EU Policy. Commission evaluating role of ENISA amid deadlock over cyber certificates

Enisa received a bigger mandate under the CSA in 2019.
Enisa received a bigger mandate under the CSA in 2019. Copyright ENISA/Socrates Baltagiannis/Socrates Baltagiannis
Copyright ENISA/Socrates Baltagiannis/Socrates Baltagiannis
By Cynthia Kroet
Share this articleComments
Share this articleClose Button

The assessment comes as EU countries cannot agree on voluntary cybersecurity certification schemes.


The European Commission is seeking feedback from industry and national governments on the functioning, efficiency and scope of work of Europe’s Cyber Security Agency ENISA, according to a consultation sent to companies last week.

The aim of the questionnaire is to evaluate ENISA‘s working practices, as well as the potential need to modify the agency’s mandate and any financial implications.

The move comes as the EU’s Cybersecurity Act (CSA), which entered into force in 2019 and gave ENISA a mandate to oversee the implementation of EU-wide cybersecurity rules, is up for review this summer.

The Athens-based agency, which has just over 100 staff members, is working with the commission and the 27 EU member states to strengthen the bloc’s cyber policy. It’s also tasked to increase the trustworthiness of ICT products through certification.

Under the CSA, ENISA can set up voluntary certification schemes that should demonstrate that certified ICT solutions have the right level of cybersecurity protection for the EU market. The commission can ask ENISA to look at the certificates, which will be discussed by experts and also require member state approval.

So far, of three certificates proposed since 2019, only one has been approved, on baseline ICT products. One on 5G is still in progress, as is another - which has become highly politicised - on cloud services.

France strived to introduce sovereignty requirements within the text designed to exclude non-EU cloud companies from qualifying for the highest security options. The proposal was strongly resisted by several EU countries and industry, perceiving it as a nakedly protectionist move. No deal appears in sight, with an expert group meeting next foreseen for March.

In its consultation, the EU executive asks whether ENISA has achieved leadership as a centre of expertise on cybersecurity over the past four years, whether it gives enough guidance to member states, and if its size is adequate for the work entrusted to it.

The questionnaire is open for feedback until 27 February.

Share this articleComments

You might also like