EU struggles to pick next cybersecurity chief

A vote expected next week reveals power struggle between EU and capitals over cybersecurity policy.

Europe’s cybersecurity authorities are struggling to pick their next chief of the beefed-up EU Cybersecurity Agency — and time is running out.

The EU Agency for Cybersecurity, formerly known as ENISA, got more powers under the new “Cybersecurity Act,” a landmark regulation that came into force at the end of last month. The agency will in coming years draft certification schemes to better protect internet-connected devices, boost the security of 5G telecom networks and raise security standards for cloud providers, among other things.

Current Executive Director Udo Helmbrecht’s second term ends in mid-October and his replacement is chosen by the management board, which includes the national EU cybersecurity authorities as well as representatives of the European Commission.

But a selection procedure that should have ended last March has run into trouble.

POLITICO spoke to more than half a dozen people close to the process who said the Commission had run into problems drafting its shortlist, and that national agencies are very sensitive about the selection — leading to a slow and painstaking appointment process.

The Commission and major capitals like Paris and Berlin consider it a key role for exerting control over cybersecurity policy. In drafting the agency’s new mandate, capitals pushed back on Brussels’ attempts to grab more competences. Bigger national agencies like the Germans and French are keen to maintain influence over EU efforts to impose cybersecurity standards and certifications in the coming years.

The Commission sent a shortlist of three people to the management board on June 5. The candidates pitched themselves to national representatives last Thursday, and the board is scheduled to make its pick next week — hoping to put in place new leadership before Helmbrecht leaves office.

The new executive director needs the votes of two-thirds of EU capitals, and must then appear before the European Parliament’s industry committee.

National agencies will hold backroom talks in coming weeks to seek votes for their candidates. The shortlist includes Juhan Lepassaar, the former head of Cabinet of Andrus Ansip who was Commission vice president for digital issues until stepping down this month to take up his seat as an MEP.

Lepassaar, an Estonian political operative in his early forties, has the backing of Tallinn and boasts a track record of managing key political files from the outgoing European Commission, including its drafting of the Cybersecurity Act.

He has a very different profile from the current incumbent Helmbrecht, who spent six years running the powerful German Federal Office for Information Security before taking over the EU agency in 2009.

Helmbrecht — praised in the cybersecurity industry for his technical know-how — has run ENISA for 10 years and put it on the map as a hub for technical expertise.

However, he steered clear of political hot potatoes like 5G security, election-hacking and cyberwarfare.

The other two candidates on the shortlist are national officials from Belgium and Germany, according to three sources.

The agency itself declined to comment on the selection process, referring questions to the management board, whose chairperson, Jean-Baptiste Demaison, senior adviser to the French cybersecurity agency ANSSI, said: “The selection procedure of the next Executive Director of ENISA is indeed ongoing. A communication on the yet-to-be selected [director] will take place as soon as the process will be completed.”

A Commission spokesperson also declined to comment, beyond saying: “In line with the applicable rules, the Commission has already transmitted a shortlist.”

This article has been updated to correct the mention of the French cybersecurity agency, which is the Agence nationale de la sécurité des systèmes d’information, or ANSSI.