Chapter III – Organisation of ENISA (Art. 13-28)
Art. 13 CSA - Structure of ENISA
The administrative and management structure of ENISA shall be composed of the following:
- a Management Board;
- an Executive Board;
- an Executive Director;
- an ENISA Advisory Group;
- a National Liaison Officers Network.
Recital 56
It is sensible and recommended to implement certain principles regarding the governance of ENISA in order to comply with the Joint Statement and Common Approach agreed upon in July 2012 by the Inter-Institutional Working Group on EU decentralised agencies, the purpose of which is to streamline the activities of decentralised agencies and improve their performance. The recommendations in the Joint Statement and Common Approach should also be reflected, as appropriate, in ENISA’s work programmes, evaluations of ENISA, and ENISA’s reporting and administrative practice.
Art. 14 CSA - Composition of the Management Board
1. The Management Board shall be composed of one member appointed by each Member State, and two members appointed by the Commission. All members shall have the right to vote.
2. Each member of the Management Board shall have an alternate. That alternate shall represent the member in the member’s absence.
3. Members of the Management Board and their alternates shall be appointed on the basis of their knowledge in the field of cybersecurity, taking into account their relevant managerial, administrative and budgetary skills. The Commission and the Member States shall make efforts to limit the turnover of their representatives on the Management Board, in order to ensure continuity of the Management Board’s work. The Commission and the Member States shall aim to achieve gender balance on the Management Board.
4. The term of office of the members of the Management Board and their alternates shall be four years. That term shall be renewable.
Recital 57
The Management Board, composed of the representatives of the Member States and of the Commission, should establish the general direction of ENISA’s operations and ensure that it carries out its tasks in accordance with this Regulation. The Management Board should be entrusted with the powers necessary to establish the budget, verify the execution of the budget, adopt appropriate financial rules, establish transparent working procedures for decision making by ENISA, adopt ENISA’s single programming document, adopt its own rules of procedure, appoint the Executive Director and decide on the extension and termination of the Executive Director’s term of office.
Recital 58
In order for ENISA to function properly and effectively, the Commission and the Member States should ensure that persons to be appointed to the Management Board have appropriate professional expertise and experience. The Commission and the Member States should also make efforts to limit the turnover of their respective representatives on the Management Board in order to ensure continuity in its work.
Art. 15 CSA - Functions of the Management Board
1. The Management Board shall:
   - establish the general direction of the operation of ENISA and ensure that ENISA operates in accordance with the rules and principles laid down in this Regulation; it shall also ensure the consistency of ENISA’s work with activities conducted by the Member States as well as at Union level;
   - adopt ENISA’s draft single programming document referred to in Article 24, before its submission to the Commission for an opinion;
   - adopt ENISA’s single programming document, taking into account the Commission opinion;
   - supervise the implementation of the multiannual and annual programming included in the single programming document;
   - adopt the annual budget of ENISA and exercise other functions in respect of ENISA’s budget in accordance with Chapter IV;
   - assess and adopt the consolidated annual report on ENISA’s activities, including the accounts and a description of how ENISA has met its performance indicators, submit both the annual report and the assessment thereof by 1 July of the following year, to the European Parliament, to the Council, to the Commission and to the Court of Auditors, and make the annual report public;
   - adopt the financial rules applicable to ENISA in accordance with Article 32;
   - adopt an anti-fraud strategy that is proportionate to the fraud risks, having regard to a cost-benefit analysis of the measures to be implemented;
   - adopt rules for the prevention and management of conflicts of interest in respect of its members;
   - ensure adequate follow-up to the findings and recommendations resulting from investigations of the European Anti-Fraud Office (OLAF) and the various internal or external audit reports and evaluations;
   - adopt its rules of procedure, including rules for provisional decisions on the delegation of specific tasks, pursuant to Article 19(7);
   - with respect to the staff of ENISA, exercise the powers conferred by the Staff Regulations of Officials (the ‘Staff Regulations of Officials’) and the Conditions of Employment of Other Servants of the European Union (the ‘Conditions of Employment of Other Servants’), laid down in Council Regulation (EEC, Euratom, ECSC) No 259/68 (24) on the appointing authority and on the Authority Empowered to Conclude a Contract of Employment (‘appointing authority powers’) in accordance with paragraph 2 of this Article;
   - adopt rules implementing the Staff Regulations of Officials and the Conditions of Employment of Other Servants in accordance with the procedure provided for in Article 110 of the Staff Regulations of Officials;
   - appoint the Executive Director and where relevant extend his or her term of office or remove him or her from office in accordance with Article 36;
   - appoint an accounting officer, who may be the Commission’s accounting officer, who shall be wholly independent in the performance of his or her duties;
   - take all decisions concerning the establishment of ENISA’s internal structures and, where necessary, the modification of those internal structures, taking into consideration ENISA’s activity needs and having regard to sound budgetary management;
   - authorise the establishment of working arrangements with regard to Article 7;
   - authorise the establishment or conclusion of working arrangements in accordance with Article 42.
2. In accordance with Article 110 of the Staff Regulations of Officials, the Management Board shall adopt a decision based on Article 2(1) of the Staff Regulations of Officials and Article 6 of the Conditions of Employment of Other Servants, delegating the relevant appointing authority powers to the Executive Director and determining the conditions under which that delegation of powers can be suspended. The Executive Director may sub-delegate those powers.
3. Where exceptional circumstances so require, the Management Board may adopt a decision to temporarily suspend the delegation of appointing authority powers to the Executive Director and any appointing authority powers sub-delegated by the Executive Director and instead exercise them itself or delegate them to one of its members or to a staff member other than the Executive Director.
Art. 16 CSA - Chairperson of the Management Board
The Management Board shall elect a Chairperson and a Deputy Chairperson from among its members, by a majority of two thirds of the members. Their terms of office shall be four years, which shall be renewable once. If, however, their membership of the Management Board ends at any time during their term of office, their term of office shall automatically expire on that date. The Deputy Chair shall replace the Chairperson ex officio if the Chairperson is unable to attend to his or her duties.
Art. 17 CSA - Meetings of the Management Board
1. Meetings of the Management Board shall be convened by its Chairperson.
2. The Management Board shall hold at least two ordinary meetings a year. It shall also hold extraordinary meetings at the request of its Chairperson, at the request of the Commission, or at the request of at least one third of its members.
3. The Executive Director shall take part in the meetings of the Management Board but shall not have the right to vote.
4. Members of the ENISA Advisory Group may take part in the meetings of the Management Board at the invitation of the Chairperson, but shall not have the right to vote.
5. The members of the Management Board and their alternates may be assisted at the meetings of the Management Board by advisers or experts, subject to the rules of procedure of the Management Board.
6. ENISA shall provide the secretariat of the Management Board.
Art. 18 CSA - Voting rules of the Management Board
1. The Management Board shall take its decisions by a majority of its members.
2. A majority of two-thirds of the members of the Management Board shall be required for the adoption of the single programming document and of the annual budget and for the appointment, extension of the term of office or removal of the Executive Director.
3. Each member shall have one vote. In the absence of a member, their alternate shall be entitled to exercise the member’s right to vote.
4. The Chairperson of the Management Board shall take part in the voting.
5. The Executive Director shall not take part in the voting.
6. The Management Board’s rules of procedure shall establish more detailed voting arrangements, in particular the circumstances in which a member may act on behalf of another member.
Art. 19 CSA - Executive Board
1. The Management Board shall be assisted by an Executive Board.
2. The Executive Board shall:
   - prepare decisions to be adopted by the Management Board;
   - together with the Management Board, ensure the adequate follow-up to the findings and recommendations stemming from investigations of OLAF and the various internal or external audit reports and evaluations;
   - without prejudice to the responsibilities of the Executive Director set out in Article 20, assist and advise the Executive Director in implementing the decisions of the Management Board on administrative and budgetary matters pursuant to Article 20.
3. The Executive Board shall be composed of five members. The members of the Executive Board shall be appointed from among the members of the Management Board. One of the members shall be the Chairperson of the Management Board, who may also chair the Executive Board, and another shall be one of the representatives of the Commission. The appointments of the members of the Executive Board shall aim to ensure gender balance on the Executive Board. The Executive Director shall take part in the meetings of the Executive Board but shall not have the right to vote.
4. The term of office of the members of the Executive Board shall be four years. That term shall be renewable.
5. The Executive Board shall meet at least once every three months. The Chairperson of the Executive Board shall convene additional meetings at the request of its members.
6. The Management Board shall lay down the rules of procedure of the Executive Board.
7. When necessary because of urgency, the Executive Board may take certain provisional decisions on behalf of the Management Board, in particular on administrative management matters, including the suspension of the delegation of the appointing authority powers and budgetary matters. Any such provisional decisions shall be notified to the Management Board without undue delay. The Management Board shall then decide whether to approve or reject the provisional decision no later than three months after the decision was taken. The Executive Board shall not take decisions on behalf of the Management Board that require the approval of a majority of two-thirds of the members of the Management Board.
Recital 60
The Executive Board should contribute to the effective functioning of the Management Board. As part of its preparatory work related to Management Board decisions, the Executive Board should examine relevant information in detail, explore available options and offer advice and solutions to prepare the decisions of the Management Board.
Art. 20 CSA - Duties of the Executive Director
1. ENISA shall be managed by its Executive Director, who shall be independent in the performance of his or her duties. The Executive Director shall be accountable to the Management Board.
2. The Executive Director shall report to the European Parliament on the performance of his or her duties when invited to do so. The Council may invite the Executive Director to report on the performance of his or her duties.
3. The Executive Director shall be responsible for:
   - the day-to-day administration of ENISA;
   - implementing the decisions adopted by the Management Board;
   - preparing the draft single programming document and submitting it to the Management Board for approval before its submission to the Commission;
   - implementing the single programming document and reporting to the Management Board thereon;
   - preparing the consolidated annual report on ENISA’s activities, including the implementation of ENISA’s annual work programme, and presenting it to the Management Board for assessment and adoption;
   - preparing an action plan that follows up on the conclusions of the retrospective evaluations, and reporting on progress every two years to the Commission;
   - preparing an action plan that follows up on the conclusions of internal or external audit reports, as well as on investigations by OLAF and reporting on progress biannually to the Commission and regularly to the Management Board;
   - preparing the draft financial rules applicable to ENISA as referred to in Article 32;
   - preparing ENISA’s draft statement of estimates of revenue and expenditure and implementing its budget;
   - protecting the financial interests of the Union by the application of preventive measures against fraud, corruption and any other illegal activities, by effective checks and, if irregularities are detected, by the recovery of the amounts wrongly paid and, where appropriate, by effective, proportionate and dissuasive administrative and financial penalties;
   - preparing an anti-fraud strategy for ENISA and presenting it to the Management Board for approval;
   - developing and maintaining contact with the business community and consumers’ organisations to ensure regular dialogue with relevant stakeholders;
   - exchanging views and information regularly with Union institutions, bodies, offices and agencies regarding their activities relating to cybersecurity to ensure coherence in the development and the implementation of Union policy;
   - carrying out other tasks assigned to the Executive Director by this Regulation.
4. Where necessary and within ENISA’s objectives and tasks, the Executive Director may set up ad hoc working groups composed of experts, including experts from the Member States’ competent authorities. The Executive Director shall inform the Management Board in advance thereof. The procedures regarding in particular the composition of the working groups, the appointment of the experts of the working groups by the Executive Director and the operation of the working groups shall be specified in ENISA’s internal rules of operation.
5. Where necessary, for the purpose of carrying out ENISA’s tasks in an efficient and effective manner and based on an appropriate cost-benefit analysis, the Executive Director may decide to establish one or more local offices in one or more Member States. Before deciding to establish a local office, the Executive Director shall seek the opinion of the Member States concerned, including the Member State in which the seat of ENISA is located, and shall obtain the prior consent of the Commission and the Management Board. In cases of disagreement during the consultation process between the Executive Director and the Member States concerned, the issue shall be brought to the Council for discussion. The aggregate number of staff in all local offices shall be kept to a minimum and shall not exceed 40 % of the total number of ENISA’s staff located in the Member State in which the seat of ENISA is located. The number of the staff in each local office shall not exceed 10 % of the total number of ENISA’s staff located in the Member State in which the seat of ENISA is located.
   The decision establishing a local office shall specify the scope of the activities to be carried out at the local office in a manner that avoids unnecessary costs and duplication of administrative functions of ENISA.
Recital 59
The smooth functioning of ENISA requires that its Executive Director be appointed on grounds of merit and documented administrative and managerial skills, as well as competence and experience relevant to cybersecurity. The duties of the Executive Director should be carried out with complete independence. The Executive Director should prepare a proposal for ENISA’s annual work programme, after prior consultation with the Commission, and should take all steps necessary to ensure the proper implementation of that work programme. The Executive Director should prepare an annual report to be submitted to the Management Board, covering the implementation of ENISA’s annual work programme, draw up a draft statement of estimates of revenue and expenditure for ENISA, and implement the budget. Furthermore, the Executive Director should have the option of setting up ad hoc working groups to address specific matters, in particular matters of a scientific, technical, legal or socioeconomic nature. In particular, in relation to the preparation of a specific candidate European cybersecurity certification scheme (‘candidate scheme’), the setting up of an ad hoc working group is considered to be necessary. The Executive Director should ensure that the members of ad hoc working groups are selected according to the highest standards of expertise, aiming to ensure gender balance and an appropriate balance, according to the specific issues in question, between the public administrations of the Member States, the Union institutions, bodies, offices and agencies and the private sector, including industry, users, and academic experts in network and information security.
Art. 21 CSA - ENISA Advisory Group
1. The Management Board, acting on a proposal from the Executive Director, shall establish in a transparent manner the ENISA Advisory Group composed of recognised experts representing the relevant stakeholders, such as the ICT industry, providers of electronic communications networks or services available to the public, SMEs, operators of essential services, consumer groups, academic experts in the field of cybersecurity, and representatives of competent authorities notified in accordance with Directive (EU) 2018/1972, of European standardisation organisations, as well as of law enforcement and data protection supervisory authorities. The Management Board shall aim to ensure an appropriate gender and geographical balance as well as a balance between the different stakeholder groups.
2. Procedures for the ENISA Advisory Group, in particular regarding its composition, the proposal by the Executive Director referred to in paragraph 1, the number and appointment of its members and the operation of the ENISA Advisory Group, shall be specified in ENISA’s internal rules of operation and shall be made public.
3. The ENISA Advisory Group shall be chaired by the Executive Director or by any person whom the Executive Director appoints on a case-by-case basis.
4. The term of office of the members of the ENISA Advisory Group shall be two-and-a-half years. Members of the Management Board shall not be members of the ENISA Advisory Group. Experts from the Commission and the Member States shall be entitled to be present at the meetings of the ENISA Advisory Group and to participate in its work. Representatives of other bodies deemed to be relevant by the Executive Director, who are not members of the ENISA Advisory Group, may be invited to attend the meetings of the ENISA Advisory Group and to participate in its work.
5. The ENISA Advisory Group shall advise ENISA in respect of the performance of ENISA’s tasks, except of the application of the provisions of Title III of this Regulation. It shall in particular advise the Executive Director on the drawing up of a proposal for ENISA’s annual work programme, and on ensuring communication with the relevant stakeholders on issues related to the annual work programme.
6. The ENISA Advisory Group shall inform the Management Board of its activities on a regular basis.
Recital 44
In order to ensure that it fully achieves its objectives, ENISA should liaise with the relevant Union supervisory authorities and with other competent authorities in the Union, Union institutions, bodies, offices and agencies, including CERT-EU, EC3, the European Defence Agency (EDA), the European Global Navigation Satellite Systems Agency (European GNSS Agency), the Body of European Regulators for Electronic Communications (BEREC), the European Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA), the European Central Bank (ECB), the European Banking Authority (EBA), the European Data Protection Board, the Agency for the Cooperation of Energy Regulators (ACER), the European Union Aviation Safety Agency (EASA) and any other Union agency involved in cybersecurity. ENISA should also liaise with authorities that deal with data protection in order to exchange know-how and best practices and should provide advice on cybersecurity issues that might have an impact on their work. Representatives of national and Union law enforcement and data protection authorities should be eligible to be represented in the ENISA Advisory Group. In liaising with law enforcement authorities regarding network and information security issues that might have an impact on their work, ENISA should respect existing channels of information and established networks.
Recital 61
ENISA should have an ENISA Advisory Group as an advisory body to ensure regular dialogue with the private sector, consumers’ organisations and other relevant stakeholders. The ENISA Advisory Group, established by the Management Board on a proposal from the Executive Director, should focus on issues relevant to stakeholders and should bring them to the attention of ENISA. The ENISA Advisory Group should be consulted in particular with regard to ENISA’s draft annual work programme. The composition of the ENISA Advisory Group and the tasks assigned to it should ensure sufficient representation of stakeholders in the work of ENISA.
Art. 22 CSA - Stakeholder Cybersecurity Certification Group
1. The Stakeholder Cybersecurity Certification Group shall be established.
2. The Stakeholder Cybersecurity Certification Group shall be composed of members selected from among recognised experts representing the relevant stakeholders. The Commission, following a transparent and open call, shall select, on the basis of a proposal from ENISA, members of the Stakeholder Cybersecurity Certification Group ensuring a balance between the different stakeholder groups as well as an appropriate gender and geographical balance.
3. The Stakeholder Cybersecurity Certification Group shall:
   - advise the Commission on strategic issues regarding the European cybersecurity certification framework;
   - upon request, advise ENISA on general and strategic matters concerning ENISA’s tasks relating to market, cybersecurity certification, and standardisation;
   - assist the Commission in the preparation of the Union rolling work programme referred to in Article 47;
   - issue an opinion on the Union rolling work programme pursuant to Article 47(4); and
   - in urgent cases, provide advice to the Commission and the ECCG on the need for additional certification schemes not included in the Union rolling work programme, as outlined in Articles 47 and 48.
4. The Stakeholder Certification Group shall be co-chaired by the representatives of the Commission and of ENISA, and its secretariat shall be provided by ENISA.
Recital 62
The Stakeholder Cybersecurity Certification Group should be established in order to help ENISA and the Commission facilitate the consultation of relevant stakeholders. The Stakeholder Cybersecurity Certification Group should be composed of members representing industry in balanced proportions, both on the demand side and the supply side of ICT products and ICT services, and including, in particular, SMEs, digital service providers, European and international standardisation bodies, national accreditation bodies, data protection supervisory authorities and conformity assessment bodies pursuant to Regulation (EC) No 765/2008 of the European Parliament and of the Council (1), and academia as well as consumer organisations.
(1) Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products and repealing Regulation (EEC) No 339/93 (OJ L 218, 13.8.2008, p. 30).
Recital 84
The Commission should prepare, with the support of the European Cybersecurity Certification Group (the ‘ECCG’) and the Stakeholder Cybersecurity Certification Group and after an open and wide consultation, a Union rolling work programme for European cybersecurity certification schemes and should publish it in the form of a non-binding instrument. The Union rolling work programme should be a strategic document that allows industry, national authorities and standardisation bodies, in particular, to prepare in advance for future European cybersecurity certification schemes. The Union rolling work programme should include a multiannual overview of the requests for candidate schemes which the Commission intends to submit to ENISA for preparation on the basis of specific grounds. The Commission should take into account the Union rolling work programme while preparing its Rolling Plan for ICT Standardisation and standardisation requests to European standardisation organisations. In light of the rapid introduction and uptake of new technologies, the emergence of previously unknown cybersecurity risks, and legislative and market developments, the Commission or the ECCG should be entitled to request ENISA to prepare candidate schemes which have not been included in the Union rolling work programme. In such cases, the Commission and the ECCG should also assess the necessity of such a request, taking into account the overall aims and objectives of this Regulation and the need to ensure continuity as regards ENISA’s planning and use of resources.
Following such a request, ENISA should prepare the candidate schemes for specific ICT products, ICT services and ICT processes without undue delay. The Commission should evaluate the positive and negative impact of its request on the specific market in question, especially its impact on SMEs, on innovation, on barriers to entry to that market and on costs to end users. The Commission, on the basis of the candidate scheme prepared by ENISA, should be empowered to adopt the European cybersecurity certification scheme by means of implementing acts. Taking account of the general purpose and security objectives laid down in this Regulation, European cybersecurity certification schemes adopted by the Commission should specify a minimum set of elements concerning the subject matter, scope and functioning of the individual scheme. Those elements should include, among other things, the scope and object of the cybersecurity certification, including the categories of ICT products, ICT services and ICT processes covered, the detailed specification of the cybersecurity requirements, for example by reference to standards or technical specifications, the specific evaluation criteria and evaluation methods, as well as the intended assurance level (‘basic’, ‘substantial’ or ‘high’) and the evaluation levels where applicable. ENISA should be able to refuse a request by the ECCG. Such decisions should be taken by the Management Board and should be duly reasoned.
Art. 23 CSA - National Liaison Officers Network
1. The Management Board, acting on a proposal from the Executive Director, shall set up a National Liaison Officers Network composed of representatives of all Member States (National Liaison Officers). Each Member State shall appoint one representative to the National Liaison Officers Network. The meetings of the National Liaison Officers Network may be held in different expert formations.
2. The National Liaison Officers Network shall in particular facilitate the exchange of information between ENISA and the Member States, and shall support ENISA in disseminating its activities, findings and recommendations to the relevant stakeholders across the Union.
3. National Liaison Officers shall act as a point of contact at national level to facilitate cooperation between ENISA and national experts in the context of the implementation of ENISA’s annual work programme.
4. While National Liaison Officers shall cooperate closely with the Management Board representatives of their respective Member States, the National Liaisons Officers Network itself shall not duplicate the work of the Management Board or of other Union forums.
5. The functions and procedures of the National Liaisons Officers Network shall be specified in ENISA’s internal rules of operation and shall be made public.
Recital 27
ENISA should support Member States in the field of cybersecurity awareness-raising and education by facilitating closer coordination and the exchange of best practices between Member States. Such support could consist in the development of a network of national education points of contact and the development of a cybersecurity training platform. The network of national education points of contact could operate within the National Liaison Officers Network and be a starting point for future coordination within the Members States.
Art. 24 CSA - Single programming document
1. ENISA shall operate in accordance with a single programming document containing its annual and multiannual programming, which shall include all of its planned activities.
2. Each year, the Executive Director shall draw up a draft single programming document containing its annual and multiannual programming with the corresponding financial and human resources planning in accordance with Article 32 of Commission Delegated Regulation (EU) No 1271/2013 (1) and taking into account the guidelines set by the Commission.
3. By 30 November each year, the Management Board shall adopt the single programming document referred to in paragraph 1 and shall transmit it to the European Parliament, to the Council and to the Commission by 31 January of the following year, as well as any subsequently updated versions of that document.
4. The single programming document shall become final after the definitive adoption of the general budget of the Union and shall be adjusted as necessary.
5. The annual work programme shall comprise detailed objectives and expected results including performance indicators. It shall also contain a description of the actions to be financed and an indication of the financial and human resources allocated to each action, in accordance with the principles of activity-based budgeting and management. The annual work programme shall be coherent with the multiannual work programme referred to in paragraph 7. It shall clearly indicate tasks that have been added, changed or deleted in comparison with the previous financial year.
6. The Management Board shall amend the adopted annual work programme when a new task is assigned to ENISA. Any substantial amendments to the annual work programme shall be adopted by the same procedure as for the initial annual work programme. The Management Board may delegate the power to make non-substantial amendments to the annual work programme to the Executive Director.
7. The multiannual work programme shall set out the overall strategic programming including objectives, expected results and performance indicators. It shall also set out the resource programming including multi-annual budget and staff.
8. The resource programming shall be updated annually. The strategic programming shall be updated where appropriate and in particular where necessary to address the outcome of the evaluation referred to in Article 67.
(1) Commission Delegated Regulation (EU) No 1271/2013 of 30 September 2013 on the framework financial regulation for the bodies referred to in Article 208 of Regulation (EU, Euratom) No 966/2012 of the European Parliament and of the Council (OJ L 328, 7.12.2013, p. 42).
- 57
- 59
Recital 59
The smooth functioning of ENISA requires that its Executive Director be appointed on grounds of merit and documented administrative and managerial skills, as well as competence and experience relevant to cybersecurity. The duties of the Executive Director should be carried out with complete independence. The Executive Director should prepare a proposal for ENISA’s annual work programme, after prior consultation with the Commission, and should take all steps necessary to ensure the proper implementation of that work programme. The Executive Director should prepare an annual report to be submitted to the Management Board, covering the implementation of ENISA’s annual work programme, draw up a draft statement of estimates of revenue and expenditure for ENISA, and implement the budget. Furthermore, the Executive Director should have the option of setting up ad hoc working groups to address specific matters, in particular matters of a scientific, technical, legal or socioeconomic nature. In particular, in relation to the preparation of a specific candidate European cybersecurity certification scheme (‘candidate scheme’), the setting up of an ad hoc working group is considered to be necessary. The Executive Director should ensure that the members of ad hoc working groups are selected according to the highest standards of expertise, aiming to ensure gender balance and an appropriate balance, according to the specific issues in question, between the public administrations of the Member States, the Union institutions, bodies, offices and agencies and the private sector, including industry, users, and academic experts in network and information security.
Art. 25 CSA - Declaration of interests
1. Members of the Management Board, the Executive Director, and officials seconded by Member States on a temporary basis, shall each make a declaration of commitments and a declaration indicating the absence or presence of any direct or indirect interest which might be considered to be prejudicial to their independence. The declarations shall be accurate and complete, shall be made annually in writing, and shall be updated whenever necessary.
2. Members of the Management Board, the Executive Director, and external experts participating in ad hoc working groups, shall each accurately and completely declare, at the latest at the start of each meeting, any interest which might be considered to be prejudicial to their independence in relation to the items on the agenda, and shall abstain from participating in the discussion of and voting on such items.
3. ENISA shall lay down, in its internal rules of operation, the practical arrangements for the rules on declarations of interest referred to in paragraphs 1 and 2.
- 63
Recital 63
ENISA should have rules in place regarding the prevention and the management of conflicts of interest. ENISA should also apply the relevant Union provisions concerning public access to documents as set out in Regulation (EC) No 1049/2001 of the European Parliament and of the Council (1). The processing of personal data by ENISA should be subject to Regulation (EU) 2018/1725 of the European Parliament and of the Council (2). ENISA should comply with the provisions applicable to the Union institutions, bodies, offices and agencies, and with national legislation regarding the handling of information, in particular sensitive non-classified information and European Union classified information (EUCI).
(1) Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents (OJ L 145, 31.5.2001, p. 43).
(2) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).
Art. 26 CSA - Transparency
1. ENISA shall carry out its activities with a high level of transparency and in accordance with Article 28.
2. ENISA shall ensure that the public and any interested parties are provided with appropriate, objective, reliable and easily accessible information, in particular with regard to the results of its work. It shall also make public the declarations of interest made in accordance with Article 25.
3. The Management Board, acting on a proposal from the Executive Director, may authorise interested parties to observe the proceedings of some of ENISA’s activities.
4. ENISA shall lay down, in its internal rules of operation, the practical arrangements for implementing the transparency rules referred to in paragraphs 1 and 2.
- 20
Recital 20
ENISA should develop and maintain a high level of expertise and operate as a reference point, establishing trust and confidence in the single market by virtue of its independence, the quality of the advice it delivers, the quality of information it disseminates, the transparency of its procedures, the transparency of its methods of operation, and its diligence in carrying out its tasks. ENISA should actively support national efforts and should proactively contribute to Union efforts while carrying out its tasks in full cooperation with the Union institutions, bodies, offices and agencies and with the Member States, avoiding any duplication of work and promoting synergy. In addition, ENISA should build on input from and cooperation with the private sector as well as other relevant stakeholders. A set of tasks should establish how ENISA is to accomplish its objectives while allowing flexibility in its operations.
Art. 27 CSA - Confidentiality
1. Without prejudice to Article 28, ENISA shall not divulge to third parties information that it processes or receives in relation to which a reasoned request for confidential treatment has been made.
2. Members of the Management Board, the Executive Director, the members of the ENISA Advisory Group, external experts participating in ad hoc working groups, and members of the staff of ENISA, including officials seconded by Member States on a temporary basis, shall comply with the confidentiality requirements of Article 339 TFEU, even after their duties have ceased.
3. ENISA shall lay down, in its internal rules of operation, the practical arrangements for implementing the confidentiality rules referred to in paragraphs 1 and 2.
4. If required for the performance of ENISA’s tasks, the Management Board shall decide to allow ENISA to handle classified information. In that case ENISA, in agreement with the Commission services, shall adopt security rules applying the security principles set out in Commission Decisions (EU, Euratom) 2015/443 (1) and 2015/444 (2). Those security rules shall include provisions for the exchange, processing and storage of classified information.
(1) Commission Decision (EU, Euratom) 2015/443 of 13 March 2015 on Security in the Commission (OJ L 72, 17.3.2015, p. 41).
(2) Commission Decision (EU, Euratom) 2015/444 of 13 March 2015 on the security rules for protecting EU classified information (OJ L 72, 17.3.2015, p. 53).
- 63
Art. 28 CSA - Access to documents
1. Regulation (EC) No 1049/2001 shall apply to documents held by ENISA.
2. The Management Board shall adopt arrangements for implementing Regulation (EC) No 1049/2001 by 28 December 2019.
3. Decisions taken by ENISA pursuant to Article 8 of Regulation (EC) No 1049/2001 may be the subject of a complaint to the European Ombudsman under Article 228 TFEU or of an action before the Court of Justice of the European Union under Article 263 TFEU.
- 63