COMMISSION STAFF WORKING DOCUMENT IMPACT ASSESSMENT Accompanying the document PROPOSAL FOR A REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on ENISA, the "EU Cybersecurity Agency", and repealing Regulation (EU) 526/2013, and on Information and Communication Technology cybersecurity certification (''Cybersecurity Act'')

Council of the European Union

Brussels, 14 September 2017 (OR. en)

12183/17

Interinstitutional File: ADD 6

2017/0225 (COD) i

CYBER 127 TELECOM 207 ENFOPOL 410 CODEC 1397 JAI 785 MI 627 IA 139

COVER NOTE

From: Secretary-General of the European Commission, signed by Mr Jordi AYET PUIGARNAU, Director

date of receipt: 13 September 2017

To: Mr Jeppe TRANHOLM-MIKKELSEN, Secretary-General of the Council of the European Union

No. Cion doc.: SWD(2017) 500 final PART 3/6

Subject: COMMISSION STAFF WORKING DOCUMENT IMPACT ASSESSMENT Accompanying the document PROPOSAL FOR A REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on ENISA, the "EU Cybersecurity Agency", and repealing Regulation (EU) 526/2013 i, and on Information and Communication Technology cybersecurity certification

(''Cybersecurity Act'')

Delegations will find attached document SWD(2017) 500 final PART 3/6.

Encl.: SWD(2017) 500 final PART 3/6

12183/17 ADD 6 MK/ec

EUROPEAN COMMISSION

Brussels, 13.9.2017 SWD(2017) 500 final

PART 3/6

COMMISSION STAFF WORKING DOCUMENT

IMPACT ASSESSMENT

Accompanying the document

PROPOSAL FOR A REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

on ENISA, the "EU Cybersecurity Agency", and repealing Regulation (EU) 526/2013 i, and on Information and Communication Technology cybersecurity certification

(''Cybersecurity Act'')

{COM(2017) 477 final i} {SWD(2017) 501 final} {SWD(2017) 502 final}

Annex 6:

Economic estimates of the policy options for ENISA

This document provides an estimation of the costs related to each of the four options for the future of ENISA. The costs are based on a series of assumptions presented below:

• It has been assumed that the Greek government will continue to provide its current financial contribution (of EUR 640,000 per year) for the offices in Greece and that this budget would be sufficient to accommodate extended offices if needed. This assumption concerns Options 1, 2 and 3.

• It has been assumed that the new staff would reinforce the implementation of the current mandate and implement the new tasks foreseen. The calculation was based on the average cost as per category of an employee. For the staff based in Greece a corrective coefficient (79.3%) was applied. For staff based in Brussels, no coefficient applies.

Category of personnel Standard rate without corrective coefficient

 Temporary agent 138.000 €/year

 Seconded National Expert 78.000 €/year

 Contractual agent 70.000 €/year

• The gradual increase of staff (Option 2 and 3) has been also reflected (e.g. calculation takes into consideration the potential employment date).

• For the calculation of overall costs per option, efforts have been made to take potential synergies with other EU bodies (especially CERT-EU).

• Additional set-up costs might apply, for example, for staff recruitment. This was taken into consideration in relevant options (Option 2 and 3) or additional office costs (Option 3).

• A standard inflation rate of 2% was also applied.

  The cost estimations are based on several sources:

• ENISA evaluation report • ENISA Annual Activity Report 2015. • Europaid (2017): Current per diem rates. Available at: https://ec.europa.eu/europeaid/sites/devco/files/perdiems-2017-03-17_en.pdf. Accessed 16.06.2017. • Statista – The Statistics Portal (2016): Rental prices of prime office properties in selected European cities as of 4th quarter 2016 (in euros per square meter per year). Available at: https://www.statista.com/statistics/431672/commercial-property-primerents-europe/. Accessed 16.07.2017 • ENISA (2017): Statement of estimates (budget 2017). Available at: https://www.enisa.europa.eu/about-enisa/accounting-finance/files/annualbudgets/enisa-2017-annual-budget. Accessed 16.07.2017

The costs estimations for each of the four options are presented below.

Option 0:

Baseline, maintain the status quo: This option concerns an extension of the current mandate in terms of scope and objectives, though the provisions from the NIS Directive, the eIDAS Regulation and Telecoms Framework Directive would need to be taken into account. Under Option 0 the minimum scenario assumes that ENISA will be able to take on all new tasks assigned to it as per recent legislative changes (NIS Directive) by reallocating responsibilities and tasks, as it has been done in the 2016 and 2017 Work Programme. The below calculation, however, assumes that ENISA will get another eight staff members (two for each of the key sectors finance, health, transport and energy) to respond to its new responsibilities.

YEAR 1 YEAR 2 ONWARDS

Number of staff/ Costs in EUR per Number of staff/ Costs in EUR per year specification of year specification of other

other costs costs Current 84 11,244,679 84 11,244,679 budget

Revise 0 676,416 8 676,416 ENISA’s mandate to make its new tasks per recent/upcomi ng legislation more specific Total budget 84 11,921,095 92 11,921,095 under the (48 TAs, 31 CAs, (56 TAs, 31 CAs, 5

option 5 SNEs) 1 SNEs)

Option 1:

Expiry of ENISA's mandate (terminating ENISA): it would involve closing ENISA and not creating another EU-level institution, but relying on existing institutions/organisations to implement engagements under, for example, the NIS Directive and bilateral or regional ties at Member State level. The direct costs for the EU budget of not extending the mandate of ENISA in 2020 would be EUR 0, which implies thus a cost saving for the European institutions of approximately EUR 10,332,000 yearly, plus a 2% standard increase per year.

The financing provided by the Government of the Hellenic Republic (which constitutes between 6 and 7% each year), as well as contributions from third countries participating in the work of the Agency (around 1%) were deducted from this estimate.

Please note, however, that some one-off costs related to e.g. re-allocating staff and the removal of infrastructure and all miscellaneous administrative requirements for ending ENISA's activities might need to be incurred in the year following the decision to close down ENISA.

1 Based on: Multi-annual staff policy plan year 2017-2019, Establishment plan in Draft EU budget 2017, in ENISA Programming document

2017-2019; Annex III

Option 2

'Reformed ENISA': This option would build on the current mandate of ENISA with a view of adopting selective changes which take the evolution of the cybersecurity landscape into account. The Agency would gain a permanent mandate, based on the following key building blocks: support to EU policy development and implementation; capacity building; knowledge and information; market related tasks; research and innovation; and operational cooperation and crisis management.

This option assumes substantial increase of ENISA's resources to reinforce the execution of the current tasks and to implement new tasks. The table below presents the needs of new staff as per the category of tasks.

Tasks AD AST CA SNE Total

Policy and capacity building 10 2 12

Operational cooperation 9 2 7 18

Certification (market related tasks) 6 1 7 14

Knowledge, information and awareness 1 2 3

Research and Innovation 2 1 3

TOTAL 28 8 7 7 50

Based on the above needs, the table presents the costs for year 1 and 2 of the introduction of the option 2. The costs are presented differentiating between staff costs (costs due to additional human resources) and “other” costs e.g. infrastructure & operating expenditure as well as for operational expenditure.

Baseline

ENISA 2017 2019 2020 TOTAL

(31/12/2016)

Staff Expenditure

(including also e.g.

expenditure related to staff 6.387 12.143 14.973 27.117

recruitment, training, sociomedical

infrastructure)

Infrastructure & 4.833

operating expenditure 1.770 2.188 2.645

Operational

Expenditure 3.086 5.764 6.078 11.842

TOTAL for ENISA 11.244 20.095 23.696 43.792

Option 3

EU cybersecurity agency with full operational capabilities. This option implies reforming ENISA by bringing together three main functions: 1. A policy/advisory function; 2. A centre of information and expertise, and 3. A Computer Emergency Response Team (CERT). To a large extent this option would imply the same change in the scope of the mandate as option 2. However, additional tasks would be added in the area of incident response and crisis management, so that the Agency would cover the entire cybersecurity lifecycle and deal with prevention, detection and response to cyber incidents.

This option assumes substantial increase of ENISA's resources to reinforce the execution of the current tasks and to implement new tasks. It also assumes that a substantial number of new staff would be based in Brussels.

The table below presents the needs of new staff as per the category of tasks.

Tasks AD AST CA SNE Total

Policy and capacity building 10 2 12

Operational cooperation (NIS, exercises) 9 2 7 18

Operational support (CERT function) 6 2 6 6 20

Certification (market related tasks) 6 1 7 14

Knowledge, information and awareness 1 2 3

Research and Innovation 2 1 3

TOTAL 34 10 13 13 70

Based on the above needs, the table presents the costs for year 1 and 2 of the introduction of the option 3. The costs are presented differentiating between staff costs (costs due to additional human resources) and “other” costs e.g. infrastructure & operating expenditure as well as for operational expenditure.

Baseline ENISA 2017 2019 2020 TOTAL

(31/12/2016)

Staff Expenditure (including also e.g.

expenditure related to

staff recruitment, 6.387 13.027 17.382 30.409

training, socio-medical

infrastructure)

Infrastructure &

operating expenditure 1.770 3.938 4.966 8.904

Operational

Expenditure 3.086 5.764 6.078 11.842

TOTAL for ENISA 11.244 22.729 28.426 51.155