Privacy & Information Security Law Blog

On July 4, 2013, the European Parliament adopted new EU legislation to fight cyber crime. The Directive on attacks against information systems (the “Directive”) (see the Committee on Civil Liberties, Justice and Home Affairs’ report tabled for plenary), together with the launch of the European Cybercrime Centre and the adoption of the EU cybersecurity strategy, will strengthen the EU’s overall response to cyber crime and contribute to improving cybersecurity for all EU citizens.

The Directive builds on rules that have been in force since 2005 (the Council Framework Decision 2005/222/JHA on attacks against information systems). The European Commission determined that a new legislative instrument was needed to address emerging threats that were not considered when the 2005 Framework Decision was adopted. Such threats include the emergence of large-scale attacks against information systems, and increased criminal use of so-called “botnets,” networks of infected computers that can be remotely controlled to stage large-scale, coordinated attacks.

The Directive, which contains penalties for illegal access, illegal system interference and illegal data interference, retains a number of provisions in the Framework Decision, but also introduces new concepts. For example, using tools such as botnets or unrightfully obtained computer passwords, as well as illegal interception, are now offenses under the Directive.

In addition, the Directive aims to improve European criminal justice and police cooperation by (1) strengthening the existing structure of 24/7 contact points by obliging the EU Member States to react to urgent requests within eight hours, and (2) requiring the EU Member States to collect basic statistical data on cyber crimes.

The Directive also increases the level of criminal penalties to a maximum term of imprisonment of at least two years, or five years for offenses committed within the framework of a criminal organization.

The Directive penalizes instigating, aiding, abetting and attempting the offenses and adds new aggravating circumstances, such as:

• a maximum penalty of at least three years when a significant number of information systems have been affected through the use of a tool (e.g., botnets), and
• a maximum penalty of at least five years when the offense causes serious damage or when the offense is committed against a critical infrastructure information system.

The Directive has yet to be approved by the EU Council. Once published in the Official Journal of the European Union, EU Member States will have two years to implement the Directive into their national laws.