https://orcid.org/0000-0002-3775-1284
![Sample our Politics & International Relations journals, sign in here to start your FREE access for 14 days]({"type":"image" , "src" : "/sda/5947/TOC-Subject-Sample-2021-Politics-International-Relations.jpg"})
ABSTRACT
Over the last decades, cybersecurity has become a top priority for the European Union (EU). As a contribution to scholarship on the ‘regulatory security state’, we analyze how the European Union Agency for Cybersecurity (ENISA), emerged and stabilized as the EU's key agency for cybersecurity. We use data from policy documents, secondary sources, and semi-structured interviews to show how ENISA struggled to become a relevant actor by carving out a specific role for itself. In particular, we show how challenging it was for the agency to acquire epistemic authority. Although the trajectory of ENISA supports attempts to govern through regulation, it also shows that its role was never a given, only functions as part of a larger whole, and continues to be subject to change. Our article indicates that the study of security governance must remain ontologically flexible to capture hybrid forms and political struggles.
Disclosure statement
No potential conflict of interest was reported by the author(s).
Correction Statement
This article has been corrected with minor changes. These changes do not impact the academic content of the article.
Notes
1 At the EU level, apart from ENISA, important institutions include the Directorate General for Communications Networks, Content and Technology, Europol's European Cybercrime Center, the European External Action Service, the European Defence Agency, and the permanent Computer Emergency Response Team for the EU institutions. Also see the Cybersecurity Institutional Map (ENISA, Citation2022).
2 The driving force for this move was the recognition that ICT was becoming increasingly important to economic growth, competitiveness, and the development of a more inclusive society (Commission of the European Communities 2000).
3 By March 2006, ENISA's staff was composed of 35 temporary agents, mainly young professionals between 31 and 40 (60%) from Greece, Italy, and Belgium (42%) (ENISA 2007).
4 Indeed, on clear alternative path was proposed by Viviane Redding: Do not extend ENISA's mandate but fold it into the Electronic Communications Markets Authority (EECMA).
5 At least according to the board members as stated in the minutes of the 23rd board meeting.
6 ENISA initially moved a third of its staff from Crete to Athens. According to one reporter, it can be seen as an ‘admission that locating the agency on a Mediterranean island impeded the agency's effectiveness’ (Vogel, Citation2013).
7 ENISA developed a similar response to the Log4j vulnerability through the CSIRTs network in December 2021 (ENISA, Citation2021b).
8 More specifically, ENISA’s (Citation2022) programming document explains that the organization is responsible for nine ‘operational activities’ and two ‘corporate activities’.
9 For an example of this process also see the 23rd board meeting board meeting (ENISA, Citation2013).
10 The issue was again raises in later meetings, including in extraordinary board meeting held in February 2020 (ENISA, Citation2020).
11 For a detailed overview on the set up of the working group, see the discussion by Pirotti in the seventh board meeting (ENISA, Citation2006).