Reding calls time on Cinderella agency

The EU’s three-year-old network security agency in Crete will be scrapped under plans for a powerful new telecoms watchdog. Lorraine Mallinder asks whether the €33 million-agency was doomed from day one.

Viviane Reding, the European information society commissioner, fulfilled what has long been an ambition of Brussels policymakers this week (13 November), announcing proposals for a powerful EU telecoms authority. Undeterred by criticisms from industry, national watchdogs and fellow policymakers, the commissioner opted to think big, dreaming up proposals for an authority that will not only oversee the creation of a single telecoms market and manage the airwaves, but also police Europe’s information networks.

Reding’s empire-building threatens to create some casualties. One of the unexpected side-effects of her plans would be the closure of an obscure EU agency located in Heraklion on the island of Crete, known as ENISA (the European Network and Information Security Agency). Since 2004, network security has been ENISA’s job. Under Reding’s plans, however, that job will now be awarded to the new authority. ENISA will effectively be axed.

The casual observer might be moved to question why a three-year-old agency with a mandate approved at high-political level, set up at considerable expense, is now being disbanded.

But those familiar with the story of ENISA’s creation may be less surprised. Insiders have long suspected that ENISA, which was established to "develop a high and effective level of network information security within the EU" was doomed from day one. Marooned on Crete, at a comfortable distance from Europe’s major capitals, it seems that the agency was designed to be a failure.

A report commissioned by Reding, which was released at the beginning of this year, concludes as much. Despite wide agreement on the urgent need to shore up EU network defences, there has been a "general unease" about the way ENISA’s objectives "have been interpreted and implemented by the agency management," says the report. This unease, it goes on to say, has been "compounded by contrasting views and expectations about ENISA’s role among the member states, all represented in ENISA’s large management board".

This chaos would appear, in some ways, to have been intentional. "It was not the fault of ENISA," says an EU source. "It was the fault of the Council [of Ministers] which was afraid that ENISA would do too much to take over the security policy of member states. One of the big problems is that ENISA is located in Crete. Recruiting good people there is almost impossible. That was a decision taken by member states."

The report identifies a number of issues which have hamstrung ENISA since it opened, citing problems such as the "size of its operational staff", its "remote location" and its "organisational structure". The problems, according to the report, stem from the "ambiguities" in ENISA’s 2004 mandate that, frustratingly enough, "may be overcome only by an agreement with the member states in the management board".

Despite being saddled with a lame-duck mandate, the agency nevertheless managed to struggle on.

But the report concludes that ENISA’s achievements "while adequate or even good so far, appear insufficient to achieve the high level of impacts and value added hoped for".

Apparently unaware of plans being hatched in Brussels, ENISA’s management board recently asked an external consultant to examine the case for expanding the agency. The results are expected in two or three months. "The management board is satisfied with the work done by ENISA within the limits of the tasks given to us. We have completed our tasks and are happy the management board said we had achieved a great deal," says Andrea Pirotti, ENISA’s executive director.

"ENISA is an independent body of the EU. As executive director I respond to management boards. I have full respect for all EU bodies. I believe they have all the rights and privileges of taking their own decisions. My job is to implement the work programme and to care for my staff."

According to Reding’s proposals, ENISA, which was allocated €33 million for its five-year mandate, would be sustained for a sixth year to ease the handover of its remit to the new authority, to be known as ETMA (the European Telecom Market Authority). ETMA is expected to become operational in 2010. "The work being done by ENISA can in future be done by a regulator with knowledge and expertise," says the EU source. Most of ENISA’s staff, he says, would be recruited, "if not automatically, then through transfers".

Attention is now turning to the location of ETMA. Speculative reports this week have cited Germany, Hungary, Poland, the Netherlands and the UK as possible candidates. The Greek government is also likely to stake its claim, in all likelihood using ENISA as a bargaining tool. A final decision on ETMA’s location will be taken by heads of state at the end of next year.

The EU’s three-year-old network security agency in Crete will be scrapped under plans for a powerful new telecoms watchdog. Lorraine Mallinder asks whether the €33 million-agency was doomed from day one.

• Primary Source