2010/0273(COD) Judicial cooperation in criminal matters: combating attacks against information systems

Progress: Procedure completed

Role | Committee | Rapporteur | Shadows
Lead | LIBE | HOHLMEIER Monika (PPE) | PICKART ALVARO Alexander Nuno (ALDE), ALBRECHT Jan Philipp (Verts/ALE), KIRKHOPE Timothy (ECR)
Committee Opinion | AFET | OJULAND Kristiina (ALDE) | Tunne KELAM (PPE), Sabine LÖSING (GUE/NGL)
Committee Opinion | ITRE | EHLER Christian (PPE) |
Committee Opinion | BUDG | |
Lead committee dossier:
Legal Basis:
TFEU 083-p1-a1

Events

2017/09/13
   EC - Follow-up document
Details

The Commission presented a report assessing the extent to which the Member States have taken the necessary measures in order to comply with Directive 2013/40/EU on attacks against information systems.

The objectives of the Directive are to approximate the criminal law of the Member States in the area of attacks against information systems and to improve cooperation between competent authorities. This is done by establishing minimum rules concerning the definition of criminal offences and sanctions in the area of attacks against information systems and by requiring operational 24/7 points of contact.

By the transposition date, 22 Member States had notified the Commission that they had fully completed the Directive's transposition. As of 31 May 2017, infringement procedures for non-communication of national transposition measures against BE, BG and IE were still pending. However, the Commission acknowledges the efforts made by the Member States to transpose the Directive.

The analysis in this report is based on the information that Member States provided by 31 May 2017.

Progress made: the report concluded that the Directive has made real progress in criminalising cyberattacks on a comparable level across the Member States, facilitating cross-border cooperation between law enforcement authorities investigating cyberattacks.

Member States have amended criminal codes and other relevant legislation. They have streamlined their procedures and set up or improved cooperation schemes.

Scope for improvement: the Commission confirmed, however, that there is considerable scope for improvement if Member States were to fully implement all of its provisions. The main improvements to be implemented by the Member States relate in particular to:

· the use of the definitions of the terms 'information system', 'computer data', 'legal person' and 'without right' provided by the Directive: only two countries have introduced legislation covering all aspects of these definitions;

· the inclusion of all the possibilities that define specific criminal related offences (illegal access to information systems, illegal data interference, illegal interception of computer data; tools, such as computer programmes or passwords, used to commit offences);

· the establishment of common standards of penalties for cyberattacks (minimum levels of maximum penalties, penalties where a significant number of information systems have been affected, offences committed by a criminal organisation, causing serious damage, involvement of critical infrastructure information systems in offences, identity theft, liability of legal persons).

Other issues appear to relate to the implementation of administrative provisions on appropriate reporting channels and the monitoring and statistics for the offences included in the Directive.

Outlook: the Commission states that it will continue to support Member States in their implementation of the Directive and will provide additional opportunities for Member States to identify and exchange best practices in the second half of 2017.

The Commission currently sees no need to propose amendments to the Directive. It is considering measures to improve cross-border access to electronic evidence for criminal investigations, including proposing legislative measures by the beginning of 2018. It is also considering the role of encryption in criminal investigations and will report on its findings by October 2017.

Lastly, the Commission is committed to ensuring that the transposition is finalised across the EU and that the provisions are correctly implemented.

2013/09/24
   EC - Commission response to text adopted in plenary
2013/08/14
   Final act published in Official Journal
Details

PURPOSE: to approximate Member States’ criminal law in the area of attacks against information systems.

LEGISLATIVE ACT: Directive 2013/40/EU of the European Parliament and of the Council on attacks against information systems and replacing Council Framework Decision 2005/222/JHA.

CONTENT: the Directive establishes minimum rules concerning the definition of criminal offences and sanctions in the area of attacks against information systems. It also aims to facilitate the prevention of such offences and to improve cooperation between judicial and other competent authorities.

Offences: for cases which are not minor, and are committed intentionally and without right, the following actions must be punishable as criminal offences:

· illegal access to information systems: illegal access to the whole or to any part of an information system where committed by infringing a security measure;

· illegal system interference: seriously hindering or interrupting the functioning of an information system by inputting computer data, by transmitting, damaging, deleting, deteriorating, altering or suppressing such data, or by rendering such data inaccessible;

· illegal data interference: deleting, damaging, deteriorating, altering or suppressing computer data on an information system, or rendering such data inaccessible;

· illegal interception: intercepting, by technical means, non-public transmissions of computer data to, from or within an information system, including electromagnetic emissions from an information system carrying such computer data;

· tools used for committing offences: the intentional production, sale, procurement for use, import, distribution or otherwise making available, of one of the following tools, without right and with the intention that it be used to commit any of the offences referred to above: (i) a computer programme, designed or adapted primarily for the purpose of committing any of the offences referred to above; (ii) a computer password, access code, or similar data by which the whole or any part of an information system is capable of being accessed.

Incitement, aiding and abetting and attempt: the Directive provides that:

· the incitement, or aiding and abetting, to commit any of the five offences referred to above must be punishable as a criminal offence;

· the attempt to commit illegal system interference and illegal data interference must be punishable as a criminal offence.

Penalties: offences that fall within the scope of the Directive should be subject to the following penalties:

· a maximum penalty of at least two years of imprisonment, in cases which are not minor;

· a maximum penalty of at least three years of imprisonment when offences relating to illegal system interference and illegal data interference are committed intentionally, and when a significant number of information systems have been affected through the use of a tool designed or adapted primarily for this purpose;

· a maximum penalty of at least five years of imprisonment when offences relating to illegal system interference and illegal data interference are: (i) committed within the framework of a criminal organisation, or (ii) causing serious damage, or (iii) committed against a critical infrastructure information system.

When offences relating to illegal system interference and illegal data interference are committed by misusing the personal data of another person, with the aim of gaining the trust of a third party, thereby causing prejudice to the rightful identity owner, this may be regarded as aggravating circumstances, unless those circumstances are already covered by another offence, punishable under national law.

A recital in the Directive states that setting up effective measures against identity theft and other identity-related offences constitutes another important element of an integrated approach against cybercrime. Any need for Union action against this type of criminal behaviour could also be considered in the context of evaluating the need for a comprehensive horizontal Union instrument.

Legal persons: the Directive makes provision for ensuring that legal persons may be held liable and sanctioned.

Jurisdiction: the Directive sets out rules on the establishment of jurisdiction with regard to the offences described above. A recital notes that the transnational and borderless nature of modern information systems means that attacks against such systems have a cross-border dimension, thus underlining the urgent need for further action to approximate criminal law in this area.

National contact point: Member States must ensure that they have an operational national point of contact and make use of the existing network of operational points of contact available 24 hours a day and seven days a week. They must have procedures in place so that in urgent requests they can indicate within a maximum of 8 hours at least whether the request for help will be answered, as well as the form and the estimated time of this answer.

Data collection: a recital in the text states that there is a need to collect comparable data on the offences laid down in this Directive. Relevant data should be made available to the competent specialised Union agencies and bodies, such as Europol and ENISA, in line with their tasks and information needs, in order to gain a more complete picture of the problem of cybercrime and network and information security at Union level and thereby to contribute to formulating a more effective response. Member States should submit information on the modus operandi of the offenders to Europol and its European Cybercrime Centre for the purpose of conducting threat assessments and strategic analyses of cybercrime in accordance with Council Decision 2009/371/JHA.

Replacement of Framework Decision 2005/222/JHA: in relation to Member States participating in the adoption of this Directive, references to the Framework Decision 2005/222/JHA shall be construed as references to this Directive.

Report: by 4 September 2017, the Commission must submit a report assessing the extent to which the Member States have taken the necessary measures in order to comply with the Directive. It will also take into account the technical and legal developments in the field of cybercrime, particularly with regard to the scope of the Directive.

ENTRY INTO FORCE: 3 September 2013.

TRANSPOSITION: by 4 September 2015.

2013/08/12
   CSL - Draft final act
2013/08/12
   CSL - Final act signed
2013/08/12
   EP - End of procedure in Parliament
2013/07/22
   EP/CSL - Act adopted by Council after Parliament's 1st reading
2013/07/04
   EP - Results of vote in Parliament
2013/07/04
   EP - Decision by Parliament, 1st reading
Details

The European Parliament adopted by 541 votes to 91, with 9 abstentions, a legislative resolution on the proposal for a directive of the European Parliament and of the Council on attacks against information systems and repealing Council Framework Decision 2005/222/JHA.

Parliament adopted its position at first reading under the ordinary legislative procedure. The amendments adopted in plenary are the result of a compromise reached between the European Parliament and the Council. They amend the Commission’s proposal as follows:

Objective of the Directive: the objective of the Directive is to establish minimum rules concerning the definition of criminal offences and the sanctions in the area of attacks against information systems. It also aims to facilitate the prevention of such offences and to improve cooperation between judicial and other competent authorities.

Definitions: a definition of “without right” was added: "without right" means access, interference, interception, or any other conduct referred to in this Directive, not authorised by the owner, other right holder of the system or of part of it, or not permitted under national legislation.

It should also be noted that, in the recitals, a definition of “interception” has been introduced: interception includes (but is not necessarily limited to) the listening to, monitoring or surveillance of the content of communications and the procuring of the content of data either directly, through access and use of the information systems, or indirectly through the use of electronic eavesdropping or tapping devices by technical means.

Illegal system interference: Member States shall take the necessary measures to ensure that, when committed intentionally and without right, at least for cases which are not minor, the serious hindering or interruption of the functioning of an information system by inputting, transmitting, damaging, deleting, deteriorating, altering, suppressing or rendering inaccessible computer data is punishable as a criminal offence. The same applies to illegal access, illegal data interference and illegal interception within the meaning of the Directive.

Incitement, aiding and abetting and attempt: provision should also be made for measures to ensure that the incitement, aiding and abetting to commit an offence within the meaning of the Directive is punishable as a criminal offence. Member States are called upon to ensure that the attempt to commit an offence is punishable as a criminal offence.

Penalties: offences that fall within the scope of the Directive should be subject to the following penalties:

· a maximum penalty of at least two years of imprisonment, in cases which are not minor;

· a maximum penalty of at least three years of imprisonment when certain offences covered by the Directive are committed intentionally, and when a significant number of information systems have been affected through the use of a tool designed or adapted primarily for this purpose;

· a maximum penalty of at least five years of imprisonment when offences covered by the Directive are:

- committed within the framework of a criminal organisation, or

- causing serious damage, or

- committed against a critical infrastructure information system.

In a recital, it is stipulated that criminal sanctions should be envisaged at least for cases which are not minor. Member States may determine what constitutes a minor case according to their national law and practice. The case may be considered minor, for example, when the damage caused by the offence and/or the risk it carries to public or private interests, such as to the integrity of a computer system or computer data, or to a person's integrity, rights and other interests, is insignificant or is of such nature, that the imposition of a criminal penalty within the legal threshold or the imposition of criminal liability is not necessary.

Furthermore, when certain offences are committed by misusing personal data of another person, with the aim of gaining trust of a third party, thereby causing prejudice to the rightful identity owner, this may be regarded as aggravating circumstances. A recital stipulates that identity theft and other identity-related offences of the same type could require action at EU level in the form of a comprehensive horizontal EU instrument.

Jurisdiction: a Member State shall inform the Commission where it decides to establish further jurisdiction over an offence covered by the Directive committed outside its territory, e.g. where:

· the offender has his or her habitual residence in the territory of that Member State; or

· the offence is committed for the benefit of a legal person established in the territory of that Member State.

National contact point: Member States should ensure that they have an operational national point of contact and make use of the existing network of operational points of contact available 24 hours a day and seven days a week. They should also ensure that they have procedures in place so that in urgent requests they can indicate within a maximum of 8 hours at least whether the request for help will be answered, as well as the form and the estimated time of this answer.

Data collection: it is stipulated that there is a need to collect comparable data on offences referred to in this Directive. Relevant data should be made available to the competent specialised agencies, such as Europol and the European Network and Information Security Agency in line with their tasks and information needs. The objective is to gain a more complete picture of the problem of cybercrime and network and information security at Union level and thereby contribute to formulating more effective responses.

Replacement of the Framework Decision 2005/222/JHA: it is clearly stipulated that the Directive aims to amend and expand the provisions of Framework Decision 2005/222/JHA concerning attacks against information systems.

Reports: lastly, the Commission should submit, within four years of the adoption of this Directive, a report to the European Parliament and the Council, assessing the extent to which the Member States have taken the necessary measures in order to comply with this Directive, accompanied, if necessary, by legislative proposals. In this respect, the Commission shall also take into account the technical and legal developments in the field of cyber crime, particularly with regard to the scope of this Directive.

2013/07/03
   EP - Debate in Parliament
2013/06/19
   EP - Committee report tabled for plenary, 1st reading
Details

The Committee on Civil Liberties, Justice and Home Affairs adopted the report by Monika HOHLMEIER (EPP, DE) on the proposal for a directive of the European Parliament and of the Council on attacks against information systems and repealing Council Framework Decision 2005/222/JHA.

The committee recommends that the European Parliament’s position adopted at first reading under the ordinary legislative procedure should be to modify the Commission’s proposal as follows:

Objective of the Directive: the objective of the Directive is to establish minimum rules concerning the definition of criminal offences and the sanctions in the area of attacks against information systems. It also aims to facilitate the prevention of such offences and to improve cooperation between judicial and other competent authorities.

Definitions: a definition of “without right” was added: "without right" means access, interference, interception, or any other conduct referred to in this Directive, not authorised by the owner, other right holder of the system or of part of it, or not permitted under national legislation.

It should also be noted that, in the recitals, a definition of “interception” has been introduced: interception includes (but is not necessarily limited to) the listening to, monitoring or surveillance of the content of communications and the procuring of the content of data either directly, through access and use of the information systems, or indirectly through the use of electronic eavesdropping or tapping devices by technical means.

Illegal system interference: Member States shall take the necessary measures to ensure that, when committed intentionally and without right, at least for cases which are not minor, the serious hindering or interruption of the functioning of an information system by inputting, transmitting, damaging, deleting, deteriorating, altering, suppressing or rendering inaccessible computer data is punishable as a criminal offence. The same applies to illegal access, illegal data interference and illegal interception within the meaning of the Directive.

Incitement, aiding and abetting and attempt: provision should also be made for measures to ensure that the incitement, aiding and abetting to commit an offence within the meaning of the Directive is punishable as a criminal offence. Member States are called upon to ensure that the attempt to commit an offence is punishable as a criminal offence.

Penalties: in a recital, it is stipulated that criminal sanctions should be envisaged at least for cases which are not minor. Member States may determine what constitutes a minor case according to their national law and practice. The case may be considered minor, for example, when the damage caused by the offence and/or the risk it carries to public or private interests, such as to the integrity of a computer system or computer data, or to a person's integrity, rights and other interests, is insignificant or is of such nature, that the imposition of a criminal penalty within the legal threshold or the imposition of criminal liability is not necessary.

In any event, offences that fall within the scope of the Directive should be subject to the following penalties:

· a maximum penalty of at least two years of imprisonment, in cases which are not minor;

· a maximum penalty of at least three years of imprisonment when certain offences covered by the Directive are committed intentionally, and when a significant number of information systems have been affected through the use of a tool designed or adapted primarily for this purpose;

· a maximum penalty of at least five years of imprisonment when offences covered by the Directive are:

- committed within the framework of a criminal organisation, or

- causing serious damage, or

- committed against a critical infrastructure information system.

Furthermore, when certain offences are committed by misusing personal data of another person, with the aim of gaining trust of a third party, thereby causing prejudice to the rightful identity owner, this may be regarded as aggravating circumstances. A recital stipulates that identity theft and other identity-related offences of the same type could require action at EU level in the form of a comprehensive horizontal EU instrument.

Jurisdiction: a Member State shall inform the Commission where it decides to establish further jurisdiction over an offence covered by the Directive committed outside its territory, e.g. where:

· the offender has his or her habitual residence in the territory of that Member State; or

· the offence is committed for the benefit of a legal person established in the territory of that Member State.

National contact point: Member States should ensure that they have an operational national point of contact and make use of the existing network of operational points of contact available 24 hours a day and seven days a week. They should also ensure that they have procedures in place so that in urgent requests they can indicate within a maximum of 8 hours at least whether the request for help will be answered, as well as the form and the estimated time of this answer.

Data collection: it is stipulated that there is a need to collect comparable data on offences referred to in this Directive. Relevant data should be made available to the competent specialised agencies, such as Europol and the European Network and Information Security Agency in line with their tasks and information needs. The objective is to gain a more complete picture of the problem of cybercrime and network and information security at Union level and thereby contribute to formulating more effective responses.

Replacement of the Framework Decision 2005/222/JHA: it is clearly stipulated that the Directive aims to amend and expand the provisions of Framework Decision 2005/222/JHA concerning attacks against information systems.

Reports: lastly, the Commission should submit, within four years of the adoption of this Directive, a report to the European Parliament and the Council, assessing the extent to which the Member States have taken the necessary measures in order to comply with this Directive, accompanied, if necessary, by legislative proposals. In this respect, the Commission shall also take into account the technical and legal developments in the field of cyber crime, particularly with regard to the scope of this Directive.

2013/06/06
   EP - Vote in committee, 1st reading
2012/01/27
   EP - Amendments tabled in committee
2011/11/28
   EP - Committee opinion
2011/11/24
   EP - Committee draft report
2011/11/11
   EP - Committee opinion
2011/06/09
   CSL - Debate in Council
Details

The Council adopted a general approach on a draft directive on attacks against information systems, proposed by the Commission in September 2010. The general approach will constitute the basis for the Council's negotiations with the European Parliament on this proposal under the ordinary legislative procedure.

The proposal aims to update the existing rules dating from 2005 (Framework Decision 2005/222/JHA), while building on the Council of Europe Convention on Cybercrime (Budapest Convention). It establishes minimum rules for the definition of criminal offences and the penalty levels in the area of attacks against IT systems. It also aims to facilitate the prevention of such attacks and to improve the cooperation between member states' authorities in this field. The new rules would retain most of the provisions currently in place - namely the penalisation of illegal access, illegal system interference and illegal data interference as well as instigation, aiding, abetting and attempt to commit those criminal offences - and include the following new elements:

· penalisation of the production and making available of tools (e.g. malicious software designed to create "botnets" or unrightfully obtained computer passwords) for committing the offences;

· illegal interception of computer data will become a criminal offence;

· improvement of European cooperation in criminal matters by strengthening the existing structure of 24/7 contact points, including an obligation to provide feedback within eight hours to urgent requests; and

· the obligation to collect basic statistical data on cybercrimes.

Concerning the level of criminal penalties, the new rules would raise the thresholds:

· in the general case to a maximum term of imprisonment of at least two years;

· if committed against a significant number of IT systems, e.g. in order to create a "botnet", to a maximum term of imprisonment of at least three years;

· if the attack has been committed by an organised criminal group, or has caused serious damage, e.g. through the use of a "botnet", or has affected a critical IT system, to a maximum term of imprisonment of at least five years.

These new forms of aggravating circumstances are intended to address the emerging threats posed by large scale cyber attacks, which are increasingly reported across Europe and have the potential severely to damage public interests.

Lastly, the Council has clarified the rules concerning the establishment of jurisdiction by the member states on cybercrime.

While the UK and Ireland participate in the adoption and application of this directive, Denmark would not be bound by it.

2011/06/09
   CSL - Council Meeting
2011/05/04
   ESC - Economic and Social Committee: opinion, report
2011/03/29
   EP - OJULAND Kristiina (ALDE) appointed as rapporteur in AFET
2010/12/15
   IT_CHAMBER - Contribution
2010/12/09
   EP - HOHLMEIER Monika (PPE) appointed as rapporteur in LIBE
2010/11/30
   PT_PARLIAMENT - Contribution
2010/11/24
   EP - EHLER Christian (PPE) appointed as rapporteur in ITRE
2010/11/18
   IT_SENATE - Contribution
2010/10/07
   EP - Committee referral announced in Parliament, 1st reading
2010/09/30
   EC - Document attached to the procedure
2010/09/30
   EC - Document attached to the procedure
2010/09/30
   EC - Legislative proposal published
Details

PURPOSE: to propose a new legislative framework aimed at combating (large scale) attacks against information systems and to repeal Council Framework Decision 2005/222/JHA.

PROPOSED ACT: Directive of the European Parliament and of the Council.

BACKGROUND: in recent years, the number of attacks against IT systems has risen steadily in Europe. Moreover, previously unknown large-scale and dangerous attacks against the information systems of companies, such as banks, the public sector and even the military, have been observed in the Member States and other countries. New concerns, such as the massive spread of malicious software creating 'botnets' - networks of infected computers that can be remotely controlled to stage large-scale, coordinated attacks - have emerged. Such networks of compromised computers ('zombies') may be activated to perform specific actions such as attacks against information systems (cyber attacks). These 'zombies' can be controlled – often without the knowledge of the users of the compromised computers – by another computer. This 'controlling' computer is also known as the 'command-and-control centre'. The people who control this centre are among the offenders, as they use the compromised computers to launch attacks against information systems.

With regard to cybercrime, the main cause of this phenomenon is vulnerability resulting from a variety of factors. Insufficient response by law enforcement mechanisms contributes to the prevalence of these phenomena, and exacerbates the difficulties, as certain types of offences go beyond national borders. Variations in national criminal law and procedure may give rise to differences in investigation and prosecution, leading to differences in how these crimes are dealt with.

Developments in information technology have exacerbated these problems by making it easier to produce and distribute tools ('malware' and 'botnets'), while offering offenders anonymity and dispersing responsibility across jurisdictions. Given the difficulties of bringing a prosecution, organised crime is able to make considerable profits with little risk.

On 24 February 2005, EU Member States agreed a Council Framework Decision (2005/222/JHA) that addresses the most significant forms of criminal activity against information systems, such as hacking, viruses and denial of service attacks. The Framework Decision seeks to approximate criminal law across the EU to ensure that Europe's law enforcement and judicial authorities can take action against this form of crime. Member States were required to take the necessary measures to comply with the provisions of the Framework Decision by 16 March 2007.

On 14 July 2008, the Commission published a report on the implementation of the Framework Decision. It was noted that several emerging threats had been highlighted by recent attacks across Europe since adoption of the Framework Decision, in particular the emergence of large-scale simultaneous attacks against information systems and increased criminal use of so-called 'botnets'. These attacks were not the centre of attention when the Framework Decision was adopted.

In response to these developments, the Commission presents this proposal which aims to consider recent technical advances and the new modi operandi found in today's cyber attacks so as to devise better responses to the threat.

IMPACT ASSESSMENT: various policy options have been examined as a means of achieving the objective.

Option 1: Status Quo / No new EU action.

Option 2: Development of a programme to strengthen the efforts to counter attacks against information systems by means of non-legislative measures: these measures would, in addition to the programme for critical information infrastructure protection, focus on cross-border law enforcement and public-private cooperation. These soft-law instruments should aim to promote further coordinated action at EU level, including strengthening of the existing 24/7 network of contact points for law enforcement agencies; establishment of an EU network of public-private contact points involving cybercrime experts and law enforcement agencies; elaboration of a standard EU service level agreement for law enforcement cooperation with private sector operators; and support for the organisation of training programmes for law enforcement agencies on the investigation of cybercrime.

Option 3: Targeted update of the rules of the Framework Decision (new Directive replacing the current Framework Decision) to address the threat from large-scale attacks against information systems (botnets) and from attacks committed by concealing the real identity of the perpetrator and causing prejudice to the rightful identity owner, the efficiency of Member States' law enforcement contact points, and the lack of statistical data on cyber attacks.

Option 4: Introduction of comprehensive EU legislation against cybercrime: this option would entail new comprehensive EU legislation. In addition to introducing the soft-law measures in policy option 2 and the update in policy option 3, it would also tackle other legal problems related to Internet use (such as financial cybercrime, illegal Internet content, the collection/storage/transfer of electronic evidence…).

Option 5: Update of the Council of Europe Convention on Cybercrime: this option would require substantial renegotiation of the current Convention, which is a lengthy process and doesn’t seem realistic as there seems to be no international willingness to renegotiate the Convention.

The preferred policy option is a combination of non-legislative measures (option 2) with a targeted update of the Framework Decision (option 3).

LEGAL BASE: Article 83(1) of the Treaty on the Functioning of the European Union (TFEU).

CONTENT: the draft Directive, while repealing Framework Decision 2005/222/JHA, will retain its current provisions and include the following new elements:

On substantive criminal law in general, the proposed Directive:

1) Penalises the production, sale, procurement for use, import, distribution or otherwise making available of devices/tools used for committing the offences.

2) Includes aggravating circumstances:

the large-scale aspect of the attacks: botnets or similar tools would be addressed by introducing a new aggravating circumstance, in the sense that the act of putting in place a botnet or a similar tool would be an aggravating factor when crimes listed in the existing Framework Decision are committed;

when such attacks are committed by concealing the real identity of the perpetrator and causing prejudice to the rightful identity owner.

Any such rules would need to comply with the principles of legality and proportionality of criminal offences and penalties and be consistent with existing legislation on the protection of personal data.

3) Introduces ‘illegal interception’ as a criminal offence.

4) Introduces measures to improve European criminal justice cooperation by strengthening the existing structure of 24/7 contact points:

an obligation to comply with a request for assistance by the operational contact points (set out in Article 14 of the Directive) within a certain time limit is proposed. The Cybercrime Convention does not specify a binding provision of this kind. The aim of this measure is to ensure that the contact points indicate within a specified time whether they are able to provide a solution to the request for assistance, and by when the requesting point of contact can expect such a solution to be found. The actual content of the solutions is not specified.

5) Addresses the need to provide statistical data on cybercrimes by making it obligatory for the Member States to ensure that an adequate system is in place for the recording, production and provision of statistical data on the offences referred to in the existing Framework Decision and the newly added ‘illegal interception’.

Taking account of the gravity of the crimes: the Directive contains in the definitions of criminal offences listed in articles 3, 4, 5 (illegal access to information systems, illegal systems interference and illegal interference) a provision allowing Member States to criminalise only 'cases which are not minor' in the process of transposition of the directive into national law. This element of flexibility is intended to allow Member States not to cover cases that would in abstracto be covered by the basic definition but are considered not to harm the protected legal interest, e.g. in particular acts by young people who attempt to prove their expertise in information technology. This possibility to limit the scope of criminalisation should not, however, lead to the introduction of additional constitutive elements of offences beyond those that are already included in the Directive, because this would lead to the situation that only offences committed with the presence of aggravating circumstances are covered. In the process of transposition, Member States should refrain in particular from adding additional constitutive elements to the basic offences, such as a special intention to derive illicit proceeds from crime or the presence of a specific effect such as causing considerable damage.

BUDGETARY IMPLICATION: the implications of the proposal for the Union budget are small. More than 90% of the estimated cost of EUR 5 913 000 would be borne by the Member States and there is the possibility of applying for EU funding to reduce the cost.

Votes

A7-0224/2013 - Monika Hohlmeier - Legislative resolution

2013/07/04 Outcome: +: 541, -: 91, 0: 9
Total per country: IT 58, DE 86, PL 47, ES 45, GB 59, RO 27, FR 66, HU 18, BG 16, BE 20, EL 21, CZ 19, SK 12, PT 19, IE 11, HR 11, DK 12, AT 18, SI 7, SE 8, NL 20, EE 6, FI 9, LT 4, MT 4, LU 5, LV 6, CY 6

PPE: 232
Czechia PPE: 2
Denmark PPE: For (1), 1
Sweden PPE: 2
Estonia PPE: For (1), 1
Lithuania PPE: 1
Malta PPE: 2
Luxembourg PPE: 3
2

S&D: 167
Bulgaria S&D: 3
Slovenia S&D: 2
Sweden S&D: 2
Netherlands S&D: 1
Estonia S&D: For (1), 1
Finland S&D: 1
Lithuania S&D: 1
Malta S&D: 2
Latvia S&D: 1

ALDE: 69
Greece ALDE: 1
Slovakia ALDE: For (1), 1
3

Slovenia ALDE: For (1), 1
Sweden ALDE: 3
Finland ALDE: For (1), 1
Lithuania ALDE: 1
Luxembourg ALDE: For (1), 1

ECR: 43
Hungary ECR: For (1), 1
Belgium ECR: For (1), 1
Croatia ECR: For (1), 1
Denmark ECR: For (1), 1
Netherlands ECR: For (1), 1

EFD: 27
Belgium EFD: For (1), 1
Greece EFD: 2
Slovakia EFD: For (1), 1
Denmark EFD: 1
Netherlands EFD: For (1), 1
Finland EFD: For (1), 1
Lithuania EFD: For (1), 1

PSE: 1
Bulgaria PSE: 1

NI: 23
Spain NI: 1
5
2

France NI: 2
Hungary NI: Abstain (1), 1
Bulgaria NI: 1
Belgium NI: For (1), 1

GUE/NGL: 30
Spain GUE/NGL: Against (1), 1
United Kingdom GUE/NGL: Against (1), 1
Portugal GUE/NGL: 3
Ireland GUE/NGL: Against (1), 1
Croatia GUE/NGL: Against (1), 1
Denmark GUE/NGL: 1
Netherlands GUE/NGL: Abstain (1), 2
Latvia GUE/NGL: Against (1), 1
Cyprus GUE/NGL: 2

Verts/ALE: 48
Spain Verts/ALE: 2
United Kingdom Verts/ALE: 4
Belgium Verts/ALE: 3
Greece Verts/ALE: Against (1), 1
Portugal Verts/ALE: Against (1), 1
Denmark Verts/ALE: Against (1), 1
Austria Verts/ALE: 2
Sweden Verts/ALE: Against (1), 1
Netherlands Verts/ALE: 2
Estonia Verts/ALE: Abstain (1), 1
Finland Verts/ALE: Against (2), 2
Luxembourg Verts/ALE: Against (1), 1
Latvia Verts/ALE: Against (1), 1

Amendments: 178
Dossier: 2010/0273(COD)
2011/10/12 ITRE 44 amendments...
source: PE-473.808
2011/10/13 AFET 39 amendments...
source: PE-473.863
2012/01/27 LIBE 95 amendments...
source: PE-480.665

History

(these mark the time of scraping, not the official date of the change)

This possibility to limit the scope of criminalisation should not however lead to the introduction of additional constitutive elements of offences beyond those that are already included in the Directive, because this would lead to the situation that only offences committed with the presence of aggravating circumstances are covered. In the process of transposition, Member States should refrain in particular from adding additional constitutive elements to the basic offences such as e.g. a special intention to derive illicit proceeds from crime or the presence of a specific effect such as causing a considerable damage. BUDGETARY IMPLICATION: the implications of the proposal for the Union budget are small. More than 90% of the estimated cost of EUR 5 913 000 would be borne by the Member States and there is the possibility of applying for EU funding to reduce the cost.
  • date: 2010-10-07T00:00:00 type: Committee referral announced in Parliament, 1st reading/single reading body: EP
  • date: 2011-06-09T00:00:00 type: Debate in Council body: CSL docs: url: http://register.consilium.europa.eu/content/out?lang=EN&typ=SET&i=SMPL&ROWSPP=25&RESULTSET=1&NRROWS=500&DOC_LANCD=EN&ORDERBY=DOC_DATE+DESC&CONTENTS=3096*&MEET_DATE=09/06/2011 title: 3096 summary: The Council adopted a general approach on a draft directive on attacks against information systems, proposed by the Commission in September 2010. The general approach will constitute the basis for the Council's negotiations with the European Parliament on this proposal under the ordinary legislative procedure. The proposal aims to update the existing rules dating from 2005 (Framework Decision 2005/222/JHA), while building on the Council of Europe Convention on Cybercrime (Budapest Convention). It establishes minimum rules for the definition of criminal offences and the penalty levels in the area of attacks against IT systems. It also aims to facilitate the prevention of such attacks and to improve the cooperation between member states' authorities in this field. The new rules would retain most of the provisions currently in place - namely the penalisation of illegal access, illegal system interference and illegal data interference as well as instigation, aiding, abetting and attempt to commit those criminal offences - and include the following new elements: penalisation of the production and making available of tools (e.g. malicious software designed to create "botnets" or unrightfully obtained computer passwords) for committing the offences; illegal interception of computer data will become a criminal offence; improvement of European cooperation in criminal matters by strengthening the existing structure of 24/7 contact points, including an obligation to provide feedback within eight hours to urgent requests; and the obligation to collect basic statistical data on cybercrimes. 
Concerning the level of criminal penalties, the new rules would raise the thresholds: in the general case to a maximum term of imprisonment of at least two years; if committed against a significant number of IT systems, e.g. in order to create a "botnet", to a maximum term of imprisonment of at least three years; if the attack has been committed by an organised criminal group, or has caused serious damage, e.g. through the use of a "botnet", or has affected a critical IT system, to a maximum term of imprisonment of at least five years. These new forms of aggravating circumstances are intended to address the emerging threats posed by large scale cyber attacks, which are increasingly reported across Europe and have the potential severely to damage public interests. Lastly, the Council has clarified the rules concerning the establishment of jurisdiction by the member states on cybercrime. While the UK and Ireland participate in the adoption and application of this directive, Denmark would not be bound by it.
  • date: 2013-06-06T00:00:00 type: Vote in committee, 1st reading/single reading body: EP
  • date: 2013-06-19T00:00:00 type: Committee report tabled for plenary, 1st reading/single reading body: EP docs: url: http://www.europarl.europa.eu/sides/getDoc.do?type=REPORT&mode=XML&reference=A7-2013-224&language=EN title: A7-0224/2013 summary: The Committee on Civil Liberties, Justice and Home Affairs adopted the report by Monika HOHLMEIER (EPP, DE) on the proposal for a directive of the European Parliament and of the Council on attacks against information systems and repealing Council Framework Decision 2005/222/JHA. The committee recommends that the European Parliament’s position adopted at first reading under the ordinary legislative procedure should be to modify the Commission’s proposal as follows: Objective of the Directive: the objective of the Directive is to establish minimum rules concerning the definition of criminal offences and the sanctions in the area of attacks against information systems . It also aims to facilitate the prevention of such offences and to improve cooperation between judicial and other competent authorities. Definitions: a definition of “without right” was added: "without right" means access, interference, interception, or any other conduct referred to in this Directive, not authorised by the owner, other right holder of the system or of part of it, or not permitted under national legislation. It should also be noted that, in the recitals, a definition of “interception” has been introduced: interception includes (but is not necessarily limited to) the listening to, monitoring or surveillance of the content of communications and the procuring of the content of data either directly, through access and use of the information systems, or indirectly through the use of electronic eavesdropping or tapping devices by technical means. 
Illegal system interference: Member States shall take the necessary measures to ensure that, when committed intentionally and without right, at least for cases which are not minor, the serious hindering or interruption of the functioning of an information system by inputting, transmitting, damaging, deleting, deteriorating, altering, suppressing or rendering inaccessible computer data is punishable as a criminal offence. The same applies to illegal access, to illegal data interference and to illegal interception within the meaning of the Directive. Incitement, aiding and abetting and attempt: provision should also be made for measures to ensure that the incitement, aiding and abetting to commit an offence within the meaning of the Directive is punishable as a criminal offence. Member States are called upon to ensure that the attempt to commit an offence is punishable as a criminal offence. Penalties: in a recital, it is stipulated that criminal sanctions should be envisaged at least for cases which are not minor. Member States may determine what constitutes a minor case according to their national law and practice. The case may be considered minor, for example, when the damage caused by the offence and/or the risk it carries to public or private interests, such as to the integrity of a computer system or computer data, or to a person's integrity, rights and other interests, is insignificant or is of such nature, that the imposition of a criminal penalty within the legal threshold or the imposition of criminal liability is not necessary. 
In any event, offences that fall within the scope of the Directive should be subject to the following penalties: a maximum penalty of at least two years of imprisonment, in cases which are not minor; a maximum penalty of at least three years of imprisonment when certain offences covered by the Directive are committed intentionally, and when a significant number of information systems have been affected through the use of a tool designed or adapted primarily for this purpose; a maximum penalty of at least five years of imprisonment when offences covered by the Directive are: - committed within the framework of a criminal organisation, or - causing serious damage, or - committed against a critical infrastructure information system. Furthermore, when certain offences are committed by misusing personal data of another person, with the aim of gaining trust of a third party, thereby causing prejudice to the rightful identity owner, this may be regarded as aggravating circumstances. A recital stipulates that identity theft and other identity-related offences of the same type could require action at EU level in the form of a comprehensive horizontal EU instrument. Jurisdiction: a Member State shall inform the Commission where it decides to establish further jurisdiction over an offence covered by the Directive committed outside their territory, e.g. where: the offender has his or her habitual residence in the territory of that Member State; or the offence is committed for the benefit of a legal person established in the territory of that Member State. National contact point: Member States should ensure that they have an operational national point of contact and make use of the existing network of operational points of contact available 24 hours a day and seven days a week. 
They should also ensure that they have procedures in place so that in urgent requests they can indicate within a maximum of 8 hours at least whether the request for help will be answered, as well as the form and the estimated time of this answer. Data collection: it is stipulated that there is a need to collect comparable data on offences referred to in this Directive. Relevant data should be made available to the competent specialised agencies, such as Europol and the European Network and Information Security Agency in line with their tasks and information needs. The objective is to gain a more complete picture of the problem of cybercrime and network and information security at Union level and thereby contribute to formulating more effective responses. Replacement of the Framework Decision 2005/222/JHA: it is clearly stipulated that the Directive aims to amend and expand the provisions of Framework Decision 2005/222/JHA concerning attacks against information systems. Reports: lastly, the Commission should submit, within four years of the adoption of this Directive , a report to the European Parliament and the Council, assessing the extent to which the Member States have taken the necessary measures in order to comply with this Directive, accompanied, if necessary, by legislative proposals. In this respect, the Commission shall also take into account the technical and legal developments in the field of cyber crime, particularly with regard to the scope of this Directive.
  • date: 2013-07-03T00:00:00 type: Debate in Parliament body: EP docs: url: http://www.europarl.europa.eu/sides/getDoc.do?secondRef=TOC&language=EN&reference=20130703&type=CRE title: Debate in Parliament
  • date: 2013-07-04T00:00:00 type: Results of vote in Parliament body: EP docs: url: https://oeil.secure.europarl.europa.eu/oeil/popups/sda.do?id=23160&l=en title: Results of vote in Parliament
  • date: 2013-07-04T00:00:00 type: Decision by Parliament, 1st reading/single reading body: EP docs: url: http://www.europarl.europa.eu/sides/getDoc.do?type=TA&language=EN&reference=P7-TA-2013-321 title: T7-0321/2013 summary: The European Parliament adopted by 541 votes to 91, with 9 abstentions, a legislative resolution on the proposal for a directive of the European Parliament and of the Council on attacks against information systems and repealing Council Framework Decision 2005/222/JHA. Parliament adopted its position at first reading under the ordinary legislative procedure. The amendments adopted in plenary are the result of a compromise reached between the European Parliament and the Council. They amend the Commission’s proposal as follows: Objective of the Directive: the objective of the Directive is to establish minimum rules concerning the definition of criminal offences and the sanctions in the area of attacks against information systems. It also aims to facilitate the prevention of such offences and to improve cooperation between judicial and other competent authorities. Definitions: a definition of “without right” was added: "without right" means access, interference, interception, or any other conduct referred to in this Directive, not authorised by the owner, other right holder of the system or of part of it, or not permitted under national legislation. It should also be noted that, in the recitals, a definition of “interception” has been introduced: interception includes (but is not necessarily limited to) the listening to, monitoring or surveillance of the content of communications and the procuring of the content of data either directly, through access and use of the information systems, or indirectly through the use of electronic eavesdropping or tapping devices by technical means. 
Illegal system interference: Member States shall take the necessary measures to ensure that, when committed intentionally and without right, at least for cases which are not minor, the serious hindering or interruption of the functioning of an information system by inputting, transmitting, damaging, deleting, deteriorating, altering, suppressing or rendering inaccessible computer data is punishable as a criminal offence. The same applies to illegal access, to illegal data interference and to illegal interception within the meaning of the Directive. Incitement, aiding and abetting and attempt: provision should also be made for measures to ensure that the incitement, aiding and abetting to commit an offence within the meaning of the Directive is punishable as a criminal offence. Member States are called upon to ensure that the attempt to commit an offence is punishable as a criminal offence. Penalties: offences that fall within the scope of the Directive should be subject to the following penalties: a maximum penalty of at least two years of imprisonment, in cases which are not minor; a maximum penalty of at least three years of imprisonment when certain offences covered by the Directive are committed intentionally, and when a significant number of information systems have been affected through the use of a tool designed or adapted primarily for this purpose; a maximum penalty of at least five years of imprisonment when offences covered by the Directive are: - committed within the framework of a criminal organisation, or - causing serious damage, or - committed against a critical infrastructure information system. In a recital, it is stipulated that criminal sanctions should be envisaged at least for cases which are not minor. Member States may determine what constitutes a minor case according to their national law and practice. 
The case may be considered minor, for example, when the damage caused by the offence and/or the risk it carries to public or private interests, such as to the integrity of a computer system or computer data, or to a person's integrity, rights and other interests, is insignificant or is of such nature, that the imposition of a criminal penalty within the legal threshold or the imposition of criminal liability is not necessary. Furthermore, when certain offences are committed by misusing personal data of another person, with the aim of gaining trust of a third party, thereby causing prejudice to the rightful identity owner, this may be regarded as aggravating circumstances. A recital stipulates that identity theft and other identity-related offences of the same type could require action at EU level in the form of a comprehensive horizontal EU instrument. Jurisdiction: a Member State shall inform the Commission where it decides to establish further jurisdiction over an offence covered by the Directive committed outside their territory, e.g. where: the offender has his or her habitual residence in the territory of that Member State; or the offence is committed for the benefit of a legal person established in the territory of that Member State. National contact point: Member States should ensure that they have an operational national point of contact and make use of the existing network of operational points of contact available 24 hours a day and seven days a week. They should also ensure that they have procedures in place so that in urgent requests they can indicate within a maximum of 8 hours at least whether the request for help will be answered, as well as the form and the estimated time of this answer. Data collection: it is stipulated that there is a need to collect comparable data on offences referred to in this Directive. 
Relevant data should be made available to the competent specialised agencies, such as Europol and the European Network and Information Security Agency in line with their tasks and information needs. The objective is to gain a more complete picture of the problem of cybercrime and network and information security at Union level and thereby contribute to formulating more effective responses. Replacement of the Framework Decision 2005/222/JHA: it is clearly stipulated that the Directive aims to amend and expand the provisions of Framework Decision 2005/222/JHA concerning attacks against information systems. Reports: lastly, the Commission should submit, within four years of the adoption of this Directive , a report to the European Parliament and the Council, assessing the extent to which the Member States have taken the necessary measures in order to comply with this Directive, accompanied, if necessary, by legislative proposals. In this respect, the Commission shall also take into account the technical and legal developments in the field of cyber crime, particularly with regard to the scope of this Directive.
  • date: 2013-07-22T00:00:00 type: Act adopted by Council after Parliament's 1st reading body: EP/CSL
  • date: 2013-08-12T00:00:00 type: Final act signed body: CSL
  • date: 2013-08-12T00:00:00 type: End of procedure in Parliament body: EP
  • date: 2013-08-14T00:00:00 type: Final act published in Official Journal summary: PURPOSE: to approximate Member States’ criminal law in the area of attacks against information systems. LEGISLATIVE ACT: Directive 2013/40/EU of the European Parliament and of the Council on attacks against information systems and replacing Council Framework Decision 2005/222/JHA. CONTENT: the Directive establishes minimum rules concerning the definition of criminal offences and sanctions in the area of attacks against information systems. It also aims to facilitate the prevention of such offences and to improve cooperation between judicial and other competent authorities . Offences: for cases which are not minor, and are committed intentionally and without right, the following actions must be punishable as criminal offences: · illegal access to information systems : illegal access to the whole or to any part of an information system where committed by infringing a security measure; · illegal system interference : seriously hindering or interrupting the functioning of an information system by inputting computer data, by transmitting, damaging, deleting, deteriorating, altering or suppressing such data, or by rendering such data inaccessible; · illegal data interference : deleting, damaging, deteriorating, altering or suppressing computer data on an information system, or rendering such data inaccessible; · illegal interception : intercepting, by technical means, non-public transmissions of computer data to, from or within an information system, including electromagnetic emissions from an information system carrying such computer data; · tools used for committing offences : the intentional production, sale, procurement for use, import, distribution or otherwise making available, of one of the following tools, without right and with the intention that it be used to commit any of the offences referred to above: (i) a computer programme, designed or adapted primarily for the purpose of 
committing any of the offences referred to above; ii) a computer password, access code, or similar data by which the whole or any part of an information system is capable of being accessed. Incitement, aiding and abetting and attempt : the Directive provides that: · the incitement, or aiding and abetting, to commit any of the five offences referred to above must be punishable as a criminal offence; · the attempt to commit illegal system interference and illegal data interference must be punishable as a criminal offence. Penalties: offences that fall within the scope of the Directive should be subject to the following penalties: · a maximum penalty of at least two years of imprisonment , in cases which are not minor; · a maximum penalty of at least three years of imprisonment when offences relating to illegal system interference and illegal data interference are committed intentionally, and when a significant number of information systems have been affected through the use of a tool designed or adapted primarily for this purpose; · a maximum penalty of at least five years of imprisonment when offences relating to illegal system interference and illegal data interference are: (i) committed within the framework of a criminal organisation, or (ii) causing serious damage, or (iii) committed against a critical infrastructure information system. When offences relating to illegal system interference and illegal data interference are committed by misusing the personal data of another person, with the aim of gaining the trust of a third party , thereby causing prejudice to the rightful identity owner, this may be regarded as aggravating circumstances, unless those circumstances are already covered by another offence, punishable under national law. A recital in the Directive states that setting up effective measures against identity theft and other identity-related offences constitutes another important element of an integrated approach against cybercrime. 
Any need for Union action against this type of criminal behaviour could also be considered in the context of evaluating the need for a comprehensive horizontal Union instrument. Legal persons : the Directive makes provision for ensuring that legal persons may be held liable and sanctioned. Jurisdiction: the Directive sets out rules on the establishment of jurisdiction with regard to the offences described above. A recital notes that the transnational and borderless nature of modern information systems means that attacks against such systems have a cross-border dimension, thus underlining the urgent need for further action to approximate criminal law in this area. National contact point : Member States must ensure that they have an operational national point of contact and make use of the existing network of operational points of contact available 24 hours a day and seven days a week. They must have procedures in place so that in urgent requests they can indicate within a maximum of 8 hours at least whether the request for help will be answered, as well as the form and the estimated time of this answer. Data collection : a recital in the text states that there is a need to collect comparable data on the offences laid down in this Directive. Relevant data should be made available to the competent specialised Union agencies and bodies, such as Europol and ENISA, in line with their tasks and information needs, in order to gain a more complete picture of the problem of cybercrime and network and information security at Union level and thereby to contribute to formulating a more effective response. Member States should submit information on the modus operandi of the offenders to Europol and its European Cybercrime Centre for the purpose of conducting threat assessments and strategic analyses of cybercrime in accordance with Council Decision 2009/371/JHA. 
Replacement of Framework Decision 2005/222/JHA: in relation to Member States participating in the adoption of this Directive, references to the Framework Decision 2005/222/JHA shall be construed as references to this Directive. Report: by 4 September 2017, the Commission must submit a report assessing the extent to which the Member States have taken the necessary measures in order to comply with the Directive. It will also take into account the technical and legal developments in the field of cybercrime, particularly with regard to the scope of the Directive. ENTRY INTO FORCE: 3 September 2013. TRANSPOSITION: by 4 September 2015. docs: title: Directive 2013/40 url: https://eur-lex.europa.eu/smartapi/cgi/sga_doc?smartapi!celexplus!prod!CELEXnumdoc&lg=EN&numdoc=32013L0040 title: OJ L 218 14.08.2013, p. 0008 url: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L:2013:218:TOC
other
  • body: EC dg: url: http://ec.europa.eu/dgs/home-affairs/ title: Migration and Home Affairs commissioner: MALMSTRÖM Cecilia
procedure/dossier_of_the_committee
Old
LIBE/7/04091
New
  • LIBE/7/04091
procedure/final/url
Old
http://eur-lex.europa.eu/smartapi/cgi/sga_doc?smartapi!celexplus!prod!CELEXnumdoc&lg=EN&numdoc=32013L0040
New
https://eur-lex.europa.eu/smartapi/cgi/sga_doc?smartapi!celexplus!prod!CELEXnumdoc&lg=EN&numdoc=32013L0040
procedure/instrument
Old
Directive
New
  • Directive
  • Repealing Framework Decision 2005/222/JHA 2002/0086(CNS)
procedure/subject
Old
  • 3.30.06 Information and communication technologies
  • 3.30.25 International information networks and society, internet
  • 7.40.04 Judicial cooperation in criminal matters
New
3.30.06
Information and communication technologies, digital technologies
3.30.07
Cybersecurity, cyberspace policy
3.30.25
International information networks and society, internet
7.40.04
Judicial cooperation in criminal matters
procedure/summary
  • Repealing Framework Decision 2005/222/JHA
activities/0/docs/0/celexid
CELEX:52010PC0517:EN
activities/0/commission/0/DG/title
Old
Home Affairs
New
Migration and Home Affairs
activities/0/docs/0/celexid
CELEX:52010PC0517:EN
activities/0/docs/0/url
Old
http://www.europarl.europa.eu/registre/docs_autres_institutions/commission_europeenne/com/2010/0517/COM_COM(2010)0517_EN.pdf
New
http://www.europarl.europa.eu/RegData/docs_autres_institutions/commission_europeenne/com/2010/0517/COM_COM(2010)0517_EN.pdf
links/European Commission/title
Old
PreLex
New
EUR-Lex
other/0/dg/title
Old
Home Affairs
New
Migration and Home Affairs
activities
  • date: 2010-09-30T00:00:00 docs: url: http://www.europarl.europa.eu/registre/docs_autres_institutions/commission_europeenne/com/2010/0517/COM_COM(2010)0517_EN.pdf title: COM(2010)0517 type: Legislative proposal published celexid: CELEX:52010PC0517:EN body: EC type: Legislative proposal published commission: DG: url: http://ec.europa.eu/dgs/home-affairs/ title: Home Affairs Commissioner: MALMSTRÖM Cecilia
  • date: 2010-10-07T00:00:00 body: EP type: Committee referral announced in Parliament, 1st reading/single reading committees: body: EP responsible: False committee: AFET date: 2011-03-29T00:00:00 committee_full: Foreign Affairs rapporteur: group: ALDE name: OJULAND Kristiina body: EP responsible: False committee_full: Budgets committee: BUDG body: EP responsible: False committee: ITRE date: 2010-11-24T00:00:00 committee_full: Industry, Research and Energy rapporteur: group: PPE name: EHLER Christian body: EP shadows: group: ALDE name: ALVARO Alexander group: Verts/ALE name: ALBRECHT Jan Philipp group: ECR name: KIRKHOPE Timothy group: GUE/NGL name: VERGIAT Marie-Christine responsible: True committee: LIBE date: 2010-12-09T00:00:00 committee_full: Civil Liberties, Justice and Home Affairs rapporteur: group: PPE name: HOHLMEIER Monika
  • body: CSL meeting_id: 3096 docs: url: http://register.consilium.europa.eu/content/out?lang=EN&typ=SET&i=SMPL&ROWSPP=25&RESULTSET=1&NRROWS=500&DOC_LANCD=EN&ORDERBY=DOC_DATE+DESC&CONTENTS=3096*&MEET_DATE=09/06/2011 type: Debate in Council title: 3096 council: Justice and Home Affairs (JHA) date: 2011-06-09T00:00:00 type: Council Meeting
  • date: 2013-06-06T00:00:00 body: EP type: Vote in committee, 1st reading/single reading committees: body: EP responsible: False committee: AFET date: 2011-03-29T00:00:00 committee_full: Foreign Affairs rapporteur: group: ALDE name: OJULAND Kristiina body: EP responsible: False committee_full: Budgets committee: BUDG body: EP responsible: False committee: ITRE date: 2010-11-24T00:00:00 committee_full: Industry, Research and Energy rapporteur: group: PPE name: EHLER Christian body: EP shadows: group: ALDE name: ALVARO Alexander group: Verts/ALE name: ALBRECHT Jan Philipp group: ECR name: KIRKHOPE Timothy group: GUE/NGL name: VERGIAT Marie-Christine responsible: True committee: LIBE date: 2010-12-09T00:00:00 committee_full: Civil Liberties, Justice and Home Affairs rapporteur: group: PPE name: HOHLMEIER Monika
  • body: EP docs: url: http://www.europarl.europa.eu/sides/getDoc.do?type=REPORT&mode=XML&reference=A7-2013-224&language=EN type: Committee report tabled for plenary, 1st reading/single reading title: A7-0224/2013 type: Committee report tabled for plenary, 1st reading/single reading committees: body: EP responsible: False committee: AFET date: 2011-03-29T00:00:00 committee_full: Foreign Affairs rapporteur: group: ALDE name: OJULAND Kristiina body: EP responsible: False committee_full: Budgets committee: BUDG body: EP responsible: False committee: ITRE date: 2010-11-24T00:00:00 committee_full: Industry, Research and Energy rapporteur: group: PPE name: EHLER Christian body: EP shadows: group: ALDE name: ALVARO Alexander group: Verts/ALE name: ALBRECHT Jan Philipp group: ECR name: KIRKHOPE Timothy group: GUE/NGL name: VERGIAT Marie-Christine responsible: True committee: LIBE date: 2010-12-09T00:00:00 committee_full: Civil Liberties, Justice and Home Affairs rapporteur: group: PPE name: HOHLMEIER Monika date: 2013-06-19T00:00:00
  • date: 2013-07-03T00:00:00 docs: url: http://www.europarl.europa.eu/sides/getDoc.do?secondRef=TOC&language=EN&reference=20130703&type=CRE type: Debate in Parliament title: Debate in Parliament body: EP type: Debate in Parliament
  • date: 2013-07-04T00:00:00 docs: url: http://www.europarl.europa.eu/oeil/popups/sda.do?id=23160&l=en type: Results of vote in Parliament title: Results of vote in Parliament url: http://www.europarl.europa.eu/sides/getDoc.do?type=TA&language=EN&reference=P7-TA-2013-321 type: Decision by Parliament, 1st reading/single reading title: T7-0321/2013 body: EP type: Results of vote in Parliament
  • date: 2013-07-22T00:00:00 body: EP/CSL type: Act adopted by Council after Parliament's 1st reading
  • date: 2013-08-12T00:00:00 body: CSL type: Final act signed
  • date: 2013-08-12T00:00:00 body: EP type: End of procedure in Parliament
  • date: 2013-08-14T00:00:00 type: Final act published in Official Journal docs: url: http://eur-lex.europa.eu/smartapi/cgi/sga_doc?smartapi!celexplus!prod!CELEXnumdoc&lg=EN&numdoc=32013L0040 title: Directive 2013/40 url: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L:2013:218:TOC title: OJ L 218 14.08.2013, p. 0008
committees
  • body: EP responsible: False committee: AFET date: 2011-03-29T00:00:00 committee_full: Foreign Affairs rapporteur: group: ALDE name: OJULAND Kristiina
  • body: EP responsible: False committee_full: Budgets committee: BUDG
  • body: EP responsible: False committee: ITRE date: 2010-11-24T00:00:00 committee_full: Industry, Research and Energy rapporteur: group: PPE name: EHLER Christian
  • body: EP shadows: group: ALDE name: ALVARO Alexander group: Verts/ALE name: ALBRECHT Jan Philipp group: ECR name: KIRKHOPE Timothy group: GUE/NGL name: VERGIAT Marie-Christine responsible: True committee: LIBE date: 2010-12-09T00:00:00 committee_full: Civil Liberties, Justice and Home Affairs rapporteur: group: PPE name: HOHLMEIER Monika
links
National parliaments
European Commission
other
  • body: EC dg: url: http://ec.europa.eu/dgs/home-affairs/ title: Home Affairs commissioner: MALMSTRÖM Cecilia
procedure
dossier_of_the_committee
LIBE/7/04091
reference
2010/0273(COD)
subtype
Legislation
legal_basis
Treaty on the Functioning of the EU TFEU 083-p1-a1
stage_reached
Procedure completed
summary
Repealing Framework Decision 2005/222/JHA
instrument
Directive
title
Judicial cooperation in criminal matters: combating attacks against information systems
type
COD - Ordinary legislative procedure (ex-codecision procedure)
final
subject