ENISA: Fit for Purpose?

Executive Summary 

Since its inception 20 years ago, the European Union Agency for Cybersecurity (ENISA) has evolved and gained prominence as a cybersecurity entity at EU level. ENISA is entrusted with a central role in implementing EU cybersecurity policies, fostering cooperation among Member States, and strengthening resilience against cyber threats. In recent years, its mandate has expanded and the agency has taken on an increasingly multifaceted role as the EU pursues an ambitious political and regulatory cybersecurity agenda. With legislation such as the NIS2 Directive, the Cyber Resilience Act, and the Cyber Solidarity Act, ENISA’s workload has grown substantially, placing additional demands on the agency. This raises questions about whether the agency is sufficiently equipped to manage an expanding portfolio of tasks amidst a growing threat landscape – in short, is ENISA fit for purpose?

The paper identifies six challenges facing ENISA in the fulfillment of its purpose:

1. ENISA operates within a complex and heterogeneous environment, where its role and influence are contested by the emergence of new cybersecurity entities at the EU level. At the same time, the agency must demonstrate added value in a landscape marked by varying levels of maturity and differing approaches to implementing EU cybersecurity policies across Member States.

2. ENISA’s expansion of tasks results in mounting expectations from a steadily increasing number of actors, as the agency must cater to a complex actor network while facing rising demands from various stakeholder groups, such as EU Institutions, Bodies, and Agencies; Member State entities, and private sector actors. 

3. ENISA’s activities extend beyond purely internal market-driven objectives as the agency’s operational footprint continues to grow. As cybersecurity is an area where national and EU-level security concerns increasingly intersect, ENISA’s involvement in incident management, situational awareness, and operational coordination-related activities has also grown. These activities contribute to, but also go beyond, the agency’s primary objective of supporting the EU’s internal market, which forms its legal basis.

4. ENISA’s purview is progressively shaped by political dynamics, as reflected by the increasing relevance of cybersecurity to EU policy-making, the agency’s growing role in policy development, ENISA’s expanded participation in the Council of the EU’s Horizontal Working Party on Cyber Issues, and the political controversies that have arisen surrounding cybersecurity certification schemes developed by ENISA.

5. ENISA is taking on a more prominent role at the international level, inter alia, by establishing working arrangements with cybersecurity entities of international partners, participating in EU cyber dialogues with foreign counterparts, and managing a growing number of collaboration requests emanating from outside the EU.

6. ENISA’s workforce needs exceed its allocated budget, as the agency’s resource requests go unmet amid expanding responsibilities from new legislation, rising stakeholder expectations, and a deteriorating cybersecurity threat landscape.

These challenges underscore the increasing complexity and scope of ENISA’s tasks, as the agency must, inter alia, address diverse priorities while ensuring interoperability across Member States, reconcile EU-level coordination with national sovereignty, and balance its technical mandate with political realities. All of these tasks ultimately constrain the agency’s ability to contribute to implementing the EU cybersecurity policy framework and support policy coherence.

To address these challenges, the paper puts forward three recommendations:

• Clarifying ENISA’s role: To optimize its impact, particularly given its limited resources, policy- and decision-makers should clarify the agency’s role and specify where ENISA adds the most value in enhancing the Union’s cybersecurity.

• Refining prioritization of ENISA activities: Improved prioritization would enable ENISA to sustainably build specialized expertise in key areas while fostering trusted relationships with priority recipients of its actions.

• Managing expectations of ENISA’s target audiences: To ensure transparency and clarity, it is crucial that stakeholders understand how ENISA prioritizes its activities and engagement as this will mitigate potential misunderstandings and manage expectations based on a realistic understanding of the agency’s capabilities.

With ENISA’s role under review as part of the European Commission’s ongoing evaluation mandated by the Cybersecurity Act, 2025 marks a pivotal moment for reassessing the agency’s capacity and clarifying its strategic direction. For policymakers in Member States and EU institutions, two basic conceptual options emerge to make ENISA truly fit for purpose: equipping ENISA with additional financial resources and personnel to fully meet its mission and responsibilities or redefining ENISA’s mandate to align with existing resources, which would entail significantly narrowing the agency’s tasks and scope of activities. Taking the necessary steps to act on one of the proposed options, rather than maintaining the below-par status quo, is essential if the EU is to effectively manage and implement its ever-expanding cybersecurity policy framework.

Introduction

In 2004, the European Union (EU) established the European Network and Information Security Agency (ENISA), now headquartered in Athens, Greece. ¹ Since then, the agency’s name has been changed to the European Union Agency for Cybersecurity, while its abbreviation remains intact. EU Member States, the Commission, and the European Parliament have also gradually expanded ENISA’s mandate and tasks in both quantitative and qualitative terms, reflecting the rising prominence of cybersecurity on the EU’s agenda in recent years. ²

In the first ten years of the agency’s existence, the EU’s regulatory entrepreneurship ³ efforts – proactive initiatives to shape and expand the cybersecurity policy ecosystem through regulation and policy – in the area of cyber and IT security were still very limited. Over the past decade, however, the EU has developed likely the world’s most comprehensive regulatory framework on cybersecurity through the adoption of numerous cybersecurity-specific horizontal and sectoral directives and regulations as well as policies spanning numerous policy areas. ⁴

In particular, the last few years have witnessed an unprecedented dynamic in regulatory activity, with more than 300 legal acts mentioning cybersecurity adopted between 2019 and 2024. ⁵ This evolution has had implications for ENISA: the Directive on measures for a high common level of cybersecurity across the Union (NIS 2 Directive), ⁶ the Cyber Resilience Act (CRA), ⁷ and Cyber Solidarity Act (CSOA) ⁸ are just three examples of recent legislative EU endeavors that have conferred additional tasks on the agency. ⁹

Among some of ENISA’s recently added tasks feature

• the development and maintenance of a “European vulnerability database” ¹⁰ (Art. 12(2) NIS 2 Directive),

• the drafting of a biennial “report on the state of cybersecurity in the Union” (Art. 18 NIS 2 Directive, the first of which was published in December 2024 ¹¹ ),

• the “[e]stablishment of a single reporting platform” (Art. 16(1) CRA) ¹² , inter alia, for the notification of “actively exploited vulnerabilit[ies] contained in the product with digital elements” (Art. 14(1) CRA) and “severe incident[s] having an impact on the security of the product with digital elements” (Art. 14(3) CRA) by manufacturers pursuant to the CRA,

• the “operation and administration of the EU Cybersecurity Reserve, in full or in part” (Art. 14(5) CSOA) through the CSOA, as well as

• upon request by either the European Commission or the European cyber crisis liaison organisation network (EU-CyCLONe), the “review and assess[ment of] cyber threats, known exploitable vulnerabilities and mitigation actions with respect to a specific significant cybersecurity incident or large-scale cybersecurity incident” (Art. 21 CSOA) in the framework of the EU’s European Cybersecurity Incident Review Mechanism established via the CSOA.

Even if more and more voices in the policy world are calling for the existing initiatives to be properly implemented first, ¹³ cybersecurity will likely continue to be high on the political agenda during the term of this European Commission. Looking at Ursula von der Leyen’s candidate speech for a second mandate as European Commission President, ¹⁴ the political guidelines for the von der Leyen Commission II, ¹⁵ and the mission letter to the new Executive Vice-President for Tech Sovereignty, Security and Democracy Henna Virkkunen also overseeing the ‘cyber portfolio,’ ¹⁶ all indicate that cybersecurity will most likely keep its place at the higher end of the EU’s political agenda. ¹⁷ Most recently, for example, the European Commission’s action plan on the cybersecurity of hospitals and healthcare providers followed through on this indication by proposing to task ENISA with “establish[ing], within its organisation, a dedicated European Cybersecurity Support Centre for hospitals and healthcare providers as part of its mandate to safeguard and support the EU’s critical infrastructure.” ¹⁸ Expectations facing ENISA are thus likely to continue rising, from the European Commission, Member States, as well as other stakeholders, raising questions about whether the agency is sufficiently equipped to manage an expanding portfolio of tasks amidst a growing threat landscape – in short, whether the agency is fit for purpose.

ENISA’s ability to fully deliver on its mandate is not an end in itself. Instead, an ENISA that is fit for purpose is imperative to the EU’s strategic ambition to enhance cybersecurity across the Union as well as its regulatory and policy innovation on cybersecurity. Internally, an ENISA unfit for purpose could impair EU-level efforts to create a cohesive and effective cybersecurity framework, as the success of Union-wide cybersecurity policies also relies on coordination across Member States, with ENISA entrusted with an essential role in supporting this effort. Externally, if ENISA struggles to deliver on its mandate, including by supporting improved coordination and consistent implementation, this may have broader implications for the EU’s standing as a regulatory entrepreneur and for its often invoked Brussels Effect, a term coined to refer to the “EU’s unilateral ability to regulate global markets by setting the standards” in various policy fields. ¹⁹

This makes 2025 a pivotal moment to assess the agency’s role and capacity within the EU cyber ecosystem – also as it coincides with the European Commission’s ongoing evaluation of the agency, mandated by Article 67 of the Cybersecurity Act (CSA), ²⁰ which could prompt the European Commission to propose a revision of ENISA’s mandate. Testaments to the need to evaluate ENISA include the recently adopted Council conclusions on ENISA ²¹ from December 2024 as well as the earlier June 2024 Council conclusions on the future of cybersecurity, which, inter alia, called upon the European Commission “to take duly into account the development of ENISA’s role reviewing the Cybersecurity Act” and ENISA “to establish clear priorities, including focusing on supporting the Member States through existing structures.” ²² Most recently, in March 2025, the EU ministers responsible for cybersecurity emphasized the “need for a strengthened, clearly defined, and focused ENISA [...] mandate” as a component of their ‘Warsaw Call’ declaration. ²³ Even though it was included in a leaked version of the European Commission’s 2025 work program for this year’s fourth quarter, ²⁴ a revision of the CSA seems to be on the table only as early as 2026. ²⁵

This policy paper aims to contribute to evaluative efforts at the policy level by reviewing ENISA’s capability to fulfill its mandate in an increasingly complex cybersecurity landscape. The analysis approaches the question of ENISA’s ‘fitness’ by examining key factors and capabilities necessary to achieve the agency’s purpose, including the scope of tasks assigned to ENISA, staffing, budget, and governance structures (Chapter 3). The paper also explores the agency’s role within the broader EU cybersecurity policy framework, ENISA’s actor network and target audiences, its position in political processes, as well as its international engagement. By considering the implications of these considerations, the paper identifies challenges to the agency’s ability to fulfill its purpose and meet the expectations placed upon it (Chapter 4), underscoring the importance of clearly defining the agency’s role, more effectively articulating its priorities, and enhancing the management of stakeholder expectations when looking ahead (Chapter 5).

ENISA 101: Answers to Frequently Asked Questions 

What are the main characteristics of decentralized EU agencies like ENISA?

ENISA was established as a decentralized EU agency. The CSA draws on Article 114 of the Treaty on the Functioning of the European Union (TFEU), ²⁶ providing the opportunity for the European Parliament and the Council of the European Union to adopt measures deemed necessary “for the approximation of the provisions laid down by law, regulation or administrative action in Member States which have as their object the establishment and functioning of the internal market” (Art. 114(1) TFEU). ²⁷

Being a decentralized agency –  as opposed to an EU executive, Common Foreign and Security Policy (CFSP) or European Atomic Energy Community agency ²⁸ – comes with specific characteristics:

• Establishment: Decentralized EU agencies are established “by secondary law to manage specific technical, scientific or managerial tasks,” have their own legal personality, are set up indefinitely timewise, and are located in Member States throughout the Union. ²⁹

• Function: In general terms, decentralized agencies are tasked to “contribute to the implementation of EU policies and support cooperation between the EU and national governments by pooling technical and specialist expertise and knowledge from both the EU institutions and national authorities.” ³⁰

• Oversight: Decentralized EU agencies are “subject to the external control of the Court of Auditors and to the annual discharge from the European Parliament.” ³¹

• External engagement: ³² The external relations of decentralized EU agencies have been described as a “constitutional twilight zone,” given the fact that they bring “together two constitutionally problematic issues: the EU’s external action and the limits to the empowerment of EU agencies.” ³³ This results in a circumscribed, narrow scope for external action. For example, decentralized agencies must respect and maintain the EU’s “institutional balance,” ³⁴ and any agency’s external engagement should be essential to fulfilling its core responsibilities. The procedures for the external activities of specific EU agencies are outlined in agreements between the relevant Commission Directorate-Generals (DGs) and the agencies. ³⁵

What is ENISA’s purpose? 

ENISA’s purpose is threefold (emphasis by the author):

1. “achieving a high common level of cybersecurity across the Union,”

2. “reducing the fragmentation of the internal market,” and

3. “approximating Member State laws, regulations and administrative provisions” (Art. 3)

as outlined at the beginning of the CSA.

As also contained in the CSA, EU co-legislators envision the agency to be “a centre of expertise on cybersecurity by virtue of its independence, the scientific and technical quality of the advice and assistance it delivers, the information it provides, the transparency of its operating procedures, the methods of operation, and its diligence in carrying out its tasks” (Art. 4(1)). In July 2020, ENISA published its strategy for “A Trusted and Cyber Secure Europe” outlining seven strategic objectives that are linked to specific CSA articles and activities. ³⁶ In February 2025, the agency published an updated version of its strategy, as revised by its Management Board in October 2024. ³⁷ With some minor adjustments in wording, the seven strategic objectives remained primarily the same. The major change rests in clustering them in horizontal and vertical objectives as well as an increased emphasis on implementation in the second as well as preparedness and response in the third objective (see below). ³⁸ According to the strategy, ENISA seeks to achieve and contribute to the following objectives through its activities:

→ Horizontal objectives:

• Empowered communities in an involved and engaged cyber ecosystem

• Foresight on emerging and future cybersecurity opportunities and challenges

• Consolidated and shared cybersecurity information and knowledge support for Europe

↓ Vertical objectives:

• Support for effective and consistent implementation of EU cybersecurity policies

• Effective Union preparedness and response to cyber incidents, threats, and cyber crises

• Strong cybersecurity capacity within the EU

• Building trust in secure digital solutions

What is ENISA tasked with?

The CSA assigns ENISA eight activity areas:

(1) Development and implementation of Union policy and law (Article  5)

• Provision of “independent opinion and analysis as well as carrying out preparatory work” to “assist[...] and advis[e] on the development and review of Union policy and law in the field of cybersecurity and on sector-specific policy and law initiatives,”

• Issuance of “opinions, guidelines, provi[sion of] advice and best practices” in an assistance effort towards Member States to “implement the Union policy and law regarding cybersecurity consistently,”

• Support to NIS Cooperation Group activities,

• Support to Member States “in the implementation of specific cybersecurity aspects of Union policy”

(2) Capacity-building (Article 6)

• Assistance to Member States with regard to

  • “efforts to improve the prevention, detection and analysis of, and the capability to respond to cyber threats and incidents [through] knowledge and expertise,”

  • “developing national CSIRTs [Computer Security Incident Response Teams],” and

  • “regularly organising the cybersecurity exercises at Union level”

• Assistance to Member States and EU Institutions, Bodies and Agencies (EUIBAs) with regard to “establishing and implementing vulnerability disclosure policies on a voluntary basis”

• Assistance to EUIBAs with regard to

  • “improv[ing] the prevention, detection and analysis of cyber threats and incidents and to improve their capabilities to respond to such cyber threats and incidents, in particular through appropriate support for the CERT-EU [Cybersecurity Service for the Union institutions, bodies, offices and agencies],” and

  • “developing and reviewing Union strategies regarding cybersecurity, promoting their dissemination and tracking the progress in their implementation”

(3) Operational cooperation at the Union level (Article 7)

• Vis-à-vis Member States through the CSIRTs Network:

  • “advising on how to improve their capabilities to prevent, detect and respond to incidents and, at the request of one or more Member States, providing advice in relation to a specific cyber threat” and

  • “analysing vulnerabilities and incidents on the basis of publicly available information or information provided voluntarily by Member States for that purpose”

• Vis-à-vis Union and Member States: “contribut[ing] to developing a cooperative response at Union and Member States level to large-scale cross-border incidents or crises related to cybersecurity,” for example, by “ensuring the efficient flow of information and the provision of escalation mechanisms between the CSIRTs network and the technical and political decision-makers at Union level”

• Vis-à-vis EUIBAs:

  • “exchang[ing] know-how and best practices”

  • providing “advice and issuing of guidelines on relevant matters related to cybersecurity”

(4) Market, cybersecurity certification, and standardization (Article 8)

• Preparation of “candidate European cybersecurity certification schemes”

• Development and publication of “guidelines and develop good practices, concerning the cybersecurity requirements for ICT [information and communications technology] products, ICT services and ICT processes”

(5) Knowledge and information (Article 9)

• Provision of “topic-specific assessments on the expected societal, legal, economic and regulatory impact of technological innovations on cybersecurity”

• Performance of “long-term strategic analyses of cyber threats and incidents in order to identify emerging trends and help prevent incidents”

(6) Awareness-raising and education (Article 10)

Implementation of “regular outreach campaigns to increase cybersecurity and its visibility in the Union and encourage a broad public debate” together with Member States and EUIBAs

(7) Research and innovation (Article 11)

• Provision of advice to EUIBAs and Member States on “research needs and priorities in the field of cybersecurity”

• “Contribut[ion] to the strategic research and innovation agenda at Union level in the field of cybersecurity”

(8) International cooperation (Article 12)

• Supporting “the Union’s efforts to cooperate with third countries and international organisations as well as within relevant international cooperation frameworks to promote international cooperation”

These activity areas translate to various operational activity areas outlined in ENISA’s annual work programs. ³⁹

How is the European Commission involved in ENISA’s governance structures and day-to-day operations?

In contrast to EU executive agencies placed directly under the European Commission’s control and oversight, ⁴⁰ the relationship of decentralized EU agencies with the European Commission is one of “partial autonomy,” manifested, for example, in the European Commission’s involvement in the drafting of the agency’s work program or the representation in statutory bodies of the respective agencies. ⁴¹ The Directorate-General for Communications Networks, Content and Technology (DG CONNECT) is the DG responsible (partner DG) for ENISA. The European Commission is involved in ENISA’s governance structures at multiple levels: It participates in ENISA’s Management and Executive Boards (through representatives from DG CONNECT and Directorate-General for Digital Services (DG DIGIT ⁴² )), with voting rights and the authority to request extraordinary meetings, proposes Executive Director candidates, and evaluates their performance. It also oversees ENISA’s strategic direction through mandatory consultations on financial rules, annual work programs, and the single programming document, where the European Commission’s opinion must be considered before adoption. Furthermore, ENISA is required to submit various reports to the European Commission, including biennial progress updates, annual budgetary reports, and responses to audit observations. Additionally, the European Commission evaluates ENISA’s impact, mandate, and future tasks every five years and retains the authority to propose amendments to the regulatory framework stipulating its mandate. Vice versa, the European Commission relies on ENISA for technical advice and analyses to support cybersecurity policy development and implementation and may request ENISA to create or review European cybersecurity certification schemes under the Union’s rolling work program. For more details and references to the relevant provisions of the CSA, see Annex I (Section 6.1).

How are EU Member States involved in ENISA’s governance structures and day-to-day operations?

The relationship between ENISA and EU Member States is structured to ensure Member States are  involved in the agency’s governance and advisory processes. Each Member State is represented in ENISA’s Management Board, with one appointed member per state, all possessing voting rights. This arrangement ensures that Member States collectively hold influence on ENISA’s strategic decisions, such as the adoption of its single programming document and budget. Some Member States are also represented in ENISA’s Executive Board, which handles preparatory and administrative tasks to facilitate Management Board decision-making. Additionally, representatives of each Member State are involved in ENISA’s National Liaison Officers Network (NLO), which supports the exchange of information between ENISA and Member States. Finally, Member States have the right to attend and participate in meetings of ENISA’s Advisory Group, which provides expert guidance on ENISA’s work. For more details and references to the relevant provisions of the CSA, see Annex I (Section 6.1).

Who decides on ENISA’s resource allocation?

Article 314 TFEU outlines the EU’s budgetary procedure, which is decided annually by the European Parliament and the Council of the EU through a special legislative procedure. ⁴³ The annual budget must follow the EU’s Multiannual Financial Framework (MFF), which sets spending limits by category and is approved by the Council of the EU with involvement from the European Parliament (Art. 312 TFEU). The current MFF covers the years 2021-2027. The European Commission prepares both the MFF proposal and draft annual budgets, based on estimates received from EU institutions and bodies (see Art. 29 CSA for ENISA’s procedure). If the European Parliament and the Council of the EU disagree on the budget, Article 314(5)–(8) TFEU describe resolution steps, including forming a conciliation committee. ENISA’s Executive Director is responsible for managing the agency’s budget (Art. 31(1) CSA).

How have ENISA’s budgetary and human resources evolved over time?

In 2023, ENISA oversaw a budget of 44 million euros (including 15 million euros for implementation of the Cybersecurity Support Action through a separate contribution agreement ⁴⁴ ) and employed 113 people. ⁴⁵ In addition to its regular budgetary allocation and additional funding for the implementation of the Cybersecurity Support Action until 2026, ENISA receives supplementary financial means for carrying out specific tasks: 12 million euros for establishing, managing, and maintaining the single reporting platform foreseen in the CRA as well as 2.55 million euros in order to continue the Cybersecurity Support Action until December 2027. ⁴⁶ According to the agency’s latest single programming document, other contribution agreements are on the table regarding the agency’s tasks in the context of the Cyber Situation and Analysis Centre ⁴⁷ and the Cyber Reserve as stipulated in the CSOA. ⁴⁸

The following two figures provide an overview of developments in 2005–2023 based on data from the European Court of Auditors (ECA) ⁴⁹ :

Figure 1: Development of ENISA’s budget 2005–2023

Figure 2: Development of ENISA’s staff numbers 2005–2023

These numbers translate to a 126% increase in staff and a 598% increase in budget (including the additional money granted to ENISA for implementation of the Cybersecurity Support Action) between the years 2005 and 2023. When deducting additional contributions emanating from the Cybersecurity Support Action, ENISA’s budget increased by 360% when compared to the year 2005 (see Figure 3).

Figure 3: Percentage increase of ENISA’s budget and staff 2005–2023

Challenges

This chapter outlines six key challenges facing ENISA in the fulfillment of its purpose based on various observations. These challenges are deeply interconnected, mutually reinforcing, and have a significant cumulative impact on ENISA’s capacity to carry out its mandated tasks, which ultimately affects its contribution to make the European Union more cybersecure. As each challenge brings its own set of issues shaping ENISA’s ability to fulfill its purpose, every section concludes with a paragraph outlining the implications for ENISA’s operations and the EU cybersecurity policy ecosystem as a whole.

Challenge 1: ENISA operates within a complex, heterogeneous environment

ENISA operates in a complex and demanding environment, making its role and the place it occupies within the EU cybersecurity policy ecosystem challenging from the outset. Three observations highlight challenges pertaining to ENISA’s operating environment:

Observation 1: ENISA’s role and sphere of influence are contested

ENISA’s mandate spans a wide range of issue areas, including awareness-raising, research, certification, and policy development (for a comprehensive overview see Section 3.3). In addition to substantial overlaps with other actors at both the EU ⁵⁰ and Member State levels undertaking similar tasks, ENISA’s role is being contested by the establishment of new actors at the EU level operating in areas intersecting with the agency’s mandate. The most recent example of such an occurrence is the set-up of the so-called Cyber Situation and Analysis Centre housed within DG CONNECT’s Cyber Coordination Task Force, to which ENISA also contributes. ⁵¹ In this respect, in its conclusions on ENISA, the Council of the EU also specifically invited the European Commission to “streamline the tasks of the Cyber Situation and Analysis Centre of the Commission and ENISA’s related tasks.” ⁵² Another very prominent example is the set-up of the European Cybersecurity Competence Centre (ECCC) in Bucharest, agreed upon in 2021, ⁵³ which has assumed tasks relating to, for instance, research and skills – tasks that ENISA is also mandated to undertake.

In both instances, it is not clear what conceptual basis, for example, along the lines of strategic/operational/tactical/reflective tasks, underlies the distribution of responsibilities between ENISA, the Cyber Situation and Analysis Centre, and the ECCC. Therefore, the establishment of these actors raises the question of why the sought capacities and tasks – encompassing elements as stipulated in ENISA’s mandate – were not housed or built up within ENISA itself as a strategic mid- to long-term effort, which would have supported the co-legislators’ original ambition of the agency being a “centre of expertise on cybersecurity” (Art. 4(1) CSA).  From a systemic and institutional perspective, this diversification in actors also further contributes to a diversification of the EU cybersecurity policy ecosystem (sometimes also labelled as a “galaxy” ⁵⁴ ).

Observation 2: ENISA operates in an environment with varied maturity and capability levels

ENISA’s room for maneuver is further challenged by the fact that different levels of cybersecurity maturity and capabilities persist in Member States, EU entities, and sectors. Already within Member States, there is significant variation in terms of cybersecurity readiness. While noting the limitations to indexes seeking to compare national approaches, a look at the International Telecommunications Union’s 2024 Global Cybersecurity Index reveals diverse levels of cybersecurity maturity in the Union. Whereas the capacities of fifteen EU Member States are considered “role-modelling,” ten other Member States find themselves in the “advancing” category, and two in the “establishing” tier. ⁵⁵ This variety in Member State cybersecurity maturity corresponds with the European Commission’s assessment on the state of “cyber preparedness” in EUIBAs. ⁵⁶ The disparity is also mirrored at the sectoral level: Whereas sectors like finance and energy often exhibit (more) advanced cybersecurity levels, less resourced sectors, such as the rail or health sector, lag behind and display moderate or low maturity levels. ⁵⁷ In addition, capacities are spread heterogeneously among EU citizenry, which is another target group according to ENISA’s mandate. ⁵⁸ For a supranational organization like ENISA, this poses a challenge, as it must tailor its outputs to diverse, distinct environments while still adding value to each. By way of a concrete example, the cybersecurity agency of a well-resourced EU Member State may be less dependent on ENISA’s support, whereas others with lower cybersecurity maturity may approach ENISA with a whole different set of expectations, for example, relating to capacity-building.

Observation 3: ENISA must add value to differing national implementations

Third, ENISA faces significant heterogeneity in how Member States implement (EU) cybersecurity policies within their jurisdictions. This variability in initial policy foundations and overall approaches to cybersecurity manifests in several areas, including, for instance, cybersecurity certification ⁵⁹ and market supervision. ⁶⁰ In this respect, ENISA’s report on the state of cybersecurity in the Union highlights divergences among Member States pertaining, inter alia, to “domains related to policy implementation, in particular with regards to vulnerability disclosure and supervisory measures for essential and important entities, as well as R&D and education” and “monitoring frequency” relating to Member States’ “cybersecurity threat level.” ⁶¹

As a specific example, Member States differ in the importance they attach to sectoral versus central responsibility at the national level, as exemplified by the competent authorities designated by EU Member States pursuant to the first NIS Directive. While one entity assumes the role as the competent authority for all “operators of essential services” and “digital service providers” in the majority of Member States, others have from two up to seven entities assuming this role: ⁶²

Table 1: Number of competent authorities for all operators of essential services and digital service providers designated pursuant to the first NIS Directive across Member States

Implications

The lack of a clear demarcation of ENISA’s role, competences, and relationship with other entities at both the EU and the Member State levels can pose notable consequences. Without a designated body to coordinate cybersecurity at the EU level, this ambiguity – at worst, contributing to confusion and fragmentation – can result in inefficiencies and duplicated efforts. For ENISA, it increases the need for coordination with other actors, which may hinder its ability to develop specialized expertise. ⁶³ The diverse approaches to cybersecurity policy implementation and the varying maturity levels across Member States, EUIBAs, and sectors present challenges to implementing a uniform, horizontal framework. Given its broad mandate but limited resources (see also Section 4.6), ENISA must maintain a deep understanding of national and sectoral contexts ⁶⁴ to address the distinct yet interconnected priorities of multiple stakeholders. These peculiarities can pose a challenge to ENISA’s activities, as the agency must account for these specificities in its work to have impact, yet it must find a way to do so in a resource-preserving way while also ensuring the highest possible level of interoperability.

Challenge 2: ENISA’s expansion of tasks results in mounting expectations from a steadily increasing number of actors

In recent years, the EU’s regulatory scope covering cybersecurity matters has expanded significantly. Over time, the EU’s regulatory efforts have transitioned from a ‘light touch’ approach to a more robust framework. This has resulted in a growing variety and number of entities, including, for instance, Member State entities, EU bodies, and other actors like energy network operators and domain name system service providers now being subject to elevated cybersecurity obligations and respective mechanisms for enforcement across the Union. These developments have also accelerated ENISA’s relevance and the agency has gained prominence, as evidenced by the increase in mentions of ENISA in EU documents in percentage terms within the last two decades (see Figure 6 below). ⁶⁵

Figure 4: Percentage increase in EU documents mentioning ENISA or European Network and Information Security Agency ⁶⁶

The documents mentioning ENISA often also specifically confer tasks to the agency. Many of these tasks stem from legislation adopted within recent years, emphasizing the gradual expansion of ENISA’s tasks among a wide variety of actors: EUIBAs and EU-internal coordination bodies, Union-level cooperation and EU–Member State-coordination bodies, Member State entities, and non-state stakeholders and bodies with stakeholder involvement. With more entities and ICT products falling within the scope of EU cybersecurity legislation, a continuously growing number of actors with varied portfolios has – and more openly expresses – expectations regarding ENISA.

A few observations underscore this development:

Observation 1: ENISA must cater to a comprehensive actor network

As Table 2 below shows (for a more detailed version see Annex II, Section 6.2), EU legislation provides for a diverse and expanding network of relationships involving ENISA by outlining interactions and relationships with various specific actors. The designated relationships are often bidirectional since ENISA acts, for instance, both as a provider of assistance as well as a recipient of information from actors, such as Member State entities.

Table 2: Overview of ENISA’s actor network as derived from EU legislation (for more details on their legal bases, see Annex II, Section 6.2) ⁶⁷

Observation 2: ENISA maintains a wide web of relationships

ENISA’s actor network is further expanded when accounting for relationships specified in policy documents and interactions otherwise alluded to in ENISA’s annual activity report or other publicly available sources, such as the agency’s website. Overall, their relationship encompasses a very wide scope, comprising, for example, cooperation in the implementation of joint activities and events, or the issuance of joint publications.

Table 3: Expansion of ENISA’s actor network accounting for other sources

Observation 3: ENISA faces rising expectations from various actor groups

With Tables 2 and 3 together comprising (at least parts of) ENISA’s complex actor network, expectations are not only implicitly held by this network but also increasingly expressed explicitly. One can distill several lines of implicit and explicit sets of expectations from the responses to the ENISA evaluation – most of which stem from business associations and private sector enterprises – as well as the recent Council conclusions on ENISA, and other sources. The following seven examples are non-exhaustive but provide a good overview over some of the expectations facing ENISA:

1. ENISA should follow through more thoroughly on specific stipulations in its mandate: For example, in 2022, the ECA noted that ENISA lacks comprehensive insight into the specific practices of individual EUIBAs with respect to their vulnerability disclosure policies and does not provide support in creating or executing these policies – a task foreseen in ENISA’s mandate as stipulated in the CSA. ⁹⁷ In their conclusions on ENISA, Member States have also voiced a desire for ENISA to “share and actively promote technical guidance and best practices in a regular and structured manner assisting the Member States in implementing cybersecurity policy and legislations.” ⁹⁸

2. ENISA should provide additional guidance, education, and/or expertise: For instance, Digital Europe, advocated that “ENISA should deepen its sector-specific expertise to provide tailored guidance and support to critical sectors.” ⁹⁹ Another private sector stakeholder, a US-based company, called for support by ENISA in “navigat[ing] the EU cybersecurity legislative landscape” through the development of “educational tools for companies to help them prepare for future legislation.” ¹⁰⁰

3. ENISA should enhance opportunities for collaboration with the private sector, stakeholders, and public authorities: For example, Microsoft advocated for the establishment of a dedicated unit for a more structured engagement with the private sector, ¹⁰¹ whereas Digital Europe underscored the need to enhance “collaboration with sector-specific authorities and organisations, such as ISACs [Information Sharing and Analysis Centers].” ¹⁰² Also the Finnish IT Center for Science referred to limited engagement of ENISA at the national level with private sector stakeholders, alluding to CSIRTs as an example, ¹⁰³ and the American Chamber of Commerce to the EU sought elevation of communication with ENISA from a “one-way process” to a two-way interaction. ¹⁰⁴ The European Consumer Organization highlighted the need for increased ENISA activities dedicated to outreach to “fully deliver on its [the agency’s] mandate of developing and implementing EU policies on cybersecurity, particularly in relation to consumers.” ¹⁰⁵ In its contribution, Microsoft also outlined the perceived benefits of elevating and expanding the agency’s relationship with each EU Member State as well as EU institutions, specifically the Council and the European Parliament. ¹⁰⁶ A public transport sector entity emphasized the limited visibility and knowledge of ENISA in the sector. ¹⁰⁷ For example, in its conclusions on ENISA, the Council called on the agency “to consider ways to enhance the collaboration between ENISA and European standardisation bodies” and encouraged the agency “to bolster cooperation with the private sector.” ¹⁰⁸

4. ENISA should be conferred additional tasks: For instance, the REWIRE project recommends integration of the “ownership and maintenance of the ECSF [European Cybersecurity Skills Framework]” as part of the agency’s mandate, ¹⁰⁹ while ISACA has made the case for adding the development of a certification scheme for cybersecurity skills to ENISA’s tasks. ¹¹⁰

5. ENISA should expand the list of actors it seeks to target with its outputs: For example, the International Association of Public Transport implicitly called for elevated consideration of the specificities and concerns of the public transport sector throughout ENISA’s work relating to transport. ¹¹¹ The City of Stockholm advocated for a more comprehensive translation of ENISA’s outputs, such as training materials, to enhance the agency’s value added at the local, municipal level. ¹¹²

6. ENISA should pay increased attention to developments relating to emerging technologies: For instance, the Information Technology Industry Council (ITI), Kaspersky, and Microsoft called for the consideration of emerging technologies as part of its mandate. ¹¹³ In this respect, ITI and Microsoft specifically alluded to AI and quantum computing.

7. ENISA should increase its international engagement (see also Section 4.5): Not surprisingly, stakeholders operating worldwide or headquartered outside of EU Member State jurisdictions emphasize the importance of giving a boost to ENISA’s international endeavors. ¹¹⁴ For example, in this respect, the ITI mentioned the goals of ENISA being a regular participant in the EU-US Cyber Dialogue and cooperating with the Organisation for Economic Co-operation and Development (OECD), ¹¹⁵ and the American Chamber of Commerce to the EU alluded to “NATO partners from outside the EU.” ¹¹⁶

In summary, the following actor groups have publicly placed expectations on ENISA:

Figure 5: Actor groups with expectations for ENISA

Implications

Meeting the expectations of these various stakeholders requires substantial effort and resources from ENISA. Given its limited financial and human resources (see further Section 4.6), effectively managing these expectations demands a strategic approach and prioritization by the agency and/or higher political levels. The responses to the ENISA evaluation exemplify that these efforts have been insufficient to date. This results in an important challenge for ENISA: If the agency is expected to provide equal or substantial support to all actors in the EU cybersecurity ecosystem, its limited capacity will most likely prevent it from offering comprehensive assistance to any one group and from fully leveraging its unique position.

Challenge 3: ENISA’s activities extend beyond exclusively internal market–driven objectives as the agency’s operational footprint continues to grow

Building upon the principle of conferral, the EU needs competence – exclusively or shared with the Member States – to take action in a particular policy field (Art. 5 Treaty on European Union (TEU)). In accordance, any competencies not specified in EU primary law “remain with the Member States” (Art. 5(2) TEU). Hence, for example, EU Member States retain exclusive competence over national security (Art. 4(2) TEU), with some countries being resistant to any EU involvement in this sensitive area. ¹¹⁷ Therefore, EU cybersecurity legislation often includes disclaimers to clarify that these measures do not infringe upon Member States’ competence in matters of public security, defense, national security, or state activities in criminal law, as illustrated, for instance, in Art. 1(2) of the CSA, ¹¹⁸ thereby also specifying red lines for ENISA’s activities. The CSA draws on EU competences in relation to the internal market as the legal basis for the agency’s establishment by referencing Art. 114 TFEU and specifying “ensuring the proper functioning of the internal market while aiming to achieve a high level of cybersecurity, cyber resilience and trust within the Union” (Art. 1(1) CSA) as the agency’s objective. Also, during a 2020 event, ENISA’s Executive Director Juhan Lepassaar referred to ENISA as an “internal market agency.” ¹¹⁹

Given the cross-cutting nature of cybersecurity, there are, however, inevitable interlinkages between cyber and national security. While the internal market remains central to ENISA’s mandate – for instance, in relation to the implementation of the NIS 2 Directive – the agency’s growing operational footprint indicates that ENISA is de facto assuming a broader role going beyond purely internal market–driven considerations or entirely economy-related goals such as ensuring the cohesion and prosperity of the EU as “an area without internal frontiers [... permitting] the free movement of goods, persons, services and capital” (Art. 26(2) TFEU). The 2019 CSA also includes operational cooperation as one of the eight pillars of ENISA’s work, mandating ENISA, inter alia, to regularly organize exercises (Art. 7(5) CSA) ¹²⁰ and contribute to the “develop[ment of] a cooperative response at Union and Member States level to large-scale cross-border incidents or crises related to cybersecurity,” for example, by “facilitating [upon request] the technical handling of such incidents or crises, including, in particular, by supporting the voluntary sharing of technical solutions between Member States” (Art. 7(7), point (c)) CSA).

A few concrete examples in the areas of incident and crisis management, situational awareness, and operational coordination illustrate this development:

1. First, ENISA plays a considerable role in providing the secretariat and supporting the work of the CSIRTs Network ¹²¹ and the European Cyber Crisis Liaison Organisation Network (EU-CyCLONe). ¹²²

2. Second, the Blueprint on Coordinated Response to Large-Scale Cybersecurity Incidents and Crises – as well as the European Commission’s 2025 update proposal ¹²³ – foresees the involvement of ENISA. ENISA is also part of the EU’s so-called interinstitutional Cyber Crisis Task Force. ¹²⁴

3. Also, the 2017 and 2023 implementing guidelines on the EU’s Cyber Diplomacy Toolbox refer to contributions by ENISA, for instance, in the area of situational awareness. ¹²⁵ Throughout recent years, ENISA was also frequently present when the Horizontal Working Party on Cyber Issues (HWPCI) discussed developments relating to the Cyber Diplomacy Toolbox. ¹²⁶

4. Further examples of ENISA’s increased engagement in operational activities are the issuance of EU Joint Cyber Assessment Reports (EU-JCAR) together with CERT-EU and Europol as well as a one-time alert published jointly with CERT-EU in February 2023 highlighting activities by various Chinese advanced persistent threat (APT) groups. ¹²⁷
   

Implications

Despite the limitations on EU action in the area of national security, these activities – along with the overall evolution of the EU’s cybersecurity acquis – demonstrate that cybersecurity has increasingly become an area where national and EU-level security concerns intersect. ENISA Executive Director Lepasaar has also emphasized that security and cybersecurity are increasingly being considered together, ¹²⁸ and ENISA’s growing operational footprint exemplifies this shift. At the same time, there is continued interest from Member States in ENISA activities relating to operational cooperation. In their conclusions on ENISA, the Council invited the European Commission “to examine and further strengthen ENISA’s role in supporting operational cooperation at the EU level [...], taking into account Member States’ competences in this field.” ¹²⁹ However, discussions around initiatives such as the CSOA and the Joint Cyber Unit have highlighted the ongoing challenge of striking a balance between EU-level coordination in operational matters and national sovereignty–related concerns. Therefore, looking ahead, a key question will be how “operational” should be defined in the context of ENISA’s mandate. Should ENISA become a more operational actor itself – for example, by directly engaging with entities in Member States as envisioned, for example, by the European Commission most recently in its EU Health Action Plan (which is something that some Member States strongly oppose)? Or should ENISA limit its role to exclusively facilitating and supporting Member State–led operational activities?

Challenge 4: ENISA’s purview is progressively shaped by political dynamics

ENISA Executive Director Lepassaar, has acknowledged the significant changes impacting the agency’s role, stating: “For twenty years we have been watching over the cyber security of the Union, but for twenty years not many political projects happened. It was a technical debate, not a political one – that has changed considerably” ¹³⁰ (author’s translation). At the same time, Lepassaar emphasized ENISA’s identity as a technical agency focused on drawing up plans rather than acting as an implementing authority or applying political standards. ¹³¹ While this deliberate shying away from political issues and focus on technical deliverables over the years has likely been an important factor contributing to the agency’s institutionalization, ¹³² the reality of ENISA’s increasingly politicized context has implications for the agency.

Four observations illustrate the implicit politicization of ENISA activities over recent years:

Observation 1: Cybersecurity has become more relevant to EU policy-making

The increasing prominence of cybersecurity at the EU level is evident in the significant increase in the frequency with which terms related to cyber and IT security have been mentioned in EU documents over the years. In parallel, this general evolution elevated the agency’s visibility and, with the issue gaining political prominence, resulted in a gradual expansion of conferred tasks to ENISA (see also Section 4.2).

Figure 6: Percentage increase in EU documents mentioning cybersecurity, IT security, and/or information security ¹³³

Observation 2: ENISA is increasingly involved in policy development

In addition, ENISA not only works with outputs from the political level or builds its work upon them, but the agency is also increasingly involved or consulted in the context of policy-making. Activities relating to the development and implementation of Union policy and law also make up the first cluster of tasks assigned to ENISA (see further Art. 5 CSA). Comparing the respective passages included in ENISA’s annual activity reports over the years 2017–2023 shows a gradual increase. ENISA’s 2023 Annual Activity Report provides a good overview of the scope and status quo of ENISA’s political engagement on various legislative files (Table 4): ¹³⁴

Table 4: ENISA’s involvement in the development of various policy files based on its 2023 annual activity report

In this respect, ENISA also claimed success, as it underscored that its perspectives were reflected in the final text of the CRA. ¹³⁵

With the number of EU legislative acts of relevance to cybersecurity growing, ENISA is also increasingly designated to be consulted or involved in the European Commission’s drafting of various non-legislative acts through the provision of advice, including, for example, the delegated or implementing acts to be adopted pursuant to the NIS 2 Directive, the Regulation on the internal markets for renewable gas, natural gas and hydrogen (2024/1789), the CRA, or the CSOA. Despite the recognition for the importance of this area of work, only a small number of ENISA staff were involved in implementing the agency’s policy development activities in 2023 given resource constraints. ¹³⁶ Against this backdrop, it is not surprising that ENISA, in its 2024 report on the state of cybersecurity in the Union, implicitly advocated for enhanced involvement in the development of EU policies in the context of its recommendation relating to sectoral specificities. ¹³⁷ Other stakeholders have in the past also called for ENISA “to play a more prominent role in advising on planned EU legislative initiatives with cybersecurity implications.” ¹³⁸ In this endeavor, ENISA has the Member States on its side, as they recently called on the European Commission to “reinforce ENISA’s advisory role in providing expert and evidence-based guidance and recommendations, with regard to the implementation of current and future EU legislative and non-legislative initiatives.” ¹³⁹

Observation 3: ENISA’s participation in HWPCI meetings has grown

Judging by the publicized agendas of the HWPCI (and its predecessor group ¹⁴⁰ ), representatives of ENISA have become more regular participants in the HWPCI over the years (see Figure 7).

Figure 7: ENISA representation in HWPCI meetings 2013–2024 ¹⁴¹

While representatives of ENISA were often present in the discussion of various agenda items due to the fact that they gave presentations or updates in earlier years, the agency has recently been increasingly involved without having an active presentation role, especially in the context of discussions on the Cyber Diplomacy Toolbox, Cyber Diplomacy Toolbox Tabletop Exercises, EU Cyber Crisis Management, or debriefs provided by the European Union Intelligence and Situation Centre (EU INTCEN). ENISA also added an office in Brussels, operational since April 2022. ¹⁴²

Observation 4: ENISA could not shy away from the political backlash surrounding the development of certification schemes

A policy paper on ENISA would not be complete without mentioning the policy-related challenges that have arisen around the establishment of European cybersecurity certification schemes. Past developments in this area also showcase that ENISA cannot entirely avoid having to address politically sensitive issues that may arise within the scope of its mandate. As discussions around the European Union Cloud Services Scheme (EUCS) show, ¹⁴³ political considerations – and the lack of a built-in mechanism to deal with divergent Member State views of a (foreign and security) policy nature – have occasionally constrained both the efficiency and the effectiveness of ENISA’s work and resulted in frustration among various actors. To diminish the risk of ‘deadlocking’ ENISA’s work on cybersecurity certification schemes, Danish authorities, for instance, highlighted the “need for a mechanism to shift discussion on political matters from ENISA and technical sub groups to a political forum, such as the Council HWPCI”  in their publicized response to the European Commission’s ENISA evaluation in an effort to separate more political from technical considerations. ¹⁴⁴ In his/her reply to the ENISA evaluation, an anonymous member of ENISA’s Advisory Group identified the resulting challenge for the agency quite well: “the core of the question is whether the Cybersecurity Act certification system should be used to drive a technical process or should it also pursue more political objectives.” ¹⁴⁵

Implications

For ENISA, all these developments raise questions about the agency’s ability to remain completely detached from policy issues or political frameworks. In navigating the increasingly complex policy and regulatory landscape it inevitably finds itself in, ENISA must progressively balance its technical mandate with the political realities shaping its work. ¹⁴⁶

Challenge 5: ENISA is taking on a more prominent role at the international level

The  CSA not only entrusts ENISA with an inward-looking mandate but also tasks it with “contribut[ing] to the Union’s efforts to cooperate with third countries and international organisations as well as within relevant international cooperation frameworks to promote international cooperation on issues related to cybersecurity” (Art. 12 CSA). ¹⁴⁷ As examples to that end, the Act enumerates ENISA participation in international exercises in an observational capacity as well as its support for the European Commission through the provision of advice and expertise, for instance, in the area of mutual recognition of cybersecurity certificates, as well as assuming the role as a facilitator for best practice exchange (Art. 12 CSA).

The CSA also provides for the possibility of “participation of third countries that have concluded agreements with the Union to that effect” (Art. 42(2)). ¹⁴⁸ Since 2005, the European Free Trade Association countries Iceland, Liechtenstein, and Norway have participated in ENISA and assume observer roles in the agency’s Management Board. ¹⁴⁹ The CSA also grants ENISA the opportunity to “cooperate with the competent authorities of third countries or with international organisations or both,” with the disclaimer that this cooperation shall be carried out “to the extent necessary in order to achieve the objectives set out in this Regulation” (Art. 42(1)). ¹⁵⁰ Any such working arrangement must be previously approved by the European Commission and cannot result in any legal obligations on the part of either the Union or the Member States (Art. 42(1)). Pursuant to a respective provision in the CSA (Art. 42(3)), ENISA developed an international strategy “concerning matters for which ENISA is competent” in November 2021. The strategy outlines ten principles guiding ENISA’s international approach, including, for example, provisions on focus, resources, and coordination with/approval by other relevant entities and specifies a portfolio of three international approaches (limited, assisting, and outreach) that ENISA can employ. ¹⁵¹

In recent years, ENISA has assumed a more prominent role at the international level, evidenced, for example, by the conclusion of working arrangements with Ukrainian ¹⁵² and American cybersecurity agencies ¹⁵³ in June and December 2023 respectively. A further working arrangement with the NATO Communications and Information Agency (NCIA) is expected to be finalized in due course. ¹⁵⁴ A look at the relevant provisions of ENISA’s annual activity reports between 2017 and 2023 also underscores the tendency of international expansion of the agency’s activities (Table 5):

Table 5: Overview of ENISA’s international activities 2017–2023 based on the agency’s annual activity reports

As a result, and as ENISA itself noted, the expectations of international partners have increased. In this respect, the agency stated in its international strategy (emphasis by the author):

“ENISA is also often approached by third countries directly with high expectations of mutual collaboration, and is confronted each time on how best to react. Such welcomed developments call for a more strategic approach to the international dimension of ENISA’s work in order to guide the engagement of the Agency with third country partners, as well [as] to direct Agency’s response to third country partners seeking cooperation with ENISA.” ¹⁵⁵

Combined with the observation made in Section 4.2, these developments significantly expand the number of actors likely having expectations towards ENISA by adding international partners as a fifth target audience (see Figure 8):

Figure 8: Actor groups with expectations for ENISA II

For instance, a concrete example of these increased expectations for ENISA beyond EU or Member State entities is the interest expressed by stakeholders in having the six Western Balkan economies participate in ENISA (for example, on the basis of Art. 42 CSA). ¹⁵⁶ The exact scope of such an involvement would need to be specified in dedicated working arrangements. Judging by ENISA’s arrangements with Ukrainian and U.S. authorities, these may center around cyber awareness, capacity-building, or the exchange of best practices.

The Council’s conclusions on ENISA also take note of the agency’s increased international activities. In this context, EU Member States emphasized that the agency should concentrate its global efforts on key alliances, including the Organization for Security and Co-operation in Europe and NATO, as well as with prospective EU Member States. On a more critical note, the Council also underlined “the necessity of clarifying, in accordance with relevant procedures, ENISA’s international involvement, ensuring in particular that its Management Board is duly and timely informed of the related activities.” ¹⁵⁷

Implications

ENISA’s growing international activities may contribute to a blurring of lines of responsibility for the EU’s external engagement on cybersecurity and IT security policy at both the EU and Member State levels. ENISA’s enhanced international profile also results in a greater need for coordination with key EU players, particularly the European External Action Service (EEAS), as well as the international relations teams within national cybersecurity agencies. This coordination is crucial to ensure coherence and synergies are leveraged where possible. Looking ahead, an important question will hence be whether ENISA’s international efforts are “proportionate to the agency’s core task” ¹⁵⁸ of “ensuring the proper functioning of the internal market while aiming to achieve a high level of cybersecurity, cyber resilience, and trust within the Union” (Art. 1(1) CSA). Given the agency’s resource constraints, it will also be increasingly relevant for policymakers to determine whether – and if so, how – ENISA should prioritize these international tasks and how many resources should be allocated to that purpose.

Challenge 6: ENISA’s workforce needs exceed its allocated budget

Since 2014, ENISA has generally seen an increase in funding and staff, with only a few exceptions in 2018 and 2024 (for a full overview, see Annex III, Section 6.3). Rises were especially granted after the entry into force of the CSA in 2019. However, since the 2024 budget, there has been a gap between ENISA’s requests and the resources ultimately allocated to the agency.

For example:

• For the 2025 budget, ENISA requested six additional full-time equivalents (FTEs) and about three million euros more for staff and operational costs. ¹⁵⁹ The European Commission granted two additional posts (one temporary and one seconded national expert (SNE)) as stipulated in the CRA’s legislative financial statement and did not increase the budget as requested.

• In 2024, ENISA asked for an eight million euro budget increase and 17.5 more FTEs to meet its growing responsibilities, ¹⁶⁰ none of which it ultimately received. ¹⁶¹ With a view to carrying out new tasks conferred to ENISA through the CRA and CSOA, ENISA, based on estimates, requested an additional allocation of 8.33 FTEs (on average) per year for the years 2025–2027. ¹⁶²

The issue of ENISA’s limited human resources dates back to the agency’s early years. In 2007, an evaluation of ENISA came to the conclusion that it should employ “at least 100 staff.” ¹⁶³ At the time, ENISA employed 56. During the 2017 evaluation of ENISA, “38 of 54 respondents to the online public consultation expressed the view that the size of the agency was inadequate.” ¹⁶⁴ At the time of the latter evaluation, ENISA employed 84 persons. This number had risen to 113 by 2023 (for more details on ENISA’s budgetary and human resources over the years see Section 3.7). ¹⁶⁵ The agency surpassed the number of 100 employees for the first time in 2021. ¹⁶⁶

ENISA has responded to these – in its view – unfavorable resource-related developments by becoming increasingly vocal, openly criticizing the significant gap between its requested and allocated resources. It also warned that it is nearing the limits of its operational capacity as a result. To make its case for increased budgetary and human resources, ENISA has put forward a number of arguments over the years:

1. First and foremost, ENISA argues that its resources do not reflect the increasing tasks assigned by new legislation and stakeholder expectations. ¹⁶⁷ In 2023, ENISA’s Management Board raised its concerns in a letter to then Commissioner Thierry Breton in order “to ensure adequate resources for the Agency to be able to undertake any new tasks.” ¹⁶⁸ ENISA underscored its commitment to “continuous improvement of its administrative and operational efficiency,” but also claimed that it would have “almost exhausted all possible internal and external actions that it can take to resolve the insufficient allocated resources.” ¹⁶⁹

2. In addition, ENISA complained that, as a side effect, the de-/re-prioritization resulting from limited resources would have resulted in internal reshufflings and rededication of both resources and personnel due to ad hoc adjustments, with the Cybersecurity Support Action representing one example. ¹⁷⁰

3. Another major concern of the agency is the “rapidly deteriorating cybersecurity threat landscape,” worsened by the war in Ukraine, which ENISA argues was not foreseen in the EU's 2021-2027 MFF. ¹⁷¹ ENISA claims that even with the additional funds dedicated to it via the Cybersecurity Support Action following the Nevers Call, ¹⁷² this financial contribution would not be enough for it to carry out the tasks assigned to it and meet the interests of various stakeholders. ¹⁷³ In this context, the Management Board has asked for “increased human resources that also include an operational reserve component to be able to manage heightened cybersecurity challenges during times of escalation” in order to be prepared to avoid the need for reactive ad hoc readjustment. ¹⁷⁴

4. Lastly, proponents of increased resources for ENISA emphasize the extensive consequences resulting from its constrained resources both in terms of its ability to act and the implications for the attainment of its objectives. These consequences are specifically described as being “detriment[al] to the agency’s ability to achieve a high common level of cybersecurity across the Union.” ¹⁷⁵

With the Council conclusions on ENISA, Member States again made the case for equipping ENISA with “adequate resources – human, financial and technical – in order to fully enable the Agency to execute all the tasks under its competence,” and therefore called on the European Commission “to prioritise actions and assign priority to tasks related to supporting Member States in enhancing their cyber resilience, their operational cooperation and the development and implementation of Union Law when preparing the draft general budget of the Union.” ¹⁷⁶

Implications

Faced with these resource constraints, ENISA finds itself in a situation where it has to square the circle. On the one hand, to make a compelling case for increased resources across the Union, decision-makers would benefit from firsthand experiences of ENISA’s added value. On the other hand, ENISA lacks the resources necessary for effective outreach and communication reaching decision-makers in Member States, which could influence political support. This creates a dilemma: ENISA needs greater visibility – particularly in national capitals – to justify its funding needs, yet it struggles to achieve this visibility without the resources it seeks.

In its 2023 Coordinated Annual Activity Report, the agency acknowledged “overlaps, gaps, and inconsistencies in existing policies,” ¹⁷⁷ underscoring that the agency’s limited resources can not only hinder its ability to act but might also prevent it from effectively monitoring, identifying, and resolving regulatory discrepancies. This challenge is particularly fundamental given the recent expansion of the EU’s cybersecurity policy ecosystem, where a lack of oversight and management of interlinkages across policies risks weakening the Union’s overall objective of enhancing cybersecurity throughout Europe through the establishment and enforcement of a legally sound and consistent framework. Limited resources may also negatively affect the agency’s working environment. This risk is evidenced in ENISA’s 2023 Annual Activity Report, which noted that “staff satisfaction was below the target value, driven mainly by time management and stress levels.” ¹⁷⁸

Recommendations

As Chapter 4 has shown, ENISA has undergone significant shifts in recent years. In theory, ENISA is well-positioned to assist various stakeholders. However, in practice, the agency often falls short of meeting the expectations placed upon it. As the Union positions itself as a global driver and leader in setting norms and standards on cybersecurity, its dedicated agency for cybersecurity matters faces challenges due to resource-induced capacity gaps, mandate unclarity, and operational efficiency, which may impact internal policy cohesion and the EU’s external leadership potential. The challenges outlined in Chapter 4 highlight the need for ENISA, and particularly the political levels involved, to more clearly define the agency’s role, better articulate its priorities, and effectively target key audiences to manage expectations.

Recommendation 1: Clarifying ENISA’s role

Since its establishment, the scope of tasks assigned to ENISA as well as the importance of cybersecurity at the EU level accelerated significantly. In recent years, for example, ENISA has taken on a larger role in coordinating Member States’ activities at the operational level, developing EU policies, and raising its international profile. At the same time, the boundaries between ENISA’s competences and those of other EU and national entities remain blurred, as does the agency’s primary objective of contributing to the “functioning of the internal market” (Art. 114 TFEU).

Additionally, divergences in preferences regarding ENISA’s role exist among Member States. For instance, some Member States may want ENISA to take on a larger role in incident response due to their own limited resources, while others prefer that ENISA does not communicate directly with, for example, domestic companies affected by a particular incident. At the same time, the agency faces the challenge of balancing its technical mandate with the inevitable political components surrounding cybersecurity, playing out especially at the EU level. Meanwhile, the European Commission is bringing more power in terms of cybersecurity policy to the EU level by extending its policy and regulatory efforts – and ultimately also its competences – in this domain, yet it has not expanded ENISA’s role accordingly. This underscores the need for a sharper delineation of ENISA’s activities and a clearer articulation of the stakes the agency holds in EU cybersecurity (policy).

To optimize ENISA’s impact, particularly in the context of its limited resources, it is crucial for policymakers to clarify the agency’s role and specify where ENISA, as an EU agency, adds the most value in enhancing the Union’s cybersecurity. In this respect, pinpointing tasks and responsibilities that ENISA could best handle in collaboration with, or in support of, other entities that may already be carrying out part of the work could help optimize ENISA’s resource capacity.

Recommendation 2: Refining prioritization of ENISA activities

An unclear role and insufficiently delineated target audiences hinder ENISA’s ability to focus and specialize. ENISA’s horizontal mandate and current setup require significant resources for coordinating and maintaining close relationships with actors across EUIBAs, Member States, industry, other stakeholders, and international partners – each with interconnected but varied objectives. At the same time, ENISA’s limited resources necessitate sharper prioritization, with a focus on clearly defined actions that align with its strategic objectives. For instance, in its 2023 Annual Activity Report, the agency noted that “activity 1 [providing assistance on policy development], jointly with activity 2 [supporting implementation of Union policy and law ¹⁸² ], topped the ENISA Management Board’s list of priorities.” ¹⁸³ If this is the shared assessment of Member States and the European Commission, these priorities – along with the full ranking – should be communicated widely and explicitly rather than be left to implicit inference. ¹⁸⁴ An enhanced prioritization would permit ENISA to develop specialized expertise for priority areas in a sustainable manner while at the same time fostering trusted relationships with primary recipients of its activities.

Recommendation 3: Manage expectations of ENISA’s target audiences

As Figure 8 underscores, a wide variety of actors have high expectations for ENISA. However, neither ENISA nor the political leadership defining its mandate appear to have effectively managed these expectations, as evidenced by the publicized responses to the European Commission’s evaluation of ENISA. ¹⁸⁵ To address this, both ENISA and policymakers should clearly communicate – particularly with the private sector, other stakeholders, and international partners – what level of support they can realistically expect from ENISA given the agency’s resource constraints. To ensure transparency and clarity, it is essential that relevant actors understand the criteria by which ENISA prioritizes its activities and stakeholder engagement. While this information does not always need to be publicly available, it should be shared with key stakeholders, especially considering the varying levels of maturity and capability among those seeking ENISA’s assistance. Additionally, if ENISA lacks the resources to engage further, communicating this proactively would help mitigate potential misunderstandings and manage expectations based on a realistic assessment of the agency’s capacity.

As a starting point, ENISA could build upon its 2022 stakeholder strategy, which is not publicly available, by enhancing transparency around stakeholder engagement. Expanding on recent good communication practices – such as listing stakeholders and engagement levels for each agency activity in its work program ¹⁸⁶ and specifying topics and content for intended target audiences, as seen with ENISA’s new website ¹⁸⁷ – can improve clarity and make the strategy more visible as a reference point. Effective expectation management would also benefit significantly from a clearer definition of ENISA’s role (Recommendation 1) and a sharper prioritization of the agency’s activities (Recommendation 2).

Making ENISA fit for purpose is a question of political will

Meeting the EU’s formulated cybersecurity-related objectives requires a strong institutional backbone. Addressing the challenges outlined in this paper is therefore essential to preserving the EU’s regulatory and policy entrepreneurship on cybersecurity matters. If ENISA’s mandate is to be revised during this legislative cycle, policymakers should act on these recommendations. But how can this be achieved?

A first step in implementing these recommendations would be a more proactive and transparent communication strategy by ENISA, the European Commission, and Member States. This should include clear engagement with EU and national entities, organizations bound by EU cybersecurity legislation, and the public. ¹⁸⁸ Enhanced transparency and targeted outreach would help stakeholders better understand ENISA’s actions and priorities – an issue Member States have also previously identified as requiring improvement. ¹⁸⁹

Ultimately, however, ENISA’s future depends on political will. The agency cannot drive meaningful change on its own, as these issues lie beyond its direct scope of influence and decision-making authority (for an overview of ENISA’s governance structures see Section 3.4, Section 3.5, Section 3.6, and Annex I, Section 6.1). Progress will require strong backing from both Member States and the European Commission, which together form ENISA’s Management Board. One way to structure this support could be by integrating an ENISA-specific work package into the mid-term program for Council presidencies, developed by the ‘trio groups’. ¹⁹⁰ Securing additional support from policymakers in the European Parliament could reinforce this effort. The recent Council conclusions on ENISA ¹⁹¹ as well as the ‘Warsaw Call’ declaration by EU ministers responsible for cybersecurity, ¹⁹² which emphasized the “need for a strengthened, clearly defined, and focused ENISA [...] mandate,” provide a strong foundation for mobilizing further support and reinforcing Member State commitments.

To implement the recommendations outlined in this Chapter, policymakers in Member States and EU institutions must decide whether to provide ENISA with the necessary resources, capabilities, and political backing. Two basic conceptual options emerge in that regard: Either decisionmakers equip ENISA with the financial resources and personnel needed to fully meet its mission and responsibilities or, on the contrary, they decide in favor of redefining ENISA’s mandate so that it aligns with existing resources. The latter would require significantly narrowing ENISA’s tasks, limiting its scope of activities – such as focusing solely on policy implementation, capacity-building, and/or certification – and/or restricting the agency’s role to provide support exclusively to Member States and EUIBAs, ¹⁹³ thereby also decreasing the number of actors placing expectations on ENISA.

To facilitate finding consensus on which pathway to take, policy and decision-makers should comprehensively address the following questions when seeking to clarify ENISA’s role, refine its priorities, and manage expectations more effectively:

Outlook

With the agency’s role under review as part of the European Commission’s ongoing evaluation mandated by the CSA, 2025 marks a pivotal moment for reassessing ENISA’s capacity and clarifying its strategic direction. Looking ahead, two issues stand out:

First, resources will remain a crucial factor. As the number of entities subject to new obligations grows, ENISA will require innovative solutions for effective implementation – especially given the similar challenges faced by Member States.  At the same time, there should be no illusion that more resources are in themselves the silver bullet and solution to ENISA’s challenges. They would need to be accompanied by reforms to internal processes to ensure that they are used in the most efficient manner. The negotiation of the next EU MFF post-2027 will be a critical window of opportunity for those advocating for increased resources for ENISA.

Second, in clarifying ENISA’s role, policymakers and decision-makers should determine whether the agency should continue to operate within its role as an “internal market agency” or if its mandate should be explicitly elevated to encompass matters beyond the internal and digital single market. With its responsibilities continuing to expand, ENISA is already de facto functioning as more than an exclusively internal market–oriented entity, reflecting its evolving and increasingly complex mandate. How ENISA’s operational role will evolve and how it navigates political dynamics in the coming years will shape both its designated role and the expectations placed upon it.

Taking the steps necessary to act on one of the proposed options, rather than maintaining the below-par status quo, is essential for the EU to effectively manage – and more importantly implement – its ever-expanding cybersecurity policy framework.

Annex

ENISA’s governance structures

Figure 9: Overview of ENISA’s governance structures on the basis of the CSA

Below, you can expand on various sections to explain the connections between the actors. The numbers and letters correspond to those contained in Figure 9 above. All article references in the table below relate to the Cybersecurity Act, Regulation 2019/881.

ENISA’s actor-network derived from relevant EU legislation

ENISA’s budget requests vs. budget allocations

This table provides an overview of the development of ENISA’s human and financial resources from 2014 to 2025. By comparing ENISA’s budget requests with its actual resource allocation, it highlights the gap between these figures (columns one and three). Additionally, the table illustrates how resource allocation in a given year compares to the budget from the previous year, showing any differences or indicating continuity (columns two and four). The sources for the respective budget years are as follows: 2025, 2024, 2023, 2022, 2021, 2020, 2019, 2018, 2017, 2016, 2015, and 2014.

For clarity, the following symbols in columns one and three represent specific budget outcomes:

▼ indicates that ENISA received less than it requested,

▶ indicates that ENISA’s request was fully met, meaning it received the exact resource adjustment it sought,

▲ indicates that ENISA’s resource allocation exceeded its request.

To illustrate how the table should be read, take the 2025 budget year as an example: ENISA requested six additional temporary posts and a budget increase of approximately €4.26 million. Ultimately, the European Commission granted one additional temporary post and one additional seconded national expert (SNE). Compared to its request, this resulted in a shortfall of five temporary posts but an increase of one SNE (= ▼). The approved budget increase was €795.700, which was €3.47 million less than ENISA’s original request (= ▼)

List of abbreviations

Acknowledgement

This analysis was supported by interviews with researchers and practitioners, as well as online collaboration, including with representatives from EU Member States, industry, academia, and civil society. Inspiration for this paper was drawn from a workshop conducted in June 2024 on ‘Facilitating National Implementation and Application of EU Cybersecurity Policy,’ as well as from conversations on national approaches to implementing EU cybersecurity legislation and policies. The author would like to thank the involved subject matter experts for their insights and for sharing their experience.

At interface, the author would particularly like to thank Sven Herpig for input and advice in turning the initial idea into this policy paper, Jasen Ho for research support, Luisa Seeling for support in editing the text, Alina Siebert for layouting the paper and designing the paper’s visuals, Helene Pleil for feedback on a first draft, Sebastian Rieger and Ernesto Oyarbide-Magaña for helping to spread the word about this publication, and Frederic Dutke for support in implementing the workshop.

Research and analysis have not been commissioned by any entity. Designated programme funds from interface's Cybersecurity Policy and Resilience programme were used to fund this work.