The European Union Agency for Cybersecurity (ENISA), tasked with safeguarding the bloc’s digital infrastructure, has drawn criticism after an internal investigation revealed the agency utilized artificial intelligence tools in its threat assessment reports – only to generate significant and concerning errors. The findings, reported by “Der Spiegel”, raise serious questions about the reliability of ENISA’s output and the responsible application of AI within critical European institutions.
Researchers from the Institute for Internet Security at Westfälische Hochschule discovered that AI was employed in at least two ENISA reports without any explicit disclosure. A particularly troubling detail revealed that nearly five percent of the footnotes in one report contained broken links, rendering crucial data inaccessible. “Someone would have only needed to click once to identify these issues” stated Professor Christian Dietrich, who, along with IT security researcher Raphael Springer, reviewed the reports. “What’s deeply concerning is that a public authority, entrusted with the vital task of producing reliable and verifiable reports, failed to do so in this instance.
The revelation exposes a potential crisis of confidence in ENISA, an agency holding an annual budget of almost €27 million and responsible for providing guidance and expertise on cybersecurity across the EU. The agency’s leadership, currently headed by Juhan Lepassaar, acknowledges “shortcomings” and claims responsibility for the errors. They characterize the AI usage as limited to “minor editorial revisions” attributing the faulty links to accidental alterations during the AI-driven process and insist the core content remains valid.
However, critics argue that the incident highlights a broader issue: the rush to embrace AI in high-stakes environments without sufficient oversight or quality control. The failure to clearly indicate AI involvement raises transparency concerns, making it impossible for external experts to rigorously evaluate the report’s methodology. Furthermore, the presence of pervasive errors undermines the credibility of ENISA’s assessments, potentially influencing policy decisions and leaving European institutions vulnerable to cyber threats.
The controversy prompts a necessary re-evaluation of ENISA’s operational practices and calls for stricter protocols regarding the integration of AI within official reports. Questions are being raised in the European Parliament about the agency’s accountability and the safeguards necessary to ensure the integrity of its work, particularly as its role in shaping the EU’s cybersecurity strategy continues to expand. The incident serves as a cautionary tale about the potential pitfalls of blindly adopting powerful technologies without commensurate measures for verification and transparency.
