THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty establishing the European Community, and in particular Article 95 thereof,

Having regard to the proposal from the Commission,

Having regard to the opinion of the European Economic and Social Committee(1),

After consulting the Committee of the Regions,

Acting in accordance with the procedure laid down in Article 251 of the Treaty(2),

Whereas:

(1) Communication networks and information systems have become an essential factor in economic and societal development. Computing and networking are now becoming ubiquitous utilities in the same way as electricity or water supply already are. The security of communication networks and information systems, in particular their availability, is therefore of increasing concern to society not least because of the possibility of problems in key information systems, due to system complexity, accidents, mistakes and attacks, that may have consequences for the physical infrastructures which deliver services critical to the well-being of EU citizens.

(2) The growing number of security breaches has already generated substantial financial damage, has undermined user confidence and has been detrimental to the development of e-commerce. Individuals, public administrations and businesses have reacted by deploying security technologies and security management procedures. Member States have taken several supporting measures, such as information campaigns and research projects, to enhance network and information security throughout society.

(3) The technical complexity of networks and information systems, the variety of products and services that are interconnected, and the huge number of private and public actors that bear their own responsibility risk undermining the smooth functioning of the Internal Market.

(4) Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (the Framework Directive)(3) lays down the tasks of national regulatory authorities, which include cooperating with each other and the Commission in a transparent manner to ensure the development of consistent regulatory practice, contributing to ensuring a high level of protection of personal data and privacy, and ensuring that the integrity and security of public communications networks are ensured.

(5) Present Community legislation also includes Directive 2002/20/EC(4), Directive 2002/22/EC(5), Directive 2002/19/EC(6), Directive 2002/58/EC(7), Directive 1999/93/EC(8), Directive 2000/31/EC(9), as well as the Council Resolution of 18 February 2003 on the implementation of the eEurope 2005 Action Plan(10).

(6) Directive 2002/20/EC entitles Member States to attach to the general authorisation, conditions regarding the security of public networks against unauthorised access in accordance with Directive 97/66/EC(11).

(7) Directive 2002/22/EC requires that Member States take necessary steps to ensure the integrity and availability of the public telephone networks at fixed locations and that undertakings providing publicly available telephone services at fixed locations take all reasonable steps to ensure uninterrupted access to emergency services.

(8) Directive 2002/58/EC requires a provider of a publicly available electronic communications service to take appropriate technical and organisational measures to safeguard security of its services and also requires the confidentiality of the communications and related traffic data. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data(12), requires Member States to provide that the controller must implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network and against all other unlawful forms of processing.

(9) Directive 2002/21/EC and Directive 1999/93/EC contain provisions on standards that are to be published in the Official Journal of the European Union. Member States also use standards from international bodies as well as de facto standards developed by the global industry. It is necessary for the Commission and the Member States to be able to track those standards which meet the requirements of Community legislation.

(10) These internal market measures require different forms of technical and organisational applications by the Member States and the Commission. These are technically complex tasks with no single, self-evident solutions. The heterogeneous application of these requirements can lead to inefficient solutions and create obstacles to the internal market. This calls for the creation of a centre of expertise at European level providing guidance, advice, and when called upon, with assistance within its objectives, which may be relied upon by the European Parliament, the Commission or competent bodies appointed by the Member States. National Regulatory Authorities, designated under Directive 2002/21/EC, can be appointed by a Member State as a competent body.

(11) The establishment of a European agency, the European Network and Information Security Agency, hereinafter referred to as ‘the Agency’, operating as a point of reference and establishing confidence by virtue of its independence, the quality of the advice it delivers and the information it disseminates, the transparency of its procedures and methods of operation, and its diligence in performing the tasks assigned to it, would respond to these needs. The Agency should build on national and Community efforts and therefore perform its tasks in full cooperation with the Member States and be open to contacts with industry and other relevant stakeholders. As electronic networks, to a large extent, are privately owned, the Agency should build on the input from and cooperation with the private sector.

(12) The exercise of the Agency's tasks should not interfere with the competencies and should not pre-empt, impede or overlap with the relevant powers and tasks conferred on:

• the national regulatory authorities as set out in the Directives relating to the electronic communications networks and services, as well as on the European Regulators Group for Electronic Communications Networks and Services established by Commission Decision 2002/627/EC(13) and the Communications Committee referred to in Directive 2002/21/EC,

• the European standardisation bodies, the national standardisation bodies and the Standing Committee as set out in Directive 98/34/EC of the European Parliament and of the Council of 22 June 1998 laying down a procedure for the provision of information in the field of technical standards and regulations and of rules on Information Society Services(14),

• the supervisory authorities of the Member States relating to the protection of individuals with the regard to the processing of personal data and on the free movement of such data.

(13) To understand better the challenges in the network and information security field, there is a need for the Agency to analyse current and emerging risks and for that purpose the Agency may collect appropriate information, in particular through questionnaires, without imposing new obligations on the private sector or the Member States to generate data. Emerging risks should be understood as issues already visible as possible future risks to network and information security.

(14) Ensuring confidence in networks and information systems requires that individuals, businesses and public administrations are sufficiently informed, educated and trained in the field of network and information security. Public authorities have a role in increasing awareness by informing the general public, small and medium-sized enterprises, corporate companies, public administrations, schools and universities. These measures need to be further developed. An increased information exchange between Member States will facilitate such awareness raising actions. The Agency should provide advice on best practices in awareness-raising, training and courses.

(15) The Agency should have the task of contributing to a high level of network and information security within the Community and of developing a culture of network and information security for the benefit of citizens, consumers, businesses and public sector organisations in the European Union, thus contributing to the smooth functioning of the internal market.

(16) Efficient security policies should be based on well-developed risk assessment methods, both in the public and private sector. Risk assessment methods and procedures are used at different levels with no common practice on their efficient application. The promotion and development of best practices for risk assessment and for interoperable risk management solutions within public and private sector organisations will increase the security level of networks and information systems in Europe.

(17) The work of the Agency should utilise ongoing research, development and technological assessment activities, in particular those carried out by the different Community research initiatives.

(18) Where appropriate and useful for fulfilling its scope, objectives and tasks, the Agency could share experience and general information with bodies and agencies created under European Union law and dealing with network and information security.

(19) Network and information security problems are global issues. There is a need for closer cooperation at global level to improve security standards, improve information, and promote a common global approach to network and information security issues, thereby contributing to the development of a culture of network and information security. Efficient cooperation with third countries and the global community has become a task also at European level. To this end, the Agency should contribute to Community efforts to cooperate with third countries and, where appropriate, with international organisations.

(20) In its activities the Agency should pay attention to small and medium-sized enterprises.

(21) In order effectively to ensure the accomplishment of the tasks of the Agency, the Member States and the Commission should be represented on a Management Board entrusted with the necessary powers to establish the budget, verify its execution, adopt the appropriate financial rules, establish transparent working procedures for decision making by the Agency, approve the Agency's work programme, adopt its own rules of procedure and the Agency's internal rules of operation, appoint and remove the Executive Director. The Management Board should ensure that the Agency carries out its tasks under conditions which enable it to serve in accordance with this Regulation.

(22) A Permanent Stakeholders' Group would be helpful, in order to maintain a regular dialogue with the private sector, consumers organisations and other relevant stakeholders. The Permanent Stakeholders' Group, established and chaired by the Executive Director, should focus on issues relevant to all stakeholders and bring them to the attention of the Executive Director. The Executive Director may, where appropriate and according to the agenda of the meetings, invite representatives of the European Parliament and from other relevant bodies to take part in the meetings of the Group.

(23) The smooth functioning of the Agency requires that its Executive Director is appointed on the grounds of merit and documented administrative and managerial skills, as well as competence and experience relevant for network and information security and that he/she performs his/her duties with complete independence and flexibility as to the organisation of the internal functioning of the Agency. To this end, the Executive Director should prepare a proposal for the Agency's work programme, after prior consultation of the Commission and of the Permanent Stakeholders' Group, and take all necessary steps to ensure the proper accomplishment of the working programme of the Agency, should prepare each year a draft general report to be submitted to the Management Board, should draw up a draft statement of estimates of revenue and expenditure of the Agency and should implement the budget.

(24) The Executive Director should have the possibility to set up ad hoc Working Groups to address in particular scientific and technical matters. In establishing the ad hoc Working Groups the Executive Director should seek input from and mobilise the relevant expertise of private sector. The ad hoc Working Groups should enable the Agency to have access to the most updated information available in order to be able to respond to the security challenges posed by the developing information society. The Agency should ensure that its ad hoc Working Groups are competent and representative and that they include, as appropriate according to the specific issues, representation of the public administrations of the Member States, of the private sector including industry, of the users and of academic experts in network and information security. The Agency may, if necessary, add to the Working Groups independent experts recognised as competent in the field concerned. The experts who participate in the ad hoc Working Groups organised by the Agency should not belong to the Agency's staff. Their expenses should be met by the Agency in accordance with its internal rules and in conformity with the existing Financial Regulations.

(25) The Agency should apply the relevant Community legislation concerning public access to documents as set out in Regulation (EC) No 1049/2001(15) of the European Parliament and of the Council and the protection of individuals with regard to the processing of personal data as set out in Regulation (EC) No 45/2001(16) of the European Parliament and of the Council.

(26) Within its scope, its objectives and in the performance of its tasks, the Agency should comply in particular with the provisions applicable to the Community institutions, as well as the national legislation regarding the treatment of sensitive documents.

(27) In order to guarantee the full autonomy and independence of the Agency, it is considered necessary to grant it an autonomous budget whose revenue comes essentially from a contribution from the Community. The Community budgetary procedure remains applicable as far as any subsidies chargeable to the general budget of the European Union are concerned. Moreover, the Court of Auditors should undertake the auditing of accounts.

(28) Where necessary and on the basis of arrangements to be concluded, the Agency may have access to the interpretation services provided by the Directorate General for Interpretation (DGI) of the Commission, or by Interpretation Services of other Community institutions.

(29) The Agency should be initially established for a limited period and its operations evaluated in order to determine whether the duration of its operations should be extended,

HAVE ADOPTED THIS REGULATION: