Avrupa Birliği Siber Güvenlik Ajansı'nın (ENISA) Kurumsal ve Yapısal Dönüşümü

Abstract

Avrupa Birliği (AB), geçtiğimiz yirmi yıl boyunca bilgi toplumunun gelişim hızı doğrultusunda büyüyen güvenlik ihtiyacını göz ardı etmemiş ve kurumsal yapısını önemli görev ve sorumluluklara sahip bir siber güvenlik ajansı olan ENISA ile taçlandırmıştır. AB'nin siber güvenlik politikasının kilit bir bileşeni olan ENISA, AB organları ve Üye Devletler ile koordinasyon sağlamakta ve güvenli bir siber ortamı teşvik etmek için üçüncü ülkeler ve uluslararası kuruluşlarla işbirliği yapmaktadır. Bu rapor, ENISA'nın Üye Devletlerin siber güvenlik kapasiteleri arasındaki farklılıkları ele alma ve uyumlaştırma konusundaki gelişen ve genel rolünü ve kuruluşundan bu yana ortaya çıkan ihtiyaçlar ve koşullar doğrultusunda kurumsal yapısında ve sorumluluklarında yapılan güncellemeleri incelemektedir. Ayrıca, AB genelinde uygulamaları ve araçları uyumlu hale getirmeyi amaçlayan AB Siber Güvenlik Yasası kapsamında yetkilerin genişletilmesinin etkisini ve daha fazla ele alınması gereken konuları incelemektedir. Bu nedenle, ENISA'nın AB genelinde siber güvenliği geliştirme çabaları ve mali güç ve yasal etki eksikliği nedeniyle karşılaştığı sorunlar hakkındaki akademik literatürün gözden geçirilmesine dayanmaktadır. Çalışma, uluslararası arenadaki etkisini ve kapasitesini arttırmak için koordinasyon ve destek organı olarak hareket eden bir siber güvenlik kurumunun yetkilerinin güçlendirilmesi ihtiyacını ortaya koyacaktır.

Keywords

• Avrupa Birliği
• Siber Güvenlik
• ENISA
• BİT
• Sertifikasyon

The Institutional and Structural Transformation of the European Union Agency for Cybersecurity (ENISA)

Abstract

Over the past two decades, the European Union (EU) has not ignored the growing need for security in line with the pace of development of the information society and has crowned its institutional structure with ENISA, a cybersecurity agency with important tasks and responsibilities. As a key component of the EU's cybersecurity policy, ENISA coordinates with EU bodies and Member States and cooperates with third countries and international organisations to promote a secure cyber environment. This paper examines the evolving and overall role of ENISA in addressing and harmonising differences between Member States' cybersecurity capabilities, and the updates to its organisational structure and responsibilities in line with the needs and conditions that have emerged since its establishment. It also examines the impact of the extension of competences under the EU Cybersecurity Act, which aims to harmonise practices and tools across the EU, and the issues that need to be further addressed. It is therefore based on a review of the academic literature on ENISA's efforts to improve cybersecurity across the EU and the problems it faces due to its lack of financial power and legal influence. The study will demonstrate the need to strengthen the mandate of a cybersecurity institution that acts as a coordinating and supporting body to increase its influence and capacity in the international arena.

Keywords

• European Union
• Cybersecurity
• ENISA
• ICT
• Certification

References

1. Attström, K., Ludden, V., Lessmann, F., Weström, P., Conrads, J., Carrapico, H. F., …, de la Maza, C. (2017). Study on the evaluation of the European Union Agency for Network and Information Security. Luxembourg: Publications Office of the European Union.
2. Avcıoğlu, M. (2025). Türkiye establishes a new body to tackle cyber threats. https://www.aa.com.tr/en/turkiye/turkiye-establishes-new-body-to-tackle-cyber-threats/3444618 (Accessed: 10th May 2025)
3. Bache, I., George, S. & Bulmer, S. (2011). Politics in the European Union. Oxford: Oxford University Press. Baladari, V. (2025). Unraveling the 2024 CrowdStrike Incident: How a Security Patch Led to Global System Failure and Blue Screen of Death. International Journal of Advanced Research in Science, Communication and Technology, 5(8), 171–177. https://doi.org/10.48175/IJARSCT-24524
4. Benedikt, K. (2021). New act on privacy and electronic communications. European Data Protection Law Review (EDPL), 7(2), 2021, 254–259. https://doi.org/10.21552/edpl/2021/2/17 Bigo, D., Boulet, G., Bowden, C., Carrera, S., Jeandesboz, J. & Scherrer, A. (2012). Fighting cybercrime and protecting privacy in the cloud. Brussels: European Parliament.
5. Bilgehan, A. D. (2025). Siber Güvenlik Başkanlığının düzenlenişine dair değerlendirme. İstanbul Medipol Üniversitesi Hukuk Fakültesi Dergisi, 12(1), 63–88. https://doi.org/10.46547/imuhfd.2025.12.1.3
6. Bisogni, F., Cavallini, S. & Di Trocchio, S. (2011). Cybersecurity at European level: The Role of Information Availability. Communications and Strategies, 1(81), 105–124.
7. Blaese, J-D. (2019). Cybersecurity at EU and national level – the expansion of economic policy. Zei Insights, 65. Bonn: Center for European Integration Studies.
8. Brass, I. & Sowell, J. H. (2021). Adaptive governance for the internet of things: Coping with emerging security risks. Regulation & Governance, 15(4), 1092–1110. https://doi.org/10.1111/rego.12343 Brun, L. (2018). The role of the European Union Agency for Network and Information Security (ENISA) in the governance strategies of European cybersecurity. Faculté des sciences économiques, sociales, politiques et de communication, Université catholique de Louvain, Bellanova, Rocco. http://hdl.handle.net/2078.1/thesis:16234 (Accessed: 12nd May 2025)

9. Bygrave, L. A. (May, 2022). Cyber resilience versus cybersecurity as legal aspiration. 14th International Conference on Cyber Conflict: Keep Moving! (CyCon), Tallinn, CCDCOE Publications, 27-44. https://ccdcoe.org/uploads/2022/06/CyCon_2022_book.pdf (Accessed: 7th August 2025).
10. Calliess, C. & Baumgarten, A. (2020). Cybersecurity in the EU the example of the financial sector: A legal perspective. German Law Journal, 21, 1149–1179. https://doi.org/10.1017/glj.2020.67 Carrapico, H. & Barrinha A. (2018). European Union cybersecurity as an emerging research and policy field. European Politics and Society, 19(3), 299-303. https://doi.org/10.1080/23745118.2018.1430712 Carrapico, H. & Farrand, B. (2020). Discursive continuity and change during Covid-19: The case of EU cybersecurity policy. Journal of European Integration, 42(8), 1111–1126. https://doi.org/10.1080/07036337.2020.1853122
11. Carrapico, H. & Farrand, B. (2024). Cybersecurity trends in the European Union: Regulatory mercantilism and the digitalisation of geopolitics. Journal of Common Market Studies, 00, Annual Review, 1–12. https://doi.org/10.1111/jcms.13654
12. Cavelty, M. D. & Smeets, M. (2023). Regulatory cybersecurity governance in the making: the formation of ENISA and its struggle for epistemic authority. Journal of European Public Policy, 30(7), 1330–1352. https://doi.org/10.1080/13501763.2023.2173274 Commission of European Communities. (2000). Communication from the Commission to the Council, the European Parliament, the Economic and Social Committee and the Committee of the Regions: Creating a safer information society by improving the security of information infrastructures and combating computer-related crime, COM(2000) 890 final, Brussels, 26.1.2001.
13. Commission of European Communities. (2001). Communication from the Commission to the Council, the European Parliament, the European Economic and Social Committee and the Committee of the Regions: Network and information security: Proposal for a European policy approach, COM(2001) 298 final, Brussels, 06.06.2001.
14. Commission of European Communities. (2003). Proposal for a Regulation of the European Parliament and of the Council establishing the European Network and Information Security Agency (presented by the Commission), COM(2003) 63 final, 2003/0032 (COD), Brussels, 11.2.2003.
15. Commission of European Communities. (2006). Communication from the Commission to the Council, the European Parliament, the European Economic and Social Committee and the Committee of the Regions: A strategy for a secure information society – Dialogue, partnership and empowerment, COM(2006) 251 final, Brussels, 31.5.2006.
16. Chamon, M. (2014). The empowerment of agencies under the Meroni doctrine and article 114 TFEU: comment on United Kingdom v Parliament and council (short-selling) and the proposed single resolution mechanism. European Law Review, 39(3), 380–403.
17. Chatterjee, C. & Lefcovitch, A. (2016). Cybersecurity, Diplomacy and International Law, Amicus Curiae, 108, 2–12. https://doi.org/10.14296/ac.v2016i108.4945
18. Chiara, P.G. (2024). The internet of things and EU law. Law, governance and technology series 67. Switzerland: Springer. https://doi.org/10.1007/978-3-031-67663-5
19. Christou, G. (2016). Cybersecurity in the European Union: Resilience and adaptability in governance policy, Hampshire: Palgrave Macmillan. https://doi.org/10.1057/9781137400529
20. Ciekanowski, Z., Gruchelski, M., Nowicka, J., Żurawski, S., Pauliuchuk, Y. (2023). Cyberspace as a source of new threats to the security of the European Union. European Research Studies Journal, 26(3), 782–797. https://doi.org/10.35808/ersj/3249
21. Court of Justice of the European Union. (2005). United Kingdom of Great Britain and Northern Ireland v European Parliament and Council of the European Union, Case C-217/04. EU:C:2006:279. Craig, P. (2012). EU administrative law, Oxford: Oxford University Press.
22. Craig, P. P. (2011). Shared administration and networks: Global and EU perspectives. In Anthony, G., Auby, J.-B., Morison, J. & Zwart, T. (Eds.), Values in Global Administrative Law, 81-116, Bloomsbury Publishing.
23. Cornish, P. (2009). Cybersecurity and politically, socially and religiously motivated cyber-attack, Brussels: European Parliament.
24. Cosic, J., & Jukan, A. (2024). Deciphering cyber-security certifications: An ontological journey through composite systems and their certification. 2024 IEEE International Conference on Engineering, Technology, and Innovation (ICE/ITMC), Funchal, Portugal, 2024, 1-6, https://doi.org/10.1109/ICE/ITMC61926.2024.10794255.
25. D’Alterio, F., Rotunno, M., Settembre, M., Bernardini, A. & Sagratella, L. (2024). Navigating 5G security: Challenges and progresses on 5G security assurance and risk assessment, 2024 AEIT International Annual Conference (AEIT), Trento, Italy, 2024, 1-6, https://doi.org/10.23919/AEIT53387.2021.9627014
26. Dewar, R. S. (2017). The European Union and Cybersecurity: A Historiography of an Emerging Actor’s Response to a Global Security Concern. In O’Neill, M. & Swinton, K. (Eds.), Challenges and Critiques of the EU Internal Security Strategy: Rights, Power and Security, 113-148, Cambridge Scholars Publishing.
27. Dragomir, A. (2021). Cyber diplomacy. International Journal of Information Security and Cybercrime, 10(2), 37-50. https://doi.org/10.19107/IJISC.2021.02.05
28. Duic, D. & Petrasevic, T. (2023). Data protection and cybersecurity: case-law of two European courts. EU and Comparative Law Issues and Challenges Series, 7 (Special Issue), 94-118.
29. Dupré, L. (2014). EP3R 2010-2013: Four years of Pan-European public-private cooperation. Atina: ENISA.
30. Duvvur, V. (2022). Securing the Future: Strategies for Modernizing Legacy Systems and Enhancing Cybersecurity. Journal of Artificial Intelligence & Cloud Computing, 1(3), 1–3. https://doi.org/10.47363/JAICC/2022(1)299
31. EEAS Press Team. (2023). US: The European Union and the United States hold the 9th Cyber Dialogue in Brussels. https://www.eeas.europa.eu/eeas/us-european-union-and-united-states-hold-9th-cyber-dialogue-brussels_en (Accessed: 25th March 2025).
32. El‐Maissi, A. M., Kassem, M. M., & Mohamed Nazri, F. (2024). Resilient critical infrastructures: An innovative methodological perspective for critical infrastructure (CI) integrated assessment models by inducing digital technologies during multi-hazard incidents. MethodsX, 12, 102561. https://doi.org/10.1016/j.mex.2024.102561
33. ENISA. (2021). ENISA threat landscape for supply chain attacks. https://doi.org/10.2824/168593 ENISA. (2024a). ENISA threat landscape 2024. https://doi.org/10.2824/0710888
34. ENISA. (2024b). The ENISA Threat landscape (ETL) report is the annual report of the European Union Agency for Cybersecurity, ENISA, on the state of the cybersecurity threat landscape. https://www.enisa.europa.eu/topics/cyber-threats/threat-landscape (Accessed: 15th May 2025).
35. ENISA. (2024c). Best practices for cyber crisis management. https://doi.org/10.2824/767828.
36. Enescu, S. (2020). A Comparative Study On European Cybersecurity Strategies. (Ed. Adrian Lesenciuc), International Conference RCIC’20: Redefining community in intercultural context, 7-9 May 2020, 9(1), (277-282), Brasov: ‘Henri Coanda’ Air Force Academy Publishing. European Business Review. (2023). France and Germany are increasingly drifting apart on digital sovereignty of the cloud sector. https://www.europeanbusinessreview.eu/page.asp?pid=6989, (Accessed: 30th May 2025).
37. European Commission. (2010a). Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions: A digital agenda for Europe, COM(2010) 245 final, Brussels, 19.5.2010. Publications Office of the European Union.
38. European Commission. (2010b). Proposal for a regulation of the European Parliament and of the Council Concerning the European Network and Information Security Agency (ENISA), Brussels, 30.9.2010, COM(2010) 521 final, 2010/0275 (COD). Publications Office of the European Union.
39. European Commission. (2013a). Joint communication to the European Parliament, the Council, the European Economic And Social Committee and the Committee Of The Regions, Cybersecurity Strategy of the European Union: An open, safe and secure cyberspace, JOIN(2013) 1 final, Brussels, 7.2.2013. Publications Office of the European Union.
40. European Commission. (2013b). Proposal for a directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union, COM(2013) 48 final, 2013/0027 (COD), Brussels, 7.2.2013. Publications Office of the European Union.
41. European Commission. (2016). Communication from the Commission to the Council, the European Parliament, the Economic and Social Committee and the Committee of the Regions: Strengthening Europe’s cyber resilience system and fostering a competitive and innovative cybersecurity industry, COM(2016) 410 final, Brussels, 5.7.2016. Publications Office of the European Union.