COUNCIL OF THE EUROPEAN UNION
Brussels, 28 November 2011
TELECOM 187 MI 607 DATAPROTECT 140 JAI 867 CAB 53 INST 582 CODEC 2191
No. Cion prop.: 14358/10 TELECOM 99 MI 346 DATAPROTECT 70 JAI 794 CAB 16 INST 361 CODEC 943
Subject: PREPARATION OF THE TTE COUNCIL MEETING (TRANSPORT, TELECOMMUNICATIONS, ENERGY) ON 12 AND 13 DECEMBER 2011
Proposal for a Regulation of the European Parliament and of the Council concerning the European Network and Information Security Agency (ENISA)
2. The proposal has been examined in numerous meetings of the Working Party on
Telecommunications and the Information Society. A first progress report was presented by
the Presidency to the TTE Council of 3 December 2010. A second progress report was
presented to the TTE Council on 27 May 2011. A Presidency compromise text on the draft
Regulation, attached to the second progress report, was broadly supported in principle by
delegations. However, the duration of the agency was signalled as an outstanding issue and
no compromise proposal was presented at that point. During the discussions several
delegations agreed in principle to a mandate limited in time, including a longer mandate
than that proposed by the Commission. On the other hand, several delegations supported an
3. The European Parliament has started its first reading and Mr Giles Chichester, rapporteur in
the ITRE Committee of the European Parliament, presented his draft report on 5 October
2011. The vote in the ITRE Committee, initially scheduled to take place on 10 November
2011, was postponed and is now scheduled in the early part of 2012.
4. With the aim of achieving progress, the Working Party on Telecommunications and the
Information Society continued the examination of the proposal under the Polish Presidency
and collected the views of delegations on several issues related to, among others, the
duration, the tasks and the structure of the ENISA. The Presidency believes that the
Presidency Compromise Proposal for a
REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
Concerning the European Network and Information Security Agency (ENISA)
THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty on the Functioning of the European Union, and in particular Article 114
Having regard to the proposal from the European Commission,
Having regard to the opinion of the European Economic and Social Committee,
After consulting the Committee of the Regions,
After transmission of the proposal to the national Parliaments,
Electronic communications, infrastructure and services are an essential factor in economic
and societal development. They play a vital role for society and have become ubiquitous
utilities in the same way that electricity or water supplies are. Their disruption has the
potential to cause considerable economic damage, underlining the importance of measures to
increase protection and resilience aimed at ensuring continuity of critical services. The
security of electronic communications, infrastructure and services, in particular their integrity,
availability and confidentiality, faces continuously expanding challenges. This is of
increasing concern to society not least because of the possibility of problems due to system
complexity, accidents, mistakes and attacks that may have consequences for the physical
infrastructure which delivers services critical to the well-being of European citizens.
The threat landscape is continuously changing and security incidents can undermine the trust
and confidence that users have in technology, networks and services, thereby affecting their
ability to exploit the full potential of the internal market and widespread use of ICT.
The representatives of the Member States, meeting in the European Council on 13 December
2003, decided that the European Network and Information Security Agency (ENISA), that
was to be established on the basis of the proposal submitted by the Commission, would have
its seat in a town in Greece to be determined by the Greek Government. The Greek
Government decided to assign the seat of the Agency to Heraklion.
In 2004 the European Parliament and the Council adopted a Regulation (EC) No 460/2004
(5) In response to the changing challenges of network and information security, the Union has
updated its priorities for network and information security policy in a number of documents,
including the 2006 Commission Communication "A Strategy for a Secure Information Society
– Dialogue, partnership and empowerment", the Council Resolution of 2007 on a Strategy
for a Secure Information Society in Europe, the 2009 Communication on Critical Information
Infrastructure Protection "Protecting Europe from large scale cyber-attacks and
disruptions: enhancing preparedness, security and resilience", the 2009 Presidency
Conclusions of the Ministerial Conference on Critical Information Infrastructure Protection
(CIIP) in Tallinn, the Council Resolution of 2009 on a collaborative European approach to
Network and Information Security, the 2011 Presidency Statement following the Ministerial
Conference on CIIP in Balatonfüred and the 2011 Council Conclusions on the Critical
Information Infrastructure Protection "Achievements and next steps: towards global
cyber-security". The Digital Agenda for Europe recognized the need to modernise the Agency.
The present proposal aims to strengthen the Agency to successfully contribute to the efforts of
the Union's institutions and the Member States to develop a European capacity to cope with
network and information security challenges.
(6) The European Data Protection Supervisor was consulted and adopted its opinion on 20
Internal market measures in the field of security of electronic communications, and, more
generally, network and information security require different forms of technical and
organisational applications by the Member States and the Commission. The heterogeneous
application of these requirements can lead to inefficiencies and can create obstacles to the
internal market. This calls for a centre of expertise at European level providing guidance,
advice, and when called upon, assistance on issues related to network and information
security, which may be relied upon by the Member States and the Union's institutions. The
Agency can respond to these needs by developing and maintaining a high level of expertise
and assisting the Member States, the Commission and as a consequence the business
community to meet the legal and regulatory requirements of network and information
security, thereby contributing to the smooth functioning of the internal market.
The Agency should carry out the tasks conferred on it by Union legislation in the field of
electronic communications and, in general, contribute to an enhanced level of security of
electronic communications by, among other things, providing expertise and advice, and
promoting the exchange of good practices.
Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a
common regulatory framework for electronic communications networks and services
(Framework Directive) requires that providers of public electronic communications
networks or publicly available electronic communications services take appropriate measures
(10) Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002
concerning the processing of personal data and the protection of privacy in the electronic
communications sector (Directive on privacy and electronic communications) requires a
provider of a publicly available electronic communications service to take appropriate
technical and organisational measures to safeguard the security of its services and also
requires confidentiality of the communications and related traffic data. Directive 2002/58/EC
introduces personal data breach information and notification requirements for electronic
communication services providers. It also requires the Commission to consult the Agency on
any technical implementing measures to be adopted concerning the circumstances or format
of and procedures applicable to information and notification requirements. Directive
95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection
of individuals with regard to the processing of personal data and on the free movement of
such data requires Member States to provide that the controller must implement appropriate
technical and organisational measures to protect personal data against accidental or unlawful
destruction or accidental loss, alteration, unauthorised disclosure or access, in particular
where the processing involves the transmission of data over a network and against all other
unlawful forms of processing.
(11) The Agency should operate as a point of reference establishing trust and confidence by
virtue of its independence, the quality of the advice it delivers and the information it
(12) A set of tasks should indicate how the Agency is to accomplish its objectives while allowing
flexibility in its operations.
(13) The Agency should assist the Commission by means of advice, opinions and analyses on all
the Union matters related to policy development in the area of network and information
security, including CIIP and resilience. The Agency should also assist the Member States, at
their request, and the Union institutions and bodies set up by Union law in their efforts to
develop network and information security policy and capability.
(14) The Agency should utilise the ongoing research, development, and technological
assessment activities, in particular those carried out by the different Union research
initiatives to advise the Union and, at their request, the Member States on research
needs in the area of network and information security.
(15) The Agency should assist the Member States, at their request, as well as the Union's
(16) To understand better the challenges in the network and information security field, the Agency
needs to analyse current and emerging risks. For that purpose the Agency should, in
cooperation with Member States, Union bodies and, as appropriate, statistical bodies, collect
relevant information. Furthermore, the Agency should assist the Member States and the
Union's institutions and bodies set up by Union law in their efforts to collect, analyse and
disseminate network and information security data. The collection of appropriate statistical
information and data needed to carry out analyses of the risks to the security and resilience of
electronic communications, infrastructure and services should take place on the basis of the
information provided by the Member States and the Agency's insight into the Union's
Institutions' ICT infrastructures in accordance with the Union provisions and national
provisions in compliance with the Union law. On the basis of this information, the Agency
should maintain awareness of the latest state of network and information security and related
trends in Europe for the benefit of the Member States and the Union's institutions.
(17) To ensure full achievement of its objectives, the Agency should liaise with bodies set up by
Union law, including those dealing with cybercrime and privacy protection authorities to
exchange know-how and best practices and provide advice on network and information
security aspects that might have an impact on their work aiming to deliver synergies between
their efforts and the Agency's efforts to promote advanced network and information security.
Representatives of Union law enforcement and privacy protection authorities should be
(19) To promote network and information security and its visibility the Agency should facilitate
cooperation among the Member States' competent public bodies, in particular by supporting
the development and exchange of good practices and awareness-raising schemes and by
enhancing their outreach activities. The Agency should also support cooperation between
public and private stakeholders and the Union's institutions, partly by promoting information
sharing and awareness-raising activities.
(20) To enhance an advanced level of network and information security in the Union the Agency
shall support and promote voluntary cooperation and exchange of good practices between
relevant organisations e.g. Computer Security Incident Response Teams
(CSIRTs)/Computer Emergency Response Teams (CERTs).
(21) Efficient security policies should be based on well-developed risk assessment methods, both
in the public and private sector. Risk assessment methods and procedures are used at different
levels with no common practice on their efficient application. The promotion and
development of best practice for risk assessment and for interoperable risk management
solutions in public and private sector organisations will increase the security level of networks
and information systems in Europe. To this end, the Agency should support cooperation
between public and private stakeholders at Union level, facilitating their efforts relating to the
establishment and take-up of European and international standards for risk management and
(23) The Agency should operate according to, respectively, (i) the principle of subsidiarity,
ensuring an appropriate degree of coordination between the Member States on NIS-related
matters and improving the effectiveness of national policies, thus adding value to them and
(ii) the principle of proportionality, not going beyond what is necessary in order to achieve the
objectives set out by this Regulation. The exercise of the Agency's tasks should not interfere
with the competencies nor pre-empt, impede or overlap with the relevant powers and tasks of:
the national regulatory authorities as set out in the Directives relating to the electronic
communications networks and services, as well as on the Body of European Regulators for
Electronic Communications (BEREC) established by Regulation 1211/2009 of the European
Parliament and the Council and the Communications Committee referred to in Directive
2002/21/EC, the European standardisation bodies, the national standardisation bodies and the
Standing Committee as set out in Directive 98/34/EC of the European Parliament and of the
Council of 22 June 1998 laying down a procedure for the provision of information in the field
of technical standards and regulations and of rules on Information Society Services and the
supervisory authorities of the Member States relating to the protection of individuals with
regard to the processing of personal data and on the free movement of such data.
(24) In order to ensure that the Agency is effective, the Member States and the Commission should
be represented on a Management Board, which should define the general direction of the
operation of the Agency and ensure that it carries out its tasks in accordance with this
(26) The Agency should have a Permanent Stakeholders' Group as an advisory body, to ensure
regular dialogue with the private sector, consumers' organisations, providers of electronic
communications networks or services available to the public and other relevant stakeholders.
(27) The Agency should apply the relevant Union legislation concerning public access to
documents as set out in Regulation (EC) No 1049/2001 of the European Parliament and of the
Council. The information processed by the Agency for purposes relating to its internal
functioning as well as the information processed during the performance of its tasks should be
subject to the Regulation (EC) No 45/2001 of the European Parliament and of the Council of
18 December 2000 on the protection of individuals with regard to the processing of personal
data by the Community institutions and bodies and on the free movement of such data.
(28) Within its scope, in its objectives and in the fulfilment of its tasks, the Agency should comply
in particular with the provisions applicable to the Union's institutions, and with national
legislation regarding the treatment of sensitive documents.
(29) In order to guarantee the full autonomy and independence of the Agency, it is considered
necessary to grant it an autonomous budget whose revenue comes primarily from a
contribution from the Union and contributions from third countries participating in the
Agency's work. The host Member State, or any other Member State, should be allowed to
(30) The Agency should succeed ENISA as established by Regulation No 460/2004. Within the
framework of the decision of the Representatives of the Member States, meeting in the
European Council of 13 December 2003, the host Member State should maintain and develop
the current practical arrangements in order to ensure the smooth and efficient operation of the
Agency. Further to this, the Agency should be able to establish branch offices insofar as it is
necessary to achieve the objectives set out in Article 2 of this Regulation and taking due
account of the budgetary implications. When taking such a decision, the scope of the activities
of the functional office and the resources should be determined.
(31) The Agency should be established for a limited period. By ... and every five four years
thereafter, its operations should be evaluated independently with regard to the effectiveness of
achieving the objectives, of its working practices and the relevance of the activities pursued,
in order to determine the continuing validity, or otherwise, of the objectives of the Agency
and, based on this, whether and for which period the duration of its operations should be
SECTION 1 SCOPE, OBJECTIVES AND TASKS
Subject matter and Scope
2. The objectives and the tasks of the Agency shall be without prejudice to the competencies of
the Member States regarding network and information security and in any case to activities
concerning public security, defence, State security (including the economic well-being of the
State when the issues relate to State security matters) and the activities of the State in areas of
3. For the purposes of this Regulation "network and information security" shall mean the ability
of a network or an information system to resist, at a given level of confidence, accidental
events or unlawful or malicious actions that compromise the availability, authenticity,
integrity and confidentiality of stored or transmitted data and the related services offered by or
accessible via these networks and systems.
1. The Agency shall develop and maintain a high level of expertise.
2. The Agency shall assist the Union's institutions to develop the necessary policies in network
and information security.
1. Within the purpose set out in Article 1, and for the objectives referred to in Article 2, the
Agency shall perform the following tasks:
(a) Assist the Commission, at its request or on its own initiative, on all matters related to
network and information security policy by providing it with advice, opinions and
analyses, and with preparatory work for developing and updating Union legislation in
the field of network and information security;
(b) Advise the Union and, at their request, the Member States on research needs in the area
of network and information security with a view to enabling effective responses to
current and emerging network and information security risks and threats and to using
risk prevention technologies effectively;
(c) Facilitate the cooperation among the Member States and between the Member States
and the Union's Institutions in their efforts to prevent, detect and respond to network
and information security problems and incidents where these have an impact across
(f) Support the Member States, at their request, and the Union's Institutions to organise
awareness raising and other outreach activities to increase network and information
security and its visibility;
(g) Assist the Union's institutions and bodies set up by Union law in their efforts to develop
network and information security prevention, detection, analysis and response
(h) Assist the Member States and the Union's institutions and bodies set up by Union law in
their efforts to collect, analyse and disseminate network and information security data;
(i) On the basis of information provided by the Member States and the Union's Institutions
in accordance with the Union provisions and national provisions in compliance with the
Union law, maintain awareness of the latest state of network and information security in
the Union for the benefit of the Member States and the Union's Institutions;
(j) Liaise, exchange know-how and best practices with bodies set up by Union law,
including those dealing with cybercrime and data protection, and provide advice on
network and information security aspects that might have an impact on their work
aiming to deliver synergy between their efforts and the Agency's efforts to promote
improved network and information security;
(l) Contribute to the Union efforts to cooperate with third countries and international
organisations, where appropriate with the EEAS, to promote international cooperation
and a global common approach to network and information security issues for instance
by supporting cooperation with the relevant organisations e.g. CSIRTs/CERTs and
by participating promoting involvement in international cyber network and
information security exercises in particular;
(m) Provide Member States, at their request, with the necessary knowledge, training and
other resources needed available to strengthen their network and information security
(n) Express independently its own conclusions, orientations and give advice on matters
within the scope and objectives of this Regulation.
2. The Agency shall carry out tasks conferred on it by Union legislative acts.
SECTION 2 ORGANISATION
1. The Management Board shall define the general direction of the operation of the Agency and
ensure that the Agency works in accordance with the rules and principles laid down in this
Regulation. It shall also ensure consistency of the Agency's work with activities conducted by
the Member States as well as by the Union's Institutions and bodies set up by Union law.
2. The Management Board shall adopt its rules of procedure after consulting the Commission.
3. The Management Board shall adopt the Agency's internal rules of operation after consulting
the Commission. These rules shall be made public.
4. The Management Board shall appoint the Executive Director in accordance with Article 10(2)
and may dismiss the Executive Director.
5. The Management Board shall be consulted by the Executive Director on the main activities,
priorities and objectives that the Agency shall be focusing on for the next year. The first draft
of the Agency's work programme shall be based on the result of this consultation.
6. The Management Board shall adopt the Agency's work programme in accordance with
7. Without prejudice to the respective competences of the Member States and the Union's
institutions, the Management Board may decide on administrative arrangements with the
competent authorities of the third countries and with international organisations. Those
9. The Management Board shall adopt the financial rules applicable to the Agency. They may
not depart from Commission Regulation (EC, Euratom) No 2343/2002 of 19 November 2002
on the framework Financial Regulation for the bodies referred to in Article 185 of Council
Regulation (EC, Euratom) No 1605/2002 on the Financial Regulation applicable to the
general budget of the European Communities, unless such departure is specifically required
for the Agency's operation and the Commission has given its prior consent.
10. The Management Board shall adopt appropriate implementing rules, in accordance with Article
110 of the Staff Regulations of officials of the European Union.
11. The Management Board may set up working bodies composed of its members to assist it in
carrying out its tasks, including drafting its decisions and monitoring the implementation
13. Insofar as it is necessary to achieve the objectives set out in Article 2 of this Regulation and
taking due account of the budgetary implications, including a contribution which the host
Member State might provide, the Management Board, in exceptional cases, may decide, with
the agreement of the host Member State, upon the establishment of [functional] offices in the
host Member State, subject to its consent. When taking such a decision, the Management
Board shall define the precise scope of the activities of the functional office.
2. Management Board members and their alternates shall be appointed on the basis of their
degree of relevant experience and expertise in the field of network and information security.
3. The term of office of the representatives of the groups referred to in points (a) to (d) of
paragraph 1 shall be four years. This term of office may be extended once. If a
representative ceases his/her affiliation with the respective interest group, the Commission
shall appoint a replacement.
Chair of the Management Board
The Management Board shall elect its Chair and a Deputy Chair from among its members for
a period of three years, which shall be renewable once. The Deputy Chair shall ex officio
replace the Chair if the latter is unable to attend to his or her duties.
1. Meetings of the Management Board shall be convened by its Chair.
2. The Management Board shall hold an ordinary meeting twice a year. It shall also hold
1. The presence of at least two thirds of the Management Board members with the right to vote
or of their alternates is required to enable the Management Board to vote. A member of the
Management Board who is prevented from attending a meeting may arrange to be represented
in accordance with the rules of procedure of the Management Board. The Management Board
shall take its decisions by a majority of its members with the right to vote.
2. A two-thirds majority of all Management Board members with the right to vote is required for
the adoption of its rules of procedure, the Agency's internal rules of operation, the budget, the
annual work programme, the establishment of [functional] offices in the host Member States
and the appointment, extension of the term of office or dismissal of the Executive Director.
1. The Agency shall be managed by its Executive Director, who shall be independent in the
performance of his/her duties and demonstrate on an ongoing basis commitment to good and
2. The Executive Director shall be appointed by the Management Board from a list of candidates
3. In the course of the nine months preceding the end of the Executive Director's term of office
referred to in paragraph 2 and without prejudice to Article 23 (1) and (2), the Commission
shall draw up an evaluation report. In the evaluation report, the Commission shall assess in
- the performance of the Executive Director and
- the Agency's duties and requirements in the coming years.
4. The Management Board, acting on a proposal from the Commission, taking into account the
evaluation report and only in those cases where it can be justified by the duties and
requirements of the Agency, may extend the term of office of the Executive Director for a
period not longer than three years.
5. The Management Board shall inform the European Parliament about its intention to extend
the Executive Director's term of office. Within three months before the extension of his/her
term of office, the Executive Director shall, if invited, make a statement before the competent
committee of the Parliament and answer questions put by its members.
(e) developing and maintaining contact with the Union's institutions and bodies set up by Union law;
(f) developing and maintaining contact with the business community and consumers' organisations to ensure regular dialogue with relevant stakeholders;
(g) other tasks assigned to him/her by this Regulation.
8. Where necessary and within the Agency's objectives and tasks, the Executive Director may
set up ad hoc Working Groups composed of experts, including from the Member States'
authorities. The Management Board shall be informed in advance. The procedures regarding
in particular the composition, the appointment of the experts by the Executive Director and
the operation of the ad hoc Working Groups shall be specified in the Agency's internal rules
9. The Executive Director shall make administrative support staff and other resources available
to the Management Board whenever necessary.
Permanent Stakeholders' Group
1. The Management Board shall set up a Permanent Stakeholders' Group on a proposal by the
3. The Group shall be chaired by the Executive Director. On a proposal of the Executive
Director, the Management Board may decide to delegate the task of the Chair of the
Group to a Member of the Group.
4. The term of office of the Group's members shall be two-and-a-half years. Members of the
Management Board may not be members of the Group. Commission staff and experts from
the Member States shall be entitled to be present at the meetings and participate in the work of
the Group. If they are not members, other relevant bodies set up by Union law may be invited
to be present at the meetings and participate in the work of the Group.
5. The Group shall advise the Agency in the performance of its activities. The Group shall in
particular advise the Executive Director on drawing up a proposal for the Agency's work
programme, and on ensuring communication with the relevant stakeholders on all issues
related to the work programme.
SECTION 3 OPERATION
3. Before 1 March each year the Executive Director shall submit the first draft of the Agency's
work programme for the following year to the Management Board.
Before 30 November each year, the Management Board shall adopt the Agency's work
programme for the following year in consultation with the Commission. The work programme
shall include a multi-annual outlook, which shall cover main aspects of the Agency's
operations, activities and commitments. The Management Board shall ensure that the work
programme clearly states the objectives to be achieved, the resources to be allocated, how the
results of the Agency's activities shall be measured and that the work programme is consistent
with the Agency's objectives and with the Union's legislative and policy priorities in the area
of network and information security.
The work programme shall be organised in accordance with the Activity-Based Management
(ABM) principle, with an indication of the anticipated human and financial resources
allocated to each activity. The work programme shall be in line with the statement of
estimates of the Agency's revenue and expenditure and the Agency's budget for the same
financial year covered by the programme.
Each year, the Executive Director shall submit to the Management Board a draft general
Requests to the Agency
1. Requests for advice and assistance falling within the Agency's objectives and tasks shall be
addressed to the Executive Director and accompanied by background information explaining
the issue to be addressed. The Executive Director shall inform the Management Board of the
requests received, the potential resource implications and in due course, of the follow-up
given to the requests. If the Agency refuses a request, justification shall be given.
2. Requests referred to in paragraph 1 may be made by:
(a) the European Parliament;
(b) the Council;
(c) the Commission;
(d) any competent body appointed by a Member State, such as a national regulatory
authority as defined in Article 2 of Directive 2002/21/EC.
3. The practical arrangements for applying paragraphs 1 and 2, regarding in particular
submission, prioritisation, follow up and information of the Management Board on the
requests to the Agency, shall be laid down by the Management Board in the Agency's internal
rules of operation.
2.Members of the Management Board, external experts participating in ad hoc Working Groups
and the Executive Director, shall declare at the latest at each meeting any interest which might
be considered prejudicial to their independence in relation to the items on the agenda. The
procedure related to the replacement of a member in the meeting or its abstention from
participating in the discussions on such points shall be laid down by the Management Board
in the Agency's internal rules of operation.
1.The Agency shall ensure that it carries out its activities with a high level of transparency and
in accordance with Articles 14 and 15.
2.The Agency shall ensure that the public and any interested parties are given objective,
reliable and easily accessible information, in particular with regard to the results of its work,
where appropriate. It shall also make public the declarations of interest made in accordance
with Article 15.
3.The Management Board, acting on a proposal from the Executive Director, may authorise
interested parties to observe the proceedings of some of the Agency's activities.
2.Members of the Management Board, the Executive Director, the members of the Permanent
Stakeholders Group, external experts participating in ad hoc Working Groups, and members
of the staff of the Agency including officials seconded by Member States on a temporary
basis are subject to confidentiality requirements under Article 339 of the Treaty even after
their duties have ceased.
3.The Agency shall lay down in its internal rules of operation the practical arrangements for
implementing the confidentiality rules referred to in paragraphs 1 and 2.
4.The Management Board may decide to allow the Agency to handle classified information. In
that case the Management Board shall, in agreement with the Commission, adopt internal
rules of operation applying the security principles contained in Commission Decision
2001/844/EC, ECSC, Euratom of 29 November 2001 amending its internal rules of
procedure. This shall cover, inter alia, provisions for the exchange, processing and storage
of classified information.
Access to documents
1.Regulation (EC) No 1049/2001 shall apply to documents held by the Agency.
SECTION 4 FINANCIAL PROVISIONS
Adoption of the budget
1.The revenues of the Agency shall consist of a contribution from the European Union budget,
contributions from third countries participating in the work of the Agency as provided for in
Article 28, and voluntary contributions from Member States, in money or in kind. Member
States providing voluntary contributions cannot claim any specific right or service as a result
of this contribution.
2.The expenditure of the Agency shall include staff, administrative and technical support,
infrastructure and operational expenses, and expenses resulting from contracts entered into
with third parties.
3.By 1 March each year at the latest, the Executive Director shall draw up a draft statement of
estimates of the Agency's revenue and expenditure for the following financial year, and shall
forward it to the Management Board, together with a draft establishment plan.
7.This statement of estimates shall be forwarded by the Commission to the European Parliament
and the Council (both hereinafter 'the budgetary authority') together with the draft general
budget of the European Union.
8.On the basis of this statement of estimates, the Commission shall enter in the draft general
budget of the European Union the estimates it deems necessary for the establishment plan and
the amount of the subsidy to be charged to the general budget, which it shall submit to the
budgetary authority in accordance with Article 314 of the Treaty.
9.The budgetary authority shall authorise the appropriations for the subsidy to the Agency.
10.The budgetary authority shall adopt the establishment plan for the Agency.
11.Together with the work programme, the Management Board shall adopt the Agency's budget.
It shall become final following final adoption of the general budget of the European Union.
Where appropriate, the Management Board shall adjust the Agency's budget and work
programme in accordance with the general budget of the European Union. The Management
Board shall forward it without delay to the Commission and the budgetary authority.
2.The Agency shall accede to the Interinstitutional Agreement of 25 May 1999 between the
European Parliament and the Council of the European Union and the Commission of the
European Communities concerning internal investigations by the European Anti-fraud Office
(OLAF) and shall issue, without delay, the relevant provisions applicable to all the
employees of the Agency.
Implementation of the budget
1.The Executive Director shall implement the Agency's budget.
2.The Commission's internal auditor shall exercise the same powers over the Agency as over
3.By 1 March at the latest following each financial year, the Agency's accounting officer shall
send the provisional accounts to the Commission's accounting officer together with a report
on the budgetary and financial management for that financial year. The Commission's
accounting officer shall consolidate the provisional accounts of the institutions and
decentralised bodies in accordance with Article 128 of Council Regulation (EC, Euratom) No
1605/2002 of 25 June 2002 on the Financial Regulation applicable to the general budget of
5.On receipt of the Court of Auditors' observations on the Agency's provisional accounts,
pursuant to Article 129 of the general Financial Regulation, the Executive Director shall draw
up the Agency's final accounts under his/her own responsibility and send them to the
Management Board for an opinion.
6.The Management Board shall deliver an opinion on the Agency's final accounts.
7.The Executive Director shall, no later than 1 July following each financial year, transmit the
final accounts to the European Parliament, the Council, the Commission and the Court of
Auditors, together with the Management Board's opinion.
8.The Executive Director shall publish the final accounts.
9.The Executive Director shall send the Court of Auditors a reply to its observations by
30 September at the latest. He/she shall also send this reply to the Management Board.
10.The Executive Director shall submit to the European Parliament, at the latter's request, all the
information necessary for the smooth application of the discharge procedure for the financial
year in question, as laid down in Article 146(3) of the general Financial Regulation.
SECTION 5 GENERAL PROVISIONS
1.The Agency shall be a body of the Union. It shall have legal personality.
2.In each of the Member States the Agency shall enjoy the most extensive legal capacity
accorded to legal persons under their laws. It may, in particular, acquire and dispose of
movable and immovable property and be a party to legal proceedings.
3.The Agency shall be represented by its Executive Director.
4.The Agency may establish [functional] offices in accordance with Article 5(13).
1.The rules and regulations applicable to officials and other staff of the Union shall apply to the
staff of the Agency, including its Executive Director.
In respect of the Executive Director, the Management Board shall exercise all the powers
Privileges and immunities
The Protocol on the Privileges and Immunities of the European Communities shall apply to the
Agency and its staff.
1.The contractual liability of the Agency shall be governed by the law applicable to the contract
The Court of Justice of the European Union shall have jurisdiction to give judgment pursuant
to any arbitration clause contained in a contract concluded by the Agency.
2.In the case of non-contractual liability, the Agency shall, in accordance with the general
principles common to the laws of the Member States, make good any damage caused by it or
its servants in the performance of their duties.
The Court of Justice shall have jurisdiction in any dispute relating to compensation for such
1.The provisions laid down in Regulation No 1 of 15 April 1958 determining the languages to
be used in the European Economic Community shall apply to the Agency. The Member
States and the other bodies appointed by them may address the Agency and receive a reply in
the European Union language of their choice.
2.The translation services required for the functioning of the Agency shall be provided by the
Translation Centre for the Bodies of the European Union.
Protection of personal data
When processing data relating to individuals, in particular while performing its tasks, the Agency
shall observe the principles of personal data protection in, and be subject to, the provisions of
Participation of third countries
SECTION 6 FINAL PROVISIONS
Review clause and evaluation
1.By [....] and every four years thereafter, the Commission, taking into account the views of all
relevant stakeholders, shall request an independent third party evaluation on the basis of terms
of reference agreed with the Management Board.
2.The evaluation shall assess the effectiveness of the Agency in achieving the objectives set out
in Article 2, the relevance of the activities pursued and their relationship and/or
complementarity with existing national and Union policies, and the effectiveness of the
Agency's working practices.
3.The evaluation shall serve as a basis in order to determine whether an Agency is still an
effective instrument, whether its budget planning for the following years is still appropriate
and whether and for which period the duration of the Agency should be further extended
beyond the period specified in Article 33.
4.The evaluation report shall be forwarded by the Commission to the European Parliament and
Cooperation of the host Member State
The Agency's host Member State shall ensure the best possible conditions for the smooth and
efficient operation of the Agency.
The operations of the Agency are subject to the supervision of the Ombudsman in accordance with
Article 228 of the Treaty.
Repeal and succession
1.Regulation (EC) No 460/2004 is repealed.
References to Regulation (EC) No 460/2004 and to ENISA shall be construed as references to
this Regulation and to the Agency.
2.The Agency succeeds the Agency that was established by Regulation (EC) No 460/2004 as
Entry into force
This Regulation shall enter into force on the day following that of its publication in the Official
Journal of the European Union, and shall apply with effect from [14 March 2012] or from the day
following that of its publication, whichever comes later.
This Regulation shall be binding in its entirety and directly applicable in all Member States.
Done at [...],
For the European Parliament For the Council
The President The President