Activities of Ioan ENCIU related to 2010/0273(COD)
Plenary speeches (1)
Attacks against information systems (debate)
Shadow opinions (1)
OPINION on the proposal for a directive of the European Parliament and of the Council on attacks against information systems and repealing Council Framework Decision 2005/222/JHA
Amendments (28)
Amendment 13 #
Proposal for a directive
Recital 1
Recital 1
(1) The objective of this Directive is to approximate rules on criminal law in the Member States in the area of attacks against information systems, and improve cooperation between judicial and other competent authorities, including the police and, other specialised law enforcement services of the Member States, and the Commission, Eurojust, Europol and the European Network and Information Security Agency, to enable a common and comprehensive Union approach.
Amendment 19 #
Proposal for a directive
Recital 2
Recital 2
(2) Attacks against information systems, in particular as a result of the threat from organised crime, are a growing menace both in the Union and globally, and there is increasing concern about the potential for terrorist or politically motivated attacks against information systems which form part of the critical infrastructure of Member States and the Union. This constitutes a threat to the achievement of a safer information society and an area of freedom, security and justice, and therefore requires a response at the level of the European Union and improved coordination and cooperation at international level.
Amendment 24 #
Proposal for a directive
Recital 4
Recital 4
(4) Common definitions in this area, particularly of information systems and, computer data, are importantnd criminal offences in respect of information systems and computer data are essential in order to ensure a consistent and uniform approach in the Member States to the application of this Directive.
Amendment 29 #
Proposal for a directive
Recital 6
Recital 6
(6) Member States should provide forboth for harmonised penalties in respect of attacks against information systems and for effective measures to prevent such attacks. The penalties provided for should be effective, proportionate and dissuasive.
Amendment 33 #
Proposal for a directive
Recital 11
Recital 11
(11) This Directive strengthens the importance of networks, such as the G8 or the Council of Europe's network of points of contact available on a twenty-four hour, seven-day-a-week basis to exchange information in order to ensure the provision of immediate assistance for the purpose of investigations or proceedings concerning criminal offences related to information systems and data, or for the collection of evidence in electronic form ofof a criminal offence or intent to commit a criminal offence. Given the speed with which large-scale attacks can be carried out, Member States should be able to respond promptly and effectively to urgent requests from this network of contact points. Such assistance should include facilitating, or directly carrying out, measures such as: the provision of technical advice, the preservation of datassistance, including as regards restoring information system functionality, the preservation of data in line with personal data protection principles, the collection of evidence, the provision of legal information, and the locating and identification of suspects.
Amendment 35 #
Proposal for a directive
Recital 1
Recital 1
(1) The objective of this Directive is to approximate rules on criminal law in the Member States in the area of attacks against information systems, and improve cooperation between judicial and other competent authorities, including the police and other specialised law enforcement services of the Member States, the Commission, Eurojust, Europol and the European Network and Information Security Agency (ENISA), to enable a common and comprehensive EU approach.
Amendment 36 #
Proposal for a directive
Recital 2
Recital 2
(2) Attacks against information systems, in particular as a result of the threat from organised crime, are a growing menace both in the EU and globally, and there is increasing concern about the potential for terrorist or politically motivated attacks against information systems which form part of the critical infrastructure of Member States and the Union. This constitutes a threat to the achievement of a safer information society and an area of freedom, security and justice, and therefore requires a response at the level of the European Union and improved cooperation and coordination at international level.
Amendment 38 #
Proposal for a directive
Recital 3
Recital 3
(3) There is evidence of a tendency towards increasingly dangerous and recurrent large scale attacks conducted against information systems which are critical to states or to particular functions in the public or private sector. This tendency is accompanied by the development of increasingly sophisticated tools that can be used by criminals to launch cyber- attacks of various types, such as ‘botnet’ networks, in which a large number of information systems are infected via a computer program so that they can be controlled and used to commit large-scale cyber attacks.
Amendment 39 #
Proposal for a directive
Recital 6
Recital 6
(6) Member States should provide for response and prevention mechanisms and penalties in respect of attacks against information systems. The penalties provided for should be effective, proportionate and dissuasive.
Amendment 41 #
Proposal for a directive
Article 1 – paragraph 1
Article 1 – paragraph 1
This Directive defines criminal offences in the area of attacks against information systems and establishes harmonised minimum rules concerning penalties for such offences. It also aims to introduce common provisions both to prevent and combat such attacks and to improve European criminal justice cooperation in this field, particularly as regards criminal justice.
Amendment 42 #
Proposal for a directive
Article 2 – point d
Article 2 – point d
(d) "without right" means access or interference not authorised by the owner, other right holder of the system or of part of it, or not permitted under national or European legislation.
Amendment 44 #
Proposal for a directive
Recital 7
Recital 7
(7) It is appropriate to provide for more severe penalties when an attack against an information system is committed by a criminal organisation, as defined in Council Framework Decision 2008/841/JHA of 24 October 2008 on the fight against organised crime, when the attack is conducted on a large scale, such as via a ‘botnet’ network, or when an offence is committed by concealing the real identity of the perpetrator and causing prejudice to the rightful identity owner. It is also appropriate to provide for more severe penalties where such an attack has caused serious damage or has affected critical infrastructure or essential interests.
Amendment 47 #
Proposal for a directive
Article 14 – paragraph 1
Article 14 – paragraph 1
1. For the purpose of exchange of information relating to the offences referred to in Articles 3 to 8, and in accordance with data protection rules, Member States shall ensure that they have an operational national point of contact and make use of the existing network of operational points of contact available 24 hours a day and seven days a week. Member States shall also ensure that they have procedures in place so that they can respond within a maximum of eight hours to urgent requests. Such response shall at least indicate whether and in what form themust be effective and include, where appropriate, the facilitation or direct implementation of the following measures: the provision of technical advice, including as regards restoring information system functionality, the preservation of data in line with personal data protection principles, the collection of evidence, the provision of legal information, and the locating and identification of suspects. The points of contact shall indicate the form and timescale in which requests for helpassistance will be answered and when. .
Amendment 48 #
Proposal for a directive
Recital 11
Recital 11
(11) This Directive strengthens the importance of networks, such as the G8 or the Council of Europe'’s network of points of contact available on a twenty-four hour, seven-day-a-week basis to exchange information in order to ensure the provision of immediate assistance for the purpose of investigations or proceedings concerning criminal offences related to information systems and data, or for the collection of evidence in electronic form of a criminal offence. Given the speed with which large-scale attacks can be carried out, Member States should be able to respond promptly to urgent requests from this network of contact points. Such assistance should include facilitating, or directly carrying out, measures such as: the provision of technical advice, the preservation of dataincluding as regards restoring information system functionality, the preservation of data in conformity with personal data protection principles, the collection of evidence, the provision of legal information, and the locating and identification of suspects.
Amendment 50 #
Proposal for a directive
Article 14 – paragraph 2
Article 14 – paragraph 2
2. Member States shall inform the Commission, Eurojust and the European Network and Information Security Agency of their appointed point of contact for the purpose of exchanging information on the offences referred to in Articles 3 to 8. The Commission shall forward that information to the other Member States.
Amendment 50 #
Proposal for a directive
Recital 12 a (new)
Recital 12 a (new)
(12a) It is also necessary to foster and improve cooperation between service providers, producers, law enforcement authorities and judicial authorities, while fully respecting the rule of law, especially as regards legal certainty and foreseeability, as well as the rights of suspected and accused persons such as the presumption of innocence and judicial redress. That cooperation should include, for example, providing support to service providers for shutting down, completely or partially, illegal systems or functions, in accordance with the legislation in force.
Amendment 53 #
Proposal for a directive
Article 15 – paragraph 3
Article 15 – paragraph 3
3. Member States shall transmit the data collected according to this Article to the Commission. They and the European Network and Information Security Agency and shall also ensure that a periodic consolidated review of these statistical reports is published. The European Network and Information Security Agency shall centralise that data at an EU level and use it as a basis for drawing up reports on the state of information system and computer data security across Europe.
Amendment 54 #
Proposal for a directive
Recital 12 b (new)
Recital 12 b (new)
(12b) The European Union and Member States should pay due regard to the protection of their information systems and associated data and provide a high level of protection against identifiable threats and vulnerabilities. The cost and burden of such protection should be proportionate to the potential damage to those affected by cyber attacks.
Amendment 55 #
Proposal for a directive
Article 18 – paragraph 2
Article 18 – paragraph 2
2. Member States and the European Network and Information Security Agency shall send to the Commission all the information that is appropriate for drawing up the report referred to in paragraph 1. The information shall include a detailed description of legislative and non-legislative measures adopted in implementing this Directive.
Amendment 58 #
Proposal for a directive
Recital 12 c (new)
Recital 12 c (new)
(12c) The European Network and Information Security Agency (ENISA) should play a key role in providing the Member States and EU institutions and bodies with technical expertise in the field of preventing and combating cyber attacks, in line with its mandate. In this connection, ENISA should advise the Member States on the establishing and operation of national contact points and Computer Emergency Response Teams (CERTs). ENISA should also be forwarded statistical data by the Member States on offences under this Directive and, on the basis of this and other relevant information, should draw up reports and recommendations on the state of information system and computer data security.
Amendment 65 #
Proposal for a directive
Recital 13
Recital 13
(13) Significant gaps and differences in Member States’ laws in the area of attacks against information systems area may hamper the fight against organised crime and terrorism, and may complicate effective police and judicial cooperation in this area. The transnational and borderless nature of modern information systems means that attacks against such systems have a cross-border dimension, thus underlining the urgent need for further action to approximate criminal legislation in this area. Besides that, the coordination of prosecution of cases of attacks against information systems should be facilitated by the adoption of Council Framework Decision 2009/948/JHA on prevention and settlement of conflict of jurisdiction in criminal proceedings. The European Union should also seek to improve international cooperation on information system, computer network and computer data security, and ensure that consideration is given, in any international agreement involving the exchange of data, to the security of data transfer and storage.
Amendment 72 #
Proposal for a directive
Article 1
Article 1
This Directive defines criminal offences in the area of attacks against information systems and establishes minimum rules concerning penalties for such offences. It also aims to introduce common provisions both to prevent and combat such attacks and to improve European criminal justice cooperation in this field, particularly as regards criminal justice.
Amendment 74 #
Proposal for a directive
Article 2 – point c
Article 2 – point c
(c) "legal person" means any entity having such status under the applicable law, except for States or other public bodies in the exercise of State authority and for public international organisations;
Amendment 77 #
Proposal for a directive
Article 2 – point d
Article 2 – point d
(d) "without right" means access, use or interference not authorised by the owner, other right holder of the system or of part of it, or not permitted under national or European legislation.
Amendment 108 #
Proposal for a directive
Article 10 – paragraph 2
Article 10 – paragraph 2
2. Member States shall take the necessary measures to ensure that the offences referred to in Articles 3 to 6 are punishable by criminal penalties of a maximum term of imprisonment of at least five years when committed through the use of a tool designed to launch attacks affecting a significant number of information systems, or attacks causing considerable damage, such as disrupted system services, financial cost or loss of personal data or sensitive information, or affecting critical infrastructure information systems.
Amendment 120 #
Proposal for a directive
Article 12 – paragraph 1 – point a
Article 12 – paragraph 1 – point a
(a) temporary or permanent exclusion from entitlement to public benefits or aid;
Amendment 123 #
Proposal for a directive
Article 14 – paragraph 1
Article 14 – paragraph 1
1. For the purpose of exchange of information relating to the offences referred to in Articles 3 to 8, and in accordance with data protection rules, Member States shall ensure that they have an operational national point of contact and make use of the existing network of operational points of contact available 24 hours a day and seven days a week. Member States shall also ensure that they have procedures in place so that they can respond within a maximum of eight hours to urgent requests. Such response shall at least indicate whether and in what form themust be effective and include, where appropriate, the facilitation or direct implementation of the following measures: the provision of technical advice, including as regards restoring information system functionality, the preservation of data in conformity with personal data protection principles, the collection of evidence, the provision of legal information, and the locating and identification of suspects. The points of contact shall indicate the form and timescale in which requests for helpassistance will be answered and when.
Amendment 125 #
Proposal for a directive
Article 14 – paragraph 2
Article 14 – paragraph 2
2. Member States shall inform the Commission, Europol, Eurojust and the European Network and Information Security Agency (ENISA) of their appointed point of contact for the purpose of exchanging information on the offences referred to in Articles 3 to 8. The Commission shall forward that information to the other Member States.