The Agency is scheduled to begin operation in January 2004 and is expected to cost the EU 24 million euros in the first five years, with an additional nine million euros once ten prospective EU participants join. The Agency will recruit both from both the public and private sector and will be managed by an Executive Director responsible for the preparation and implementation of the program, the Agency's budget, and personnel matters. There will also be a Management Board of members appointed by the Council and the Commission as well as industry and consumer representatives.
The proposal depends primarily on voluntary disclosure from private and public operators and does not recommend requiring companies to disclose when security has been breached. Cooperation from companies is expected because it is in their best interest to effectively respond to cyberattacks, although some firms are reticent to reveal that they have been hacked. Although individual members of the EU already have active crisis units, called Computer Emergency Response Teams, there has been no coordinated effort to date. The EU also recognizes the importance of international cooperation in combating security risks, so the Agency will provide support for EU contacts in other countries. Participation in the Agency by countries outside of the EU will be possible, provided they adopt and apply pertinent laws of the European Community. The proposal will need the support of the majority of member states as well as the European Parliament. Text of the proposal can be found at: http://europa.eu.int/eeurope.
Source: European Commission