How ENISA can be strengthened further
In September 2023, Kaspersky took part in the public consultation on the performance and further development of the European Union Agency for Cybersecurity (ENISA). To comply with Regulation (EU) 2019/881, the European Commission wanted to assess how the agency had fulfilled its mandate, objective and tasks. The consultation also addressed the EU cybersecurity certification framework.
According to the legal provisions [see Article 3(1) of Regulation (EU) 2019/881, repealing Regulation (EU) No 526/2013] and the EU Commission’s Call for Evidence (ARES (2023)4919878), ENISA shall contribute to achieving a “high common level of cybersecurity across the Union”, “act as a reference point for advice and expertise on cybersecurity” and “contribute to reducing the fragmentation of the internal market.” ENISA’s objectives include, in particular:
- assisting in the development and implementation of Union policies in the area of cybersecurity, including sectoral policies; the support of capacity-building and preparedness across the Union;
- promoting cooperation, such as sharing information and coordination at Union level;
- increasing cybersecurity capabilities at Union level in preventing and responding to cyber threats;
- contributing to the establishment and maintenance of the European cybersecurity certification, and
- promoting a high level of cybersecurity awareness.
In its feedback, Kaspersky, to start with, explicitly praised the agency’s achievements in providing guidance and enhancing cybersecurity capabilities. It has contributed to the improvement of collective cyber resilience by strengthening cross-border collaboration between Member States.
In view of the planned extension of competencies and in line with the provisions of the NIS2 Directive and the draft Cyber Resilience Act, the EU now has the duty to provide sufficient resources. To address this challenge, Kaspersky suggested the following measures:
(i) Increased budget allocation/augmentation of ENISA's budget
A financial boost is essential to ensure that ENISA can effectively fulfill its expanded responsibilities, which now cover a broader range of cybersecurity challenges. A larger budget could enable ENISA to invest in state-of-the-art technologies, recruit top-notch talent, and implement comprehensive cybersecurity initiatives, ultimately strengthening the EU's cybersecurity defense.
(ii) Skill enhancement
In the ever-evolving field of cybersecurity, continuous skill development is essential. Kaspersky emphasized the importance of ENISA collaborating with academic and research institutions specializing in cybersecurity. These partnerships will help ensure that ENISA's staff stays up-to-date with the latest cybersecurity knowledge and practices. This proactive approach will enable ENISA to leverage the latest insights, best practices, and innovative solutions to confront emerging threats effectively.
(iii) Strategic collaborations/partnerships
Recognizing the global nature of cyber threats, Kaspersky's recommendations stress the need for ENISA to expand its collaborations and partnerships. This means building stronger relationships with national and international cybersecurity organizations, as well as with key players in the cybersecurity industry. These strategic partnerships will enable resources, expertise, and threat intelligence to be shared. By working together with a variety of stakeholders, ENISA can create a united front against cyber threats, fostering an environment where knowledge and innovation are shared, which ultimately enhances the EU's cyber resilience.
Promoting cybersecurity innovation
What is more, ENISA could take a more proactive approach in promoting cybersecurity innovation. An area that deserves increased attention is the intersection of cybersecurity and Artificial Intelligence (AI). By delving deeper into the realm of AI, ENISA can play a pivotal role in fostering innovative solutions to counter emerging cyber threats. AI has emerged as a powerful tool in the field of cybersecurity. Its ability to rapidly analyze vast datasets, detect anomalies, and adapt to evolving threats makes it a crucial component in defending against cyberattacks. ENISA could take the lead in exploring the latest developments in AI-driven cybersecurity technologies and promoting their adoption within the European Union.
Ad hoc working groups
The participation of industry, research and the public sector in the ad hoc working groups is an excellent measure to prepare results in a practice-oriented manner and with comprehensive know-how. However, further improvements could be considered here. To avoid a loss of competence and at the same time ensure continuity, Kaspersky suggested a hybrid membership model for ENISA’s Ad Hoc Working Groups. Such a model would combine the individual member’s personal commitment with their organizational affiliation, so that a company is not automatically excluded from further contribution because of a change in personnel.
Accelerated processes in scheme development and application
In its statement on the European Cybersecurity Certification Schemes and Framework, Kaspersky called for the acceleration of processes in development and application of the systems. Practice so far has shown that the process of creation and the legally binding adoption of a certification scheme is rather complex and time-consuming. Resource and priority issues for all actors involved need to be clarified to ensure a faster and higher-quality development of the schemes.
Security by Design
In addition, Kaspersky underlined the relevance of the "Secure by Default and by Design" principle. For the development of the EU Cybersecurity Certification Schemes, it is essential to ensure the integrity of services and functions in order to prevent unauthorized tampering or alteration during the entire lifecycle of the ICT product, service, or process. Furthermore, the availability of services and functions must be secured so that authorized users can access the information and services. To keep pace with the evolving threat landscape, security functions implemented according to Secure by Default and by Design principles must be monitored and updated. In addition, robust encryption mechanisms must be implemented to safeguard data during storage, transmission, and processing, in accordance with industry-recognized standards.