The European Union Agency for Cybersecurity, commonly known as ENISA, was established in 2004 and is headquartered in Athens, with an additional office in Heraklion, Greece. It originally stood for the European Network and Information Security Agency; its mandate and name were updated by the Cybersecurity Act (Regulation (EU) 2019/881), which granted ENISA a permanent mandate and expanded its tasks.
ENISA's core role is to achieve a high common level of cybersecurity across the European Union. It does this through several functions:
- Policy support: advising the European Commission, Council, and Parliament on cybersecurity legislation and implementation, including the NIS Directive and its successor, NIS2 (Directive (EU) 2022/2555).
- Operational cooperation: coordinating the CSIRTs Network, which links national Computer Security Incident Response Teams, and supporting the EU's cyber crisis management framework.
- Capacity building: running training, exercises (notably the biennial Cyber Europe exercise series), and awareness campaigns such as European Cybersecurity Month.
- Certification: under the Cybersecurity Act, ENISA prepares candidate European cybersecurity certification schemes for ICT products, services, and processes, which the Commission may then adopt.
- Threat intelligence: publishing the annual ENISA Threat Landscape report, which analyses major cyber threats, attack trends, and threat actors targeting the EU.
ENISA is governed by a Management Board composed of representatives from each member state and the Commission, and is led by an Executive Director. Although it does not have direct enforcement powers over private companies or national governments, its technical guidance and certification work shape how EU cyber rules are applied in practice. For MUN delegates and researchers, ENISA is the principal reference point for understanding the EU's institutional response to cyber threats, distinct from CERT-EU (which serves EU institutions) and Europol's EC3 (which handles cybercrime investigations).
Example
In 2023, ENISA published its annual Threat Landscape report identifying ransomware and DDoS attacks as the top threats facing EU member states.
Frequently asked questions
ENISA is the EU's policy and capacity-building agency for cybersecurity across the Union, while CERT-EU is the operational incident response team that serves the EU institutions, bodies, and agencies themselves.
Keep learning