ENISA European Union Agency for Cybersecurity.

ENISA is the EU cybersecurity agency, headquartered in Athens. Supports member states and EU institutions on cybersecurity policy, operational cooperation and the EU certification framework. Operationally involved in NIS 2 cooperation, DORA implementing standards, and the AI Act security baseline. Their threat-landscape report is the single most-cited yearly publication.

By Christophe Mazzola, Practicing CISO · Founder of Cyber AcademyStandards bodiesAll entries

The Cyber Academy take

ENISA is the EU cybersecurity agency, headquartered in Athens. Supports member states and EU institutions on cybersecurity policy, operational cooperation and the EU certification framework. Operationally involved in NIS 2 cooperation, DORA implementing standards, and the AI Act security baseline. Their threat-landscape report is the single most-cited yearly publication.

ENISA is the European Union Agency for Cybersecurity. Its job is to raise the common level of cybersecurity across the Union.

What ENISA does, and what it does not do

ENISA is the EU body for cybersecurity. It is headquartered in Athens.

It works alongside member states, the European Commission and EU institutions. It supports three areas:

  • Policy.
  • Operational cooperation.
  • Capacity building.

ENISA does not run national defence itself. The distinction matters in practice. ENISA does not do these things:

  • Investigate breaches.
  • Issue binding fines.
  • Supervise individual companies.

National competent authorities and sector regulators do that work. ENISA produces what those authorities rely on:

  • Guidance.
  • Threat intelligence.
  • Technical baselines.

Regulated organisations under those authorities lean on the same material.

ENISA compared to a national agency

A useful way to place ENISA is to contrast it with a national agency. Take France’s ANSSI.

ANSSI is a member-state authority. It has operational and regulatory powers inside one country.

ENISA operates one level up. It coordinates across all member states. It gives the EU a single technical reference point.

This stops twenty-seven national approaches from drifting apart. So when a French CISO cites both, the split is clear:

  • ANSSI is the authority they answer to.
  • ENISA is the EU-wide source they align with.

Where ENISA touches the regulations you must comply with

For a GRC practitioner, ENISA is not an abstraction. It shows up directly inside the texts you are scoped against.

NIS 2

Under NIS 2, ENISA supports the cooperation mechanisms between member states. It maintains shared situational awareness.

It also contributes technical guidance. This helps essential and important entities read their obligations consistently. Those obligations cover security and incident reporting.

DORA

Under DORA, ENISA contributes to the implementing and regulatory technical standards. These turn the regulation’s high-level requirements for financial entities into concrete expectations.

AI Act

The AI Act’s security provisions are still taking shape. ENISA is positioned to help define the cybersecurity baseline expected of high-risk AI systems.

EU Cybersecurity Act

ENISA runs the European cybersecurity certification framework. It develops schemes for products, services and processes.

A scheme lets each one be certified once. The result is then recognised across the Union.

The output practitioners actually read

ENISA publishes a lot. Its annual Threat Landscape report is the single most-cited piece of work.

It is the reference document teams reach for when they need an authoritative, EU-level view. It shows how the threat picture is evolving across sectors. Practitioners use it to:

  • Sanity-check their own risk assessments.
  • Brief boards with a source that is independent and pan-European.
  • Justify control priorities to auditors and regulators.

ENISA also publishes more than the report:

  • Sector-specific guidance.
  • Good-practice guides.
  • The technical groundwork behind certification schemes.

How to treat ENISA in practice

Treat ENISA as a source of authority. It is not a body you report to. You do not file anything with ENISA.

Instead, align your own work with what it publishes:

  • Your risk language.
  • Your control baselines.
  • Your threat assumptions.

That material is the reference your national authority and your auditor read too. Increasingly, your regulator reads it as well.

Frequently asked questions

01Is ENISA a regulator that can fine my company?

No. ENISA is a supporting and coordinating agency. Enforcement, supervision and penalties under regimes like NIS 2 and DORA sit with national competent authorities and sector regulators, not with ENISA.

02What is the difference between ENISA and ANSSI?

ENISA is the EU-wide agency coordinating cybersecurity across all member states. ANSSI is France's national cybersecurity authority with operational and regulatory powers inside France. A French organisation answers to ANSSI and aligns with ENISA.

03What is ENISA's role in the EU cybersecurity certification framework?

Under the EU Cybersecurity Act, ENISA develops and manages European certification schemes so that ICT products, services and processes can be certified once and recognised across all member states, rather than certified separately in each country.

04Which ENISA publication should I actually read?

The annual ENISA Threat Landscape report is the most widely cited. It gives an independent, EU-level view of evolving threats that practitioners use to validate risk assessments and brief leadership.

05Do I have to report incidents to ENISA?

Generally no. Incident reporting under NIS 2 and DORA flows to designated national authorities and CSIRTs. ENISA supports shared situational awareness across member states but is not normally the entity you file an incident report with.

Need more than a definition?

Book a free 20-minute discovery call. We map the cohort that turns this term into an audit-ready practice.