Procedure : 2021/2135(DEC)
Document stages in plenary
Document selected : A9-0119/2022

Texts tabled :

A9-0119/2022

Debates :

PV 04/05/2022 - 6
CRE 04/05/2022 - 6

Votes :

PV 04/05/2022 - 8.28

Texts adopted :

P9_TA(2022)0168

Texts adopted
Wednesday, 4 May 2022 - Strasbourg
Discharge 2020: European Union Agency for Cybersecurity (ENISA)
P9_TA(2022)0168 A9-0119/2022

1. European Parliament decision of 4 May 2022 on discharge in respect of the implementation of the budget of ENISA (European Union Agency for Cybersecurity) for the financial year 2020 (2021/2135(DEC))

The European Parliament,

–  having regard to the final annual accounts of ENISA (European Union Agency for Cybersecurity) for the financial year 2020,

–  having regard to the Court of Auditors’ annual report on EU agencies for the financial year 2020, together with the agencies’ replies(1),

–  having regard to the statement of assurance(2) as to the reliability of the accounts and the legality and regularity of the underlying transactions provided by the Court of Auditors for the financial year 2020, pursuant to Article 287 of the Treaty on the Functioning of the European Union,

–  having regard to the Council’s recommendation of 28 February 2022 on discharge to be given to the Agency in respect of the implementation of the budget for the financial year 2020 (06003/2022 – C9‑0090/2022),

–  having regard to Article 319 of the Treaty on the Functioning of the European Union,

–  having regard to Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council of 18 July 2018 on the financial rules applicable to the general budget of the Union, amending Regulations (EU) No 1296/2013, (EU) No 1301/2013, (EU) No 1303/2013, (EU) No 1304/2013, (EU) No 1309/2013, (EU) No 1316/2013, (EU) No 223/2014, (EU) No 283/2014, and Decision No 541/2014/EU and repealing Regulation (EU, Euratom) No 966/2012(3), and in particular Article 70 thereof,

–  having regard to Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act)(4), and in particular Article 31 thereof,

–  having regard to Commission Delegated Regulation (EU) 2019/715 of 18 December 2018 on the framework financial regulation for the bodies set up under the TFEU and Euratom Treaty and referred to in Article 70 of Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council(5), and in particular Article 105 thereof,

–  having regard to Rule 100 of and Annex V to its Rules of Procedure,

–  having regard to the report of the Committee on Budgetary Control (A9-0119/2022),

1.  Grants the Executive Director of ENISA (European Union Agency for Cybersecurity) discharge in respect of the implementation of the Agency’s budget for the financial year 2020;

2.  Sets out its observations in the resolution below;

3.  Instructs its President to forward this decision, and the resolution forming an integral part of it, to the Executive Director of ENISA (European Union Agency for Cybersecurity), the Council, the Commission and the Court of Auditors, and to arrange for their publication in the Official Journal of the European Union (L series).

(1) OJ C 439, 29.10.2021, p. 3. ECA annual report on EU agencies for the 2020 financial year: https://www.eca.europa.eu/en/Pages/DocItem.aspx?did=59697.
(2) OJ C 439, 29.10.2021, p. 3. ECA annual report on EU agencies for the 2020 financial year: https://www.eca.europa.eu/en/Pages/DocItem.aspx?did=59697.
(3) OJ L 193, 30.7.2018, p. 1.
(4) OJ L 151, 7.6.2019, p. 15.
(5) OJ L 122, 10.5.2019, p. 1.


2. European Parliament decision of 4 May 2022 on the closure of the accounts of ENISA (European Union Agency for Cybersecurity) for the financial year 2020 (2021/2135(DEC))

The European Parliament,

–  having regard to the final annual accounts of ENISA (European Union Agency for Cybersecurity) for the financial year 2020,

–  having regard to the Court of Auditors’ annual report on EU agencies for the financial year 2020, together with the agencies’ replies(1),

–  having regard to the statement of assurance(2) as to the reliability of the accounts and the legality and regularity of the underlying transactions provided by the Court of Auditors for the financial year 2020, pursuant to Article 287 of the Treaty on the Functioning of the European Union,

–  having regard to the Council’s recommendation of 28 February 2022 on discharge to be given to the Agency in respect of the implementation of the budget for the financial year 2020 (06003/2022 – C9‑0090/2022),

–  having regard to Article 319 of the Treaty on the Functioning of the European Union,

–  having regard to Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council of 18 July 2018 on the financial rules applicable to the general budget of the Union, amending Regulations (EU) No 1296/2013, (EU) No 1301/2013, (EU) No 1303/2013, (EU) No 1304/2013, (EU) No 1309/2013, (EU) No 1316/2013, (EU) No 223/2014, (EU) No 283/2014, and Decision No 541/2014/EU and repealing Regulation (EU, Euratom) No 966/2012(3), and in particular Article 70 thereof,

–  having regard to Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act)(4), and in particular Article 31 thereof,

–  having regard to Commission Delegated Regulation (EU) 2019/715 of 18 December 2018 on the framework financial regulation for the bodies set up under the TFEU and Euratom Treaty and referred to in Article 70 of Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council(5), and in particular Article 105 thereof,

–  having regard to Rule 100 of and Annex V to its Rules of Procedure,

–  having regard to the report of the Committee on Budgetary Control (A9-0119/2022),

1.  Approves the closure of the accounts of ENISA (European Union Agency for Cybersecurity) for the financial year 2020;

2.  Instructs its President to forward this decision to the Executive Director of ENISA (European Union Agency for Cybersecurity), the Council, the Commission and the Court of Auditors, and to arrange for its publication in the Official Journal of the European Union (L series).

(1) OJ C 439, 29.10.2021, p. 3. ECA annual report on EU agencies for the 2020 financial year: https://www.eca.europa.eu/en/Pages/DocItem.aspx?did=59697.
(2) OJ C 439, 29.10.2021, p. 3. ECA annual report on EU agencies for the 2020 financial year: https://www.eca.europa.eu/en/Pages/DocItem.aspx?did=59697.
(3) OJ L 193, 30.7.2018, p. 1.
(4) OJ L 151, 7.6.2019, p. 15.
(5) OJ L 122, 10.5.2019, p. 1.


3. European Parliament resolution of 4 May 2022 with observations forming an integral part of the decision on discharge in respect of the implementation of the budget of ENISA (European Union Agency for Cybersecurity) for the financial year 2020 (2021/2135(DEC))

The European Parliament,

–  having regard to its decision on discharge in respect of the implementation of the budget of ENISA (European Union Agency for Cybersecurity) for the financial year 2020,

–  having regard to Rule 100 of and Annex V to its Rules of Procedure,

–  having regard to the report of the Committee on Budgetary Control (A9-0119/2022),

A.  whereas, according to its statement of revenue and expenditure(1), the final budget of ENISA (European Union Agency for Cybersecurity) (the ‘Agency’) for the financial year 2020 was EUR 21 682 883, representing an increase of 28,05 % compared to 2019; whereas that increase results mainly from an increase in expenditure on staff, information and communications technology and core operational activities, related to the adoption of the Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 (Cybersecurity Act)(2); whereas the budget of the Agency derives mainly from the Union budget;

B.  whereas the Court of Auditors (the ‘Court’), in its report on the Agency’s annual accounts for the financial year 2020 (the ‘Court’s report’), states that it has obtained reasonable assurance that the Agency’s annual accounts are reliable and that the underlying transactions as regards revenue are legal and regular in all material aspects; whereas the Court provides the basis for a qualified opinion on the legality and regularity of the payments underlying the accounts;

Budget and financial management

1.  Notes that the budget monitoring efforts during the financial year 2020 resulted in a budget implementation rate of 97,35 %, representing an increase of 0,55 % compared to 2019; notes furthermore that the payment appropriations execution rate was 68,62 %, representing a decrease of 1,49 % compared to 2019;

2.  Deplores the Court’s observation that forms the basis for a qualified opinion on the legality and regularity of the payments underlying the accounts; notes that the Court found that a temporary delegation granted by the previous executive director to a staff member expired on 31 December 2019 and that that staff member was granted a new delegation by the new executive director on 12 February 2020; notes that the Court found that in the intervening time, that member of staff authorised, in the pursuance of the Agency’s objectives, budgetary commitments amounting to EUR 529 120 and payments amounting to EUR 914 100 without a valid delegation (3,5 % of the total payment appropriations available in 2020); welcomes the observation of the Court that following its audit, the Agency has taken steps to mitigate the identified risks in the future;

Performance

3.  Welcomes, regarding the Agency’s following up of the discharge authority’s observations in its 2019 discharge, the revision of the Agency’s key performance indicators (KPIs) in 2020 with the purpose of better reflecting the new challenges and mandate conferred to the Agency by the Cybersecurity Act;

4.  Notes the Agency’s statement that it responded to the global COVID-19 pandemic by playing a key role in preventing malicious cyber actors from taking advantage of the health crisis and turning it into a large scale cyber pandemic;

Staff policy

5.  Notes that on 31 December 2020 the establishment plan was 89,86 % implemented, with 62 temporary agents appointed out of 69 temporary agents authorised under the Union budget (compared to 59 authorised posts in 2019); notes that, in addition, 26 contract agents and 8 seconded national experts worked for the Agency in 2020; notes the increased establishment plan is due to the new Agency’s mandate that conferred greater competencies and resources following the adoption of the Cybersecurity Act;

6.  Notes with concern the lack of gender balance within the Agency’s senior management, namely eight out of nine (88,9 %) men; notes the gender balance within the Agency’s overall staff, namely 41 out of 79 (51,9 %) men; asks the Agency to make further efforts towards a better gender balance at senior management level; reminds the Agency that in the selection of candidates, competences, knowledge and experience are important, as well as the geographical and gender balance among staff members;

7.  Notes that the Agency has adopted a policy on protecting the dignity of the person and preventing harassment; takes note of the fact that one case of harassment has been reported and investigated in 2020; calls on the Agency to inform the discharge authority on the outcome of the case;

8.  Notes that since 2019 the Agency has a new mandate and tasks entrusted by the Cybersecurity Act; notes that the new activities are supported by the budgetary authority with increased human resources in 2020 and onwards;

9.  Notes, regarding the follow-up of the 2019 discharge report, that the Agency has some difficulties in recruiting, attracting and retaining suitably qualified staff; notes that the main problem with regard to the fulfilment of the Agency’s vacancies is caused by the low correction coefficient applied to the staff’s salaries in Greece and the professionals’ deficit in the IT security market in the Union; welcomes the Agency’s social measures implemented to increase attractiveness and lower annual staff turnover; calls on the Agency to keep this issue on the agenda and where appropriate to address it through the EU Agencies Network;

10.  Notes, with regard to the follow-up of the 2019 discharge report that the review of the handover procedures to new staff members was postponed and is still currently ongoing; notes also that the handover procedures are considered to be included in the sensitive posts policy; calls on the Agency to report on the future development and on the adoption of the sensitive posts policy;

11.  Notes that due to unfilled vacant posts and heavy workload the Agency relies on interim staff to perform some of its tasks of its annual work programme; welcomes the efforts taken by the Agency in 2020 to re-define its recruitment strategy, by reducing its dependency on interim agents; notes that the Agency’s expected costs of interim workers for 2021 should not exceed EUR 700 000, compared to EUR 923 000 for 2019; further welcomes the Agency’s efforts to ensure that interim workers have the same working conditions as directly employed workers; calls on the Agency to report on the developments of interim staff dependency;

Procurement

12.  Notes that the Agency has actively implemented the green public procurement award criteria in its tendering documentation, with relevant procedures launched in 2020 such as the provision of stationery and printing supplies, laptop computers and docking stations, and the production and supply of branded promotional material; calls on the Agency to actively share its experience with green award criteria with other Agencies and, where appropriate, through the EU Agencies Network;

13.  Notes that the Court identified non-critical weaknesses on the Agency’s public procurement procedures; notes that selection and award criteria in the procurement notice could be improved and respect of publishing within the deadlines should be better monitored; calls on the Agency to report on the future developments in this regard;

14.  Notes, regarding the follow-up of the Court’s observations in 2020, that the Agency has implemented corrective actions to ensure compliance with the applicable financial rules in procurement procedures, including a monitoring to respect the deadlines regarding the publication of the award notice to the Official Journal of the European Union;

15.  Notes, with regard to the follow-up of the Court’s observations in 2020, that the price criterion has been specifically re-assessed in the revision of its internal procurement process to ensure the most economical implementation of the financial offers; notes, furthermore, that the Agency has updated its requirements for minimum turnover for future tenders; calls on the Agency to report to the discharge authority on the developments of upcoming procurement procedures;

Prevention and management of conflicts of interest, and transparency

16.  Notes the Agency’s existing measures and ongoing efforts to secure transparency, prevention and management of conflicts of interest and notes that the CVs of the members of the management board and their declaration of conflicts of interests are being published on its website;

17.  Welcomes the further steps taken in order to enhance the transparency of the Authority’s activities by reporting the meetings that the Authority’s staff have with external stakeholders, and their availability on the Authority’s website;

Internal control

18.  Notes that the Agency’s internal control assessment concluded that the structures supporting internal controls and compliance appear to be spread out and weak; notes the suggestion to implement an independent quality control system to reinforce the monitoring of performance assessment in the Agency; further notes the advice to restructure the Agency’s horizontal tasks such as internal controls, ex ante verification, ISO, budget monitoring and quality controls;

19.  Regrets that the Agency has postponed its plans to adopt a new sensitive posts policy for 2020; calls on the Agency to report the developments on this topic;

20.  Notes that the Agency took the necessary actions to close four audit recommendations reported by the Internal Audit Service; notes, however, that three recommendations remain open as further actions are required to be implemented; calls on the Agency to report on their implementation status in the future;

COVID-19 response and business continuity

21.  Acknowledges the Agency’s efforts in the wake of the COVID-19 pandemic when the Agency was called to help coordinate activities of the Member States and Union bodies by issuing recommendations for the critical infrastructure industry, supporting the toolbox of EU tracing apps, and providing advice to small and medium-sized enterprises and guidance to the healthcare sector to support their response to increased phishing campaigns and ransomware attacks;

22.  Welcomes the decisive targeted actions of the Agency prior to the lockdown imposed by the Greek government to counter the COVID-19 outbreak, such as continuing to ensure high health and safety measures in place for its staff (ample supplies of disinfectant, disposable gloves, masks, basic medicine, hand disinfectant); notes that staff guidelines were drawn up and teleworking was authorised for all staff as of 11 March 2020, and that missions and public events were halted;

23.  Notes that the restrictions imposed from March 2020 and for the best part of that year, such as imposed teleworking and heavily restricted travel for work related missions, led to a number of environmental benefits, in particular a significant reduction of the carbon footprint and a reduction of the use of paper due to increased digitalised processes;

Other comments

24.  Notes that the Agency’s new internal structure was established in June 2020, strengthening the ability to build internal and external synergies with the introduction of ‘cross-structural teams’ for tasks that require contributions from other units; notes the creation of four operational units (policy development and implementation unit, capacity building unit, operational coordination unit, and market, certification and standardisation unit), each aiming to implement a specific element from the Cybersecurity Act; calls on the Agency to inform the discharge authority of the benefits and lessons learned from this reorganisation;

25.  Calls for buildings to be modernised in order to meet zero-emission standards, in particular by installing solar panels on all buildings belonging to the Agency;

26.  Notes from the Agency’s replies to the discharge authority’s questions that the Agency is in the process of updating its cybersecurity policy, especially by taking actions on active directory security, windows client security and windows server security assessments, de-commissioning old systems and regular vulnerability scans;

27.  Notes, with regard to the follow-up to the 2019 discharge, that the Agency has increased efforts to improve its focus on key activities and engage with the highest possible number of stakeholders; notes that the Agency’s work is being disseminated through its website and its social media channels where the level of engagement has been increased in 2020;

°
°   °

28.  Refers, for other observations of a cross-cutting nature accompanying its decision on discharge, to its resolution of 4 May 2022(3) on the performance, financial management and control of the agencies.

(1) OJ C 114, 31.3.2021, p. 86.
(2) Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (OJ L 151, 7.6.2019, p. 15).
(3) Texts adopted, P9_TA(2022)0196.

Last updated: 26 August 2022