Information security agency is lawful, says European Court

Rejecting a legal challenge from the UK, the European Court of Justice ruled yesterday that the European Network and Information Security Agency (ENISA), a centre of expertise for Member States and EU Institutions, was established legally.

ENISA was set up in 2004 and is based in Crete. The Court said it was correctly established on the basis of the single market clause in Article 95 of the EC Treaty.

The single market clause of Article 95 provides for the adoption of Community-wide rules which improve the single market by qualified majority in the Council, by a proposal from the Commission and in co-decision with the European Parliament.

The UK had challenged the establishment of ENISA, which in its view should have been made by unanimity in the Council and with consultation of the European Parliament only (EC Treaty Article 308).

But the judgment of the European Court of Justice confirms that Community agencies which contribute to the proper functioning of the single market can be established on the basis of the single market clause even where their powers are essentially non-regulatory in nature.

The European Court of Justice also said that single market rules do not necessarily need to have Member States as their addressees. It highlights the close connection between the work of ENISA and the EU regulatory framework for electronic communications, which have as their objective the single market in the field of telecommunication services.

European Commissioner for Information Society and Media Viviane Reding welcomed the ruling. She said it confirmed the Commission’s view that rules which guarantee "safe, stable and trustworthy IT networks in Europe can be adopted on the basis of the EC Treaty’s single market rules," adding that she intends to make ENISA "a key element of the Commission’s future work on network and IT security."