The Cybersecurity Act granted ENISA a permanent mandate along with increased responsibilities, transforming it from a \u201cCinderella\u201d agency<\/a> into a key cybersecurity entity in the EU. ENISA aims to achieve a high common level of cybersecurity across the Union. Its main tasks include:<\/p>\n \u00a0<\/strong>\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Photo credits: ENISA website<\/p>\n The Emergence of AMLA <\/strong><\/p>\n The evolution of the EU’s anti-money laundering framework has seen notable advancements<\/a>, starting from the initial anti-money laundering Directive (AMLD1<\/a>) in 1990 to the latest updates with AMLD6<\/a>, Anti-Money Laundering Regulation (AMLR<\/a>), and Anti-Money Laundering Authority Regulation (AMLAR<\/a>). This development signifies an expanding regulatory focus that originally targeted drug trafficking in the 1990s, evolving<\/a> into a robust framework that addresses intricate financial crimes<\/a> like cyber-enabled money laundering. A significant shift occurred with AMLD3<\/a>, which embraced risk-based approaches for customer due diligence<\/a> (CDD). The enactment of AMLD4<\/a> improved transparency by creating mandatory central registers for beneficial ownership information, a refinement further augmented by AMLD5<\/a> (2018), which required public accessibility<\/a>. The recent introductions of AMLR, AMLAR, and AMLD6 establish centralised oversight while adapting to technological advancements by creating a unified supervisory body across the EU<\/a>, effectively standardising anti-money laundering initiatives among member states and confronting new technological hurdles<\/a>. This evolution exemplifies direct enforcement and is a new form of functional spillover<\/a> that arises from internal pressure and functional necessity, rather than from external crises. This indicates that achieving the established policy goals necessitates the expansion and uniform application of EU law. Below, we delve into why and how direct enforcement is essential for ENISA to attain a high common level of cybersecurity throughout the EU.<\/p>\n Why should ENISA follow the same trajectory as AMLA? <\/strong><\/p>\n The increasing frequency<\/a> and sophistication of cyber threats<\/a> pose significant risks to economic activities, public services, and citizens’ privacy. In recent years, the EU has implemented several legislation addressing cybersecurity, such as the Cybersecurity Act<\/a>, NIS 2 Directive<\/a>, Cyber Resilience Act<\/a>, and Cyber Solidarity Act<\/a>.<\/p>\n These legislations have expanded ENISA\u2019s capacities<\/a>, but they are insufficient for the EU\u2019s ambition to enhance cybersecurity across the Union, as the success of EU cybersecurity policies relies on implementation by Member States. For example, the NIS 2 Directive has so far been transposed by only four Member States, prompting the European Commission to open infringement proceedings against 23 Member States<\/a>. This presents a real risk of fragmentation across the EU, which hinders effective cybersecurity. From a functional spillover<\/a> perspective, the increasing cybersecurity threats and divergent approaches among Member States suggest that ENISA\u2019s role may need to evolve beyond its original advisory and coordinative function towards enforcement powers.<\/p>\n The situation facing ENISA mirrors AMLA\u2019s earlier context – both agencies emerged in response to fragmented national practices and cross-border threats that require unified, robust responses. However, while AMLA was granted limited enforcement powers due to the ineffectiveness of the previous decentralised approach and the lack of cooperation among national AML\/CFT supervisors<\/a>, ENISA remains confined to coordination and advisory functions. To some extent, one could argue that ENISA\u2019s case resembles AMLA, and granting ENISA enforcement powers would ensure compliance with EU cybersecurity standards and achieve a high common level of cybersecurity across the Union.<\/p>\n However, this might be an impossible mission or one that lies in the fairly distant future\u2026 Direct enforcement for the wandering ENISA faces a steep climb, blocked by the EU\u2019s limited competences in security matters, an area still fiercely guarded by the Member States.<\/p>\n How this trajectory can be beneficial<\/strong><\/p>\n As referred to above, the sole competence of Member States in matters of public and national security (recognised under Article 4(2) TEU) currently limits ENISA\u2019s ability to gain direct enforcement powers; there is, however, precedent for derogation from the national security exemption, as can be observed in the Privacy International case (paragraph 44)<\/a> in relation to the e-privacy Directive.<\/p>\n For now though, we must not jump ahead but instead envisage some preliminary steps that may take ENISA some distance down AMLA\u2019s beaten path. A prerequisite of any centralisation is an unequivocal delineation of the agency\u2019s role in a crowded regulatory environment. The elaboration of the EU cybersecurity landscape in recent years has led to a blurring of the lines between the competences of the entities involved<\/a>, particularly with the emergence of several networks and centres at the EU level aiming to prepare for, respond to, or analyse cybersecurity threats and incidents<\/a>. Although the notion of collaboration seems to be favoured in EU cybersecurity policy, the lack of exclusive specialisation on ENISA\u2019s part would undermine any future enforcement remit for the agency. Thus, policymakers should pinpoint the tasks and responsibilities the execution of which would allow ENISA to contribute most optimally to the improvement of EU cybersecurity. This prioritisation of tasks would enable ENISA to enhance its operational efficiency, and ultimately its reputation, potentially paving the way for a transition to a more substantively empowered role.<\/p>\n \u00a0<\/p>\n \u00a0<\/p>\n<\/td>\n ENISA<\/strong><\/p>\n<\/td>\n AMLA<\/strong><\/p>\n<\/td>\n<\/tr>\n Legal basis<\/strong><\/p>\n<\/td>\n Cybersecurity Act (2019) & NIS2 Directive<\/p>\n<\/td>\n AML\/CFT Regulation (2024) & AMLD6<\/p>\n<\/td>\n<\/tr>\n Enforcement powers <\/strong><\/p>\n<\/td>\n No direct enforcement (supports national authorities)<\/p>\n<\/td>\n Direct enforcement<\/p>\n (40+ high-risk financial entities (crypto, cross-border institutions))<\/p>\n<\/td>\n<\/tr>\n Sector focus<\/strong><\/p>\n<\/td>\n All critical sectors (energy, health, transport, digital infra)<\/p>\n<\/td>\n Financial sector priority, limited non-financial oversight<\/p>\n<\/td>\n<\/tr>\n Enforcement tools<\/strong><\/p>\n<\/td>\n Technical enforcement i.e., cybersecurity certification, Vulnerability reporting; Operational Tools i.e., Cyber Exercise Platform for crisis simulations, CSIRT Network coordination; Compliance Leverage i.e., National strategy evaluation toolkit Biennial risk trend reports to EU institutions<\/p>\n<\/td>\n Corrective measures i.e., operations restrictions, government structures; Financial sanction i.e., fines; Investigative powers.<\/p>\n<\/td>\n<\/tr>\n Dispute resolution <\/strong><\/p>\n<\/td>\n Non-binding recommendations through Cooperation Group<\/p>\n<\/td>\n Binding arbitration in cross-border supervisory conflicts<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n \u00a0<\/p>\n\n\n","protected":false},"excerpt":{"rendered":" By Arailym, Patrick and Sondra The road to what might be called regulatory maturity is often a long one. In EU cybersecurity regulation, a culture of vertical and horizontal collaboration is optimistic but seemingly ineffective. It likely leaves the European Union Agency for Cybersecurity (ENISA) feeling somewhat envious of the centralised enforcement powers recently vested … Continue reading “Following in AMLA\u2019s footsteps: is direct enforcement the way to go for wandering ENISA?”<\/span><\/a><\/p>\n","protected":false},"author":94,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-9203","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/eulawenforcement.com\/index.php?rest_route=\/wp\/v2\/posts\/9203","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/eulawenforcement.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/eulawenforcement.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/eulawenforcement.com\/index.php?rest_route=\/wp\/v2\/users\/94"}],"replies":[{"embeddable":true,"href":"https:\/\/eulawenforcement.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=9203"}],"version-history":[{"count":3,"href":"https:\/\/eulawenforcement.com\/index.php?rest_route=\/wp\/v2\/posts\/9203\/revisions"}],"predecessor-version":[{"id":9345,"href":"https:\/\/eulawenforcement.com\/index.php?rest_route=\/wp\/v2\/posts\/9203\/revisions\/9345"}],"wp:attachment":[{"href":"https:\/\/eulawenforcement.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=9203"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/eulawenforcement.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=9203"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/eulawenforcement.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=9203"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}![\"\"](\"https:\/\/eulawenforcement.com\/wp-content\/uploads\/2025\/04\/Picture1.png\")
ENISA – the European Union Agency for Cybersecurity<\/a>, previously known as the European Network and Information Security Agency, was established in 2004 by Regulation No 460\/2004<\/a>. It was reformed by Regulation No 526\/2013<\/a>, which was later repealed by the Cybersecurity Act.<\/a><\/p>\n\n
![\"\"](\"https:\/\/eulawenforcement.com\/wp-content\/uploads\/2025\/04\/Picture2.png\")
<\/p>\n\n\n
\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n