In accordance with Regulation (EU) No 526/2013, the Commission presented a report on the evaluation of the European Union Agency for Network and Information Security (ENISA).

Background : ENISA’s mandate, which expires on 19 June 2020, is to contribute to a high level of network and information security within the Union.

In addition, Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (the 'NIS Directive') attribute important roles to ENISA in the implementation of the law.

The Agency is located in Greece. It has 84 staff members and an annual operating budget of EUR 11.25 million.

In light of the significant changes that occurred in the cybersecurity landscape since 2013, the Commission announced that it would advance the evaluation and review of ENISA (initially for the 20 of June 2018). The Council confirmed this priority stating that the ENISA Regulation is one of the ‘ core essential elements of an EU cyber resilience framework ’.

Main findings of the evaluation : in order to evaluate the Agency's functioning, the Commission procured an independent study, which was carried out from November 2016 to July 2017, and which constitutes the main source of the evaluation together with internal analysis carried out by the Commission. The following conclusions were reached:

Effectiveness and added value : despite an inadequately detailed mandate limiting its ability to exert great influence, the objectives set for the Agency proved to be relevant during the period 2013-2016 in the light of developments technologies and threats and the pressing need to increase network and information security in the EU.

The Agency managed to achieve good levels of efficiency and showed the added value of acting at the EU level, in particular through key activities, such as the pan-European Cyber Exercises, the support to the CSIRTs community (established to promote swift and effective operational cooperation between Member States), the analyses on the threat landscape.

ENISA’s added value lays primarily in the Agency's ability to enhance cooperation, mainly between Member States but also with related NIS communities.

Reform is needed : in a context where new threats are emerging, where Europe’s dependence on digital infrastructure and services is increasing and the Internet of Things opens new perspectives in the field of energy efficiency, environmental protection, and connected mobility, the evaluation showed that the current mandate does not provide ENISA with the necessary tools to face the current and future cybersecurity challenges.

There is also a clear need for cooperation and coordination across different stakeholders. The need for a coordinating entity at EU level to facilitate information flows, minimise gaps and avoid overlapping of roles and responsibilities becomes ever more acute. ENISA, as a decentralised EU agency and a neutral broker, is in the position to coordinate EU's approach to cyber threats.

On this basis, the Commission has put forward a proposal to reform ENISA , entrusting it with a permanent mandate that builds on the key strengths showed by the Agency and the new priority areas for action, for example in the area of cybersecurity certification.

PURPOSE: to extend and strengthen the tasks of the European Network and Information Security Agency (ENISA).

LEGISLATIVE ACT: Regulation (EU) No 526/2013 of the European Parliament and of the Council concerning the European Union Agency for Network and Information Security (ENISA) and repealing Regulation (EC) No 460/2004.

CONTENT: the European Parliament and the Council adopted a Regulation setting out a new mandate for the European Union Network and Information Security Agency (ENISA). ENISA was set up in 2004 with the goal of ensuring a high level of network and information security across the EU. Since then, the challenges for the security of electronic communications have been continuously expanding, with increasing threats from cyber attacks. Against this background, and also in view of the role ENISA is supposed to play in the forthcoming cyber strategy to be presented by the Commission, the new Regulation aims to strengthen and modernise the agency so as to enhance its efficiency.

To this end, a series of amendments were adopted revising the Agency’s mandate which expires on 13 September 2013.

The main amendments may be summarised as follows:

Length of mandate: the Agency shall be established for a period of seven years from 19 June 2013 with a possibility of extending this duration if this can be justified by an evaluation of the effectiveness of its work.

Objectives of the Agency: the Agency shall develop and maintain a high level of expertise . Among other things, it shall assist the Union institutions, bodies, offices and agencies in:

developing policies in network and information security; implementing the policies necessary to meet the legal and regulatory requirements of network and information security under existing and future legal acts of the Union, thus contributing to the proper functioning of the internal market; enhancing and strengthening their capability and preparedness to prevent, detect and respond to network and information security problems and incidents.

Tasks: the Agency’s tasks are strengthened and more clearly stipulated. As a matter of priority, these should:

support the development of Union policy and legislation, by: assisting and advising on all matters related to (i) the Union network and information security policy and legislation; (ii) publicly available network and information security strategies and promoting their publication; support capability building by: (i) supporting Member States, at their request and assisting the Union institutions, bodies, offices and agencies in their efforts to develop the prevention and analysis of and the capability to respond to network and information security problems and incidents; (ii) supporting the organisation and running of Union network and information security exercises; (iii) supporting the development of a Union early warning mechanism; (iv) offering network and information security training for relevant public bodies; support voluntary cooperation among competent public bodies, and between public and private stakeholders, including universities and research centres in the Union, and assisting Union institutions and bodies in their efforts to develop the prevention, detection and analysis of problems and incidents in relation to network and information security, in particular by supporting the operation of the Computer Emergency Response Team (CERT) ; support research , development and standardisation; cooperate with Union institutions, bodies, offices and agencies, including those dealing with cybercrime and the protection of privacy and personal data, to address issues of common concern ; contribute to the Union efforts to cooperate with third countries and international organisations , to promote international cooperation on network and information security issues.

Member State bodies and Union institutions, bodies, offices and agencies may request advice from the Agency in case of breach of security or loss of integrity with a significant impact on the operation of networks and services.

The Agency shall express independently its own conclusions, guidance and advice on matters within the scope and objectives of the Regulation.

Organisation and operation: the tasks of the Management Board are clearly stipulated. Among other things, i t shall adopt the Agency’s annual and strategic multiannual work programme and an annual report on the Agency's activities.

To strengthen the efficiency and the cost-efficiency of the Agency, the Management Board shall be assisted by an Executive Board , which shall prepare decisions to be adopted by the Management Board on administrative and budgetary matters only.

Technical and organisational clarifications were introduced in regard to the Executive Director’s tasks and appointment. Among other things, the Executive Director shall draw up the Agency’s draft work programme which shall be transmitted, following its adoption by the Management Board, to the European parliament, the Council, the Commission and the Member States. At the invitation of the relevant committee of the European Parliament, the Executive Director shall present and hold an exchange of views on the adopted annual work programme.

Headquarters: on 1 April 2005, a Headquarters Agreement was concluded between the Agency and the Greek government to establish the Agency’s headquarters at Heraklion in Crete. It is, however, stipulated that a branch office should be established in the metropolitan area of Athens in order to improve the operational efficiency of the Agency.

Evaluation and review: by 20 June 2018 the Commission shall commission an evaluation to assess, in particular, the impact, effectiveness and efficiency of the Agency and its working practices. The evaluation shall also address the possible need to modify the mandate of the Agency and the financial implications of any such modification.

ENTRY INTO FORCE: 19.06.2013. Regulation (EC) No 460/2004 is repealed.

he European Parliament adopted by 626 to 45 with 16 abstentions, a legislative resolution on the proposal for a regulation of the European Parliament and of the Council concerning the European Network and Information Security Agency (ENISA).

Parliament adopted its position in first reading following the ordinary legislative procedure. It amended the Commission proposal as follows:

Objectives: Parliament considers that the Agency should develop and maintain a high level of expertise and assist the Union's institutions, bodies, offices and agencies in: (i) developing policies in network and information security; (ii) implementing the policies necessary to meet the legal and regulatory requirements of network and information security in present and future Union legislation, thus contributing to the smooth functioning of the internal market.

Tasks: the Agency’s tasks have been clarified. It shall:

· support the development of Union policy and legislation , by: assisting and advising on all matters related to (i) the Union network and information security policy and legislation; (ii) publicly available network and information security strategies and promoting their publication;

· support capability building by: (i) supporting Member States, at their request and assisting the Union institutions, bodies, offices and agencies in their efforts to develop the prevention and analysis of and the capability to respond to network and information security problems and incidents; (ii) supporting the organisation and running of Union network and information security exercises; (iii) supporting the development of a Union early warning mechanism; (iv) offering network and information security training for relevant public bodies;

· support voluntary cooperation among competent public bodies, and between public and private stakeholders, including universities and research centres in the Union, and awareness raising;

· support research, development and standardisation;

· cooperate with Union institutions, bodies, offices and agencies, including those dealing with cybercrime and the protection of privacy and personal data, to address issues of common concern ;

· contribute to the Union efforts to cooperate with third countries and international organisations, to promote international cooperation on network and information security issues.

Member State bodies and Union institutions, bodies, offices and agencies may request advice from the Agency in case of breach of security or loss of integrity with a significant impact on the operation of networks and services.

The Agency shall express independently its own conclusions, guidance and advice on matters within the scope and objectives of the Regulation.

Organisation: Members call on the Management Board to adopt the Agency’s annual and strategic multiannual work programme. The Management Board shall adopt an annual report on the Agency's activities and send it, by 1 July of the following year, to the European Parliament, the Council, the Commission and the Court of Auditors.

The Management Board shall: (i) adopt an anti-fraud strategy , as well as rules for the prevention and management of conflicts of interest ; (ii) exercise with respect to the staff of the Agency, the appointing authority powers conferred by the Staff Regulations on the Appointing Authority and by the Conditions of Employment of Other Servants on the Authority Empowered to Conclude Contract of Employment.

In order to strengthen the efficiency of the Agency, Parliament wants the Management Board to be assisted by an Executive Board, which shall prepare decisions to be adopted by the Management Board on administrative and budgetary matters only.

Executive Director : Members seek to clarify the role of the Executive Director who shall be engaged as a temporary agent and appointed by the Management Board from a list of candidates proposed by the Commission, following an open and transparent selection procedure.

Before appointment, the candidate selected by the Management Board shall be invited to make a statement before the competent committee of the European Parliament and to answer questions by its members.

The term of office of the Executive Director shall be five years. By the end of this period, the Commission shall undertake an assessment that takes into account the evaluation of the performance of the Executive Director and the Agency's future tasks and challenges. The term of office of the Executive Director may be extended for no more than five years after obtaining the views of the European Parliament.

The Executive Director shall be responsible for the implementation of the Agency’s budget.

Seat of the Agency : Parliament wants the Agency's host Member State to provide the best possible conditions to ensure the proper functioning of the Agency, which should be based in an appropriate location, among other things providing appropriate transport connections and facilities for spouses and children accompanying members of staff of the Agency. Members recall that on 1 April 2005, a Headquarters Agreement was concluded between the Agency and the Host Member State. The Greek Government determined that ENISA should have its seat in Heraklion, Crete . The resolution calls for a branch office to be established in the metropolitan area of Athens in order to improve the operational efficiency of the Agency.

Evaluation and review : Members ask that no later than 5 years from the day of entry into force of the Regulation, the Commission shall commission an evaluation to assess particularly the impact, effectiveness and efficiency of the Agency and its working practices. The evaluation shall also address the possible need to modify the mandate of the Agency and the financial implications of any such modification.

The Committee on Industry, Research and Energy adopted the report by Giles CHICHESTER (ECR, UK) on the proposal for a regulation of the European Parliament and of the Council concerning the European Network and Information Security Agency (ENISA).

The committee recommends that the European Parliament’s position, adopted at first reading following the ordinary legislative procedures, should be to amend the Commission proposal as follows:

Objectives : Members consider that the Agency should develop and maintain a high level of expertise and assist the Union's institutions, bodies, offices and agencies in:

developing policies in network and information security; implementing the policies necessary to meet the legal and regulatory requirements of network and information security in present and future Union legislation, thus contributing to the smooth functioning of the internal market; enhancing and strengthening the capability and preparedness of the Union and of the Member States to prevent, detect and respond to network and information security problems and incidents.

Tasks : the Agency’s tasks have been clarified. It shall:

support the development of Union policy and legislation , by: (i) assisting and advising on all matters related to Union network and information security policy and legislation; (ii) providing preparatory work, advice and analyses related to the development and update of Union network and information security policy and legislation; (iii) analysing publicly available network and information security strategies and promoting their publication; assist in strengthening capacities ; support voluntary cooperation among competent public bodies, and between public and private stakeholders, including universities and research centres in the Union, and awareness raising; support research , development and standardisation; cooperate with Union institutions, bodies, offices and agencies, including those dealing with cybercrime and the protection of privacy and personal data, to address issues of common concern ; contribute to the Union efforts to cooperate with third countries and international organisations, to promote international cooperation on network and information security issues.

Member State bodies and Union institutions, bodies, offices and agencies may request advice from the Agency in case of breach of security or loss of integrity with a significant impact on the operation of networks and services.

Organisation : Members call on the Management Board to adopt the Agency’s annual and strategic multiannual work programme. The Management Board shall adopt an annual report on the Agency's activities and send it, by 1 July of the following year, to the European Parliament, the Council, the Commission and the Court of Auditors. The annual report shall include the accounts and describe how the Agency has met its performance indicators.

The Management Board shall: (i) adopt an anti-fraud strategy, which is proportionate to the fraud risks having regard to cost-benefit of the measures to be implemented; (ii) adopt rules for the prevention and management of conflicts of interest ; (ii) exercise with respect to the staff of the Agency, the appointing authority powers conferred by the Staff Regulations on the Appointing Authority and by the Conditions of Employment of Other Servants on the Authority Empowered to Conclude Contract of Employment.

The Staff Regulations of the European Union and the Conditions of Employment of Other Servants of the European Union and the rules adopted by agreement between the institutions of the European Union for giving effect to those Staff Regulations shall apply to the staff of the Agency.

In order to contribute to enhancing effectiveness and efficiency of the operation of the Agency, the Management Board shall establish an Executive Board .

Executive Director : Members seek to clarify the role of the Executive Director who shall be engaged as a temporary agent and appointed by the Management Board from a list of candidates proposed by the Commission, following an open and transparent selection procedure.

Before appointment, the candidate selected by the Management Board shall be invited to make a statement before the competent committee of the European Parliament and to answer questions by its members.

The term of office of the Executive Director shall be five years . By the end of this period, the Commission shall undertake an assessment which takes into account the evaluation of the performance of the Executive Director and the Agency's future tasks and challenges. The term of office of the Executive Director may be extended for no more than five years after obtaining the views of the European Parliament.

The Executive Director shall be responsible for the implementation of the Agency’s budget .

Evaluation and review : no later than 5 years from the day of entry into force of this Regulation, the Commission shall commission an evaluation to assess particularly the impact, effectiveness and efficiency of the Agency and its working practices. The evaluation shall also address the possible need to modify the mandate of the Agency and the financial implications of any such modification.

The text recalls that on 1 April 2005, a Headquarters Agreement was concluded between the Agency and the Host Member State. The Greek Government determined that ENISA should have its seat in Heraklion, Crete. Members call for a branch office to be established in the metropolitan area of Athens in order to improve the operational efficiency of the Agency.

In a public session, the Council took note of the progress report on a draft regulation concerning the European Network and Information Security Agency (ENISA). To recall, the Commission’s proposal aims to strengthen and modernise the ENISA and to establish a new mandate for a period of five years. Its current mandate will expire on 13 September 2013. The Presidency's progress report describes work done on this file during the Polish Presidency. The duration of the agency's mandate is still an outstanding issue; several delegations agree to a mandate which is limited in time (including a mandate longer than the period of five years proposed by the Commission) whereas several others support an indefinite mandate. At this stage, no compromise proposal has been put forward in relation to this issue.

The Polish Presidency proposed new tasks for the agency, in particular to support and promote voluntary cooperation between Computer Security Incident Response Teams/Computer Emergency Response Teams. Furthermore, the ENISA should support the Member States, at their request, and the Union's institutions to organise awareness raising and other outreach activities to increase network and information security and its visibility. On international cooperation, the ENISA should contribute to the Union's efforts to cooperate with third countries and international organisations, for instance by supporting cooperation with the relevant organisations e.g. CSIRTs/CERTs and promoting involvement in international network and information security exercises. These Presidency compromise proposals on the tasks were acceptable in principle to delegations.

The European Parliament is expected to conclude its first reading on this proposal in the early part of 2012.

Opinion of the European Data Protection Supervisor on the proposal for a Regulation of the European Parliament and of the Council concerning the European Network and Information Security Agency (ENISA)

On 30 September 2010, the Commission adopted a proposal for a Regulation of the European Parliament and of the Council concerning ENISA, the European Network and Information Security Agency which aimed to extend the mandate and its activities.

Out of several options the Commission chose to propose an expansion of the tasks of ENISA and to add law enforcement and data protection authorities as fully fledged members of its permanent stakeholders’ group. The new list of tasks does not include operational ones, but updates and reformulates the current tasks.

Main conclusions : the overall assessment of the proposal is positive and the EDPS welcomes the extension of the Agency’s mandate and the expansion of its tasks by the inclusion of data protection authorities and law enforcement bodies as fully fledged stakeholders. The EDPS considers that the continuity of the Agency will encourage at European level professional and streamlined management of security measures for information systems.

The EDPS recommends that in order to avoid any legal uncertainty, the p roposal should be clarified with regard to the expansion of the Agency’s tasks and in particular those that relate to the involvement of law enforcement bodies and data protection authorities . Also, the EDPS draws the attention to the potential loophole created by the inclusion of a provision in the proposal that allows the addition of new tasks to the Agency by any other Union legislative Act without any additional restriction.

The EDPS invites the legislator to clarify whether, and if so which of ENISA’s activities will include the processing of personal data.

It recommends including provisions on the establishment of a security policy for the Agency itself , in order to reinforce the role of the Agency as enabler of excellence in security practices, and as promoter of ‘privacy by design’ (privacy and data protection compliance is designed into systems holding information right from the start) by integrating the use of best available techniques in security with the respect to personal data protection rights.

The EDPS invites the legislator to solve some inconsistencies with regard to the restrictions expressed on Article 14 concerning the capacity to request the assistance of the Agency. In particular, the EDPS recommends that these restrictions are waived and all institutions, bodies, agencies and offices of the Union are empowered to request assistance from the Agency .

Lastly, it recommends that the extended capacities of the Management Board include some concrete aspects that could enhance the assurance that good practices are followed within the Agency with regard to security and data protection. Among others, it is proposed to include the appointment of a data protection officer and the approval of the measures aimed at the correct application of Regulation (EC) No 45/2001.

In a public session, the Council examined progress made on two draft regulations regarding the European Network and Information Security Agency (ENISA).

The Presidency has prepared a progress report which takes stock of the progress made so far on two Commission proposals (see also COD/2010/0274 ). Both proposals were examined by the Council bodies and all delegations welcomed them.

The progress report identified the following main issues to be discussed further in order to prepare a Council's common position for the negotiations with the European Parliament:

ENISA's tasks : although the current list of tasks is in principle welcomed by Delegations, a fine tuning of several tasks should be made. In particular, the role of ENISA in relation to cybercrime should be further discussed. Some Delegations propose the addition of concrete tasks as for example, tasks related to resilience, organisation of regular network security exercises, cooperation between Member States and European institutions and bodies. These proposals would need to be examined in more detail, to determine the Council position for further negotiations; duration of the mandate : the majority of Delegations agree in principle to a mandate limited in time. Some Delegations however support an indefinite mandate or a longer mandate than the one proposed by the Commission; the role and the structure of the Bodies of ENISA : the participation of the law enforcement and privacy protection agencies as fully fledged stakeholders to the Permanent Stakeholders' Group would need further discussion. This issue is linked to the role of ENISA in relation to cybercrime. Some Delegations propose to give the Management Board a role in the establishment of the work programme of the Agency. Others propose minor changes in the management structures in view of ensuring the effectiveness of Management Board; funding : in the current financial climate, some clarification on the contributions from Member States to the revenues of ENISA, as well as to its future budget would be welcomed by the majority of Delegations. The Commission already clarified in the meetings of the Working Party on Telecommunications and Information Society that Member States contribute on a voluntary basis.

PURPOSE: the recast of the Regulation establishing the European Network and Information Security Agency (ENISA) in order to extend its mandate.

PROPOSED ACT: Regulation of the European Parliament and of the Council

BACKGROUND: the European Network and Information Security Agency (ENISA) was set up in March 2004 for an initial period of five years by Regulation (EC) No 460/2004 . Regulation (EC) No 1007/2008 extended ENISA’s mandate until March 2012.

The extension of ENISA’s mandate in 2008 also launched a debate on the general direction of European efforts towards network and information security (NIS), to which the Commission contributed by launching a public consultation (which ran from November 2008 to January 2009 and gathered nearly 600 contributions).

On 30 March 2009, the Commission adopted a Communication on Critical Information Infrastructure Protection (CIIP) focusing on the protection of Europe from cyber attacks and cyber disruptions by enhancing preparedness, security and resilience, with an Action Plan calling on ENISA to play a role, mainly in support to Member States. The Action Plan was broadly endorsed in the discussion at the Ministerial Conference on CIIP held in Tallinn, Estonia, on 27 and 28 April 2009. The European Union Presidency’s Conference Conclusions stress the importance of the need to rethink and reformulate the Agency’s mandate .

ENISA was originally created with the main goal of ensuring a high and effective level of network and information security within the Union. However, given the experience gained with the Agency, as well as the current challenges and threats to network and information security (NIS), it is necessary to modernise its mandate to make it better fit the European Union’s needs. These stem from a variety of factors such as: the fragmentation of national approaches to tackling the evolving challenges; the lack of collaborative models in the implementation of NIS policies; the insufficient level of preparedness also due to the limited European early warning and response capability; the lack of reliable European data and limited knowledge about evolving problems; the low level of awareness of NIS risks and challenges; and the challenge of integrating NIS aspects in policies to fight cybercrime more effectively.

This proposal for the recast of the ENISA Regulation therefore seeks to address these new challenges by revising the Agency’s mandate.

It should be noted that another proposal has been issued in parallel which would extend the current mandate of the Agency until September 2013, the time it is estimated that will be required for the institutions to agree on the text of this proposal.

IMPACT ASSESSMENT: starting from the principle that keeping an Agency had been identified as an appropriate solution for attaining European policy objectives, five policy options were selected for further analysis:

Option 1: no policy; Option 2: carry on as before, i.e., with a similar mandate and the same level of resources; Option 3 : expand the tasks of ENISA, adding law enforcement and privacy protection authorities as fully fledged stakeholders; Option 4: add fighting cyber attacks and response to cyber incidents to its tasks; Option 5 : add supporting law enforcement and judicial authorities in fighting cybercrime to its tasks.

Following a comparative cost-benefit analysis, option 3 was identified as the most cost-effective and efficient way of achieving the policy objectives because ENISA’s role would focus on: i) building and maintaining a liaison network between stakeholders and a knowledge network to ensure that ENISA is comprehensively informed of the European NIS landscape; ii) being the NIS support centre for policy development and policy implementation; iii) supporting the Union CIIP & Resilience policy; iv) setting up an Union framework for the collection of NIS data; v) studying the economics of NIS; vi) stimulating cooperation with third countries and international organisations; vii) performing non-operational tasks related to NIS aspects of cybercrime law enforcement and judicial cooperation.

LEGAL BASE: Article 114 of the Treaty on the Functioning of the European Union (TFEU).

CONTENT: the proposed Regulation aims to strengthen and modernise ENISA and to establish a new mandate for a period of five years.

The proposal includes some key changes as compared to the original Regulation:

Tasks of the Agency:

ENISA’s tasks are updated and reformulated broadly, in order to provide more scope for Agency activities; they are sufficiently precise to depict the means by which the objectives are to be achieved. This would be, among other things, to: assist the Commission with policy development in the area of network and information security by providing it with advice by means of opinions and technical and socio-economic analyses, as well as undertaking preparatory work on the preparation and updating of EU legislation in this field; facilitate cooperation among the Member States and between the Member States and the Commission to prevent, detect, mitigate and respond to network and information security problems and incidents; assist the Member States and the European institutions and bodies in their efforts to collect, analyse and disseminate network and information security data; facilitate cooperation among the Member States’ competent public bodies, in particular supporting the development and exchange of good practices and standards; assist the Union and the Member States in promoting the use of risk management and security good practice and standards for electronic products, systems and services; encourage cooperation among public and private stakeholders and facilitate dialogue and exchanges of best practice at all levels in particular on aspects of the fight against cybercrime; assist the Commission on policy developments that take into account NIS aspects of the fight against cybercrime; carry out tasks conferred on the Agency by Union legislative acts.

The Agency’s new mandate would permit:

The European institutions and bodies could refer to it for assistance and advice which is in line with political and regulatory developments. Law enforcement and privacy protection authorities would become fully fledged stakeholders of the Agency, which would mean it would become a key interface in the fight against cybercrime .

Management : on the organisational level, the main proposed changes relate to the following

- strengthened governance structure . the proposal enhances the supervisory role of the Agency’s Management Board, in which the Member States and the Commission are represented. For example, the Management Board is able to issue general directions on staff matters (previously the sole responsibility of the Executive Director). It may also establish working bodies to assist it in carrying out its tasks, including monitoring the implementation of its decisions.

- streamlining procedures: procedures that have proved to be unnecessarily burdensome are simplified.

simplified procedure for Management Board internal rules; the opinion on the ENISA Work programme is provided by Commission services rather than via a Commission Decision.

In addition, the Management Board is also given adequate resources in case it needs to take executive decisions and implement them (e.g., if a staff member lodges a complaint against the Executive Director or the Board itself).

- gradual increase of resources : to meet the reinforced European priorities and the expanding challenges, without prejudice to the Commission's proposal for the next multi-annual financial framework, a gradual increase of the financial and human resources of the Agency are gradually to be increased between 2012 and 2016 is anticipated (see financial implication below).

- option of extending the term of office of the Executive Director : the Management Board may extend the term of office of the Executive Director for three years.

Review clause : the Regulation provides for an evaluation of the Agency, covering the period since the previous evaluation in 2007. Based on the findings, the Management Board will make recommendations to the Commission regarding changes to this Regulation, the Agency and its working practices. To enable the Commission to draft any proposal for an extension of the mandate in good time, the evaluation will have to be done by the end of the second year of the mandate provided by the Regulation.

FINANCIAL IMPLICATION: The proposal will impact on the Union budget. It is anticipated that the Agency will be given the resources required to carry out its activities satisfactorily. EU funding after 2013 will be examined in the context of a Commission-wide debate on all proposals for the post-2013 period. This means that once the Commission has made its proposal for the next multi-annual financial framework, the Commission will present an amended legislative financial statement taking into account the conclusions of the impact assessment.