The Concept of Accountability in the Context of the Evolving Role of ENISA in Data Protection, ePrivacy and Cybersecurity

Abstract

The European Union Agency for Network and Information Security (ENISA), is one of the “third generation” of EU agencies, active in the area of cybersecurity. Over a period of years this expert agency’s fundamental regulation has been amended and replaced, and its governing bodies modified. However, a sea change occurred when ENISA received significant additional responsibilities and resources as a result of the EU Cybersecurity Act. In such context, the Chapter’s essential focus is on whether or not accountability is a concern for ENISA today, given its development.

In the light of this evolution both in terms of ENISA’s fundamental regulation and its role, this chapter first provides an overview of theoretical perspectives regarding the accountability of EU agencies, as they are relevant to assess ENISA’s accountability, and describes ENISA as an expert body. Next, ENISA’s role in connection with certain aspects of EU legislation in data protection, ePrivacy, and cybersecurity is detailed, and most notably its creation of ‘soft law’ in these domains. An early challenge to ENISA’s legal basis is also discussed. The evolution of ENISA’s mandate, evidencing its growing importance, is detailed, and changes to its governance structures, as one solution to accountability challenges, are studied. Finally, additional discussion of accountability of ENISA in connection with its increased law ensues, with particular attention paid to its ‘soft law’ role, and potential need for a higher level of ex ante control in the form of greater ‘proceduralisation’ of law-making, prior to a making a forward-looking conclusion.