This article is written by Rishabh Mishra, pursuing Diploma in Cyber Law, FinTech Regulations, and Technology Contracts from LawSikho. The article has been edited by Prashant Baviskar (Associate, LawSikho) and Ruchika Mohapatra (Associate, LawSikho).

Introduction

ENISA stands for European Network Information and Security Agency; it is the European Union Agency for Cybersecurity. It has an objective to achieve a high common level of cybersecurity across the whole of Europe. In 2004 it was established by the European Union. ENISA with the support of the EU Cybersecurity Act it works on the following subjects:

1. Helps EU to frame a cyber policy for Europe;
2. Works to achieve enhanced trustworthiness of ICT products;
3. It provides services and processes with cybersecurity certification schemes.
4. It cooperates with Member States and European Union’s bodies.
5. It helps Europe to prepare itself for future cyber challenges.
6. It works towards solidifying the trust of its stakeholders in the connected economy with the intent to enhance the EU’s infrastructure resilience and to achieve the ultimate aim of digital security of Europe’s society and citizens.
7. It provides assistance and advice to the Commission and member states on information security. Its assistance and advice to the Commission and the Member States also extend for addressing hardware and software security-related problems in the products to the concerned industry.
8. It collects and analyzes data of emerging risks and security incidents that took place in Europe.
9. It promotes risk assessment and risk management methods to increase the abilities required to tackle information security threats.
10. It works towards awareness and cooperation among various stakeholders in the information security field, remarkably by developing public/private partnerships with industry in this field.

The activities with respect to digital security are covered under four main topics, which are computer emergency response teams, critical information infrastructure protection and resilience, identity and trust, and risk management.

In this article, various functions of ENISA are discussed with the intent to understand the core of ENISA’s efforts towards cyber security through various laws. 

Functions of ENISA

Presently, ENISA carries out its functions mentioned above on the following topics:

Cloud and big data

ENISA works on this topic because of the ongoing technological trends and needs of the community. It works with the private and public sectors to make them understand the security benefits and drawbacks of cloud storage. The term big data has evolved from the vast use of cloud service combined with the volume of data.

COVID-19

In the wake of the pandemic, people have started working virtually from home. As a result of this ENISA has started sharing its recommendations on different topics which are as follows:

1. Remote working;
2. Online shopping;
3. Health; and
4. Security advise to affected sectors.

Apart from the above topics it shares various other internal and external resources only for cyber security experts and these resources cover security issues with respect to COVID-19.

Critical infrastructures and services

ENISA works on this topic with the intent to ensure a strengthened Industrial Control System (ICS) for the following reasons:

1. The high impact of cyber attacks on critical infrastructure and services.
2. ICS products are mostly based on standard embedded system platforms and often used commercially, as these results in a reduction in cost and ease of working but in parallel exposes systems to network-based attacks.
3. Smart grids improve control over consumption and distribution of electricity but these improvements come in exchange for exposing the electricity network system to foreseen and unforeseen challenges, especially in the field of security of communication networks and information systems. 
4. Maritime transport is one of the major transport services in the whole of Europe and there is an increase in dependency on ICT in this sector which exposes the system to cyber-attacks.

Critical infrastructure includes electricity generation plants, transportation systems and manufacturing facilities which are controlled and monitored by the Industrial Control System which includes SCADA.

CSIRT services

There are three main categories of CSIRT services, which are as follows:

1. Reactive services—these services consist of post incidental reports from any constituency or any other cyber threat or attack-related event, for example; compromised hosts, malware etc.
2. Proactive services—these services are provided with the intent to detect and prevent attacks even before hitting systems. Information is sent to alert constituencies and partners to protect themselves from attack or prepare themselves from being targeted.
3. Security Quality Management Services—under this, organizations’ security postures are reviewed and improved without being dependent on time and are provided upon request.

CSIRTs and communities

ENISA works towards cooperation between its members by the development of the CSIRT network. It also works towards cooperation with other operational communities for e.g. law enforcement, financial, SCADA systems community and energy communities. All these cooperation activities have been taking place for the past 10 years.

CSIRTs in Europe

CSIRTs in Europe are working towards supporting member states and communities to improve their CSIRT capabilities from the past 10 years. It has achieved to make individual teams from different sectors and businesses and existing CSIRT communities an indispensable element of their efforts.

Cyber Crisis Management

In Cyber Crisis Management ENISA helps in the prevention of cyber security incidents and crises or effective response to the same. Its activities include the following:

1. Crisis simulations to,
2. Trainings,
3. Support to the Member States in developing their crisis plans and structures,
4. International conferences and,
5. Several studies. 

Cyber exercises

Cyber exercises include the activity of building prevention capacity which is a part of activities of cyber crisis management with other following activities:

1. Cyber Europe programme,
2. Cyber Exercise Platform (CEP),
3. Trainings and studies,
4. Other cyber exercises are supported by ENISA.

Cyber Security Education

ENISA does the following activities to achieve its objective of educating people:

1. Supporting and strengthening improvisation in cyber security skills and competence at each level i.e. from non-experts to highly skilled professionals.
2. Awareness of cyber security and potential cyber threats.
3. Promotion of safe online behaviour.
4. Act in accordance with the EU’s Digital Action Plan.
5. Promotion and analysis of cyber security education to cover the deficiency in numbers of cyber security professionals.
6. Monthly campaigning for increasing cyber security awareness to citizens. This campaign is known as European Cyber Security Month (ECSM) which primarily intends to focus on the expansion of cyber security awareness.
7. A competition is conducted every year between member states to identify cyber talents from them and is also done with the intent to promote friendly relations among participating countries. This competition is known as the European Cyber Security Challenge.
8. Creation of European Cyber Security Skill Framework with intent to develop a general understanding of various factors such as roles, competencies, skills and knowledge to address the deficiency of cyber security skills.
9. Maintains database for cyber security-related education programmes.
10. Initiatives like #NoMoreRansom for awareness on common ransomware attacks and #Netiquette for secure and safe digital life of all EU citizens through four posters which are part of educational campaigns.

Data protection

As regulations like General Data Protection Regulation (GDPR) and Digital Single Market (DSM) alone cannot pledge to cyber security, this is where technology can play a pivotal role by offering privacy protection tools for proper implementation, monitoring and enforcement of legal provisions. It also focuses on data protection safeguards by using the concept of “privacy by design” and Privacy Enhancing Technologies (PETs) to support privacy integration in systems and services. It also provides security measures with an emphasis on Cryptographic protocols and tools, personal data breaches and online and mobile data protection.

Incidental reporting 

Breach reporting is one of the important modalities of tackling cyber threats in present and in future. Presently there are NIS directives for the same but before NIS there were rules concerned with telecom providers, trust service providers, payment service providers, manufacturers of medical devices and for data controllers under Telecom Framework Directives, eIDAS Regulation, Payment Service Directives, Medical Device Regulation and GDPR respectively.

IoT and smart infrastructure

ENISA provides good security practices and recommendations to operators, manufacturers and decision-makers to secure IoT and Smart Infrastructures from cyber threats. ENISA focuses on IoTs because it is an emerging concept which collects, exchanges and processes data among interconnected devices with the intent to dynamically adapt the concept.

National cyber security directives

Addressing the need for flexible and dynamic cyber security strategies to tackle global threats, a National Cyber Security Strategies (NCSS) is designed to advance the security and resilience of national infrastructures and services. It establishes a range of national objectives and priorities which must be accomplished in a particular time frame. NCSS collaboration building is also on its prime focus, as the most focused area under collaboration building strategy among stakeholders is Information Sharing and the creation of Public-Private Partnerships.

Every national cyber security strategy works in collaboration for the enhancement of cyber security at each level i.e. threat information sharing to raise awareness. However, collaboration can be achieved by Information Sharing and Analysis Centres (ISACs) and Public Private Partnerships (PPPs).

Good practices suggested by ENISA for evaluation of NCSS by their member states are as follows:

• National Capabilities Assessment Framework (NCAF)
• Good practices in innovation on Cybersecurity under the NCSS
• Updated NCSS Good Practice Guide 
• NCSS: an Implementation Guide
• National Cybersecurity Strategies
• An Evaluation Framework for NCSS
• Incentives and barriers of the cyber insurance market in Europe
• Cyber Insurance: Recent Advances, Good Practices and Challenges

ENISA’s work on information sharing being an important aspect of cyber security provides good practices and recommendations and focuses on the following things:

1. Tackling cyber attacks;
2. Incident response;
3. Mitigation measures
4. Preparatory controls

ENISA’s work on Public-Private Partnerships depends upon the environmental, cultural and legal framework of member states.

NIS Directives

NIS Directives are the first part of the EU’s cyber security legislation. It is widely adopted in the legislation of member states. It provides some level of flexibility in its adoption in legislatures of member states taking into account national circumstances. NIS directives consist of three parts:

1. National capabilities: EU Member States must have certain national cybersecurity capabilities of the individual EU countries, e.g. they must have a national CSIRT, perform cyber exercises, etc.
2. Cross-border collaboration: Cross-border collaboration between EU countries, e.g. the operational EU CSIRT network, the strategic NIS cooperation group, etc.
3. National supervision of critical sectors: EU Member states have to supervise the cybersecurity of critical market operators in their country: Ex-ante supervision in critical sectors (energy, transport, water, health, digital infrastructure and finance sector), ex-post supervision for critical digital service providers (online marketplaces, cloud and online search engines).

Standards and certification

ENISA has focused on standardization since its inception. It works on standardization in cooperation with European and International Standards Developing Organisations. It also contributes towards the R&D of risk management and security of electronic products, systems, networks and services for making EU standards. As far as certification is concerned ENISA works towards the preparation of candidate certification schemes. For standardization Regulation (EU) 526/2013 is concerned and Regulation (EU) 2019/881 (Cybersecurity Act) under which a cyber security certification framework is established is concerned.

Threats and risks

Cyber risk and threat management have been vital components of ENISA’s activities. As both, the activities are important for IT Security Management and are subject to vibrant transformation. It is working in this field to provide information and knowledge to stakeholder communities. It is pertinent to mention that risk management is one of the priority activities of ENISA and likewise cyber threat landscaping is the main course of work under this topic.

Conclusion

ENISA has a very dynamic perspective and a visionary eye in the cyber security assurances across Europe and member states. Its efforts show that it understands the risks and threats posed by cybercriminals and issues related to hyper-connectivity in the digital world. It tries to be in proactive mode and bridges the gap between law and its enforcement in letters and spirits. As people are more active in the digital world especially after the COVID-19 pandemic or one may say more dependent on cyber activities from maintaining personal and professional relationships to buying groceries, which exposes even a technologically challenged individual to the cyber world and makes them easy targets of cybercriminals who do not miss the opportunity to take advantage of this situation, by targeting individuals particularly in e-commerce and e-payment businesses, as well as in healthcare system. The ENISA activities and efforts reflect their new vision and mission to work towards a trusted and cyber-secure Europe in cooperation with the wider community.

References

1. https://www.enisa.europa.eu/about-enisa
2. https://dig.watch/actors/european-union-agency-network-and-information-security
3. https://www.enisa.europa.eu/topics/cloud-and-big-data
4. https://www.enisa.europa.eu/topics/wfh-covid19
5. https://www.enisa.europa.eu/topics/critical-information-infrastructures-and-services
6. https://www.enisa.europa.eu/topics/csirt-cert-services
7. https://www.enisa.europa.eu/topics/cross-cooperation-for-csirts
8. https://www.enisa.europa.eu/topics/csirts-in-europe
9. https://www.enisa.europa.eu/topics/cyber-crisis-management
10. https://www.enisa.europa.eu/topics/cyber-exercises
11. https://www.enisa.europa.eu/topics/cybersecurity-education
12. https://www.enisa.europa.eu/topics/data-protection
13. https://www.enisa.europa.eu/topics/incident-reporting
14. https://www.enisa.europa.eu/topics/iot-and-smart-infrastructures
15. https://www.enisa.europa.eu/topics/national-cyber-security-strategies
16. https://www.enisa.europa.eu/topics/nis-directive
17. https://www.enisa.europa.eu/topics/standards
18. https://www.enisa.europa.eu/topics/threat-risk-management

---

Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.

LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join:

https://t.me/joinchat/J_0YrBa4IBSHdpuTfQO_sA

Follow us on Instagram and subscribe to our YouTube channel for more amazing legal content.