REPORT on discharge in respect of the implementation of the budget of ENISA (European Union Agency for Cybersecurity) (before 27 June 2019: European Union Agency for Network and Information Security (ENISA)) for the financial year 2019

2. PROPOSAL FOR A EUROPEAN PARLIAMENT DECISION

on the closure of the accounts of ENISA (European Union Agency for Cybersecurity) (before 27 June 2019: European Union Agency for Network and Information Security (ENISA))for the financial year 2019

(2020/2164(DEC))

The European Parliament,

– having regard to the final annual accounts of ENISA (European Union Agency for Cybersecurity) for the financial year 2019,

– having regard to the Court of Auditors’ annual report on EU agencies for the financial year 2019, together with the agencies' replies[8],

– having regard to the statement of assurance[9] as to the reliability of the accounts and the legality and regularity of the underlying transactions provided by the Court of Auditors for the financial year 2019, pursuant to Article 287 of the Treaty on the Functioning of the European Union,

– having regard to the Council’s recommendation of 1 March 2021 on discharge to be given to the Agency in respect of the implementation of the budget for the financial year 2019 (05793/2021 – C9‑0061/2021),

– having regard to Article 319 of the Treaty on the Functioning of the European Union,

– having regard to Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council of 18 July 2018 on the financial rules applicable to the general budget of the Union, amending Regulations (EU) No 1296/2013, (EU) No 1301/2013, (EU) No 1303/2013, (EU) No 1304/2013, (EU) No 1309/2013, (EU) No 1316/2013, (EU) No 223/2014, (EU) No 283/2014, and Decision No 541/2014/EU and repealing Regulation (EU, Euratom) No 966/2012[10], and in particular Article 70 thereof,

– having regard to Regulation (EU) No 526/2013 of the European Parliament and of the Council of 21 May 2013 concerning the European Union Agency for Network and Information Security (ENISA) and repealing Regulation (EC) No 460/2004[11], and in particular Article 21 thereof,

– having regard to Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act)[12], and in particular Article 31 thereof,

– having regard to Commission Delegated Regulation (EU) 2019/715 of 18 December 2018 on the framework financial regulation for the bodies set up under the TFEU and Euratom Treaty and referred to in Article 70 of Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council[13], and in particular Article 105 thereof,

– having regard to Articles 32 and 47 of Commission Delegated Regulation (EU) No 1271/2013 of 30 September 2013 on the framework financial regulation for the bodies referred to in Article 208 of Regulation (EU, Euratom) No 966/2012 of the European Parliament and of the Council[14],

– having regard to Rule 100 of and Annex V to its Rules of Procedure,

– having regard to the report of the Committee on Budgetary Control (A9-0085/2021),

1. Approves the closure of the accounts of ENISA (European Union Agency for Cybersecurity) for the financial year 2019;

2. Instructs its President to forward this decision to the Executive Director of ENISA (European Union Agency for Cybersecurity), the Council, the Commission and the Court of Auditors, and to arrange for its publication in the Official Journal of the European Union (L series).

 

3. MOTION FOR A EUROPEAN PARLIAMENT RESOLUTION

with observations forming an integral part of the decision on discharge in respect of the implementation of the budget of ENISA (European Union Agency for Cybersecurity) (before 27 June 2019: European Union Agency for Network and Information Security (ENISA)) for the financial year 2019

(2020/2164(DEC))

The European Parliament,

– having regard to its decision on discharge in respect of the implementation of the budget ENISA (European Union Agency for Cybersecurity) for the financial year 2019,

– having regard to Rule 100 of and Annex V to its Rules of Procedure,

– having regard to the report of the Committee on Budgetary Control (A9-0085/2021),

A. whereas, according to its statement of revenue and expenditure[15], the final budget of the ENISA (European Union Agency for Cybersecurity) (the ‘Agency’) for the financial year 2019 was EUR 16 932 952, representing an increase of 47,58 % compared to 2018; whereas that increase results mainly from an increase in expenditure on staff, ICT and core operational activities, related to the adoption of the Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act)[16]; whereas the budget of the Agency derives mainly from the Union budget;

B. whereas the Court of Auditors (the ‘Court’), in its report on the Agency’s annual accounts for the financial year 2019 (the ‘Court's report’), states that it has obtained reasonable assurance that the Agency’s annual accounts are reliable and that the underlying transactions are legal and regular;

Budget and financial management

1. Notes that the budget monitoring efforts during the financial year 2019 resulted in a budget implementation rate of 96,80 %, representing a decrease of 3,18 % compared to 2018; notes furthermore that the payment appropriations execution rate was 70,12 %, representing a decrease of 18,44 % compared to 2018;

Performance

2. Notes that the Agency uses certain key performance indicators (KPIs) to measure the added value provided by its activities and to enhance its budget management, notes that the Agency implemented quantitative and qualitative key performance indicators to measure activities’ impact more efficiently, and that it has also been implemented a specific set of key performance indicators to monitor stakeholders’ expectations; welcomes the addition of specific key performance indicators related to the new mandate given by the Cybersecurity Act;

3. Welcomes that the Agency has signed a service level agreement with the European Centre for the Development of Vocational Training, in order to obtain more efficiency through services sharing, knowledge sharing and exchange of best practices, especially in the following fields: IT tools, human resources management, procurement and business continuity;

Staff policy

4. Notes with concern that, on 31 December 2019, the establishment plan was 79,66 % filled, with 47 temporary agents appointed out of 59 temporary agents authorised under the Union budget (compared to 48 authorised posts in 2018); notes that, in addition, 26 contract agents and two seconded national experts worked for the Agency in 2019; notes the increased establishment plan is due to the new Agency’s mandate that conferred greater competencies and resources following the adoption of the Cybersecurity Act;

5. Is very concerned by the lack of gender balance reported for 2019 for senior managers and the management board; invites the Agency to increase its efforts to achieve a better gender balance at all levels; asks the Commission and the Member States to take into account the importance of ensuring gender balance when nominating their members to the Agency’s management board;

6. Notes that the Agency has some difficulties in recruiting, attracting and retaining suitably qualified staff, mainly due to the low correction coefficients applied to the staff’s salaries in Greece and the professionals’ deficit in the IT security market in the Union; welcomes the Agency’s social measures implemented to increase attractiveness and notes that the Agency’s new establishment plan allows to propose higher contract positions;

7. Notes that the review of the handover procedures to new staff members is currently ongoing; notes also that the handover procedures are considered to be included in the sensitive posts policy; calls on the Agency to report on the future development and on the adoption of the sensitive posts policy;

8. Notes from the Court’s report that the Agency used temporary or interim workers to perform tasks within the Agency, those workers represent the 29 % of the total work force, an increase from the previous year, and according to the Court, that number indicates the increased dependency on interim workers; notes that in 2019 the Agency paid approximately EUR 923 000 for those services, representing 5,60 % of the Agency’s budget; notes, moreover, that the Court refrained from making observations regarding the application of the Directive 2008/104/EC on temporary agency work[17] to Union agencies, as there is a case pending before the Court of Justice;

Procurement

9. Notes with concern from the Court’s report the observed weakness in the procurement procedures, where, in three out of four cases audited, an overlap was observed between selection criteria and award criteria, and a lack of separation constituting a procedural flaw, exposing the Agency to the risk of tendering procedures being annulled; further notes that the Agency did not comply with Financial Regulation deadlines for the publication of the award notice in the Official Journal;

10. Notes from the Court’s report that in two out of four framework services contracts audited, the tender specifications did not provide precise information on the method for comparing the financial offers based on case-scenarios, not ensuring the most economical implementation; notes from the Court’s report that the Agency has set an incorrect threshold sum for three contracts given the scope and the value of the contracts and that it did not carried out any assessment on the risks related to the actual implementation and financial dependency to the Agency tied to a fixed sum offered for the contract; notes the Agency’s reply to the Court’s findings and the measures taken by the Agency to prevent a recurrence of these failures;

Prevention and management of conflicts of interest and transparency

11. Notes the Agency’s existing measures and ongoing efforts to secure transparency, prevention and management of conflicts of interest and notes that the CVs of the members of the management board and their declaration of conflicts are being published on its website; notes that the Agency does not publish the senior management’s declaration of conflicts of interest and CVs on its website, with the exception of those of the executive director; calls the Agency to publish the declarations of conflicts of interest and the CVs of its senior management and to report to the discharge authority on the measures taken in that regard;

Internal controls

12. Notes that the Agency has planned to adopt a new sensitive posts policy in 2020;

13. Notes regarding the audit of the Commission’s internal audit service (IAS) on ‘Stakeholders’ involvement in the production of deliverables in ENISA’ that one important recommendation is still pending as relevant procedures needed to be revised and approved internally;

14. The internal audit service released a report on human resources management and ethics in 2019, four important and three very important recommendations were issued; notes that an action plan to address the recommendations has been agreed with the IAS and calls the Agency to report on their implementation status;

Other comments

15. Notes with concern that the Agency has not yet developed a formal and comprehensive environmental management policy to ensure an environmentally friendly working place; calls on the Agency to act upon this;

16. Notes the Agency has produced 55 reports and has been active in raising awareness regarding cybersecurity issues;

17. Calls upon the Agency to focus on disseminating the results of its research to the general public;

o

o  o

18. Refers, for other observations of a cross-cutting nature accompanying its decision on discharge, to its resolution of ... 2021[18] on the performance, financial management and control of the agencies.

INFORMATION ON ADOPTION IN COMMITTEE RESPONSIBLE

 

FINAL VOTE BY ROLL CALL IN COMMITTEE RESPONSIBLE

 

 

 

Key to symbols:

+ : in favour

- : against

0 : abstention