Activities of Marie-Christine VERGIAT related to 2010/0273(COD)
Shadow reports (1)
REPORT on the proposal for a directive of the European Parliament and of the Council on attacks against information systems and repealing Council Framework Decision 2005/222/JHA PDF (387 KB) DOC (447 KB)
Amendments (36)
Amendment 37 #
Proposal for a directive
Recital 2
Recital 2
(2) Attacks against information systems, in particular as a result of the threat fromat least those linked to organised crime, are a growing menace, and there is increasing concern about the potential for terrorist or politically motivated attacks against information systems which form part of the critical infrastructure of Member States and the Union. This constitutes a threat to the achievement of a safer information society and an area of freedom, security and justice, and therefore requires a response at the level of the European Union.
Amendment 41 #
Proposal for a directive
Recital 6
Recital 6
(6) Member States should provide for penalties in respect of attacks against information systems. The penalties provided for should be effective, proportionate and dissuasive.
Amendment 46 #
Proposal for a directive
Recital 10
Recital 10
(10) This Directive does not intcover action takend to impose criminal liability where the offences are committed without criminal intent, such as for authorised testing or protection of information systemsensure the security of information systems, e.g. the ability of an information system to resist criminal acts as defined in this Directive, or to make available tools used or intended to be used to enhance that ability. It also does not seek to impose criminal liability if the objective criteria used to define the crimes listed in this Directive have been met, but the act was committed without criminal intent.
Amendment 52 #
Proposal for a directive
Recital 12 a (new)
Recital 12 a (new)
(12a) Member States should regard the protection of their information systems and the data they contain as part of their duty of care. Reasonable levels of protection should be provided against reasonably identifiable threats and areas of vulnerability. The costs and charges linked to this protection should reflect the harm which a cyber attack would cause to the persons concerned.
Amendment 56 #
Proposal for a directive
Recital 12 b (new)
Recital 12 b (new)
(12b) Member States should also take appropriate steps to oblige legal persons who operate of supply information systems on their territory to protect personal data in their care against offences referred to in this Directive. Legal persons should provide reasonable levels of protection against reasonably identifiable threats and areas of vulnerability. Member States should ensure that a legal person who has failed to provide a reasonable level of protection is liable to criminal prosecution for negligence and to severe penalties if the damage suffered as a result of that failure is considerable.
Amendment 59 #
Proposal for a directive
Recital 12 c (new)
Recital 12 c (new)
(12c) It is also necessary to foster and improve cooperation between service providers, producers and law-enforcement bodies, whilst fully respecting the rule of law, especially as regards legal certainty and the rights of suspects and accused persons, such as the presumption of innocence and the right to seek legal redress. It is also necessary that in a constitutional state the persons responsible for enforcing the law should respect the rule of law.
Amendment 62 #
Proposal for a directive
Recital 12 d (new)
Recital 12 d (new)
(12d) Without prejudice to voluntary cooperation between legal persons, such as service providers and producers, on the one hand, and law-enforcement bodies and judicial authorities, on the other, Member States should define the cases in which the failure to act can in itself constitute criminal behaviour.
Amendment 64 #
Proposal for a directive
Recital 12 e (new)
Recital 12 e (new)
(12e) In order to fight cybercrime effectively, it is also necessary to increase the resilience of information systems by taking appropriate measures to protect them more effectively against attacks. In that connection, the introduction of minimum standards and of the principle of the criminal liability of operators and producers in respect of the appropriate protection of information systems is fundamental. For this reason, the Union's and the Member State' fight against cybercrime will be effective only if this Directive is accompanied by preventive measures to combat such offences adopted in accordance with Articles 67(3) and 84 of the Treaty on the Functioning of the European Union.
Amendment 68 #
Proposal for a directive
Recital 14
Recital 14
(14) Since the objectives of this Directive, i.e. ensuring that attacks against information systems, at least when they are perpetrated with criminal intent, are punished in all Member States by effective, proportionate and dissuasive criminal penalties and improving and encouraging judicial cooperation by removing potential complications, cannot be sufficiently achieved by the Member States, as rules have to be common and compatible, and can therefore be better achieved at the level of the Union, the Union may adopt measures in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. This Directive does not go beyond what is necessary in order to achieve those objectives.
Amendment 69 #
Proposal for a directive
Recital 15
Recital 15
(15) Any personal data processed in the context of the implementation of this Directive should be protected in accordance with the rules laid down in the Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters with regard to those processing activities which fall within its scope and Regulation (EC) No. 45/2001 of the European Parliament and the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data. This Directive should also be consistent with Directive 95/46/EC1 and the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of 28 January 1981; it should also take account of two recommendations of the Committee of Ministers of the Council of Europe, No R(87)15 regulating the use of personal data in the police sector and No R(95)4 on the protection of personal data in the area of telecommunication services, with particular reference to telephone services. _________________ 1 Directive 95/46/EC of the European Parliament and of the Council of 24.10.1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, 23.11.1995, p. 31).
Amendment 70 #
Proposal for a directive
Recital 16
Recital 16
(16) This Directive should respects the fundamental freedoms and rights and observes the principles recognised in particular by the Charter of Fundamental Rights of the European Union and the European Convention for the Protection of Human Rights and Fundamental Freedoms, including the protection of personal data, the right to privacy, freedom of expression and information, the right to a fair trial, presumption of innocence and the rights of the defence, as well as the principles of legality and proportionality of criminal offences and penalties. In particular, tThis Directive seeks tomust ensure full respect for these rights and principles and mustshould be implemented accordingly.
Amendment 71 #
Proposal for a directive
Recital 16 a (new)
Recital 16 a (new)
(16a) This Directive is not intended to be applied by the Member States in a manner which is not consistent with Articles 2 and 3(1) and (2) of the Treaty on European Union, which lay down principles which must apply to cyberspace and the fight against cybercrime. Its application must not undermine the principle of internet neutrality.
Amendment 73 #
Proposal for a directive
Article 1
Article 1
This Directive defines criminal offences in the area of attacks against information systems and establishes minimum rules concerning penalties for such offences. It also aims to introduce common provisions to prevent such attacks and improve European criminal justice cooperation in this field. It also aims to encourage the production of ever more secure IT tools and the installation of ever more secure IT systems.
Amendment 80 #
Proposal for a directive
Article 2 – point d
Article 2 – point d
(d) "without right" means access or interference not authorised by the owner, other right holder of the system or of part of it, or notunless the denial of such authorisation in itself constitutes an abuse of the law or unless such access or interference is permitted under national legislation.
Amendment 85 #
Proposal for a directive
Article 3
Article 3
Member States shall take the necessary measures to ensure that the intentional access without right to the whole or any part of an information system is punishable as a criminal offence, at least for cases which are not minorinvolve criminal intent and which have serious and damaging consequences for the existence and functioning of the information system or systems concerned. The actions referred to in the first subparagraph shall only be regarded as a criminal offence if a security measure has been breached and if the operator or provider of the system was not informed comprehensively and in good time of the vulnerability of the information system.
Amendment 88 #
Proposal for a directive
Article 4
Article 4
Member States shall take the necessary measures to ensure that the intentional serious hindering or interruption of the functioning of an information system by inputting, transmitting, damaging, deleting, deteriorating, altering, suppressing or rendering inaccessible computer data is punishable as a criminal offence when committed without right, at least for cases which are not minorinvolve criminal intent and which have serious and damaging consequences for the existence and functioning of the information system or systems concerned.
Amendment 89 #
Proposal for a directive
Article 5
Article 5
Member States shall take the necessary measures to ensure that the intentional deletion, damaging, deterioration, alteration, suppression or rendering inaccessible of computer data on an information system is punishable as a criminal offence when committed without right, at least for cases which are not minorinvolve criminal intent and which have serious and damaging consequences for the existence and functioning of the information system or systems concerned.
Amendment 91 #
Proposal for a directive
Article 6
Article 6
In accordance with Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms and with the Charter of Fundamental Rights, Member States shall take the necessary measures to ensure that the intentional interception by technical means, of non- public transmissions of computer data to, from or within a information system, including electromagnetic emissions from an information system carrying such computer data, is punishable as a criminal offence when committed without rightintentionally and without right, at least for cases which involve criminal intent and which have serious and damaging consequences for the existence and functioning of the information system or systems concerned.
Amendment 94 #
Proposal for a directive
Article 7 – point a
Article 7 – point a
(a) device, including a computer program but excluding a computer itself, designed or adapted primarily for the purpose of committing any of the offences referred to in Articles 3 to 6;
Amendment 95 #
Proposal for a directive
Article 7 – point b
Article 7 – point b
Amendment 97 #
Proposal for a directive
Article 8 – paragraph 1
Article 8 – paragraph 1
Amendment 98 #
Proposal for a directive
Article 8 a (new)
Article 8 a (new)
Article 8a Manufacturers’ liability Member States shall take the measures required to ensure that manufacturers are held criminally liable in connection with the production, placing on the market, marketing, operation and non-compliance with security standards of products and systems which are defective or which have proven security problems, thus making cyber attacks or data loss more likely.
Amendment 100 #
Proposal for a directive
Article 9 – paragraph 1
Article 9 – paragraph 1
1. Member States shall take the necessary measures to ensure that the offences referred to in Articles 3 to 8 are punishable by effective, proportional and dissuasive criminal penalties.
Amendment 103 #
Proposal for a directive
Article 9 – paragraph 2
Article 9 – paragraph 2
2. Member States shall take the necessary measures to ensure that the offences referred to in Articles 3 to 7 are punishable by criminal penalties of a maximum term of imprisonment of at least two years.
Amendment 106 #
Proposal for a directive
Article 10 – paragraph 1
Article 10 – paragraph 1
1. Member States shall take the necessary measures to ensure that the offences referred to in Articles 3 to 7 are punishable by criminal penalties of a maximum term of imprisonment of at least five years when committed within the framework of a criminal organizsation as defined in Framework Decision 2008/841/JHA.
Amendment 109 #
Proposal for a directive
Article 10 – paragraph 2
Article 10 – paragraph 2
2. Member States shall take the necessary measures to ensure that the offences referred to in Articles 3 to 6 are punishable by criminal penalties of a maximum term of imprisonment of at least five years when committed through the use of a tool designed to launch attacks affecting a significant number of information systems, or attacks causing considerable damage, such as disrupted system services, financial cost or loss of personal data.
Amendment 112 #
Proposal for a directive
Article 10 – paragraph 3
Article 10 – paragraph 3
Amendment 113 #
Proposal for a directive
Article 10 – paragraph 3 a (new)
Article 10 – paragraph 3 a (new)
3a. Member States shall ensure that the penalties referred to Article 9 will not apply to offences referred to in Articles 3 to 7 when the offences are clearly not committed for criminal intent, such as during the testing or the immediate protection of information systems, or if the operator or vendor of the system is fully informed of the vulnerability in a timely manner.
Amendment 114 #
Proposal for a directive
Article 10 – paragraph 3 b (new)
Article 10 – paragraph 3 b (new)
3b. Member States shall consider the protection of their information systems and associated data. Reasonable levels of protection should be provided against reasonably identifiable levels of threats and vulnerabilities, with the protection proportionate to the probable damage to the parties concerned.
Amendment 115 #
Proposal for a directive
Article 10 – paragraph 3 c (new)
Article 10 – paragraph 3 c (new)
3c. Member States shall take appropriate steps to oblige legal persons under their jurisdictions to protect information systems from offences detailed in Articles 3 to 7. Reasonable levels of protection should be provided against reasonably identifiable levels of threats and vulnerabilities, with the protection proportionate to the probable damage to the parties concerned.
Amendment 116 #
Proposal for a directive
Article 10 – paragraph 3 d (new)
Article 10 – paragraph 3 d (new)
3d. Where legal persons are considered to have failed to provide a reasonable level of protection as detailed in paragraph 3b and 3c against offenses detailed in Articles 3 to 7, and where these offenses are considered to have been carried out with clear criminal intent, then these offenses will be considered to have been carried out under alleviating circumstances when applying criminal penalties.
Amendment 117 #
Proposal for a directive
Article 10 – paragraph 3 e (new)
Article 10 – paragraph 3 e (new)
3e. Where legal persons have clearly failed to provide a reasonable level of protection and in cases where the damage caused as a result of this failure is considerable, then Member States shall ensure that is possible to impose deterrent sanctions and to prosecute this legal person for negligence.
Amendment 119 #
Proposal for a directive
Article 12 – paragraph 1 – introductory part
Article 12 – paragraph 1 – introductory part
1. Member States shall take the necessary measures to ensure that a legal person held liable pursuant to Article 11(1) is punishable by effective, proportionate and dissuasive penalties, which shall include criminal or non- criminal fines and may include other sanctions, for example:
Amendment 121 #
Proposal for a directive
Article 12 – paragraph 2
Article 12 – paragraph 2
2. Member States shall take the necessary measures to ensure that a legal person held liable pursuant to Article 11(2) is punishable by effective, proportionate and dissuasive penalties or measures.
Amendment 127 #
Proposal for a directive
Article 15 a (new)
Article 15 a (new)
Article 15a Training 1. Member States shall encourage the organisation and contribute to the funding of training courses for members of the public so that the latter are aware of the possibility of attacks intended to undermine the freedom and security of cyberspace and are able to protect themselves against such attacks. 2. Member States shall incorporate into their school curricula lessons which teach pupils about IT tools, the dangers they pose and how to protect themselves.
Amendment 128 #
Proposal for a directive
Article 15 b (new)
Article 15 b (new)
Article 15b Conformity with levels of security 1. Member States shall lay down in their national law criteria regarding the conformity of all IT tools with minimum levels of security. 2. No more than two years after the adoption of this Directive, the Commission shall submit a proposal for a directive which lays down minimum security criteria for all IT tools sold on the internal market.