Commission is to ensure that this debate is structured over the next three years. By asking the question, we also want to grasp the nettle and challenge the Commission to state its position on the points we regard as critical. In its present form, can ENISA perform the tasks that are expected of it? Is the Commission thinking about replacing ENISA with another organisation? Is it absolutely essential that these tasks be performed by an EU agency? In the Commission’s view, what general changes to ENISA’s structure should be considered?

I look forward to the Commissioner’s reply. I am keen to find out how far advanced the deliberations are in the corridors of the Commission. We in Parliament, of course, shall subsequently be called upon to form our own opinion on the future shape of ENISA.

  Viviane Reding, Member of the Commission. − Mr President, the honourable Members will know that in accordance with the Regulation of the European Parliament and of the Council establishing the ENISA Agency, the mandate of ENISA automatically expires on 13 March 2009.

However, the Commission believes it is essential to ensure the continuity of network and information security activities. That was a view shared by Parliament and by the Council in the debates on the proposal for an amending regulation extending the mandate of ENISA. Therefore, the measure extending the mandate of ENISA for a further three years is justified.

It is true that the evaluation of ENISA launched by the Commission in 2006 identified a number of problems, but it also identified positive aspects of the Agency’s achievement in the light of the limited means at its disposal. The Commission responded to the concerns identified by bringing forward a proposal for a regulation establishing the Telecoms Authority.

We note today that the Council and Parliament agree that ENISA should be kept separate from a new body to be put in place as an alternative to the Telecoms Authority, and the Commission still sees the need for an efficient body able to monitor security and integrity issues. That is why it is important to continue the work of ENISA.

However, I also strongly believe that network security challenges will require a strong, coordinated European response. Recent cyber-attacks in Estonia and also in Georgia – the serious cyber-attack there during the summer seems to have gone unnoticed – have shown that one country on its own can be very vulnerable indeed.

I therefore call on the European Parliament and the Council to open, early in 2009, an intense debate on Europe’s approach to network security and on how to deal with cyber-attacks, and to include the future of ENISA in those reflections.

During the debate on the prolongation of the ENISA regulation, calls were made both in Parliament and in the Council for a debate on the goals of a possible modernised network and information policy, and on the most adequate means to achieve them. It was explicitly stated that the prolongation of ENISA should not prejudice the outcome of that debate. In order to facilitate such a debate, the Commission services will, in the second half of 2008, develop a questionnaire to be submitted to public online consultation on the possible objectives of a modernised NIS policy at EU level, and on the means to achieve those objectives. This will, of course, be done in consultation with ENISA and its management board.

  Nikolaos Vakalis, on behalf of the PPE-DE Group. – (EL) Mr President, Commissioner, the European Parliament and the Council have approved the extension of ENISA’s operation until the end of 2012. This three-year extension will enable further debate on the future of ENISA and the wider question of increased security of networks and information in Europe.

In my view, the revision procedure ought to begin immediately. It should transform the body from a temporary foundation into a permanent one; above all, this must be accompanied by a simultaneous increase in staff and an updating of the extremely important Articles 2 and 3 in its Rules of Procedure. This solution will allow the body to get to work as soon as possible under an upgraded and improved mandate.

Let me remind you here – and this is the Commission’s view, too – that only a European agency can guarantee the security of networks and information. I should also like to point out that today the overwhelming majority of partners agree that ENISA is the most able and qualified body to develop a new, dynamic European policy for the security of networks and information.

In the past, ENISA was harshly criticised. I must remind you, however, that the evaluation report in 2007 was able to evaluate ENISA only in its first year of operation; as a result, the evaluation is no longer reliable or, of course, timely. Recent evaluation studies by independent bodies have restored the truth. It is essential for appropriate resources to be made available so that the body can operate more effectively.

Finally, let me tell you that the Greek Government wishes to support a viable solution: it has undertaken to cover the maintenance expenses of an ENISA office in Athens in order to facilitate the body’s work and operations.

  Anni Podimata, on behalf of the PSE Group. – (EL) Mr President, Commissioner, ladies and gentlemen, the facts behind today’s debate on the oral question by the Group of the European People’s Party (Christian Democrats) and European Democrats on ENISA are certainly very different from when this question was submitted. For a start, the Council and the European Parliament have agreed to the extension of the body’s operating regulation until 2012.

At the same time, the European Commission’s proposal to establish a European authority for the purchase of electronic communications has been treated with circumspection by the Council and the European Parliament. Instead, the Council and the European Parliament are in fact proposing the BERT recommendation, with fundamental responsibility for better implementation of the regulatory framework for telecommunications services, without getting involved in issues of network security or integrity.

However, these issues are indeed exceptionally important, as you, Commissioner, rightly pointed out a little while ago and in your statement earlier today. You stressed that the recent attacks on Estonian cyberspace and that of other countries show how vital it is that we come up with a convincing and coordinated European response immediately.

Now, this is precisely the role ENISA can and must play, once it is operating under an upgraded and improved mandate with clearly defined duties and aims and, of course, once it has the requisite means and human resources available to it.

This time I hope that the Commission will contribute significantly and genuinely here by assisting ENISA in its work to reinforce the security and integrity of networks. This is vital to boost the confidence of companies and, of course, European citizens in European networks.

IN THE CHAIR: MR COCILOVO
Vice-President

  Jorgo Chatzimarkakis, on behalf of the ALDE Group. – (DE) Mr President, Commissioner, network security – it sounds like a specialised field of knowledge, but the security of networks is influencing more and more aspects of our daily lives: mobile communications, the Internet, which is squeezing its way, rather like an octopus, into more and more areas of everyday activity, ambient intelligence – the computer intelligence that is built into our environments, be it to assist elderly people or to control complex work processes. All of this shows us that we are becoming more and more dependent on such advanced forms of technology. They rule our lives and the growth of our economy.

How dependent we have become was recently demonstrated in Estonia. You mentioned, Commissioner, that Georgia was affected too. People are less aware of that case, but if we had needed a more spectacular example than Estonia, we got it there. We saw how a modern, network-driven economy suddenly became dependent on that factor, on that technology, how it was attacked and how its security really did come under very serious threat. That is also the reason why the Commission, in which Commissioner Liikaanen held the portfolio at that time, rightly recognised the need for a network-security agency. This is why we were taken by surprise when ENISA was evaluated after only a year, before it was fully and properly resourced, and the agency’s very existence was called into question. That certainly shocked us at the time, and I am therefore delighted that we are conducting this debate here.

Why did we call this agency into question after only a year? How do you intend, do we intend, to fashion ENISA’s mandate in such a way that it can operate like an agency that deals on equal terms with the agencies that exist in the United States, Japan and China?

I should like to thank you for your recognition, following the second evaluation, of ENISA’s achievements. Nevertheless, day after day we Members of Parliament discuss this culture shift, this climate change that affects our economies, that forces us to give up our economic dependence on fossil fuels and switch to other energy sources. Every day we put our heart and soul into these efforts here. We all know that changing our systems is the only option. To that end we need intelligent solutions, and we need network security, for security is paramount. This is why I am grateful that we are holding this debate as a building block in the construction of a more robustly resourced ENISA and of greater network security.

  Viviane Reding, Member of the Commission. − Mr President, in conclusion I would like to say that there is unanimous support in the Council, and broad support in the European Parliament, for extending the duration of ENISA for three years. Both arms of the legislature agreed to reach a first-reading agreement as soon as possible, in time before the automatic expiry of the current regulation.

As I understand it, the Council plans to adopt the amending regulation as an ‘A’ point at a forthcoming Council meeting. The problem would then be resolved and, after the Commission has presented a paper on the basic problems underlying the cyber-attacks, Parliament can then take that on board and start a real debate on the future of our responses in that area.

  President. − The debate is closed.