Saturday

21st Apr 2018

Focus

EU cyber chief says expectations exceed resources

  • Hackers don't care about borders, but whether cybersecurity policy should place at national or EU level is heavily contested (Photo: Katy Levinson)

The head of the EU's cybersecurity agency has downplayed what the agency would be able to accomplish under a new mandate - if the new tasks weren't matched with additional funding.

The European Commission last year proposed to double the budget of the European Union Agency for Network and Information Security (Enisa), and rebrand it as the EU Cybersecurity Agency.

Thank you for reading EUobserver!

Subscribe now for a 30 day free trial.

  1. €150 per year
  2. or €15 per month
  3. Cancel anytime

EUobserver is an independent, not-for-profit news organization that publishes daily news reports, analysis, and investigations from Brussels and the EU member states. We are an indispensable news source for anyone who wants to know what is going on in the EU.

We are mainly funded by advertising and subscription revenues. As advertising revenues are falling fast, we depend on subscription revenues to support our journalism.

For group, corporate or student subscriptions, please contact us. See also our full Terms of Use.

If you already have an account click here to login.

  • Enisa executive director Udo Helmbrecht: 'My biggest challenge as executive director for the last years is prioritisation' (Photo: ITU Pictures)

It proposed that the agency would not only receive more money, but also have more tasks, like organise annual cyber drills and help defend elections from foreign interference.

Udo Helmbrecht, head of Enisa, said on Tuesday (9 January) that while the agency's budget is being doubled, in absolute terms the agency's financial strength will still be limited.

"It's still only from €11 to €22 million, which is not a lot," he said.

Helmbrecht noted that the agency already had to be selective about what it did, due to limited funds.

"My biggest challenge as executive director for the last years is prioritisation," he said.

Helmbrecht cited as an example the tasks assigned to Enisa under the EU's first cybersecurity directive, in force since August 2016.

The directive on security of network and information systems, or NIS directive, gave minimum digital security requirements for essential services and new tasks to Enisa.

"The NIS directive covers drinking water. Maybe we do one workshop on drinking water a year. Nothing more. This means we fulfil the regulation but we don't fulfil, obviously, maybe the expectation."

Without additional resources, the agency may need to take this 'bare minimum' approach with the tasks proposed under the new bill.

"We will fulfil everything which is in the [proposed] regulation. Full stop. But the regulation is very, let's say, 'generic'," said Helmbrecht.

He was speaking at a conference hosted by the European Economic and Social Committee (EESC), a Brussels-based EU body that offers advisory papers on proposed legislation on behalf of civil society.

The author of the draft EESC opinion, Alberto Mazzola, said that he had "doubts" that the increased budget matched the increase in tasks for the Greece-based agency, and that it should be assisted by other EU agencies.

When the European Commission proposed the regulation in September 2017, it itself admitted that Enisa "was not equipped with proportionally sufficient resources" and that it already had a "broad mandate".

Certificates but not checks

There are also other concerns with the proposed legislation.

The commission suggested that the EU set up a system for certification schemes, which could give stamps of approval on the level of cybersecurity of consumer products.

But the system would be voluntary, and national certification authorities would not be scrutinised by the EU.

It was a system of pan-EU certification but national – mostly non-existent – controls that in part led to the Dieselgate emissions scandal.

The EESC's Mazzola also saw that risk, and said that the EU commission should be able to ask Enisa to do audits of national certification authorities.

"If we are introducing certification schemes that are valid all around Europe, and you can get certification in each country, I think it's important that there is this sort of a right of overview and evaluation of activities," he told EUobserver after the event.

But he also said he would expect national governments to resist what they would see as giving up powers to the EU.

"The issue is very sensitive, also for national security," he noted.

Sovereignty

French and German lawmakers have already raised objections to parts of the proposal.

Citing national security and sovereignty, the German senate has objected to a pan-EU certification scheme which superseded national ones.

It said in a text adopted on 15 December 2017 that a complementary European scheme – instead of one that replaced national ones – could strengthen cybersecurity just as well.

The French senate complained that Enisa had "no expertise" to set up certification schemes.

France's national assembly meanwhile said in a motion adopted on 6 December that national authorities, and not Enisa, should remain "the primary guarantors of the protection of European citizens in this field".

On the same day, the Czech senate said Enisa "should primarily complement activities of the member states in the area of cybersecurity and should not be aimed at taking over their competences in this area".

The commission's justification for setting up a pan-EU certification system is that several mechanisms have popped up recently, leading to fragmentation in the internal market.

No donations

Enisa is one of the EU's smallest agencies, and funded mostly by the general EU budget.

The 2013 legal text which underpins Enisa's current mandate said any EU member state "should be allowed to make voluntary contributions".

"Since 2013 it's in the regulation. But no member state does it, full stop. We don't get any donation from the member states," pointed out executive director Helmbrecht.

Germany tells EU to slow down on new cyber rules

'First comes first', said a German government agency official, meaning that previously agreed rules on cybersecurity should be implemented before discussing the EU commission's new proposal.

Interview

EU 'underestimated' cyber-crime

"Cybercrime is growing much, much faster than I think we anticipated," the EU commissioner for security, Julian King, told EUobserver.

EU agency to fight election hacking

A new-model EU cybersecurity agency could help states defend their elections against "hybrid attacks", the Commission has said.

Interview

Greece keen to keep EU cybersecurity agency

Greek official welcomed proposal to give the agency a bigger role, downplayed its kitchen sink problems, and said he was himself the victim of a computer virus.

Opinion

On cybersecurity, Europe must act now

Some governments have closed their eyes, hoping that the menace will go away. It will not - it will only become stronger, according to the former prime minister of Estonia, one of the EU's leading digital states.

Opinion

Cybersecurity and defence for the future of Europe

Cybersecurity is a core element of Europe's strategy to become a global leader in digital technologies and a secure place for its citizens, write EU commissioner Jyrki Katainen and expert Jarno Limnell.

New EU fines will apply to 'old' data breaches

On 25 May, a new general data protection regulation will apply. Data breaches that happened before that date, but were covered up, can be fined under the new regulation.

News in Brief

  1. Audit office: Brexit 'divorce' bill could be billions higher
  2. MEPs urge better protection for journalists
  3. Dieselgate: MEPs back greater role for EU in car approvals
  4. European parliament adopts new organic farming rules
  5. EU granted protection to half million people in 2017
  6. Report: Facebook to carve 1.5bn users out of EU privacy law
  7. Greek court ruling permits migrants to travel to mainland
  8. Commonwealth summit hopes for trade boost after Brexit

Stakeholders' Highlights

  1. Nordic Council of MinistersWorld's Energy Ministers to Meet in Oresund in May to Discuss Green Energy
  2. ILGA EuropeParabéns! Portugal Votes to Respect the Rights of Trans and Intersex People
  3. Mission of China to the EUJobs, Energy, Steel: Government Work Report Sets China's Targets
  4. Martens CentreJoin Us at NET@WORK2018 Featuring Debates on Migration, Foreign Policy, Populism & Disinformation
  5. European Jewish CongressKantor Center Annual Report on Antisemitism Worldwide - The Year the Mask Came Off
  6. UNICEFCalls for the Protection of Children in the Gaza Strip
  7. Mission of China to the EUForeign Minister Wang Yi Highlights Importance of China-EU Relations
  8. Nordic Council of MinistersImmigration and Integration in the Nordic Region - Getting the Facts Straight
  9. Macedonian Human Rights MovementMacedonians in Bulgaria Demand to End the Anti-Macedonian Name Negotiations
  10. Counter BalanceThe EIB Needs to Lead by Example on Tax Justice
  11. ILGA EuropeTrans People in Sweden to be Paid Compensation for Forced Sterilisation
  12. International Partnership for Human RightsThe Danger of Standing Up for Justice and Rights in Central Asia

Latest News

  1. ECJ ruling set to end 10-year 'mouth tobacco' lobbying saga
  2. Whistleblowers, Syria and digital revolution This WEEK
  3. MEP friendship groups offer 'backdoor' for pariah regimes
  4. Macron and Merkel pledge euro reform
  5. Obscurity surrounds EU military fund's expert groups
  6. New EU party finance rules short circuit accountability
  7. Draghi to stay in secretive 'lobby' group
  8. Bulgaria offers lesson in tackling radical-right populists

Stakeholders' Highlights

  1. Mission of China to the EUChina and EU Must Work Together to Promote Global Steel Sector
  2. Swedish EnterprisesEU Tax Proposal on Digital Services Causes Concern for Small Exporting Economies
  3. Europea Jewish CongressCondemns the Horrific Murder of Holocaust Survivor Mireille Knoll in Paris
  4. Mission of China to the EUAn Open China Will Foster a World-Class Business Environment
  5. ECR GroupAn Opportunity to Help Shape a Better Future for Europe
  6. Counter BalanceControversial Turkish Azerbaijani Gas Pipeline Gets Major EU Loan
  7. World VisionSyria’s Children ‘At Risk of Never Fully Recovering', New Study Finds
  8. Macedonian Human Rights MovementMeets with US Congress Member to Denounce Anti-Macedonian Name Negotiations
  9. Martens CentreEuropean Defence Union: Time to Aim High?
  10. UNESDAWatch UNESDA’s President Toast Its 60th Anniversary Year
  11. AJC Transatlantic InstituteAJC Condemns MEP Ana Gomes’s Anti-Semitic Remark, Calls for Disciplinary Action
  12. EPSUEU Commissioners Deny 9.8 Million Workers Legal Minimum Standards on Information Rights