Executive Summary

digitaleurope – The upcoming evaluation of the European Union Agency for Cybersecurity (ENISA) is crucial to assess its performance and explore potential modifications to its mandate, considering its role in the evolving cybersecurity landscape.

ENISA has been successful in promoting network and information security across Europe, but must adapt to address emerging cyber threats and the changing cybersecurity environment. It now faces expanded responsibilities due to new legislative acts, including the new Directive on measures for a high common level of cybersecurity across the Union (NIS2) and the Cyber Resilience Act.

Expanding ENISA’s mandate presents several challenges, including the predominant competence of Member States in national security matters, the diversity in legal frameworks and expertise amongst Member States, and resource allocation constraints.

To enhance the effectiveness of both ENISA and the European cybersecurity certification framework, we suggest various lines of action and reforms:

• ENISA should further foster coordination and cooperation amongst Member States, facilitating information sharing, best practice dissemination, and harmonisation of cybersecurity policies. It should deepen its sector-specific expertise, prioritising critical sectors and assets and collaborating with sector-specific authorities and organisations, such as information sharing and analysis centres (ISACs);
• ENISA should play a more prominent role in advising on planned EU legislative initiatives with cybersecurity implications, enhancing the coherence and impact of cybersecurity policymaking in the EU;
• ENISA’s tasks within the EU’s cybersecurity ecosystem should be further clarified to avoid duplication and ensure efficient resource allocation across the EU. Structured collaboration with the European Cybersecurity Competence Centre (ECCC) and strengthening support to existing bodies like the NIS Cooperation Group, the CSIRTs Network and EU-CyCLONe can streamline ENISA’s role;
• Collaboration between the public and private sectors is essential to enhance Europe’s resilience against cyber threats. A Joint Public-Private Expert Unit, comprising chief information security officers (CISOs) and leading companies operating in Europe, should be considered to advise on strategies and measures for proactive threat mitigation;
• To improve the effectiveness of the European cybersecurity certification framework, an evidence-based approach should be adopted, including expert-driven impact assessments. The Union Rolling Work Programme (URWP) should be published promptly to provide stakeholders with foresight on upcoming schemes; and
• The Stakeholder Cybersecurity Certification Group (SCCG) should be empowered to play a more proactive role by providing non-binding opinions, participating in impact assessments, interacting with the European Cybersecurity Certification Group (ECCG), and promoting enhanced meeting dynamics.

ENISA’s evaluation and adaptation are essential to meet the evolving cybersecurity challenges facing Europe. Expanding its mandate, whilst respecting Member States’ competencies, can be achieved through a multifaceted approach and effective resource allocation. ENISA should collaborate with existing EU bodies, contribute to policymaking, and foster public-private cooperation to strengthen Europe’s cybersecurity resilience.