Cybersecurity Act (CSA)

ENISA should assist the Commission by means of advice, opinions and analyses regarding all Union matters related to policy and law development, updates and reviews in the field of cybersecurity and sector-specific aspects thereof in order to enhance the relevance of Union policies and laws with a cybersecurity dimension and to enable consistency in the implementation of those policies and laws at national level. ENISA should act as a reference point for advice and expertise for Union sector-specific policy and law initiatives where matters related to cybersecurity are involved. ENISA should regularly inform the European Parliament about its activities.

The public core of the open internet, namely its main protocols and infrastructure, which are a global public good, provides the essential functionality of the internet as a whole and underpins its normal operation. ENISA should support the security of the public core of the open internet and the stability of its functioning, including, but not limited to, key protocols (in particular DNS, BGP, and IPv6), the operation of the domain name system (such as the operation of all top-level domains), and the operation of the root zone.

The underlying task of ENISA is to promote the consistent implementation of the relevant legal framework, in particular the effective implementation of Directive (EU) 2016/1148 and other relevant legal instruments containing cybersecurity aspects, which is essential to increasing cyber resilience. In light of the fast evolving cyber threat landscape, it is clear that Member States have to be supported by more comprehensive, cross-policy approach to building cyber resilience.

ENISA should assist the Member States and Union institutions, bodies, offices and agencies in their efforts to build and enhance capabilities and preparedness to prevent, detect and respond to cyber threats and incidents and in relation to the security of network and information systems. In particular, ENISA should support the development and enhancement of national and Union computer security incident response teams (‘CSIRTs’) provided for in Directive (EU) 2016/1148, with a view to achieving a high common level of their maturity in the Union. Activities carried out by ENISA relating to the operational capacities of Member States should actively support actions taken by Member States to comply with their obligations under Directive (EU) 2016/1148 and therefore should not supersede them.

ENISA should also assist with the development and updating of strategies on the security of network and information systems at Union level and, upon request, at Member State level, in particular on cybersecurity, and should promote the dissemination of such strategies and follow the progress of their implementation. ENISA should also contribute to covering the need for training and training materials, including the needs of public bodies, and where appropriate, to a high extent, ‘train the trainers’, building on the Digital Competence Framework for Citizens with a view to assisting Member States and Union institutions, bodies, offices and agencies in developing their own training capabilities.

ENISA should support Member States in the field of cybersecurity awareness-raising and education by facilitating closer coordination and the exchange of best practices between Member States. Such support could consist in the development of a network of national education points of contact and the development of a cybersecurity training platform. The network of national education points of contact could operate within the National Liaison Officers Network and be a starting point for future coordination within the Members States.

ENISA should assist the Cooperation Group created by Directive (EU) 2016/1148 in the execution of its tasks, in particular by providing expertise, advice and by facilitating the exchange of best practices, inter alia, with regard to the identification of operators of essential services by Member States, as well as in relation to cross-border dependencies, regarding risks and incidents.

With a view to stimulating cooperation between the public and private sector and within the private sector, in particular to support the protection of the critical infrastructures, ENISA should support information sharing within and among sectors, in particular the sectors listed in Annex II to Directive (EU) 2016/1148, by providing best practices and guidance on available tools and on procedure, as well as by providing guidance on how to address regulatory issues related to information sharing, for example through facilitating the establishment of sectoral information sharing and analysis centres.

Whereas the potential negative impact of vulnerabilities in ICT products, ICT services and ICT processes is constantly increasing, finding and remedying such vulnerabilities plays an important role in reducing the overall cybersecurity risk. Cooperation between organisations, manufacturers or providers of vulnerable ICT products, ICT services and ICT processes and members of the cybersecurity research community and governments who find vulnerabilities has been proven to significantly increase both the rate of discovery and the remedy of vulnerabilities in ICT products, ICT services and ICT processes. Coordinated vulnerability disclosure specifies a structured process of cooperation in which vulnerabilities are reported to the owner of the information system, allowing the organisation the opportunity to diagnose and remedy the vulnerability before detailed vulnerability information is disclosed to third parties or to the public. The process also provides for coordination between the finder and the organisation as regards the publication of those vulnerabilities. Coordinated vulnerability disclosure policies could play an important role in Member States’ efforts to enhance cybersecurity.

The support by ENISA for ex-post technical inquiries of incidents having a significant or substantial impact undertaken at the request of the Member States concerned should focus on the prevention of future incidents. The Member States concerned should provide the necessary information and assistance in order to enable ENISA to support the ex-post technical inquiry effectively.

Member States may invite the undertakings concerned by the incident to cooperate by providing necessary information and assistance to ENISA without prejudice to their right to protect commercially sensitive information and information that is relevant to public security.

With a view to increasing Union preparedness in responding to incidents, ENISA should regularly organise cybersecurity exercises at Union level, and, at their request, support Member States and Union institutions, bodies, offices and agencies in organising such exercises. Large-scale comprehensive exercises which include technical, operational or strategic elements should be organised on a biennial basis. In addition, ENISA should be able to regularly organise less comprehensive exercises with the same goal of increasing Union preparedness in responding to incidents.

ENISA should develop and maintain a high level of expertise and operate as a reference point, establishing trust and confidence in the single market by virtue of its independence, the quality of the advice it delivers, the quality of information it disseminates, the transparency of its procedures, the transparency of its methods of operation, and its diligence in carrying out its tasks. ENISA should actively support national efforts and should proactively contribute to Union efforts while carrying out its tasks in full cooperation with the Union institutions, bodies, offices and agencies and with the Member States, avoiding any duplication of work and promoting synergy. In addition, ENISA should build on input from and cooperation with the private sector as well as other relevant stakeholders. A set of tasks should establish how ENISA is to accomplish its objectives while allowing flexibility in its operations.

In order to be able to provide adequate support to the operational cooperation between Member States, ENISA should further strengthen its technical and human capabilities and skills. ENISA should increase its know-how and capabilities. ENISA and Member States, on a voluntary basis, could develop programmes for seconding national experts to ENISA, creating pools of experts and staff exchanges.

ENISA should aggregate and analyse voluntarily shared national reports from CSIRTs and the inter-institutional computer emergency response team for the Union’s institutions, bodies and agencies established by the Arrangement between the European Parliament, the European Council, the Council of the European Union, the European Commission, the Court of Justice of the European Union, the European Central Bank, the European Court of Auditors, the European External Action Service, the European Economic and Social Committee, the European Committee of the Regions and the European Investment Bank on the organisation and operation of a computer emergency response team for the Union’s institutions, bodies and agencies (CERT-EU) ⁽¹⁾ in order to contribute to the setting up of common procedures, language and terminology for the exchange of information. In that context ENISA should involve the private sector within the framework of Directive (EU) 2016/1148 which lays down the grounds for the voluntary exchange of technical information at the operational level, in the computer security incident response teams network (‘CSIRTs network’) created by that Directive.

^{(1) OJ C 12, 13.1.2018, p. 1.}

ENISA should contribute to responses at Union level in the case of large-scale cross-border incidents and crises related to cybersecurity. That task should be performed in accordance with ENISA’s mandate under this Regulation and an approach to be agreed by Member States in the context of Commission Recommendation (EU) 2017/1584 ⁽¹⁾ and the Council conclusions of 26 June 2018 on EU Coordinated Response to Large-Scale Cybersecurity Incidents and Crises. That task could include gathering relevant information and acting as a facilitator between the CSIRTs network and the technical community, as well as between decision makers responsible for crisis management. Furthermore, ENISA should support operational cooperation among Member States, where requested by one or more Member States, in the handling of incidents from a technical perspective, by facilitating relevant exchanges of technical solutions between Member States, and by providing input into public communications. ENISA should support operational cooperation by testing the arrangements for such cooperation through regular cybersecurity exercises.

^{(1) Commission Recommendation (EU) 2017/1584 of 13 September 2017 on coordinated response to large-scale cybersecurity incidents and crises (OJ L 239, 19.9.2017, p. 36).}

In supporting operational cooperation, ENISA should make use of the available technical and operational expertise of CERT-EU through structured cooperation. Such structured cooperation could build on ENISA’s expertise. Where appropriate, dedicated arrangements between the two entities should be established to define the practical implementation of such cooperation and to avoid the duplication of activities.

In performing its task to support operational cooperation within the CSIRTs network, ENISA should be able to provide support to Member States at their request, such as by providing advice on how to improve their capabilities to prevent, detect and respond to incidents, by facilitating the technical handling of incidents having a significant or substantial impact or by ensuring that cyber threats and incidents are analysed. ENISA should facilitate the technical handling of incidents having a significant or substantial impact in particular by supporting the voluntary sharing of technical solutions between Member States or by producing combined technical information, such as technical solutions voluntarily shared by the Member States. Recommendation (EU) 2017/1584 recommends that Member States cooperate in good faith and share among themselves and with ENISA information on large-scale incidents and crises related to cybersecurity without undue delay. Such information would further help ENISA in performing its task of supporting operational cooperation.

As part of the regular cooperation at technical level to support Union situational awareness, ENISA, in close cooperation with the Member States, should prepare a regular in-depth EU Cybersecurity Technical Situation Report on incidents and cyber threats, based on publicly available information, its own analysis and reports shared with it by Member States’ CSIRTs or the national single points of contact on the security of network and information systems (‘single points of contact’) provided for in Directive (EU) 2016/1148, both on a voluntary basis, the European Cybercrime Centre (EC3) at Europol, CERT-EU and, where appropriate, the European Union Intelligence and Situation Centre (EU INTCEN) at the European External Action Service. That report should be made available to the Council, the Commission, the High Representative of the Union for Foreign Affairs and Security Policy and the CSIRTs network.

The support by ENISA for ex-post technical inquiries of incidents having a significant or substantial impact undertaken at the request of the Member States concerned should focus on the prevention of future incidents. The Member States concerned should provide the necessary information and assistance in order to enable ENISA to support the ex-post technical inquiry effectively.

Member States may invite the undertakings concerned by the incident to cooperate by providing necessary information and assistance to ENISA without prejudice to their right to protect commercially sensitive information and information that is relevant to public security.

ENISA, in its role as the secretariat of the CSIRTs network, should support Member States’ CSIRTs and the CERT-EU in the operational cooperation in relation to the relevant tasks of the CSIRTs network, as referred to in Directive (EU) 2016/1148. Furthermore, ENISA should promote and support cooperation between the relevant CSIRTs in the event of incidents, attacks or disruptions of networks or infrastructure managed or protected by the CSIRTs and involving or being capable of involving at least two CSIRTs while taking due account of the Standard Operating Procedures of the CSIRTs network.

With a view to increasing Union preparedness in responding to incidents, ENISA should regularly organise cybersecurity exercises at Union level, and, at their request, support Member States and Union institutions, bodies, offices and agencies in organising such exercises. Large-scale comprehensive exercises which include technical, operational or strategic elements should be organised on a biennial basis. In addition, ENISA should be able to regularly organise less comprehensive exercises with the same goal of increasing Union preparedness in responding to incidents.

In order to support the businesses operating in the cybersecurity sector, as well as the users of cybersecurity solutions, ENISA should develop and maintain a ‘market observatory’ by performing regular analyses and disseminating information on the main trends in the cybersecurity market, on both the demand and supply sides.

ENISA should further develop and maintain its expertise on cybersecurity certification with a view to supporting the Union policy in that area. ENISA should build on existing best practices and should promote the uptake of cybersecurity certification within the Union, including by contributing to the establishment and maintenance of a cybersecurity certification framework at Union level (European cybersecurity certification framework) with a view to increasing the transparency of the cybersecurity assurance of ICT products, ICT services and ICT processes, thereby strengthening trust in the digital internal market and its competitiveness.

Efficient cybersecurity policies should be based on well-developed risk assessment methods, in both the public and private sectors. Risk assessment methods are used at different levels, with no common practice regarding how to apply them efficiently. Promoting and developing best practices for risk assessment and for interoperable risk management solutions in public-sector and private-sector organisations will increase the level of cybersecurity in the Union. To that end, ENISA should support cooperation between stakeholders at Union level and facilitate their efforts relating to the establishment and take-up of European and international standards for risk management and for the measurable security of electronic products, systems, networks and services which, together with software, comprise the network and information systems.

In cooperation with competent authorities, ENISA should be able to disseminate information regarding the level of the cybersecurity of the ICT products, ICT services and ICT processes offered in the internal market, and should issue warnings targeting manufacturers or providers of ICT products, ICT services or ICT processes and requiring them to improve the security of their ICT products, ICT services and ICT processes, including the cybersecurity.

ENISA should regularly consult standardisation organisations, in particular European standardisation organisations, when preparing the European cybersecurity certification schemes.

To understand better the challenges in the area of cybersecurity, and with a view to providing strategic long-term advice to Member States and Union institutions, bodies, offices and agencies, ENISA needs to analyse current and emerging cybersecurity risks. For that purpose, ENISA should, in cooperation with Member States and, as appropriate, with statistical bodies and other bodies, collect relevant publicly available or voluntarily shared information and perform analyses of emerging technologies and provide topic-specific assessments on the expected societal, legal, economic and regulatory impact of technological innovations on network and information security, in particular cybersecurity. ENISA should, furthermore, support Member States and Union institutions, bodies, offices and agencies in identifying emerging cybersecurity risks and preventing incidents, by performing analyses of cyber threats, vulnerabilities and incidents.

In order to increase the resilience of the Union, ENISA should develop expertise in the field of cybersecurity of infrastructures, in particular to support the sectors listed in Annex II to Directive (EU) 2016/1148 and those used by the providers of the digital services listed in Annex III to that Directive, by providing advice, issuing guidelines and exchanging best practices. With a view to ensuring easier access to better-structured information on cybersecurity risks and possible remedies, ENISA should develop and maintain the ‘information hub’ of the Union, a one-stop-shop portal providing the public with information on cybersecurity originating in Union and national institutions, bodies, offices and agencies. Facilitating access to better-structured information on cybersecurity risks and possible remedies could also help Member States bolster their capacities and align their practices, thus increasing their overall resilience to cyberattacks.

ENISA should contribute to raising the public’s awareness of cybersecurity risks, including through an EU-wide awareness-raising campaign by promoting education, and to providing guidance on good practices for individual users aimed at citizens, organisations and businesses. ENISA should also contribute to promoting best practices and solutions, including cyber-hygiene and cyber-literacy at the level of citizens, organisations and businesses by collecting and analysing publicly available information regarding significant incidents, and by compiling and publishing reports and guidance for citizens, organisations and businesses, to improve their overall level of preparedness and resilience. ENISA should also strive to provide consumers with relevant information on applicable certification schemes, for example by providing guidelines and recommendations. ENISA should furthermore organise, in line with the Digital Education Action Plan established in the Commission Communication of 17 January 2018 and in cooperation with the Member States and Union institutions, bodies, offices and agencies regular outreach and public education campaigns directed at end users, to promote safer online behaviour by individuals and digital literacy, to raise awareness of potential cyber threats, including online criminal activities such as phishing attacks, botnets, financial and banking fraud, data fraud incidents, and to promote basic multi-factor authentication, patching, encryption, anonymisation and data protection advice.

ENISA should play a central role in accelerating end-user awareness of the security of devices and the secure use of services, and should promote security-by-design and privacy-by-design at Union level. In pursuing that objective, ENISA should make use of available best practices and experience, especially the best practices and experience of academic institutions and IT security researchers.

Partnerships could be established with academic institutions that have research initiatives in relevant fields, and there should be appropriate channels for input from consumer organisations and other organisations, which should be taken into consideration.

ENISA should take full account of the ongoing research, development and technological assessment activities, in particular those activities carried out by the various Union research initiatives to advise Union institutions, bodies, offices and agencies and where relevant, the Member States at their request, on research needs and priorities in the field of cybersecurity. In order to identify the research needs and priorities, ENISA should also consult the relevant user groups. More specifically, cooperation with the European Research Council, the European Institute for Innovation and Technology and the European Union Institute for Security Studies could be established.

ENISA should be able to respond to ad hoc requests for advice and assistance by Member States and Union institutions, bodies, offices and agencies on matters falling within ENISA’s mandate.