Established in 2004 by the EU regulation 460/2004 (repealed by Regulation (EU) No 526/2013), ENISA is one of the many agencies of the European Union and it is tasked with the important responsibility to foster an EU-wide culture of IT security, digital proficiency, cyber-resilience and cyber-readiness.

The information and security network that the agency contributes to is designed for the benefits of EU societies as a whole, with reference to citizens, businesses, public sector and labour market.

Since its formal establishment, and following the Cybersecurity Act, ENISA’s role is to assist the European Commission, Member States and the EU communities in embracing and adopting the newest cybersecurity standards in view of present and future threats.

As per Regulation (EU) 2019/881, ENISA is composed by the following bodies:

• Management Board: it ensures the agency’s compliance with its statue and founding regulation

• Executive Board: it represent the decision-making body and instructs the management board on decisions to be adopted

• Executive Director: the ED manages the agency and he/she’s responsible for his/her duties independently

• National Liaison Officers Networks: the NLOs bridges and mediate the communication between the agency and each member state

• Advisory Group: it includes an external group of experts that sustains ENISA in the planning and development of work programmes, STKH management and strategic objectives

• Ad hoc working groups: the ED selects external experts to tackle specific scientific/technical matters (i.e., draft and consolidation of a multinational scale assessment)

ENISA’s areas of interest are many, but they can be essentially broken-down into 7 main clusters of activities:

• Empowering Communities – ENISA brings together national and international STKH that are of relevance for cybersecurity and enhances their synergies so as to upscale more easily new cybersecurity models

• Cybersecurity policy – ENISA provides for evidence-based qualitative and quantitative phenomena that can better inform new policies on IT, innovation and development

• Operational Cooperation – ENISA strengthen the axis between the many socio-economic actors that can have an impact (or are impacted by) new ground breaking development in the domain of ICT, and most importantly, cybersecurity.

• Capacity Building – ENISA provides for user friendly and intuitive on cybersecurity at free disposal for all citizens, and/or private businesses

• Trusted Solutions – ENISA monitors and evaluates new digital products and services tackling cybersecurity solutions for societies, markets and economies

• Foresight – ENISA contributes to develop new mitigations strategies the exposure of EU societies and economies to cyberthreats

• Knowledge – ENISA represent a vibrant hub for professionals and experts to exchange best practices

As a formal representative of the private sector, why should you even bother with ENISA?

Please, take your time to explore the platform and familiarize with all available resources.

The European Cybersecurity Organization (ESCO) is among the top EU stakeholders in the domain of IT security and cyber-readiness. The main goal of the organization remains to promote an EU-ecosystem devoted to foster research and awareness in the domain of cybersecurity.

• ESCO is a privileged partner of both the European Commission and ENISA, bridging private an public institutions operating at international and national level

• ESCO supports the implementation of key cybersecurity strategies aimed at sustain the “cyber-transition” of public and private organizations

• ESCO assists EU bodies and agencies in developing new policies and recommendations that find application at national level

ESCO’s areas of interest are allocated to specific working groups (WG):

• WG1 – Standardization, certification and supply chain management

• WG2 – Market deployment, investments and international collaboration

• WG3 – Cyber resilience of economy, infrastructures and services

• WG4 – Support to SMEs, coordination with countries and regions

• WG5 – Education, training, awareness and cyber ranges

• WG6 – SRIA and cybersecurity technologies

Each WG is responsible for the publication and promotion of an extensive number of reports providing for numerous useful information.

ESCO’s analysis are robust and reliable, users can access them for free and gain some really useful insights and the many different interest areas tackled by ESCO.

Please, feel free to navigate the Publications section as well as all the other activities carried out by the organization.

On December 2020, the European Commission and the High Representative of the Union for Foreign Affairs and Security Policy launched the new EU’s Cybersecurity Strategy for the Digital Decade (2019-2024).

The strategy represent a key component of three other EU long-term priorities (Shaping Europe's Digital Future, the Recovery Plan for Europe  and the EU Security Union Strategy) responding to the need of fostering technological readiness and competitiveness of EU societies and economies.

EU’s cyber resilience is at the very core of the new cybersecurity strategy and allows EU’s Member States to adopt, embrace and implement new performance standards to guarantee a safe digital environment for their citizens and businesses. The strategy rests on three key pillars: resilience, operational capacity, international cooperation

RESILIENCE

Resilience, technological sovereignty and leadership is the very first strand of the new cybersecurity strategy.

With that, the European Commission wants to promote new quality standards for the security of IT networks of critical national infrastructures and services such as financial and public health systems.

Of particular interest is the education and training dimension as under this pillar the European Commission foreseen dedicated support measures to SMEs and private organisations such as:

OPERATIONAL CAPACITY

By operational capacity we mean the adequacy and effectiveness of EU’s Members States in assessing, preventing/discouraging and responding to cyberthreats.

In that sense, both the European Commission and the High Representatives remarks with particular emphasis the primary objective to safeguard from malicious attacks all critical infrastructures of modern societies and ones impacting of democratic processes, supply chains infrastructures, etc.

New transnational capacity building programmes are also encouraged among Member States as one of those instrumental means to build a new EU cyber ecosystem.

INTERNATIONAL COOPERATION

A renewed strategy on cybersecurity will be tackled and implemented in cooperation with international stakeholders in view of a global stability.

The European Commission plans to intensify the dialogue with third countries and large international organizations that can be of paramount support to establish a global community-centered agenda for IT security.

These groups of interest will represent the institutional partners of the European Commission throughout this unprecedented 7-year programming of actions and support means.

The NIS directive is one of the most important piece of legislation regulating for a high common level of cybersecurity and information system across the European Union.

Adopted in 2016, the directive gives each Member State certain degrees of “autonomy” for its application at national level, in consideration of specific circumstances and contextual factors.

Citizens can monitor the status of implementation of the directive by consulting the state-of-play of its transposition.

The pillars of NIS directive 

EU’s Members States are required to develop certain standards of cybersecurity performance in terms both of capabilities and support networks (i.e., National CSIRT - Computer Security Incident Response Team).

• CROSS-BORDER COLLABORATION

EU’s Member States are required to establish robust and long-term institutional collaborations with external parties of interest such as CSIRTs and the NIS cooperation group – of which ENISA is a part of.

• NATIONAL SUPERVISION OF CRITICAL SECTORS

EU’s Member States are required to perform in-depth ex-post and ex-ante supervision of the cyber-readiness of critical services and infrastructures.

At the beginning of 2021, the European Commission launched the proposal to revise the NIS directive as a way to address concretely the new wave of cyberthreats that impacted global markets and societies in the last few years.

Cyber-attacks, besides being among the fastest-growing form of crime worldwide, are also growing in scale, cost and sophistication. The latest forecast is that global ransomware damage costs would reach US$20 billion by 2021, 57 times more their amount in 2015 […] Given the growing number and cost of cyber-attacks, spending on information security is also increasing worldwide. The global security market is currently worth around US$150 billion, a figure that many predict will rise to US$208 billion in 2023 and US$400 billion in 2026.

Source: European Parliament, the NIS2 directive

At the moment, the NIS2 directive is going through the ordinary policy making process of EU institutions (an on-going revision of carried out by influential groups of interest and policy makers).

The EU’s strategic programme for the 2019-2024 period includes six main priorities (i.e., “pillars”):

• A European Green Deal

• A Europe fit for the digital age

• An economy that work for people

• A stronger Europe in the world

• Promoting our European way of life

• A new push for European democracy

Specific sub-actions are envisioned for each one of these pillars, cybersecurity falls under A Europe fit for the digital age for both pillar’s strands: Shaping Europe’s digital future and Europe’s Digital Decade: digital targets for 2030.

Research, innovation and IT development in the field of cybersecurity is a top concern of the Horizon Europe programme for the period 2021-2027 – the largest EU programme for research and innovation with a total budget of €95.5 billion

Cybersecurity falls under the cluster of Civil Security for Society, along with disaster-resilient societies, protection & security. Projects under this strand of co-financing are expected to meet one (or more) of the following impacts (pp. 114-115 of the guide):

• Strengthened EU cybersecurity capacities and European Union sovereignty in digital technologies

• More resilient digital infrastructures, systems and processes

• Increased software, hardware and supply chain security

• Secured disruptive technologies

• Smart and quantifiable security assurance and certification shared across the EU

• Reinforced awareness and a common cyber security management and culture

Cybersecurity represents a major area of interest of the DIGITAL Europe Programme.

The programme tackles both the need of new and technologically advanced infrastructures, skill-gaps and human development of professionals deployed in the sector. Concrete objectives are as follows:

Source: Cybersecurity in the DIGITAL Europe programme – Operational Objectives

• Research and innovation: Horizon EUROPE   Capacity building: Digital EUROPE