A European Commission official confirmed to EUobserver that Jean-Claude Juncker’s proposal to set up a European Cybersecurity Agency is in fact about increasing the mandate of an already existing agency.
The Commission president proposed to set up a European Cybersecurity Agency on Wednesday (13 September), without mentioning that the EU already has an agency dealing with that subject.
In his annual State of the European Union speech, Juncker noted that Europe faced 4,000 ransomware attacks per day last year and that the new agency should “defend” the bloc against these attacks.
“Cyberattacks know no borders and no one is immune. This is why, today, the commission is proposing new tools, including a European Cybersecurity Agency, to help defend us against such attacks,” he said.
He did not mention the European Union Agency for Network and Information Security (Enisa), an EU agency that was set up in 2004.
Enisa, which is based in Greece, issues opinions and recommendations and recently received additional tasks.
Under a directive adopted last year, Enisa was tasked with assisting national governments in developing national cybersecurity strategies, if they asked for it.
The agency was also given the task of organising the secretariat of a new pan-EU cooperation group. However, it has no mandate to fend off cyberattacks.
Juncker meant to say that Enisa should be beefed up, rather than that a new agency should be set up.
The EU commission has previously announced that, by this month, it would “review the mandate of Enisa to define its role in the changed cybersecurity ecosystem”.
The commission official said Enisa “will be reinforced so that it can assist EU countries which face cyberattacks and prepare them with annual cyber exercises”, the official said.