Towards Europe’s Global Leadership in Cybersecurity: A Conversation with ENISA Executive Director Juhan Lepassaar on the Past, Present and Future of the Agency

By Juhan Lepassaar, Valentina Golunova, Paolo Balboni, Cosimo Monda, and Ellen Vos

For the EU Agencies Corner of REALaw, we speak with Juhan Lepassaar about the past, present, and future of the European Union Agency for Cybersecurity (ENISA), drawing on his insights as its Executive Director.

Established in 2004, ENISA is the Union’s agency dedicated to achieving a high common level of cybersecurity across Europe. It collects and provides independent, high-quality technical advice and assistance to Member States and EU bodies on cybersecurity and supports the development and implementation of the Union’s cybersecurity policies. After more than 15 years in the Estonian and European public service, Lepassaar assumed his duties as the Executive Director of ENISA in October 2019, and his term was extended for another five years in 2024.

The conversation takes place in March 2026. Right at the outset, Lepassaar mentions that, being Estonian, he always shares his thoughts candidly. As a result, we enjoy a deep dive into ENISA’s work, its most notable achievements, and future aspirations. In the interview, we explore ENISA’s evolution over the years, its present-day challenges, and prospects for what lies ahead.

From a think tank to a support entity

To set the stage, we ask Lepassaar to highlight what he considers the most significant change that he may not have anticipated when he first took up the role of ENISA’s Executive Director. In addressing this question, he first refers to the global shifts:

“As an internal market agency, [ENISA] very much operates in the ecosystem of the rule of law. […] And the big impact that we have seen globally is the erosion of the values that underpin the functioning of the internal market”.

“When I applied for the post of the Executive Director, I never imagined that I would deal with the COVID-19 pandemic, the war in Ukraine, or frictions within the transatlantic alliance”.

Then, Lepassaar turns to the changes within the European cybersecurity landscape:

“When ENISA was just created, it acted more like a think tank, to bring together best practices and expertise in the area of cybersecurity, but we gradually started to act as a support entity for the Member States to build their capacities and capabilities”.

He highlights two new areas added to ENISA’s mandate in 2019: cybersecurity certification and operational cooperation, which were initially contested by the Member States. These days, however, ENISA is frequently called to step into new areas and support areas such as vulnerability management, and the need for an EU-wide approach to cybersecurity has become “self-evident”.

“Cybersecurity is still regarded as part of national security, but now, the cohesive internal market part has become a dominant feature”.

For Lepassaar, a major development came with the creation of an EU Cybersecurity Reserve under the 2025 Cyber Solidarity Act, a continuation of the European Cybersecurity Support Action, which was adopted as a response to Russia’s war against Ukraine and the resulting escalation of cyberwar activities. Under the new framework, ENISA not only supports the national authorities in raising the resilience of their critical entities but also provides key services directly to the beneficiaries.

“The stakeholders with whom we interact and communicate on a regular basis have expanded”.

Speaking of ENISA itself, Lepassaar emphasises his efforts to change both the organisational structure and culture. Since 2021, the Agency has restructured 25 different functions to ensure more effective implementation of its tasks in line with the requirements of the Cybersecurity Act.

“Due to the changes at both global and European levels, the Agency has been able to pivot very quickly. […] In doing so, we also determined the EU public administration can be agile and nimble and act quickly if there is a real need for it”.

Within the same timeframe, Lepassaar took steps to address the lingering ‘think tank’ mentality to stimulate more informed planning and strategic foresight:

“We still retain our autonomy, but we at least coordinate better, and make sure that we validate our plans with the Member States, so that we can be assured that whatever we are doing will be useful for them”.

“The Commission relies upon the Agency more and more in order to support some of the legwork when it comes to also understanding and analysing the impact of the policy environment that it has put in place. So, of course, the need for the Agency to be aligned with the Commission’s thinking is quite huge”.

Finally, Lepassaar remarks on his own professional journey. Having worked at the Government Office of Estonia and the European Commission in the past, becoming ENISA’s Executive Director was a major personal challenge:

“When I made a shift from policy to the administration, I did not expect it to be such a huge jump into uncharted waters. […] I made a number of mistakes along the way, but I have learned so much, and I’m also very passionate about EU public administration now”.

ENISA as a talent factory

When asked about his most notable accomplishments, Lepassaar immediately notes that “empowering people to do the great work that they’re doing” within ENISA itself has been one of the greatest joys so far.

“I reformed the management team, but in an evolutionary way, so I really looked for talent within the Agency. […] Finding these hidden jewels is a big achievement”.

He emphasises that he is proud of his work towards ensuring that ENISA’s actions are aligned with the expectations of its key stakeholders – the Member States.

“It used to happen in the past that the Agency acted first, and the Member States only found out afterwards. […] Aligning the work in a way that brings real value to the Member States has been important”.

Additionally, he draws attention to his efforts to turn ENISA into a “talent factory” to boost cybersecurity expertise across Europe:

“There is a persistent skills gap in cybersecurity in the European markets: the Commission has said it’s between 200,000 and 500,000 people in Europe. […] That is why we need to build our own competencies, have an understanding of what these competencies are, how to evaluate them, and how to give feedback to people so that they can put it into practice for their own personal development. All of this is still ongoing work”.

On cybersecurity as a discipline and the current challenges

We invite Lepassaar to give an overview of the most pressing threats and vulnerabilities in the current cybersecurity landscape. He refers to the three main categories of threat actors: those motivated by monetary gains (e.g. ransomware gangs), state and state-aligned actors, and private activists driven by ideological reasons, who may or may not be aligned with the state. While cybersecurity is still a relatively new discipline, it is explicitly designed to deal with technological developments:

“Cybersecurity is a discipline which is bound to technological change, because we wouldn’t talk about cybersecurity without digitalisation of our economy”.

According to Lepassaar, “European economic entities have become increasingly better at understanding and managing their own risks”. Yet assessing the risks across the full value chain remains challenging:

“Cybersecurity nowadays is not about ensuring that nobody hacks your perimeter. […] It is about resilience: how quickly can you restore your services? Can you ensure that you have backup systems so that you do not lose data?”

Although there is much concern about the cybersecurity of state-of-the-art tools, Lepassaar notes that most cybersecurity vulnerabilities concern legacy technologies.

“There were more than 40,000 vulnerabilities which were found last year in technology that is already in the market […] These vulnerabilities represent opportunities for threat access if not managed properly”.

The two most common cybersecurity intrusion vectors in Europe – phishing (i.e. stealing credentials) and the exploitation of vulnerabilities in software – can be addressed by deploying two- or multifactor authentication and engaging in vulnerability management. Lepassaar posits that AI tools, while widely believed to empower cybercriminals, can also assist in cyber defence:

“AI is a great potential tool to speed up the analytical processes. […] But we definitely need to dig deeper, have a better understanding of what goes on inside AI, how people use AI, and what the impact is on society”.

Cybersecurity as a team sport

We are curious to find out how ENISA navigates the collaboration between the different supervisory authorities and agencies created in the last few years, in cybersecurity as well as in the data and digital domains. Lepassaar admits that when he delegated the management of specific communities to specific operational activities, they did not engage with each other. Now, he has opted for a different approach:

“I’ve decided to create, together with the management board, a dedicated coordination activity. That doesn’t take away the responsibility of other operational activities to deal with the relevant communities, but they need to deal with them in a coordinated fashion”.

Lepassaar acknowledges that it remains to be seen how successful ENISA will be when implementing the new approach. At the same time, he is excited about the expansion of the stakeholder ecosystem, since it “reflects how cybersecurity as a discipline is now more and more integrated and ingrained into different economic facets of the internal market”:

“I am actually happy that there are dedicated communities with dedicated responsibilities in cybersecurity. How can we ensure resilience or that old products put on the market fulfil the minimum cybersecurity requirements? We have to talk with the market supervisory authorities. […] Having different communities is also a way forward when we talk about tackling one of the big problems in cybersecurity, which is securing the supply chains”.

On the new cybersecurity package and Europe’s sovereignty

We take the opportunity to ask Lepassaar for his opinion on the Commission’s proposal for a revised Cybersecurity Act, tabled in January 2026. Although the proposal aims to expand ENISA’s staff and budget, Lepassaar has previously indicated that increasing capacity is “the absolute minimum” and called for a “rethink” rather than an “upgrade”. In our conversation, he elaborates on his standpoint, highlighting that he welcomes “the strategic shift in thinking” as reflected in the proposal:

“To take our own security seriously, as Europeans, we need to also have our capabilities to keep our capacities and to act as Europeans in critical areas”.

In light of this general objective to make cybersecurity more European-centered, Lepassaar sees two crucial areas for improvement:

“We, as Europe, will not become a serious, globally influential cybersecurity player if we don’t do more vulnerability governance and management at the EU level”.

“And we need to help our own industry actors to rethink their product development cycles so that the products that they put on the market are cyber secure by default”.

When asked about his perspective on Europe’s technological sovereignty, Lepassaar quotes a former colleague, Ms. Ann Mettler, the former Head of the European Political Strategy Centre (EPSC), the European Commission’s in-house think tank:

“In a world dominated by groundbreaking digital technologies that change economies and societies, sovereignty is bestowed upon those countries that innovate and deploy technology, rather than those who regulate”.

Lepassaar also concedes that while ENISA has extensive technical expertise in cybersecurity, defining the political and legal concept of sovereignty is beyond its mandate.

“Of course, we take a full-spectrum threat approach to cybersecurity management, which includes non-technical risks… […] What I now see is an attempt by the Commission to create a framework where these non-technical risks, which are part of our cybersecurity landscape, can be addressed and dealt with, and I think it’s a good development”.

The future outlook

As the interview draws to a close, we wonder how Lepassaar sees ENISA evolving in the next 10 years. He first talks about his immediate priorities:

“My focus is almost entirely on getting the organisation ready to run the new mandate, including capability building in critical areas where we need to start acting”.

He mentions two essential – yet contradictory – long-term goals that he and his successor need to attain. The first of these objectives is maintaining and advancing European scientific leadership.

“This would require a different kind of approach of not only managing the risks but also taking some bold and risky steps. […] Of course, every time an EU entity acts like this, we see some pushback from the Member States or industry players”.

On the other hand, ENISA must continue to ensure a high common level of cybersecurity resilience and trust in cybersecurity in Europe.

“‘Common’ is measured at the weakest link. […] Besides developing a global leadership in cybersecurity, we also need to help the weakest parties, be they specific Member States, or specific industries or sectors”.

Lepassaar notes, however, that offering such assistance must not “undermine national responsibilities” to avoid creating “a free rider environment”.

“Good cybersecurity starts with mature national cybersecurity capacities, capabilities, and authorities – and this is key to achieving steady resilience development across Europe”.

With 3,5 years left until the end of his term, Lepassaar acknowledges that there is still a lot of work to do but is confident that the organisation is well-positioned to tackle the tasks ahead.

