General FAQ's on ENISA

1. What does ENISA do?

 The prime purpose of ENISA is to enhance the capability of the Community, the Member States and, as consequence, the business community to prevent, address and respond to network and information security problems.
To this end, ENISA is focusing its activities on:

• Advising and assisting the Commission and the Member States on information security and in their dialogue with industry to address security-related problems in hardware and software products.

• Collecting and analysing data on security incidents in Europe and emerging risks;

• Promoting risk assessment and risk management methods to enhance our capability to deal with information security threats.

• Awareness-raising and co-operation between different actors in the information security field, notably by developing public / private partnerships with industry in this field.

2. What does ENISA NOT do?

It should be noted that ENISA’s role is NOT of being an inspecting or directly operating or regulating EU-authority (as some other EU-agencies are). ENISA’s remit clearly does not extend to the domains of national security, law enforcement and defence. Therefore, the Agency therefore does not deal with issues such as IT-terrorism, cyber crime, criminal law (done by Member States and Europol), personal data protection (done by the EDPS-agency and national Data Protection Authorities) or the Member States’ own measures in Critical Information Infrastructure Protection (CIIP). In regards to CIIP, it is a concept which is floating and the definition thereof constantly moves. ENISA is often working on the same information infrastructures from an Information Society and Digital Economy perspective. ENISA’s aim is to smoothen the functioning of the Internal Market and working for the Member States to increase information exchange and cooperation on network and information security issues.

3.Why was ENISA created to work for the EU and its Member States with Information Security?

 ENISA was created as it became increasingly clear to the Member States that they where all making a lot of efforts in this area. At the same time, the importance of making sure that the Digital Economy and Information Society functioning became progressively more clear. But in 2001, there was very little, or no cooperation or information exchange between the Members States, or between the governments and the industry in the field of Information Security. ENISA was set up to bridge this gap and bring forward good practices for all to use and to spread a culture of security across Europe.

By using the “open method of co-ordination” between the Member States and the industry in this field, ENISA is facilitating and can contribute to a significant improvement in raising the exchange of Information Security knowledge and best practices between the Member States. ENISA acts like a broker of knowledge and a switchboard of information. ENISA should also increase the possibilities for the external world to have a speaking partner of the EU on these matters.

4. Who was looking after Information Security until ENISA was created?

 It is a misconception that ENISA is looking after information security for Europe. According to the OECD culture of security guidelines, Information Security is a responsibility for all stakeholders. This means that users at home, service providers and product developers have a responsibility to ensure that our information systems are used in a secure manner. Ultimately it is up the Member States to ensure that sufficient security levels are reached and enforced. ENISA’s role as an Expert Authority is to bring knowledge together on how this goal can be achieved, and to spread this information on secure behaviour to relevant stakeholders, EU-institutions and Member States.

5. What has ENISA done so far?

Please see our General Report pages and for latest updates, our press releases.

6. Who is in charge of ENISA?

ENISA is headed by the Executive Director, Dr. Udo Helmbrecht who is responsible for all questions related to Information Security falling within the Agency's remit. The work of the Agency is overseen by a Management Board. The Management Board is composed of representatives from the EU Member States, the European Commission as well as industry, academic and consumer’s organisation stakeholders. The Executive Director is moreover responsible to the European Parliament, the Council of the European Union, and the Court of Auditors. As ENISA’s budget derives from the budget of the European Union, its expenditure remains subject to the normal EU financial checks and procedures.

7. Why is ENISA situated in Crete?

 As for the location of all 30 EU Agencies, this decision was taken by Ministers from all EU countries. The objective is to locate an EU-agency closer to EU’s citizens. The Ministers found a common agreement that ENISA should be situated in Greece, in order to bring an EU-agency closer to its citizens in one of the Member States. The Greek government then decided to situate ENISA in Crete, due to the close connection to one of the 10 leading ICT-centre’s in Europe, FORTH.

8. What is the local connection in Crete for ENISA?

 As for the local connection, our location in Crete and Seat Agreement has contributed to the establishment of a European section in a local, Greek school in Crete, that may be endorsed by the European School in Belgium. That way, ENISA may create more of an international atmosphere in Crete, being a local version of a “miniature EU”. A certain number of official ENISA meetings are held in Greece.  In all public procurements ENISA has to apply strict, objective and impartiality stance between candidates from all over Europe.

9. Why does the EU decentralise its agencies?

The EU-policy of locating EU agencies in different member states has the objective to bring the EU closer to its citizens. Therefore, the EU has ca 30 different Agencies. Just as Botticelli depicts the ”Birth of Spring ” in Crete, and the first European originates from Crete, Crete is the cradle for much of the European culture and civilisation. Now, ENISA, starting from Crete, fosters a new culture: a culture of security, for Internet and networks to function safe and by encouraging smart users.

10. How does ENISA communicate?

To meet its objective, ENISA relies on the support of the EU Member States. Through the assistance of the Member States as multipliers of information, ENISA reaches out to relevant actors in the Member States, the EU institutions, the private sector and business, and other Information Security experts in the world. Also through its structure, with a Permanent Stakeholders’ Group and a Management Board which includes stakeholders, ENISA will bridge the gap in between the public and the private sector in the field of Information Security. Evidently, with a limited budget and staff, the ENISA web site is a main channel for acting like a ‘switchboard’ of information for the EU Member States. The geographical location of ENISA, as any EU Agency situated in Europe (see question 7), therefore is of less relevance, as we have broadband connections in Crete and good support from the Greek authorities and all our stakeholders. We moreover reach out to the Information Security community through co-organising conferences, workshops and by producing the ENISA Quarterly Review.

11. Is it possible to take part in ENISA studies/ make business with ENISA?

 As a European Union agency, our work and procurement of services and products, as well as in call for studies, is within strict, official financial procedures, procurement rules and regulations. All information concerning studies, or tenders launched through procurements by ENISA and/or by Community programmes (e.g. Modinis programme, supported under the umbrella of eEurope). is regularly updated on this website under "Studies" or under “Public procurement”.

12. How many and who works at the Agency?

 There are about 60 agents (including the Executive Director) staff members working at ENISA. All are highly specialized and qualified from both the private and the public sector. All staff is recruited through EU-wide selections procedures with applicants from across the 27 EU Member States. There are also a few Seconded National Experts working at the Agency on a short term basis.