Oireachtas Joint and Select Committees

Wednesday, 1 December 2021

Joint Oireachtas Committee on European Union Affairs

EU Cybersecurity: Discussion (Resumed)

Mr. Juhan Lepassaar:

I thank the Senator for her good questions. Unfortunately, I do not have a day to give a full brief.

I will address the questions one by one. The budget of the agency for this year is €24 million. It will increase slightly again next year. There has been a huge increase in the budget over the past three years, which was due to the adoption of the cybersecurity Acts. If the Senator is asking me whether these funds are sufficient, my response would be: sufficient for what purpose?

On the objectives, under the strategic objectives of the ENISA, there are seven clear objectives in terms of what we want to achieve. The first is that all policy domains in the Union take cybersecurity as one of their core missions. Cybersecurity should not be regarded as an annex or an afterthought. When we build new policies, we should try to make them cyber secure by nature and design.

The second big objective is to make sure that the products that are in the EU Internal Market are cyber secure and that there is trust from the end-user in these products. At the same time, we also try to raise capacities of the member states of the organisation so that they become more cyber resilient. We try to help member states in times of crisis, but also to prepare for crisis. We do not look at everything; we concentrate on potential cross-border large-scale cyber events. The organisation cannot do all of these things alone and so one of our biggest cybersecurity strategic objectives is to ensure that we have communities that work with us. These communities are well-organised, they know what to do and they feed their own desires into the agency. These are the five big objectives. We have an understanding as well that we need to be knowledgeable of the future threats and risks. We should have foresight of what is coming around the corner, but while doing that we should not forget that the majority of cybersecurity incidents happen because of existing vulnerabilities in legacy systems. The future is important, but the past is as important.

On the final question with regard to the obstacles, one of the biggest obstacles I see at EU level is how we deal with the past not only in terms of how we deal with legacy systems in technical terms because they include technical vulnerabilities - the Internet was not built for cybersecurity; it was built for free-flow of information - but how we deal with the past in policy terms and how we deal with the fact that the majority of software providers do not have the same level of responsibility or liability when it comes to the cybersecurity of their products as, for example, do manufacturers of physical objects or products in the Internal Market. Cybersecurity was not a mature policy domain, but it is becoming gradually more mature. With this, we need to reassess whether the rights and obligations that were put in place or existed within the policy framework need to be reviewed now and whether it is now time to make the products and services that circulate within our Internal Market more cyber secure by putting more obligations on manufacturers of these services and products so that the end-users do not have to bear the responsibility of always worrying about whether the service or the software they use is cyber secure, but so too do the producers of this software.
