As Europe faces increasing digital threats and geopolitical volatility, cybersecurity is no longer just a national concern. For the Western Balkans Six (WB6), aligning with the European Union’s cybersecurity framework is a strategic necessity—one that must be reflected in institutional access.
This year, policy roundtables in Tirana, Berlin and Brussels convened regional and EU experts to explore deeper cybersecurity cooperation. A clear consensus emerged: the European Union should initiate phased integration of the WB6 into the EU Agency for Cybersecurity (ENISA), starting with observer status and progressing toward full membership.
While ENISA has maintained cooperative ties with the region, there is currently no formal mechanism for WB6 participation beyond third-country engagement. With the EU Cybersecurity Act under review, the European Commission has a timely opportunity to amend the regulation and create a legal pathway for candidate countries to obtain observer status.
The EU has emphasized digital transformation as a key pillar of its future. Through instruments like the Growth Facility for the Western Balkans, the bloc has linked regional digital resilience with EU convergence. However, cybersecurity integration has lagged. Enabling ENISA access would align with EU enlargement goals and offer practical benefits for both sides.
The 2022 cyberattacks against Albania revealed the vulnerabilities that stem from fragmented capacities. Cyber threats in one part of Europe quickly become continental issues. Without coordinated resilience, the security of the Digital Single Market remains exposed.
Phased integration into ENISA would allow WB6 countries to participate in its expert networks, contribute to certification frameworks, and align with incident response protocols. This approach would strengthen institutional capacity and support legal harmonization with EU standards.
Many WB6 countries have already adopted national cybersecurity strategies and aligned with the EU’s Network and Information Security (NIS) Directive. But participation in ENISA requires more than domestic reforms—it requires structured access.
We propose a three-step approach:
-
Amend the EU Cybersecurity Act to allow observer status for candidate countries meeting basic institutional criteria—similar to arrangements with EEA countries.
-
Launch feasibility assessments and technical support to help WB6 states meet ENISA benchmarks.
-
Establish a roadmap for full membership, tied to each country’s EU accession progress and compliance.
The Kosovar Centre for Security Studies (KCSS), through the IGNITA initiative supported by the Open Society Foundations – Western Balkans, has developed a detailed policy paper that outlines this roadmap and the current cybersecurity landscape across the region.
Crucially, the process must be region-wide. Fragmented bilateral arrangements would entrench existing asymmetries. A unified, regional integration strategy—building on the Berlin Process and the priorities set in the Reform and Growth Facility—offers a coherent and scalable approach. The 2023 Berlin Summit conclusions supported this direction.
From the EU’s perspective, integrating the WB6 into ENISA would signal a credible and concrete step toward enlargement. It would also reduce the EU’s digital threat surface and foster a more secure common infrastructure. Cybersecurity is inherently transnational. Its governance must be as well.
This proposal does not call for shortcuts. Integration into ENISA must be merit-based, contingent on reforms and compliance with EU norms. But the EU must act now—by opening the door and creating clear incentives for participation.
Institutionalized cooperation through ENISA would embed cybersecurity standards, improve accountability, and send a tangible message to citizens in the Western Balkans: European integration is not abstract—it is happening.
As the EU finalizes the Cybersecurity Act revision and advances the Reform and Growth Facility, now is the moment to bridge the digital divide. ENISA is the right place to start.