European Cyber Agency Remains UnderfundedENISA Chief Says Lack of Appropriate Funding Continues to Be a Challenge
The European cyber agency continues to remain underfunded despite the surge in ransomware and other cyberthreats, the organization's chief said in a recent hearing.
There are multiple discrepancies in how the European Commission allocates funds to the cyber agency, Juhan Lepassaar, the executive director of the European Union Agency for Cybersecurity, said during a Tuesday parliamentary hearing evaluating allocated budgets.
The commission's allocation of funds is supposed to reflect the tasks undertaken by the agency, which Lepassaar said is not commensurate with the cyber risks, which have significantly surged in the aftermath of Russia's invasion of Ukraine.
"Cyberthreats are ever-increasing, but we also see that the commission does not put adequate investments for cybersecurity across our EU organizations," Lepassaar said. "The commission responds to my request for additional investment by saying that we don't have any additional tasks. By maintaining this argument of 'no new tasks, no new resources,' I cannot address the huge change in the cyberthreat landscape."
He added that across Europe, investments in cybersecurity by private sector organizations tend be 7% of their IT budget. The percentage is much lower for public sector organizations, including the European Commission, he said.
This funding shortfall is compounded by the commission's new cyber legislative proposals, which could create new operational requirements for ENISA without providing additional investment support, Lepassaar said. The European Parliament and Council recently reached a political agreement on enhancing cybersecurity requirements the commission put forward for EU organizations. The proposal seeks to improve cyber resilience in the region by introducing a risk management framework for all EU public agencies and by amending the role of CERT-EU, an organization that closely works with ENISA.
"The Cyber Resilience Act and EU Cyber Solidarity Act have proposed new tasks for ENISA without proposing new resources," Lepassaar said. "The issue here is not that we cannot reprioritize tasks, but the problem is that nobody has consulted the organization to understand the resources needed by ENISA to support these new requirements."