Progress: Procedure completed
Role | Committee | Rapporteur | Shadows |
---|---|---|---|
Lead | LIBE | HOHLMEIER Monika (PPE) | PICKART ALVARO Alexander Nuno (ALDE), ALBRECHT Jan Philipp (Verts/ALE), KIRKHOPE Timothy (ECR) |
Committee Opinion | AFET | OJULAND Kristiina (ALDE) | Tunne KELAM (PPE), Sabine LÖSING (GUE/NGL) |
Committee Opinion | ITRE | EHLER Christian (PPE) | |
Committee Opinion | BUDG | | |
Legal Basis:
TFEU 083-p1-a1
Events
The Commission presented a report assessing the extent to which the Member States have taken the necessary measures in order to comply with Directive 2013/40/EU on attacks against information systems.
The objectives of the Directive are to approximate the criminal law of the Member States in the area of attacks against information systems and to improve cooperation between competent authorities. This is done by establishing minimum rules concerning the definition of criminal offences and sanctions in the area of attacks against information systems and by requiring operational 24/7 points of contact.
By the transposition date, 22 Member States had notified the Commission that they had fully completed the Directive's transposition. As of 31 May 2017, infringement procedures for non-communication of national transposition measures against BE, BG and IE were still pending. However, the Commission acknowledges the efforts made by the Member States to transpose the Directive.
The analysis in this report is based on the information that Member States provided by 31 May 2017.
Progress made: the report concluded that the Directive has made real progress in criminalising cyberattacks on a comparable level across the Member States, facilitating cross-border cooperation between law enforcement authorities investigating cyberattacks.
Member States have amended criminal codes and other relevant legislation. They have streamlined their procedures and set up or improved cooperation schemes.
Scope for improvement: the Commission confirmed, however, that there is considerable scope for improvement if Member States were to fully implement all of its provisions. The main improvements to be implemented by the Member States relate in particular to:
· the use of the definitions of the terms 'information system', 'computer data', 'legal person' and 'without right' provided by the Directive: only two countries have introduced legislation covering all aspects of these definitions;
· the inclusion of all the possibilities that define specific criminal related offences (illegal access to information systems, illegal data interference, illegal interception of computer data: tools, such as computer programmes or passwords, used to commit offences);
· the establishment of common standards of penalties for cyberattacks (minimum levels of maximum penalties, penalties where a significant number of information systems have been affected, offences committed by a criminal organisation, causing serious damage, involvement of critical infrastructure information systems in offences, identity theft, liability of legal persons).
Other issues appear to relate to the implementation of administrative provisions on appropriate reporting channels and the monitoring and statistics for the offences included in the Directive.
Outlook: the Commission states that it will continue to support Member States in their implementation of the Directive and will provide additional opportunities for Member States to identify and exchange best practices in the second half of 2017.
The Commission currently sees no need to propose amendments to the Directive. It is considering measures to improve cross-border access to electronic evidence for criminal investigations, including proposing legislative measures by the beginning of 2018. It is also considering the role of encryption in criminal investigations and will report on its findings by October 2017.
Lastly, the Commission is committed to ensuring that the transposition is finalised across the EU and that the provisions are correctly implemented.
PURPOSE: to approximate Member States’ criminal law in the area of attacks against information systems.
LEGISLATIVE ACT: Directive 2013/40/EU of the European Parliament and of the Council on attacks against information systems and replacing Council Framework Decision 2005/222/JHA.
CONTENT: the Directive establishes minimum rules concerning the definition of criminal offences and sanctions in the area of attacks against information systems. It also aims to facilitate the prevention of such offences and to improve cooperation between judicial and other competent authorities.
Offences: for cases which are not minor, and are committed intentionally and without right, the following actions must be punishable as criminal offences:
· illegal access to information systems: illegal access to the whole or to any part of an information system where committed by infringing a security measure;
· illegal system interference: seriously hindering or interrupting the functioning of an information system by inputting computer data, by transmitting, damaging, deleting, deteriorating, altering or suppressing such data, or by rendering such data inaccessible;
· illegal data interference: deleting, damaging, deteriorating, altering or suppressing computer data on an information system, or rendering such data inaccessible;
· illegal interception: intercepting, by technical means, non-public transmissions of computer data to, from or within an information system, including electromagnetic emissions from an information system carrying such computer data;
· tools used for committing offences: the intentional production, sale, procurement for use, import, distribution or otherwise making available, of one of the following tools, without right and with the intention that it be used to commit any of the offences referred to above: (i) a computer programme, designed or adapted primarily for the purpose of committing any of the offences referred to above; (ii) a computer password, access code, or similar data by which the whole or any part of an information system is capable of being accessed.
Incitement, aiding and abetting and attempt: the Directive provides that:
· the incitement, or aiding and abetting, to commit any of the five offences referred to above must be punishable as a criminal offence;
· the attempt to commit illegal system interference and illegal data interference must be punishable as a criminal offence.
Penalties: offences that fall within the scope of the Directive should be subject to the following penalties:
· a maximum penalty of at least two years of imprisonment, in cases which are not minor;
· a maximum penalty of at least three years of imprisonment when offences relating to illegal system interference and illegal data interference are committed intentionally, and when a significant number of information systems have been affected through the use of a tool designed or adapted primarily for this purpose;
· a maximum penalty of at least five years of imprisonment when offences relating to illegal system interference and illegal data interference are: (i) committed within the framework of a criminal organisation, or (ii) causing serious damage, or (iii) committed against a critical infrastructure information system.
When offences relating to illegal system interference and illegal data interference are committed by misusing the personal data of another person, with the aim of gaining the trust of a third party, thereby causing prejudice to the rightful identity owner, this may be regarded as aggravating circumstances, unless those circumstances are already covered by another offence, punishable under national law.
A recital in the Directive states that setting up effective measures against identity theft and other identity-related offences constitutes another important element of an integrated approach against cybercrime. Any need for Union action against this type of criminal behaviour could also be considered in the context of evaluating the need for a comprehensive horizontal Union instrument.
Legal persons: the Directive makes provision for ensuring that legal persons may be held liable and sanctioned.
Jurisdiction: the Directive sets out rules on the establishment of jurisdiction with regard to the offences described above. A recital notes that the transnational and borderless nature of modern information systems means that attacks against such systems have a cross-border dimension, thus underlining the urgent need for further action to approximate criminal law in this area.
National contact point: Member States must ensure that they have an operational national point of contact and make use of the existing network of operational points of contact available 24 hours a day and seven days a week. They must have procedures in place so that in urgent requests they can indicate within a maximum of 8 hours at least whether the request for help will be answered, as well as the form and the estimated time of this answer.
Data collection: a recital in the text states that there is a need to collect comparable data on the offences laid down in this Directive. Relevant data should be made available to the competent specialised Union agencies and bodies, such as Europol and ENISA, in line with their tasks and information needs, in order to gain a more complete picture of the problem of cybercrime and network and information security at Union level and thereby to contribute to formulating a more effective response. Member States should submit information on the modus operandi of the offenders to Europol and its European Cybercrime Centre for the purpose of conducting threat assessments and strategic analyses of cybercrime in accordance with Council Decision 2009/371/JHA.
Replacement of Framework Decision 2005/222/JHA: in relation to Member States participating in the adoption of this Directive, references to the Framework Decision 2005/222/JHA shall be construed as references to this Directive.
Report: by 4 September 2017, the Commission must submit a report assessing the extent to which the Member States have taken the necessary measures in order to comply with the Directive. It will also take into account the technical and legal developments in the field of cybercrime, particularly with regard to the scope of the Directive.
ENTRY INTO FORCE: 3 September 2013.
TRANSPOSITION: by 4 September 2015.
The European Parliament adopted by 541 votes to 91, with 9 abstentions, a legislative resolution on the proposal for a directive of the European Parliament and of the Council on attacks against information systems and repealing Council Framework Decision 2005/222/JHA.
Parliament adopted its position at first reading under the ordinary legislative procedure. The amendments adopted in plenary are the result of a compromise reached between the European Parliament and the Council. They amend the Commission’s proposal as follows:
Objective of the Directive: the objective of the Directive is to establish minimum rules concerning the definition of criminal offences and the sanctions in the area of attacks against information systems. It also aims to facilitate the prevention of such offences and to improve cooperation between judicial and other competent authorities.
Definitions: a definition of “without right” was added: "without right" means access, interference, interception, or any other conduct referred to in this Directive, not authorised by the owner, other right holder of the system or of part of it, or not permitted under national legislation.
It should also be noted that, in the recitals, a definition of “interception” has been introduced: interception includes (but is not necessarily limited to) the listening to, monitoring or surveillance of the content of communications and the procuring of the content of data either directly, through access and use of the information systems, or indirectly through the use of electronic eavesdropping or tapping devices by technical means.
Illegal system interference: Member States shall take the necessary measures to ensure that, when committed intentionally and without right, at least for cases which are not minor, the serious hindering or interruption of the functioning of an information system by inputting, transmitting, damaging, deleting, deteriorating, altering, suppressing or rendering inaccessible computer data is punishable as a criminal offence. The same applies to illegal access, to illegal data interference and to illegal interception within the meaning of the Directive.
Incitement, aiding and abetting and attempt: provision should also be made for measures to ensure that the incitement, aiding and abetting to commit an offence within the meaning of the Directive is punishable as a criminal offence. Member States are called upon to ensure that the attempt to commit an offence is punishable as a criminal offence.
Penalties: offences that fall within the scope of the Directive should be subject to the following penalties:
· a maximum penalty of at least two years of imprisonment, in cases which are not minor;
· a maximum penalty of at least three years of imprisonment when certain offences covered by the Directive are committed intentionally, and when a significant number of information systems have been affected through the use of a tool designed or adapted primarily for this purpose;
· a maximum penalty of at least five years of imprisonment when offences covered by the Directive are:
- committed within the framework of a criminal organisation, or
- causing serious damage, or
- committed against a critical infrastructure information system.
In a recital, it is stipulated that criminal sanctions should be envisaged at least for cases which are not minor. Member States may determine what constitutes a minor case according to their national law and practice. The case may be considered minor, for example, when the damage caused by the offence and/or the risk it carries to public or private interests, such as to the integrity of a computer system or computer data, or to a person's integrity, rights and other interests, is insignificant or is of such nature, that the imposition of a criminal penalty within the legal threshold or the imposition of criminal liability is not necessary.
Furthermore, when certain offences are committed by misusing personal data of another person, with the aim of gaining trust of a third party, thereby causing prejudice to the rightful identity owner, this may be regarded as aggravating circumstances. A recital stipulates that identity theft and other identity-related offences of the same type could require action at EU level in the form of a comprehensive horizontal EU instrument.
Jurisdiction: a Member State shall inform the Commission where it decides to establish further jurisdiction over an offence covered by the Directive committed outside their territory, e.g. where:
· the offender has his or her habitual residence in the territory of that Member State; or
· the offence is committed for the benefit of a legal person established in the territory of that Member State.
National contact point: Member States should ensure that they have an operational national point of contact and make use of the existing network of operational points of contact available 24 hours a day and seven days a week. They should also ensure that they have procedures in place so that in urgent requests they can indicate within a maximum of 8 hours at least whether the request for help will be answered, as well as the form and the estimated time of this answer.
Data collection: it is stipulated that there is a need to collect comparable data on offences referred to in this Directive. Relevant data should be made available to the competent specialised agencies, such as Europol and the European Network and Information Security Agency in line with their tasks and information needs. The objective is to gain a more complete picture of the problem of cybercrime and network and information security at Union level and thereby contribute to formulating more effective responses.
Replacement of the Framework Decision 2005/222/JHA: it is clearly stipulated that the Directive aims to amend and expand the provisions of Framework Decision 2005/222/JHA concerning attacks against information systems.
Reports: lastly, the Commission should submit, within four years of the adoption of this Directive, a report to the European Parliament and the Council, assessing the extent to which the Member States have taken the necessary measures in order to comply with this Directive, accompanied, if necessary, by legislative proposals. In this respect, the Commission shall also take into account the technical and legal developments in the field of cyber crime, particularly with regard to the scope of this Directive.
The Committee on Civil Liberties, Justice and Home Affairs adopted the report by Monika HOHLMEIER (EPP, DE) on the proposal for a directive of the European Parliament and of the Council on attacks against information systems and repealing Council Framework Decision 2005/222/JHA.
The committee recommends that the European Parliament’s position adopted at first reading under the ordinary legislative procedure should be to modify the Commission’s proposal as follows:
Objective of the Directive: the objective of the Directive is to establish minimum rules concerning the definition of criminal offences and the sanctions in the area of attacks against information systems. It also aims to facilitate the prevention of such offences and to improve cooperation between judicial and other competent authorities.
Definitions: a definition of “without right” was added: "without right" means access, interference, interception, or any other conduct referred to in this Directive, not authorised by the owner, other right holder of the system or of part of it, or not permitted under national legislation.
It should also be noted that, in the recitals, a definition of “interception” has been introduced: interception includes (but is not necessarily limited to) the listening to, monitoring or surveillance of the content of communications and the procuring of the content of data either directly, through access and use of the information systems, or indirectly through the use of electronic eavesdropping or tapping devices by technical means.
Illegal system interference: Member States shall take the necessary measures to ensure that, when committed intentionally and without right, at least for cases which are not minor, the serious hindering or interruption of the functioning of an information system by inputting, transmitting, damaging, deleting, deteriorating, altering, suppressing or rendering inaccessible computer data is punishable as a criminal offence. The same applies to illegal access, to illegal data interference and to illegal interception within the meaning of the Directive.
Incitement, aiding and abetting and attempt: provision should also be made for measures to ensure that the incitement, aiding and abetting to commit an offence within the meaning of the Directive is punishable as a criminal offence. Member States are called upon to ensure that the attempt to commit an offence is punishable as a criminal offence.
Penalties: in a recital, it is stipulated that criminal sanctions should be envisaged at least for cases which are not minor. Member States may determine what constitutes a minor case according to their national law and practice. The case may be considered minor, for example, when the damage caused by the offence and/or the risk it carries to public or private interests, such as to the integrity of a computer system or computer data, or to a person's integrity, rights and other interests, is insignificant or is of such nature, that the imposition of a criminal penalty within the legal threshold or the imposition of criminal liability is not necessary.
In any event, offences that fall within the scope of the Directive should be subject to the following penalties:
· a maximum penalty of at least two years of imprisonment, in cases which are not minor;
· a maximum penalty of at least three years of imprisonment when certain offences covered by the Directive are committed intentionally, and when a significant number of information systems have been affected through the use of a tool designed or adapted primarily for this purpose;
· a maximum penalty of at least five years of imprisonment when offences covered by the Directive are:
- committed within the framework of a criminal organisation, or
- causing serious damage, or
- committed against a critical infrastructure information system.
Furthermore, when certain offences are committed by misusing personal data of another person, with the aim of gaining trust of a third party, thereby causing prejudice to the rightful identity owner, this may be regarded as aggravating circumstances. A recital stipulates that identity theft and other identity-related offences of the same type could require action at EU level in the form of a comprehensive horizontal EU instrument.
Jurisdiction: a Member State shall inform the Commission where it decides to establish further jurisdiction over an offence covered by the Directive committed outside their territory, e.g. where:
· the offender has his or her habitual residence in the territory of that Member State; or
· the offence is committed for the benefit of a legal person established in the territory of that Member State.
National contact point: Member States should ensure that they have an operational national point of contact and make use of the existing network of operational points of contact available 24 hours a day and seven days a week. They should also ensure that they have procedures in place so that in urgent requests they can indicate within a maximum of 8 hours at least whether the request for help will be answered, as well as the form and the estimated time of this answer.
Data collection: it is stipulated that there is a need to collect comparable data on offences referred to in this Directive. Relevant data should be made available to the competent specialised agencies, such as Europol and the European Network and Information Security Agency in line with their tasks and information needs. The objective is to gain a more complete picture of the problem of cybercrime and network and information security at Union level and thereby contribute to formulating more effective responses.
Replacement of the Framework Decision 2005/222/JHA: it is clearly stipulated that the Directive aims to amend and expand the provisions of Framework Decision 2005/222/JHA concerning attacks against information systems.
Reports: lastly, the Commission should submit, within four years of the adoption of this Directive, a report to the European Parliament and the Council, assessing the extent to which the Member States have taken the necessary measures in order to comply with this Directive, accompanied, if necessary, by legislative proposals. In this respect, the Commission shall also take into account the technical and legal developments in the field of cyber crime, particularly with regard to the scope of this Directive.
The Council adopted a general approach on a draft directive on attacks against information systems, proposed by the Commission in September 2010. The general approach will constitute the basis for the Council's negotiations with the European Parliament on this proposal under the ordinary legislative procedure.
The proposal aims to update the existing rules dating from 2005 (Framework Decision 2005/222/JHA), while building on the Council of Europe Convention on Cybercrime (Budapest Convention). It establishes minimum rules for the definition of criminal offences and the penalty levels in the area of attacks against IT systems. It also aims to facilitate the prevention of such attacks and to improve the cooperation between member states' authorities in this field. The new rules would retain most of the provisions currently in place - namely the penalisation of illegal access, illegal system interference and illegal data interference as well as instigation, aiding, abetting and attempt to commit those criminal offences - and include the following new elements:
· penalisation of the production and making available of tools (e.g. malicious software designed to create "botnets" or unrightfully obtained computer passwords) for committing the offences;
· illegal interception of computer data will become a criminal offence;
· improvement of European cooperation in criminal matters by strengthening the existing structure of 24/7 contact points, including an obligation to provide feedback within eight hours to urgent requests; and
· the obligation to collect basic statistical data on cybercrimes.
Concerning the level of criminal penalties, the new rules would raise the thresholds:
· in the general case to a maximum term of imprisonment of at least two years;
· if committed against a significant number of IT systems, e.g. in order to create a "botnet", to a maximum term of imprisonment of at least three years;
· if the attack has been committed by an organised criminal group, or has caused serious damage, e.g. through the use of a "botnet", or has affected a critical IT system, to a maximum term of imprisonment of at least five years.
These new forms of aggravating circumstances are intended to address the emerging threats posed by large scale cyber attacks, which are increasingly reported across Europe and have the potential severely to damage public interests.
Lastly, the Council has clarified the rules concerning the establishment of jurisdiction by the member states on cybercrime.
While the UK and Ireland participate in the adoption and application of this directive, Denmark would not be bound by it.
PURPOSE: to propose a new legislative framework aimed at combating (large scale) attacks against information systems and to repeal Council Framework Decision 2005/222/JHA.
PROPOSED ACT: Directive of the European Parliament and of the Council.
BACKGROUND: in recent years, the number of attacks against IT systems has risen steadily in Europe. Moreover, previously unknown large-scale and dangerous attacks against the information systems of companies, such as banks, the public sector and even the military, have been observed in the Member States and other countries. New concerns, such as the massive spread of malicious software creating 'botnets' - networks of infected computers that can be remotely controlled to stage large-scale, coordinated attacks - have emerged. Such network of compromised computers ('zombies') may be activated to perform specific actions such as attacks against information systems (cyber attacks). These 'zombies' can be controlled – often without the knowledge of the users of the compromised computers – by another computer. This 'controlling' computer is also known as the 'command-and-control centre'. The people who control this centre are among the offenders, as they use the compromised computers to launch attacks against information systems.
With regard to cybercrime, the main cause of this phenomenon is vulnerability resulting from a variety of factors. Insufficient response by law enforcement mechanisms contributes to the prevalence of these phenomena, and exacerbates the difficulties, as certain types of offences go beyond national borders. Variations in national criminal law and procedure may give rise to differences in investigation and prosecution, leading to differences in how these crimes are dealt with.
Developments in information technology have exacerbated these problems by making it easier to produce and distribute tools ('malware' and 'botnets'), while offering offenders anonymity and dispersing responsibility across jurisdictions. Given the difficulties of bringing a prosecution, organised crime is able to make considerable profits with little risk.
On 24 February 2005, EU Member States agreed a Council Framework Decision (2005/222/JHA) that addresses the most significant forms of criminal activity against information systems, such as hacking, viruses and denial of service attacks. The Framework Decision seeks to approximate criminal law across the EU to ensure that Europe's law enforcement and judicial authorities can take action against this form of crime. Member States were required to take the necessary measures to comply with the provisions of the Framework Decision by 16 March 2007.
On 14 July 2008, the Commission published a report on the implementation of the Framework Decision. It was noted that several emerging threats had been highlighted by recent attacks across Europe since adoption of the Framework Decision, in particular the emergence of large-scale simultaneous attacks against information systems and increased criminal use of so-called 'botnets'. These attacks were not the centre of attention when the Framework Decision was adopted.
In response to these developments, the Commission presents this proposal, which aims to consider recent technical advances and the new modi operandi found in today's cyber attacks and to devise better responses to the threat.
IMPACT ASSESSMENT: various policy options have been examined as a means of achieving the objective.
Option 1: Status Quo / No new EU action.
Option 2: Development of a programme to strengthen the efforts to counter attacks against information systems by means of non-legislative measures: these measures would, in addition to the programme for critical information infrastructure protection, focus on cross-border law enforcement and public-private cooperation. These soft-law instruments should aim to promote further coordinated action at EU level, including strengthening of the existing 24/7 network of contact points for law enforcement agencies; establishment of an EU network of public-private contact points involving cybercrime experts and law enforcement agencies; elaboration of a standard EU service level agreement for law enforcement cooperation with private sector operators; and support for the organisation of training programmes for law enforcement agencies on the investigation of cybercrime.
Option 3: Targeted update of the rules of the Framework Decision (new Directive replacing the current Framework Decision) to address the threat from large-scale attacks against information systems (botnets) and, when committed by concealing the real identity of the perpetrator and causing prejudice to the rightful identity owner, the efficiency of Member States' law enforcement contact points, and the lack of statistical data on cyber attacks.
Option 4: Introduction of comprehensive EU legislation against cybercrime: this option would entail new comprehensive EU legislation. In addition to introducing the soft-law measures in policy option 2 and the update in policy option 3, it would also tackle other legal problems related to Internet use (such as financial cybercrime, illegal Internet content, the collection/storage/transfer of electronic evidence…)
Option 5: Update of the Council of Europe Convention on Cybercrime: this option would require substantial renegotiation of the current Convention, which is a lengthy process and doesn’t seem realistic as there seems to be no international willingness to renegotiate the Convention.
The preferred policy option is a combination of non-legislative measures (option 2) with a targeted update of the Framework Decision (option 3).
LEGAL BASE: Article 83(1) of the Treaty on the Functioning of the European Union (TFEU).
CONTENT: the draft Directive, while repealing Framework Decision 2005/222/JHA, will retain its current provisions and include the following new elements:
On substantive criminal law in general, the proposed Directive:
1) Penalises the production, sale, procurement for use, import, distribution or otherwise making available of devices/tools used for committing the offences.
2) Includes aggravating circumstances:
- the large-scale aspect of the attacks: botnets or similar tools would be addressed by introducing a new aggravating circumstance, in the sense that the act of putting in place a botnet or a similar tool would be an aggravating factor when crimes listed in the existing Framework Decision are committed;
- when such attacks are committed by concealing the real identity of the perpetrator and causing prejudice to the rightful identity owner.
Any such rules would need to comply with the principles of legality and proportionality of criminal offences and penalties and be consistent with existing legislation on the protection of personal data.
3) Introduces ‘illegal interception’ as a criminal offence.
4) Introduces measures to improve European criminal justice cooperation by strengthening the existing structure of 24/7 contact points:
an obligation to comply with a request for assistance by the operational contact points (set out in Article 14 of the Directive) within a certain time limit is proposed. The Cybercrime Convention does not specify a binding provision of this kind. The aim of this measure is to ensure that the contact points indicate within a specified time whether they are able to provide a solution to the request for assistance, and by when the requesting point of contact can expect such a solution to be found. The actual content of the solutions is not specified.
5) Addresses the need to provide statistical data on cybercrimes by making it obligatory for the Member States to ensure that an adequate system is in place for the recording, production and provision of statistical data on the offences referred to in the existing Framework Decision and the newly added ‘illegal interception’.
Taking account of gravity of the crimes: the Directive contains, in the definitions of the criminal offences listed in Articles 3, 4 and 5 (illegal access to information systems, illegal systems interference and illegal interference), a provision allowing only 'cases which are not minor' to be criminalised in the process of transposition of the Directive into national law. This element of flexibility is intended to allow Member States not to cover cases that would in abstracto be covered by the basic definition but are considered not to harm the protected legal interest, in particular acts by young people who attempt to prove their expertise in information technology. This possibility to limit the scope of criminalisation should not, however, lead to the introduction of additional constitutive elements of offences beyond those that are already included in the Directive, because this would mean that only offences committed in the presence of aggravating circumstances are covered. In the process of transposition, Member States should refrain in particular from adding additional constitutive elements to the basic offences, such as a special intention to derive illicit proceeds from crime or the presence of a specific effect such as causing considerable damage.
BUDGETARY IMPLICATION: the implications of the proposal for the Union budget are small. More than 90% of the estimated cost of EUR 5 913 000 would be borne by the Member States and there is the possibility of applying for EU funding to reduce the cost.
Documents
- Follow-up document: COM(2017)0474
- Follow-up document: EUR-Lex
- Commission response to text adopted in plenary: SP(2013)625
- Final act published in Official Journal: Directive 2013/40
- Final act published in Official Journal: OJ L 218 14.08.2013, p. 0008
- Draft final act: 00038/2012/LEX
- Results of vote in Parliament: Results of vote in Parliament
- Decision by Parliament, 1st reading: T7-0321/2013
- Debate in Parliament: Debate in Parliament
- Committee report tabled for plenary, 1st reading: A7-0224/2013
- Amendments tabled in committee: PE480.665
- Committee opinion: PE469.848
- Committee draft report: PE476.089
- Committee opinion: PE472.192
- Debate in Council: 3096
- Economic and Social Committee: opinion, report: CES0816/2011
- Contribution: COM(2010)0517
- Document attached to the procedure: SEC(2010)1122
- Document attached to the procedure: EUR-Lex
- Document attached to the procedure: SEC(2010)1123
- Document attached to the procedure: EUR-Lex
- Legislative proposal published: COM(2010)0517
- Legislative proposal published: EUR-Lex
Activities
- Jacek PROTASIEWICZ
Plenary Speeches (2)
- 2016/11/22 Attacks against information systems (debate)
- 2016/11/22 Attacks against information systems (debate)
- Jan Philipp ALBRECHT
Plenary Speeches (1)
- 2016/11/22 Attacks against information systems (debate)
- Agustín DÍAZ DE MERA GARCÍA CONSUEGRA
Plenary Speeches (1)
- 2016/11/22 Attacks against information systems (debate)
- Ioan ENCIU
Plenary Speeches (1)
- 2016/11/22 Attacks against information systems (debate)
- Tunne KELAM
Plenary Speeches (1)
- 2016/11/22 Attacks against information systems (debate)
- Timothy KIRKHOPE
Plenary Speeches (1)
- 2016/11/22 Attacks against information systems (debate)
- Norica NICOLAI
Plenary Speeches (1)
- 2016/11/22 Attacks against information systems (debate)
- Kristiina OJULAND
Plenary Speeches (1)
- 2016/11/22 Attacks against information systems (debate)
- Hubert PIRKER
Plenary Speeches (1)
- 2016/11/22 Attacks against information systems (debate)
- Josef WEIDENHOLZER
Plenary Speeches (1)
- 2016/11/22 Attacks against information systems (debate)
Votes
A7-0224/2013 - Monika Hohlmeier - Legislative resolution #
Amendments | Dossier |
---|---|
178 | 2010/0273(COD) |
2011/10/12
ITRE
44 amendments...
Amendment 12 #
Proposal for a directive Recital 1 (1) The objective of this Directive is to approximate rules on criminal law in the Member States in the area of attacks against information systems, and improve cooperation between judicial and other competent authorities, including the police and other specialised law enforcement services of the Member States and the Union; this objective forms part of the Union’s general strategy aimed at combating organised crime, increasing the resilience of computer networks, protecting critical information infrastructure and data protection.
Amendment 13 #
Proposal for a directive Recital 1 (1) The objective of this Directive is to approximate rules on criminal law in the Member States in the area of attacks against information systems, and improve cooperation between judicial and other competent authorities, including the police
Amendment 14 #
Proposal for a directive Recital 1 (1) The objective of this Directive is to approximate rules on criminal law in the Member States in the area of attacks against information systems, and improve cooperation between judicial and other competent authorities, including the police and other specialised law enforcement services of the Member States, the Commission, ENISA, EUROPOL and EUROJUST to enable a common and comprehensive Union approach.
Amendment 15 #
Proposal for a directive Recital 1 (1) The objective of this Directive is to approximate rules on criminal law in the Member States in the area of attacks against information systems, and improve cooperation between judicial and other competent authorities, including the police, ENISA, national Computer Emergency Response Teams (CERTs), and other specialised law enforcement services of the Member States.
Amendment 16 #
Proposal for a directive Recital 1 a (new) (1a) Information systems are a key element of political, social and economic interaction in Europe. Society is highly and increasingly dependent on such systems. The smooth operation and security of these systems in Europe is vital for the development of the European single market and of a competitive and innovative economy. At the same time as providing great benefits, however, information systems carry a number of risks to our security on account of their complexity and vulnerability to various types of computer crime. The security of information systems is thus a matter of constant concern that requires an effective response from the Member States and the Union.
Amendment 17 #
Proposal for a directive Recital 2 (2) Attacks against information systems
Amendment 18 #
Proposal for a directive Recital 2 (2) Attacks against information systems, in particular as a result of the threat from organised crime, are a growing menace to the functioning of information systems in the Union and globally, and there is increasing concern about the potential for terrorist or politically motivated attacks against information systems which form part of the critical infrastructure of Member States and the Union. This constitutes a threat to the achievement of a safer information society and an area of freedom, democracy, security and justice, undermines the creation of a European digital single market and therefore requires a response at the level of the European Union as well as internationally, for example through the 2001 Council of Europe Convention on Cybercrime.
Amendment 19 #
Proposal for a directive Recital 2 (2) Attacks against information systems, in particular as a result of the threat from organised crime, are a growing menace both in the Union and globally, and there is increasing concern about the potential for terrorist or politically motivated attacks against information systems which form part of the critical infrastructure of Member States and the Union. This constitutes a threat to the achievement of a safer information society and an area of freedom, security and justice, and therefore requires a response at the level of the European Union and improved coordination and cooperation at international level.
Amendment 20 #
Proposal for a directive Recital 2 a (new) (2a) Recent cyber-attacks, perpetrated against European networks and/or information systems, have caused substantial economic and security damage to the Union.
Amendment 21 #
Proposal for a directive Recital 3 (3) There is evidence of a tendency towards increasingly dangerous and recurrent large scale attacks conducted against information systems which are critical to international organisations and states or to particular functions in the public or private sector. Such attacks can occasion significant financial losses both by taking down information and communications systems, and by causing the loss or alteration of data. This tendency is being accompanied
Amendment 22 #
Proposal for a directive Recital 3 (3) There is evidence of a tendency towards increasingly dangerous and recurrent large scale attacks conducted
Amendment 23 #
Proposal for a directive Recital 3 (3) There is evidence of a tendency towards increasingly dangerous and recurrent large scale attacks conducted against information systems which are critical to states, the Union or to particular functions in the public or private sector. This tendency is accompanied by the rapid development of information technology and thus of increasingly sophisticated tools that can be used by criminals to launch cyber-attacks of various types, some of which have significant potential to cause economic and social damage.
Amendment 24 #
Proposal for a directive Recital 4 (4) Common definitions in this area, particularly of information systems
Amendment 25 #
Proposal for a directive Recital 4 (4) Common definitions and norms of behaviour in this area, particularly of information systems and computer data, are important in order to ensure a consistent approach in the Member States to the application of this Directive.
Amendment 26 #
Proposal for a directive Recital 4 a (new) (4a) The revocation of IP addresses or domain names are examples of system interference and may be considered as criminal offences as defined in Article 4 of this Directive.
Amendment 27 #
Proposal for a directive Recital 4 a (new) (4a) The revocation of IP addresses or domain names are examples of system interference and may be considered as criminal offences as defined in Article 4 of this Directive.
Amendment 28 #
Proposal for a directive Recital 6 (6) Member States should provide for penalties in respect of attacks against information systems
Amendment 29 #
Proposal for a directive Recital 6 (6) Member States should provide
Amendment 30 #
Proposal for a directive Recital 6 a (new) (6a) Member States, the EU and the private sector, in cooperation with the European Network and Information Security Agency, should take steps to increase the security and integrity of information systems, to prevent attacks and to minimise the impact of attacks.
Amendment 31 #
Proposal for a directive Recital 7 (7) It is appropriate to provide for more severe penalties when an attack against an information system is committed by a criminal organisation, as defined in Council Framework Decision 2008/841/JHA of 24 October 2008 on the fight against organised crime, when the attack is conducted on a large scale, or when an offence is committed by concealing the real identity of the perpetrator and causing prejudice to the rightful identity owner. It is also appropriate to provide for more severe penalties where such an attack
Amendment 32 #
Proposal for a directive Recital 8 (8) The Council Conclusions of 27-28 November 2008 indicated that a new strategy should be developed with the Member States and the Commission, taking into account the content of the 2001 Council of Europe Convention on Cybercrime. The Council and Commission should encourage Member States that have not yet ratified the Convention to do so as soon as possible. That Convention is the legal
Amendment 33 #
Proposal for a directive Recital 11 (11) This Directive strengthens the importance of networks, such as the G8 or the Council of Europe's network of points of contact available on a twenty-four hour, seven-day-a-week basis to exchange information in order to ensure the provision of immediate assistance for the purpose of investigations or proceedings concerning criminal offences related to information systems and data, or for the collection of evidence
Amendment 34 #
Proposal for a directive Recital 11 (11) This Directive strengthens the importance of networks, such as the G8 or the Council of Europe's network of points of contact available on a twenty-four hour, seven-day-a-week basis to exchange information in order to ensure the provision of immediate assistance for the purpose of investigations or proceedings concerning criminal offences related to information systems and data, or for the collection of evidence in electronic form of a criminal offence. Given the speed with which large-scale attacks can be carried out, Member States, the EU and the European Network and Information Security Agency should be able to respond promptly to urgent requests from this network of contact points. Such assistance should include facilitating, or directly carrying out, measures such as: the provision of technical advice, the preservation of data, the collection of evidence, the provision of legal information, and the locating of suspects.
Amendment 35 #
Proposal for a directive Recital 11 (11) This Directive strengthens the importance of networks, such as the G8 or the Council of Europe's network of points of contact available on a twenty-four hour, seven-day-a-week basis to exchange information in order to ensure the provision of immediate assistance for the purpose of investigations or proceedings concerning criminal offences related to information systems and data, or for the collection of evidence in electronic form of a criminal offence. Given the speed with which large-scale attacks can be carried out, Member States should be able to respond promptly to urgent requests from this network of contact points. Such assistance should include facilitating, or directly carrying out, measures such as: the provision of technical advice, the preservation of data, the collection of evidence, the provision of legal information, the identification of the jeopardised and/or extracted information and the locating of suspects.
Amendment 36 #
Proposal for a directive Recital 11 a (new) (11a) Cooperation by the public authorities with the private sector and civil society is of great importance in preventing and combating attacks against information systems. A permanent dialogue should be established with these partners in view of the extensive use they make of information systems and the sharing of responsibility required for the stable and proper operation of these systems. The raising of awareness among all stakeholders in the use of information systems is important in creating a culture of IT security.
Amendment 37 #
Proposal for a directive Recital 12 (12) There is a need to collect data on offences under this Directive, in order to gain a more complete picture of the problem at Union level and thereby contribute to formulating more effective responses. Member States need to improve the exchange of information on attacks against information systems, with the support of the Commission and the European Network and Information Security Agency. The data will moreover help specialised agencies such as Europol and the European Network and Information Security Agency to better assess the extent of cybercrime and the state of network and information security in Europe. Better knowledge about present and future risks will help reach more appropriate decisions on deterring, combating or limiting the damage caused by attacks against information systems.
Amendment 38 #
Proposal for a directive Recital 12 (12) There is a need to collect data on offences under this Directive, in order to gain a more complete picture of the problem at Union level and thereby contribute to formulating more effective responses. The data will moreover help specialised agencies such as Europol and the European Network and Information Security Agency to better assess the extent of cybercrime and the state of network and information security in Europe and to support Member States in the adoption of responses to information security incidents.
Amendment 39 #
Proposal for a directive Recital 12 (12) There is a need to collect data on offences under this Directive, in order to gain a more complete picture of the problem at Union level and thereby contribute to formulating more effective responses. The data will moreover help specialised bodies and agencies such as Member States' CERTs, Europol and the European Network and Information Security Agency to better assess the extent of cybercrime and the state of network and information security in Europe.
Amendment 40 #
Proposal for a directive Recital 13 (13) Significant gaps and differences in Member States’ laws in the area of attacks against information systems may hamper the fight against organised crime and terrorism, and may complicate effective police and judicial cooperation in this area. The transnational and borderless nature of modern information systems means that attacks against such systems have a trans-border dimension, thus underlining the urgent need for further action at Union level to approximate national criminal legislation in this area. Likewise, the Union should pursue greater international cooperation in the field of network and information system security involving all relevant international actors. Besides that, the coordination of prosecution of cases of attacks against information systems should be facilitated by the adoption of Council Framework Decision 2009/948/JHA on prevention and settlement of conflict of jurisdiction in criminal proceedings.
Amendment 41 #
Proposal for a directive Article 1 – paragraph 1 This Directive defines criminal offences in the area of attacks against information systems and establishes harmonised minimum rules
Amendment 42 #
Proposal for a directive Article 2 – point d (d) "without right" means access or interference not authorised by the owner, other right holder of the system or of part of it, or not permitted under national or European legislation.
Amendment 43 #
Proposal for a directive Article 7 – point b (b) a computer password, access code, a digital or physical security token, or similar data by which the whole or any part of an information system is capable of being accessed.
Amendment 44 #
Proposal for a directive Article 8 – paragraph 1 a (new) 1a. Member States shall ensure that the unauthorised forwarding of identification data to other persons with a view to the conduct of any of the activities referred to in Articles 3 to 7 is punishable as a criminal offence.
Amendment 45 #
Proposal for a directive Article 8 – paragraph 1 b (new) 1b. Member States shall ensure that where an offence under Articles 3 to 7 is committed by a person who, within the scope of his or her employment, has access to the security systems inherent in information systems, this shall constitute an aggravating circumstance and be punishable as a criminal offence.
Amendment 46 #
Proposal for a directive Article 10 – paragraph 2 2. Member States shall take the necessary measures to ensure that the offences referred to in Articles 3 to 6 are punishable by criminal penalties of a maximum term of imprisonment of at least five years when committed through the use of a tool designed to launch attacks affecting a significant number of information systems, or attacks causing considerable damage, such as disrupted system services, financial cost or loss of personal data or sensitive information.
Amendment 47 #
Proposal for a directive Article 14 – paragraph 1 1. For the purpose of exchange of information relating to the offences referred to in Articles 3 to 8, and in accordance with data protection rules, Member States shall ensure that they have an operational national point of contact and make use of the
Amendment 48 #
Proposal for a directive Article 14 – paragraph 1 1. For the purpose of exchange of information relating to the offences referred to in Articles 3 to 8, and in accordance with data protection rules, Member States shall make use of the existing network of operational points of contact available 24 hours a day and seven days a week. Member States shall also ensure that they have procedures in place so that they can respond within a maximum of eight hours to urgent requests. Such response shall at least indicate whether and in what form the request for help will be answered and when. ENISA may undertake this role and supervise the exchange of information, functioning as a single point of contact and as the Union's cybersecurity incident registrar.
Amendment 49 #
Proposal for a directive Article 14 – paragraph 1 1. For the purpose of exchange of information relating to the offences referred to in Articles 3 to 8, and in accordance with data protection rules, Member States shall
Amendment 50 #
Proposal for a directive Article 14 – paragraph 2 2. Member States shall inform the Commission, Eurojust and the European Network and Information Security Agency of their appointed point of contact for the purpose of exchanging information on the offences referred to in Articles 3 to 8. The Commission shall forward that information to the other Member States.
Amendment 51 #
Proposal for a directive Article 14 – paragraph 2 a (new) 2a. ENISA shall play a strategic role in the coordination efforts between Member States and the Union institutions.
Amendment 52 #
Proposal for a directive Article 15 – paragraph 1 1. Member States shall ensure that a system is in place for the recording, production and provision of statistical data on the offences referred to in Articles 3 to 8. In the case of offences involving more than one Member State, ENISA may facilitate the exchange of those data among all interested parties, including EUROPOL and EUROJUST.
Amendment 53 #
Proposal for a directive Article 15 – paragraph 3 3. Member States shall transmit the data collected according to this Article to the
Amendment 54 #
Proposal for a directive Article 15 – paragraph 3 3. Member States shall transmit the data collected according to this Article to the Commission and the European Network and Information Security Agency (ENISA). They shall also ensure that a consolidated review of these statistical reports is published.
Amendment 55 #
Proposal for a directive Article 18 – paragraph 2 2. Member States and the European Network and Information Security Agency shall send to the Commission all the information that is appropriate for drawing up the report referred to in paragraph 1. The information
source: PE-473.808
2011/10/13
AFET
39 amendments...
Amendment 14 #
Proposal for a directive –
Amendment 15 #
Proposal for a directive Recital 1 (1) The objective of this Directive is to approximate rules on criminal law in the Member States in the area of attacks against information systems, and improve cooperation between judicial and other competent authorities, including the police and other specialised law enforcement services of the Member States, in accordance with the principle of separation of powers.
Amendment 16 #
Proposal for a directive Recital 1 (1) The objective of this Directive is to approximate rules on criminal law in the Member States in the area of attacks against information systems, and improve cooperation between judicial and other competent authorities, including the police and other specialised law enforcement services of the Member States and the Union; this objective forms part of the Union’s general strategy designed to combat organised crime, secure information networks more effectively, protect critical information infrastructures and safeguard data.
Amendment 17 #
Proposal for a directive Recital 1 a (new) (1a) Information systems are vital to political, social and economic interaction in Europe. Society today is highly dependent on such systems and is becoming even more so. However, despite their major benefits, they also embody a number of risks to our security because of their complexity and vulnerability to various types of cybercrime. The security of information systems is therefore a constant concern and requires effective responses from the Member States and the Union.
Amendment 18 #
Proposal for a directive Recital 2
Amendment 19 #
Proposal for a directive Recital 2 (2)
Amendment 20 #
Proposal for a directive Recital 2 (2) Attacks against information systems, in particular as a result of the threat from organised crime, are a growing menace, as evidenced by the cyber attacks on Estonia and Georgia as a method of modern warfare, and there is increasing concern about the potential for terrorist or economically or politically motivated attacks against information systems which form part of the critical infrastructure of Member States and the Union. This constitutes a threat to the achievement of a safer information society and an area of freedom, security and justice, and therefore requires a response at the level of the European Union.
Amendment 21 #
Proposal for a directive Recital 2 (2) Attacks against information systems, in particular
Amendment 22 #
Proposal for a directive Recital 2 a (new) (2a) A distinction between cyber attacks and physical attacks is crucial. Therefore a separate strategy to respond to such attacks should be developed in respect of attacks against information systems, in full cooperation with national parliaments and the European Parliament. Such a strategy should not constitute a threat to, or a breach of, human rights or fundamental freedoms. Such a strategy should not therefore be equivalent to a response to an armed attack.
Amendment 23 #
Proposal for a directive Recital 3 (3) There is evidence of a tendency towards increasingly dangerous and recurrent large scale attacks conducted against information systems which are critical to states, to the Union or to particular functions in the public or private sector. This tendency is accompanied by the rapid development of computer technology and, as a result, increasingly sophisticated tools that can be used by criminals to launch cyber-attacks of various types, some of which have a great potential to cause economic and social damage.
Amendment 24 #
Proposal for a directive Recital 3 (3) There is evidence of a tendency towards increasingly dangerous targeted and recurrent large scale attacks conducted against information systems which are critical to states or to particular functions in the public or private sector. This tendency is accompanied by the development of increasingly sophisticated tools that can be used by criminals to launch cyber-attacks
Amendment 25 #
Proposal for a directive Recital 4 a (new) (4a) A thorough, reliable and independent assessment of the overall level of threat of attacks against information systems should be carried out. The Union institutions should adjust their level of information security accordingly.
Amendment 26 #
Proposal for a directive Recital 4 a (new) (4a) There is a need for coordination at the level of the Union to help integrate different initiatives, programmes and activities.
Amendment 27 #
Proposal for a directive Recital 4 b (new) (4b) A Union Cybersecurity Coordinator should be appointed in order to facilitate the integration and coordination of the Union institutions’ initiatives, programmes and activities.
Amendment 28 #
Proposal for a directive Recital 5 a (new) (5a) There is a need to assess the real level of threat of attacks against information systems by a reliable, independent authority and to discuss coordination at the level of the Union to help integrate different initiatives, programmes and activities.
Amendment 29 #
Proposal for a directive Recital 6 (6) Member States should provide for penalties in respect of attacks against information systems
Amendment 30 #
Proposal for a directive Recital 7 (7) It is appropriate to provide for more severe penalties when an attack against an information system is committed by a criminal organisation, as defined in Council Framework Decision 2008/841/JHA of 24 October 2008 on the fight against organised crime, when the attack is conducted on a large scale, or when an offence is committed by concealing the real identity of the perpetrator and causing prejudice to the rightful identity owner.
Amendment 31 #
Proposal for a directive Recital 8 (8) The Council Conclusions of 27-28 November 2008 indicated that a new strategy should be developed with the Member States and the Commission, taking into account the content of the 2001 Council of Europe Convention on Cybercrime. The Council and Commission must encourage those Member States that have not yet ratified the Convention to do so as soon as possible. That Convention is the legal framework of reference for combating cybercrime, including attacks against information systems. This Directive builds on that Convention.
Amendment 32 #
Proposal for a directive Recital 8 a (new) (8a) The Council and the Commission should call on those Member States which still need to ratify the Council of Europe Convention on Cybercrime to do so without delay.
Amendment 33 #
Proposal for a directive Recital 11 (11) This Directive strengthens the importance of networks, such as the G8 or the Council of Europe’s network of points of contact available on a twenty-four hour, seven-day-a-week basis to exchange information in order to ensure the provision of immediate assistance for the purpose of investigations or proceedings concerning criminal offences related to information systems and data, or for the collection of evidence in electronic form of a criminal offence. Given the speed with which large-scale attacks can be carried out, Member States should be able to respond promptly to urgent requests from this network of contact points. Such assistance should include facilitating, or directly carrying out, measures such as: the provision of technical advice,
Amendment 34 #
Proposal for a directive Recital 11 a (new) (11a) Cooperation on the part of the authorities with the private sector and civil society is of major importance in avoiding and combating cyber attacks. It is necessary to establish ongoing dialogue with them, given their extensive use of computer systems and the need for shared responsibility in ensuring reliable and functional systems. It is important to raise awareness among all computer system stakeholders, so as to create a data security mentality.
Amendment 35 #
Proposal for a directive Recital 11 a (new) (11a) Closer cooperation should be envisaged both with the European Defence Agency (EDA) and with the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE), in particular in the field of capacity building and training.
Amendment 36 #
Proposal for a directive Recital 12 (12) There is a need to collect data on offences under this Directive, in order to gain a more complete picture of the problem at Union level and thereby contribute to formulating more effective responses. Member States must step up exchanges of information regarding cyber attacks with the support of the Commission and the European Network and Information Security Agency. The data will moreover help specialised agencies such as Europol and the European Network and Information Security Agency to better assess the extent of cybercrime and the state of network and information security in Europe. Improved knowledge of present and future risks will make it possible to take decisions which are more effective in deterring and combating cyber attacks or reducing the resulting damage.
Amendment 37 #
Proposal for a directive Recital 12 (12) There is a need to collect data on offences under this Directive, in order to gain a
Amendment 38 #
Proposal for a directive Recital 12 a (new) (12a) The Commission should examine the feasibility of providing frameworks or instruments to help public private partnerships (PPP) cooperate with each other at national level and Union level, to implement information quality standards for interoperability, and to ensure respect for fundamental rights, the separation of powers and democratic supervision.
Amendment 39 #
Proposal for a directive Recital 13 (13) Significant gaps and differences in Member States’ laws in the area of attacks against information systems may hamper the fight against organised crime and terrorism, and may complicate effective police and judicial cooperation in this area. The transnational and borderless nature of modern information systems means that attacks against such systems have a trans-border dimension, thus underlining the urgent need for further action to approximate criminal legislation in this area at Union level. The Union should also seek greater international cooperation in the field of data network security by collaborating closely with other organisations with the relevant terms of reference, such as the United Nations, NATO, the Council of Europe, or the OSCE and involving other international stakeholders. Besides that, the coordination of prosecution of cases of attacks against information systems should be facilitated by the adoption of Council Framework Decision 2009/948/JHA on prevention and settlement of conflict of jurisdiction in criminal proceedings.
Amendment 40 #
Proposal for a directive Recital 13 (13) Significant gaps and differences in Member States’ laws in the area of attacks against information systems may hamper the fight against organised crime and terrorism, and may complicate effective police and judicial cooperation in this area. The transnational and borderless nature of modern information systems means that attacks against such systems have a trans-border dimension, thus underlining the urgent need for further action to approximate criminal legislation in this area and to strengthen cross-border cooperation. Besides that, the coordination of prosecution of cases of attacks against information systems should be facilitated by the adoption of Council Framework Decision 2009/948/JHA on prevention and settlement of conflict of jurisdiction in criminal proceedings.
Amendment 41 #
Proposal for a directive Recital 16 (16) This Directive and any practical application thereof respect
Amendment 42 #
Proposal for a directive Recital 16 (16) This Directive respects the fundamental rights, in particular the right to privacy, and observes the principles recognised in particular by the Charter of Fundamental Rights of the European Union, including the protection of personal data, freedom of expression and information, the right to a fair trial, presumption of innocence and the rights of the defence, as well as the principles of legality and proportionality of criminal offences and penalties. In particular, this Directive seeks to ensure full respect for these rights and principles and must be implemented accordingly.
Amendment 43 #
Proposal for a directive Recital 16a (new) (16a) The Council and the Commission should insist, in negotiations and cooperation with third countries, on minimum requirements for preventing and fighting cybercrime and cyber attacks as well as on minimum standards for information system security.
Amendment 44 #
Proposal for a directive Recital 16b (new) (16b) The Commission should consider options to facilitate and assist third countries in their efforts to develop their cyber security and cyber defence capabilities.
Amendment 45 #
Proposal for a directive Article 3 – paragraph 1 Member States shall take the necessary measures to ensure that
Amendment 46 #
Proposal for a directive Article 7 – paragraph 1 – introductory part Member States shall take the necessary measures to ensure that the production, sale, procurement for use, import, possession, distribution or otherwise making available of the following
Amendment 47 #
Proposal for a directive Article 9 – paragraph 1 1. Member States shall take the necessary measures to ensure that the offences referred to in Articles 3 to 8 are punishable by
Amendment 48 #
Proposal for a directive Article 12 – paragraph 1 – introductory part 1. Member States shall take the necessary measures to ensure that a legal person held liable pursuant to Article 11(1) is punishable by
Amendment 49 #
Proposal for a directive Article 12 – paragraph 2 2. Member States shall take the necessary measures to ensure that a legal person held liable pursuant to Article 11(2) is punishable by
Amendment 50 #
Proposal for a directive Article 14 – paragraph 2 a (new) 2a. The Commission shall assist Member States in promoting the resilience and stability of the internet and shall undertake other activities aiming at achieving information security.
Amendment 51 #
Proposal for a directive Article 15 – paragraph 3 3. Member States shall transmit the data collected according to this Article to the Commission. They shall also ensure that a consolidated review of these statistical reports is submitted to the European Parliament and published.
Amendment 52 #
Proposal for a directive Article 15 – paragraph 3 a (new) 3a. The Commission shall review the application of this Directive and, in particular, the need to appoint a Union Cybersecurity Coordinator in order to assess the level of threat and facilitate the integration and coordination of the Union institutions’ initiatives, programmes and activities.
source: PE-473.863
2012/01/27
LIBE
95 amendments...
Amendment 100 #
Proposal for a directive Article 9 – paragraph 1 1. Member States shall take the necessary measures to ensure that the offences referred to in Articles 3 to 8 are punishable by
Amendment 101 #
Proposal for a directive Article 9 – paragraph 1 1. Member States shall take the necessary measures to ensure that the offences referred to in Articles 3 to
Amendment 102 #
Proposal for a directive Article 9 – paragraph 2 2. Member States shall take the necessary measures to ensure that the offences referred to in Articles 3 to 7 are punishable by criminal penalties of a maximum term of imprisonment of at least two years including the imposition of an adequate fine.
Amendment 103 #
Proposal for a directive Article 9 – paragraph 2 2. Member States shall take the necessary measures to ensure that the offences referred to in Articles 3 to 7 are punishable by criminal penalties of a maximum term of imprisonment of
Amendment 104 #
Proposal for a directive Article 9 – paragraph 2 2. Member States shall take the necessary measures to ensure that the offences referred to in Articles 3 to 7 are punishable by criminal penalties of a maximum term of imprisonment of at least
Amendment 105 #
Proposal for a directive Article 10
Amendment 106 #
Proposal for a directive Article 10 – paragraph 1 1. Member States shall take the necessary measures to ensure that the offences referred to in Articles 3 to 7 are punishable by criminal penalties of a maximum term of imprisonment of
Amendment 107 #
Proposal for a directive Article 10 – paragraph 1 1. Member States shall take the necessary measures to ensure that the offences referred to in Articles 3 to 7 are punishable by criminal penalties of a maximum term of imprisonment of at least between two and five years when committed within the framework of a criminal organization as defined in Framework Decision 2008/841/JHA.
Amendment 108 #
Proposal for a directive Article 10 – paragraph 2 2. Member States shall take the necessary measures to ensure that the offences referred to in Articles 3 to 6 are punishable by criminal penalties of a maximum term of imprisonment of at least five years when committed through the use of a tool designed to launch attacks affecting a significant number of information systems, or attacks causing considerable damage, such as disrupted system services, financial cost or loss of personal data or sensitive information, or affecting critical infrastructure information systems.
Amendment 109 #
Proposal for a directive Article 10 – paragraph 2 2. Member States shall take the necessary measures to ensure that the offences referred to in Articles 3 to 6 are punishable by criminal penalties of a maximum term of imprisonment of
Amendment 110 #
Proposal for a directive Article 10 – paragraph 2 2. Member States shall take the necessary measures to ensure that the offences referred to in Articles 3 to 6 are punishable by criminal penalties of a maximum term of imprisonment of at least between two and five years when committed through the use of a tool designed to launch attacks affecting a significant number of information systems, or attacks causing considerable damage, such as disrupted system services, financial cost or loss of personal data.
Amendment 111 #
Proposal for a directive Article 10 – paragraph 3
Amendment 112 #
Proposal for a directive Article 10 – paragraph 3
Amendment 113 #
Proposal for a directive Article 10 – paragraph 3 a (new) 3a. Member States shall ensure that the penalties referred to in Article 9 will not apply to offences referred to in Articles 3 to 7 when the offences are clearly not committed for criminal intent, such as during the testing or the immediate protection of information systems, or if the operator or vendor of the system is fully informed of the vulnerability in a timely manner.
Amendment 114 #
Proposal for a directive Article 10 – paragraph 3 b (new) 3b. Member States shall consider the protection of their information systems and associated data. Reasonable levels of protection should be provided against reasonably identifiable levels of threats and vulnerabilities, with the protection proportionate to the probable damage to the parties concerned.
Amendment 115 #
Proposal for a directive Article 10 – paragraph 3 c (new) 3c. Member States shall take appropriate steps to oblige legal persons under their jurisdictions to protect information systems from offences detailed in Articles 3 to 7. Reasonable levels of protection should be provided against reasonably identifiable levels of threats and vulnerabilities, with the protection proportionate to the probable damage to the parties concerned.
Amendment 116 #
Proposal for a directive Article 10 – paragraph 3 d (new) 3d. Where legal persons are considered to have failed to provide a reasonable level of protection as detailed in paragraphs 3b and 3c against offenses detailed in Articles 3 to 7, and where these offenses are considered to have been carried out with clear criminal intent, then these offenses will be considered to have been carried out under alleviating circumstances when applying criminal penalties.
Amendment 117 #
Proposal for a directive Article 10 – paragraph 3 e (new) 3e. Where legal persons have clearly failed to provide a reasonable level of protection and in cases where the damage caused as a result of this failure is considerable, then Member States shall ensure that it is possible to impose deterrent sanctions and to prosecute this legal person for negligence.
Amendment 118 #
Proposal for a directive Article 10 a (new)
Amendment 119 #
Proposal for a directive Article 12 – paragraph 1 – introductory part 1. Member States shall take the necessary measures to ensure that a legal person held liable pursuant to Article 11(1) is punishable by
Amendment 120 #
Proposal for a directive Article 12 – paragraph 1 – point a (a) temporary or permanent exclusion from entitlement to public benefits or aid;
Amendment 121 #
Proposal for a directive Article 12 – paragraph 2 2. Member States shall take the necessary measures to ensure that a legal person held liable pursuant to Article 11(2) is punishable by
Amendment 122 #
Proposal for a directive Article 13 – paragraph 1 – point b (b) by one of their nationals
Amendment 123 #
Proposal for a directive Article 14 – paragraph 1 1. For the purpose of exchange of information relating to the offences referred to in Articles 3 to 8, and in accordance with data protection rules, Member States shall ensure that they have an operational national point of contact and make use of the
Amendment 124 #
Proposal for a directive Article 14 – paragraph 1 1. For the purpose of exchange of information relating to the offences referred to in Articles 3 to 8, and in accordance with data protection rules,
Amendment 125 #
Proposal for a directive Article 14 – paragraph 2 2. Member States shall inform the Commission, Europol, Eurojust and the European Network and Information Security Agency (ENISA) of their appointed point of contact for the purpose of exchanging information on the offences referred to in Articles 3 to 8. The Commission shall forward that information to the other Member States.
Amendment 126 #
Proposal for a directive Article 15 – paragraph 1 1. Member States shall ensure th
Amendment 127 #
Proposal for a directive Article 15 a (new) Article 15a Training 1. Member States shall encourage the organisation and contribute to the funding of training courses for members of the public so that the latter are aware of the possibility of attacks intended to undermine the freedom and security of cyberspace and are able to protect themselves against such attacks. 2. Member States shall incorporate into their school curricula lessons which teach pupils about IT tools, the dangers they pose and how to protect themselves.
Amendment 128 #
Proposal for a directive Article 15 b (new) Article 15b Conformity with levels of security 1. Member States shall lay down in their national law criteria regarding the conformity of all IT tools with minimum levels of security. 2. No more than two years after the adoption of this Directive, the Commission shall submit a proposal for a directive which lays down minimum security criteria for all IT tools sold on the internal market.
Amendment 35 #
Proposal for a directive Recital 1 (1) The objective of this Directive is to approximate rules on criminal law in the Member States in the area of attacks against information systems, and improve cooperation between judicial and other competent authorities, including the police and other specialised law enforcement services of the Member States, the Commission, Eurojust, Europol and the European Network and Information Security Agency (ENISA), to enable a common and comprehensive EU approach.
Amendment 36 #
Proposal for a directive Recital 2 (2) Attacks against information systems, in particular as a result of the threat from organised crime, are a growing menace both in the EU and globally, and there is increasing concern about the potential for terrorist or politically motivated attacks against information systems which form part of the critical infrastructure of Member States and the Union. This constitutes a threat to the achievement of a safer information society and an area of freedom, security and justice, and therefore requires a response at the level of the European Union and improved cooperation and coordination at international level.
Amendment 37 #
Proposal for a directive Recital 2 (2) Attacks against information systems,
Amendment 38 #
Proposal for a directive Recital 3 (3) There is evidence of a tendency towards increasingly dangerous and recurrent large scale attacks conducted against information systems which are critical to states or to particular functions in the public or private sector. This tendency is accompanied by the development of increasingly sophisticated tools that can be used by criminals to launch cyber
Amendment 39 #
Proposal for a directive Recital 6 (6) Member States should provide for response and prevention mechanisms and penalties in respect of attacks against information systems. The penalties provided for should be effective, proportionate and dissuasive.
Amendment 40 #
Proposal for a directive Recital 6 (6) Member States should provide for penalties in respect of attacks against information systems. The penalties provided for should be effective, proportionate and dissuasive and could include imprisonment and/or financial penalties.
Amendment 41 #
Proposal for a directive Recital 6 (6) Member States should provide for penalties in respect of attacks against information systems. The penalties provided for should be
Amendment 42 #
Proposal for a directive Recital 6 (6) Member States should provide for effective measures to prevent attacks against information systems and penalties in respect of attacks against
Amendment 43 #
Proposal for a directive Recital 7 a (new) (7a) There should be no mandatory requirement to impose a penalty in cases deemed to be ‘minor’. A case may be considered as ‘minor’, for example, when the damage caused by the offence, and/or the risk it carries to public or private interests, such as to the integrity of an information system or computer data, or to a person's integrity, rights and other interests, is insignificant or is of such a nature that the imposition of a criminal penalty within the legal threshold or the imposition of criminal liability is not necessary;
Amendment 44 #
Proposal for a directive Recital 7 (7) It is appropriate to provide for more severe penalties when an attack against an information system is committed by a criminal organisation, as defined in Council Framework Decision 2008/841/JHA of 24 October 2008 on the fight against organised crime, when the attack is conducted on a large scale, such as via a ‘botnet’ network, or when an offence is committed by concealing the real identity of the perpetrator and causing prejudice to the rightful identity owner. It is also appropriate to provide for more severe penalties where such an attack has caused serious damage or has affected critical infrastructure or essential interests.
Amendment 45 #
Proposal for a directive Recital 10 (10) This Directive does not intend to impose criminal liability where the offences are committed without criminal intent, such as for
Amendment 46 #
Proposal for a directive Recital 10 (10) This Directive does not
Amendment 47 #
Proposal for a directive Recital 10 (10) This Directive does not intend to impose criminal liability where the objective criteria of the crimes listed in this Directive are met but the offences are committed without criminal
Amendment 48 #
Proposal for a directive Recital 11 (11) This Directive strengthens the importance of networks, such as the G8 or the Council of Europe
Amendment 49 #
Proposal for a directive Recital 12 (12) There is a need to collect data on offences under this Directive, in order to gain a more complete picture of the problem at Union level and thereby contribute to formulating more effective responses. Because not all the Member States collect information concerning attacks against information systems, little is known about such attacks. Because the methods used to collect statistics differ, the Member States which do collect them cannot compare them. The data will moreover help specialised agencies such as Europol and the European Network and Information Security Agency to better assess the extent of cybercrime and the state of network and information security in Europe.
Amendment 50 #
Proposal for a directive Recital 12 a (new) (12a) It is also necessary to foster and improve cooperation between service providers, producers, law enforcement authorities and judicial authorities, while fully respecting the rule of law, especially as regards legal certainty and foreseeability, as well as the rights of suspected and accused persons such as the presumption of innocence and judicial redress. That cooperation should include, for example, providing support to service providers for shutting down, completely or partially, illegal systems or functions, in accordance with the legislation in force.
Amendment 51 #
Proposal for a directive Recital 12 a (new) (12a) In order to fight cybercrime effectively, it is also necessary to increase the resilience of information systems by protecting them more effectively against attacks and setting the right incentives for this. In this respect, the establishment of minimum standards and of liability for vendors and operators for the adequate protection of information systems should play a central role. Therefore, the Union and the Member States' fight against cybercrime will have an impact, only if this Directive is accompanied by preventive measures against such offences adopted in accordance with Article 67(3) and Article 84 of the Treaty of the Functioning of the European Union.
Amendment 52 #
Proposal for a directive Recital 12 a (new) (12a) Member States should regard the protection of their information systems and the data they contain as part of their duty of care. Reasonable levels of protection should be provided against reasonably identifiable threats and areas of vulnerability. The costs and charges linked to this protection should reflect the harm which a cyber attack would cause to the persons concerned.
Amendment 53 #
Proposal for a directive Recital 12 a (new)
Amendment 54 #
Proposal for a directive Recital 12 b (new) (12b) The European Union and Member States should pay due regard to the protection of their information systems and associated data and provide a high level of protection against identifiable threats and vulnerabilities. The cost and burden of such protection should be proportionate to the potential damage to those affected by cyber attacks.
Amendment 55 #
Proposal for a directive Recital 12 b (new) (12b) Member States should consider the protection of their information systems and associated data. Reasonable levels of protection should be provided against reasonably identifiable threats and vulnerabilities. The cost and burden of such protection should be proportionate to the likely damage to those affected.
Amendment 56 #
Proposal for a directive Recital 12 b (new) (12b) Member States should also take appropriate steps to oblige legal persons who operate or supply information systems on their territory to protect personal data in their care against offences referred to in this Directive. Legal persons should provide reasonable levels of protection against reasonably identifiable threats and areas of vulnerability. Member States should ensure that a legal person who has failed to provide a reasonable level of protection is liable to criminal prosecution for negligence and to severe penalties if the damage suffered as a result of that failure is considerable.
Amendment 57 #
Proposal for a directive Recital 12 b (new) (12b) Member States should also take appropriate steps to oblige legal persons within their jurisdictions to protect personal data in their care from offences referred to in this Directive, as already envisaged by EU law on telecommunications and data protection. Appropriate levels of protection should be provided by legal persons against reasonably identifiable threats in accordance with the state of the art for specific sectors and the specific data processing situations. The cost and burden of such protection should be proportionate to the likely damage to those affected. Where a legal person has clearly failed to provide an appropriate level of protection, and where the damage caused as a result of such failure is considerable, Member States should ensure that it is possible to prosecute that legal person.
Amendment 58 #
Proposal for a directive Recital 12 c (new) (12c) The European Network and Information Security Agency (ENISA) should play a key role in providing the Member States and EU institutions and bodies with technical expertise in the field of preventing and combating cyber attacks, in line with its mandate. In this connection, ENISA should advise the Member States on the establishing and operation of national contact points and Computer Emergency Response Teams (CERTs). ENISA should also be forwarded statistical data by the Member States on offences under this Directive and, on the basis of this and other relevant information, should draw up reports and recommendations on the state of information system and computer data security.
Amendment 59 #
Proposal for a directive Recital 12 c (new) (12c) It is also necessary to foster and improve cooperation between service providers, producers and law-enforcement bodies, whilst fully respecting the rule of law, especially as regards legal certainty and the rights of suspects and accused persons, such as the presumption of innocence and the right to seek legal redress. It is also necessary that in a constitutional state the persons responsible for enforcing the law should respect the rule of law.
Amendment 60 #
Proposal for a directive Recital 12 c (new) (12c) Member States should also take appropriate steps to oblige legal persons within their jurisdictions who operate or provide IT systems to protect from offences referred to in this Directive. Reasonable levels of protection should be provided by legal persons against reasonably identifiable threats and vulnerabilities. Such protection should be proportionate to the likely damage to those affected. Where a legal person has clearly failed to provide a reasonable level of protection, and where the damage caused as a result of such failure is considerable, Member States should ensure that it is possible to impose deterrent sanctions and to prosecute this legal person for negligence.
Amendment 61 #
Proposal for a directive Recital 12 c (new) (12c) It is also necessary to foster and improve cooperation between service providers, producers, law enforcement bodies and judicial authorities, while fully respecting the rule of law, especially as regards legal certainty and foreseeability, as well as the rights of suspected and accused persons such as the presumption of innocence and judicial redress. This should include, for example, support by service providers in helping to preserve potential evidence, in providing elements helping to identify perpetrators and, as last resort, to shut down illegal systems or functions.
Amendment 62 #
Proposal for a directive Recital 12 d (new) (12d) Without prejudice to voluntary cooperation between legal persons, such as service providers and producers, on the one hand, and law-enforcement bodies and judicial authorities, on the other, Member States should define the cases in which the failure to act can in itself constitute criminal behaviour.
Amendment 63 #
Proposal for a directive Recital 12 d (new) (12d) It is also necessary to foster and improve cooperation between service providers, producers, law enforcement bodies and judicial authorities, while fully respecting the rule of law, especially as regards legal certainty and foreseeability, as well as the rights of suspected and accused persons such as the presumption of innocence and judicial redress.
Amendment 64 #
Proposal for a directive Recital 12 e (new) (12e) In order to fight cybercrime effectively, it is also necessary to increase the resilience of information systems by taking appropriate measures to protect them more effectively against attacks. In that connection, the introduction of minimum standards and of the principle of the criminal liability of operators and producers in respect of the appropriate protection of information systems is fundamental. For this reason, the Union's and the Member States' fight against cybercrime will be effective only if this Directive is accompanied by preventive measures to combat such offences adopted in accordance with Articles 67(3) and 84 of the Treaty on the Functioning of the European Union.
Amendment 65 #
Proposal for a directive Recital 13 (13) Significant gaps and differences in Member States’ laws in the area of attacks against information systems
Amendment 66 #
Proposal for a directive Recital 13 (13) Significant gaps and differences in Member States’ laws in the area of attacks against information systems may hamper the fight against organised crime and terrorism, and may complicate effective police and judicial cooperation in this area. The transnational and borderless nature of modern information systems means that attacks against such systems have a trans-border dimension, thus underlining the urgent need for further action to approximate criminal legislation in this area. Besides that, the coordination of prosecution of cases of attacks against information systems should be facilitated by the adoption of Council Framework Decision 2009/948/JHA on prevention and settlement of conflict of jurisdiction in criminal proceedings. There is, moreover, an urgent need to carry into effect the European Parliament declaration of 23 June 2010 on setting up a European early warning system (EWS) for paedophiles and sex offenders¹;
¹ OJ C 236 E, 12.8.2011, p. 152
Amendment 67 #
Proposal for a directive Recital 13 (13) Significant gaps and differences in Member States’ laws and criminal law procedures and systems in the area of attacks against information systems may hamper the fight against organised crime and terrorism, and may complicate effective international police and judicial cooperation in this area, since widely differing measures may be employed to combat such crimes. The transnational and borderless nature of modern information systems means that attacks against such systems have a trans-border dimension, thus underlining the urgent need for further action to approximate criminal legislation in this area. Besides that, the coordination of prosecution of cases of attacks against information systems should be facilitated by the adoption of Council Framework Decision 2009/948/JHA on prevention and settlement of conflict of jurisdiction in criminal proceedings.
Amendment 68 #
Proposal for a directive Recital 14 (14) Since the objectives of this Directive, i.e. ensuring that attacks against information systems, at least when they are perpetrated with criminal intent, are punished in all Member States by
Amendment 69 #
Proposal for a directive Recital 15 (15) Any personal data processed in the context of the implementation of this Directive should be protected in accordance with the rules laid down in the Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters with regard to those processing activities which fall
Amendment 70 #
Proposal for a directive Recital 16 (16) This Directive should respect
Amendment 71 #
Proposal for a directive Recital 16 a (new) (16a) This Directive is not intended to be applied by the Member States in a manner which is not consistent with Articles 2 and 3(1) and (2) of the Treaty on European Union, which lay down principles which must apply to cyberspace and the fight against cybercrime. Its application must not undermine the principle of internet neutrality.
Amendment 72 #
Proposal for a directive Article 1 This Directive defines criminal offences in
Amendment 73 #
Proposal for a directive Article 1 This Directive defines criminal offences in the area of attacks against information systems and establishes minimum rules concerning penalties for such offences. It also aims to introduce common provisions to prevent such attacks and improve European criminal justice cooperation in this field. It also aims to encourage the production of ever more secure IT tools and the installation of ever more secure IT systems.
Amendment 74 #
Proposal for a directive Article 2 – point c (c) "legal person" means any entity having such status under the applicable law
Amendment 75 #
Proposal for a directive Article 2 – point c (c) ‘legal person’ means any entity having such status under the applicable law
Amendment 76 #
Proposal for a directive Article 2 – point c (c) ‘legal person’ means any entity having such status under the applicable law, except for States or other public bodies in the exercise of State authority and for public international organisations
Amendment 77 #
Proposal for a directive Article 2 – point d (d) "without right" means access, use or interference not authorised by the owner, other right holder of the system or of part of it, or not permitted under national or European legislation.
Amendment 78 #
Proposal for a directive Article 2 – point d (d)
Amendment 79 #
Proposal for a directive Article 2 – point d (d) ‘without right’ means access, use, or interference not authorised by the owner, other right holder of the system or of part of it, or not permitted under national legislation.
Amendment 80 #
Proposal for a directive Article 2 – point d (d) "without right" means access or interference not authorised by the owner, other right holder of the system or of part of it,
Amendment 81 #
Proposal for a directive Article 2 – point d a (new) (da) ‘minor case’ means a case where the offence itself is deemed to be minor, there is no pressing need to prosecute in the public interest and the consequences of the offence are negligible;
Amendment 82 #
Proposal for a directive Article 2 – point d b (new) (db) ‘interception’ means listening to, monitoring or surveillance of the content of communications and the procuring of the content of data either directly or indirectly through the use of electronic eavesdropping or tapping devices by technical means.
Amendment 83 #
Proposal for a directive Article 2 a (new) Article 2a Preventive measures 1. Member States shall in cooperation with the European Network and Information Security Agency promote good practices in relation to security of data processing and support cooperation between public and private stakeholders by facilitating information sharing, awareness raising and dialogue on network and information security, including aspects of the fight against cybercrime. 2. Member States shall ensure that in the case of a personal data breach, the data controller and the data processor notify without undue delay and, as a rule, not later than 24 hours after the personal data breach has been established, the personal data breach to the competent national authority in line with Article 4 of Directive 2002/58/EC as amended by Directives 2006/24/EC and 2009/136/EC (e-privacy Directive). 3. Member States shall take the necessary measures to protect critical infrastructure from cyber attacks and provide for means to hermetically cut off access to a critical infrastructure in case a direct cyber attack severely threatens its proper functioning.
Amendment 84 #
Proposal for a directive Article 3 Member States shall take the necessary measures to ensure that the intentional access without right
Amendment 85 #
Proposal for a directive Article 3 Member States shall take the necessary measures to ensure that the intentional access without right to the whole or any part of an information system is punishable as a criminal offence, at least for cases which
Amendment 86 #
Proposal for a directive Article 3 Member States shall take the necessary measures to ensure that the intentional access without right - meaning entering to the whole or any part of an information system - is punishable as a criminal offence, at least for cases which are not minor. The conduct referred to in paragraph 1 shall be incriminated only where the offence is committed by infringing a security measure and provided that the operator or vendor of the system is not fully informed of the vulnerability in a timely manner.
Amendment 87 #
Proposal for a directive Article 3 Member States shall take the necessary measures to ensure that the intentional access
Amendment 88 #
Proposal for a directive Article 4 Member States shall take the necessary measures to ensure that the intentional serious hindering or interruption of the functioning of an information system by inputting, transmitting, damaging, deleting, deteriorating, altering, suppressing or rendering inaccessible computer data is punishable as a criminal offence when committed without right, at least for cases which
Amendment 89 #
Proposal for a directive Article 5 Member States shall take the necessary measures to ensure that the intentional
Amendment 90 #
Proposal for a directive Article 6 Member States shall take the necessary measures to ensure that the intentional interception by technical means, of non-public transmissions of computer data to, from or within an information system, including electromagnetic emissions from an information system carrying such computer data, is punishable as a criminal offence when committed without right, at least in cases which are not minor. Interception may also involve recording. Data transmissions comprise the period taken to transfer the data, by cable or by wireless, between the time it is transmitted by the sender and the time it reaches the recipient. Technical means include technical devices fixed to transmission lines as well as devices to collect and record wireless communications, including the use of software, passwords and codes.
Amendment 91 #
Proposal for a directive Article 6 In accordance with Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms and with the Charter of Fundamental Rights, Member States shall take the necessary measures to ensure that the
Amendment 92 #
Proposal for a directive Article 6 – paragraph 1 Member States shall take the necessary measures to ensure that the intentional interception by technical means, of non-public transmissions of computer data to, from or within an information system, including electromagnetic emissions from an information system carrying such
Amendment 93 #
Proposal for a directive Article 7 – introductory part
Amendment 94 #
Proposal for a directive Article 7 – point a (a) device, including a computer program but excluding a computer itself, designed or adapted primarily for the purpose of committing any of the offences referred to in Articles 3 to 6;
Amendment 95 #
Proposal for a directive Article 7 – point b
Amendment 96 #
Proposal for a directive Article 8
Amendment 97 #
Proposal for a directive Article 8 – paragraph 1
Amendment 98 #
Proposal for a directive Article 8 a (new) Article 8a Manufacturers’ liability Member States shall take the measures required to ensure that manufacturers are held criminally liable in connection with the production, placing on the market, marketing, operation and non-compliance with security standards of products and systems which are defective or which have proven security problems, thus making cyber attacks or data loss more likely.
Amendment 99 #
Proposal for a directive Article 9 – paragraph 1 1. Member States shall take the necessary measures to ensure that the offences referred to in Articles 3 to 8 are punishable by effective, proportional and dissuasive criminal penalties, including the imposition of adequate fines.
source: PE-480.665