The EU cybersecurity agency ENISA just won support from MEPs in a drawn-out battle with the Greek government over its costly division between two offices in Athens and Crete.
The European Union Agency for Network and Information Security (ENISA) has been pushing to close its headquarters in Heraklion, Crete’s largest city, and move all of the agency’s staff into its Athens office. But staff say local politics have kept the Crete office open, although it has already cost the Greek government around €1 million in unnecessary fees.
Since 2013, the agency has kept two offices open. Most other EU agencies only have one. The Greek government pays ENISA’s annual rent of around €640,000—an uncommon arrangement for EU agencies—as a gesture meant to make the remote island location more attractive.
Employees of the agency complain about schools and sparse job prospects for families in Heraklion.
“All staff members that have kids in EU schools talk about problems in the schools,” ENISA director Udo Helmbrecht told EurActiv.com.
Staff members fly between Heraklion and Athens for meetings, racking up costs and travel time.
MEPs in the European Parliament’s Budgets Committee backed ENISA’s bid to shut down the Heraklion office during a meeting last week (16 March).
The committee chair, French ALDE MEP Jean Arthuis (Union des Démocrates et Indépendants), is meeting the Greek transport minister, who in charge of ENISA’s office locations, this month.
“I hope Greece is listening,” Arthuis told MEPs during the committee debate.
ENISA estimates that the Greek government would save around €250,000 per year if the Crete building closes, 40% of what it pays for the agency’s total rent. The Greek government would have saved roughly €1 million since 2013 if the agency was only housed in one office, according to ENISA.
On top of that, Helmbrecht says the Greek government transfers money to the agency up to four or five months late, delaying rent payments and angering landlords.
Rent for the Heraklion building costs more per square metre than the Athens office. Some meeting rooms in Heraklion are left empty because they are not used by ENISA staff.
EXCLUSIVE / Europe’s cybersecurity agency has admitted it is unprepared for the advent of the internet of things, lacking the money and expertise to meet the challenges posed by the much hyped move towards digitally connected devices.
EU sources told EurActiv the local government in Crete wants to keep an EU agency on the island for prestige.
“The reasons lie in political decisions taken in the past,” said German S&D MEP Jens Geier (SPD), the Budget Committee’s rapporteur for EU agencies.
Paul Timmers, the director in charge of cybersecurity at the European Commission’s technology unit DG CONNECT, told MEPs in the Budget Committee that his office has stepped in to mediate the squabble between ENISA and the Greek government.
“At the request of ENISA we’ve had a number of exchanges with the Greek government in order to help so that the rent payments happen in a timely fashion,” Timmers said.
On top of the savings in rent, ENISA staff say the agency would gain somewhere between €100,000 and €200,000 each year if the Heraklion office closed, or 6% of its budget for operations, which excludes salaries.
EurActiv has previously reported on ENISA’s shoestring budget of €10 million per year.
As of last year, the cash-strapped agency did not have the funds to hire cybersecurity experts to work on the Internet of Things, the increase of devices with internet connection, and only had two experts on cloud computing.
A boost of €100,000 or more to ENISA’s budget would mean the agency could tender an extra project out to a company working on cybersecurity. Helmbrecht said he wants the agency to work on new technologies and named cars and healthcare as potential areas where the funds could go.
ENISA only started researching connected cars and cybersecurity this year.
The agency could see its staff stretched even thinner once new EU cybersecurity rules come into effect by 2018.
Under the rules, ENISA will help EU countries field notifications from companies after they experience security breaches.
To deal with the new workload brought on by the new NIS directive, ENISA has requested a €5 million budget increase to hire 25 new employees in 2017.
MEPs are putting pressure on the Greek government to move ENISA before the agency is up for review in 2018.
Some compared ENISA’s bid to close its Heraklion office with the Parliament’s second seat in Strasbourg.
Czech EPP MEP Tomáš Zdechovský told the Budget Committee he would shut down the Parliament’s Strasbourg building if he could to save money and silence critics who call the two seats wasteful.
“I think in this particular case we can reasonably have a discussion about the efficiency,” Zdechovský said about ENISA’s two locations.
“Sometimes you just have to accept that something has failed,” he added.
An EU cyber security strategy was presented by the Commission and in 2013, covering the internal market, justice and home affairs and foreign policy angles of cyberspace.
The European Commission shortly after proposed a directive with measures to ensure harmonised network and information security across the EU.
The proposed legislation will oblige companies to be audited for preparedness and to notify national authorities of cyber incidents with a “significant impact.”
The directive also suggests that market operators will be liable regardless of whether or not they carry out the maintenance of their network internally or if they outsource it.
The EU singled out a number of sectors which it claimed require more action on cybersecurity including “critical” infrastructure operators in energy, transport, banking and healthcare services.
All member states would be required to adopt network and information security strategies and set up teams to respond to incidents. Cooperation networks would be created at EU level.