This year, the European Union Agency for Cybersecurity, ENISA, is celebrating its 20th anniversary, and what grim times to do that in. According to Executive Director Juhan Lepassaar, "the threat landscape has been severely impacted over the past 2 years by the Russian war of aggression and other geopolitical tensions via distributed denial-of-service (DDoS) and ransomware attacks, a huge rise in information manipulation, and attacks against data to be used for extortion."

ENISA's Single Programming Document 2024-2026 reflects this assessment as it details the agency's multi-annual planning, its work program for 2024 and multi-annual staff planning. The document lays out the state of play of the EU cybersecurity policy landscape and ENISA's role in the implementation of many of the associated legislative texts.

The agency will play an important role in the implementation of the Cyber Resilience Act. It is expected to be the central body receiving notifications from manufacturers of actively exploited vulnerabilities contained in connected products, as well as incidents that have an impact on the security of those products. It will also be tasked with preparing a biennial technical report on emerging trends regarding cybersecurity risks in products with digital elements.

In addition, the report underlines ENISA's role in supporting the mapping of cyber legislation initiatives in the finance sector and its collaboration with other EU stakeholders on cybersecurity aspects of the Digital Operational Resilience Act, including crisis management, incident reporting and information sharing. When it comes to artificial intelligence, the agency will focus on fostering understanding of the interplay between cybersecurity and AI and how this can affect the availability, safety or resilience of future AI services and applications. The agency plans to monitor existing initiatives from member states in this area of AI and machine learning and continue to provide good security practices and guidelines.

Elsewhere:

  • Italy's data protection authority, the Garante, came out this week with enforcement decisions following its investigation into organizations' obligation to communicate contact details of data protection officers. The first wave of sanctions applies to four municipalities, with fines of 2,000 euros. One was also found to be in breach of the obligation to appoint a DPO, resulting in a fine of 5,000 euros.
  • Following approval of the final draft of the EU AI Act by the member states, the European Parliament will vote next, first at committee level, expected next week, and then in plenary session, expected on 10 or 11 April.
  • The IAPP Madrid KnowledgeNet Chapter is planning a big gathering next week around "Innovation, Technology and Personal Data: Horizon and challenges in 2024." With such an ambitious discussion topic must come a solid program. The agenda features Director of the Spanish Data Protection Agency Mar España Martí, representatives from the Madrid Bar Association and data protection officers from groups including Publicis, Colt, Orange Spain, Iberia, Haleon and many others.