New Directive on Attacks against Information Systems

Author info
Hans Graux

At the EU level, various attempts have been made to harmonise cybercrime legislation across the region. In 2001 the Council of Europe’s Cybercrime Convention represented a first foray into this policy area and was followed by the 2005 EU Framework Decision on Attacks against Information Systems. As cybercrime has evolved, a revised framework has been needed and now a new EU Directive on Attacks against Information Systems replaces the Framework Decision and updates the rules.

Background

The first European attempt to provide a harmonized legal framework for combating cybercrime took place at the 2001 Council of Europe’s Cybercrime Convention (also known as the “Budapest Convention”). It defined a series of crimes (such as illegal access, system and data interference, and illegal interception) and set out rules concerning jurisdiction and criminal investigative measures. It was quite successful in its objectives, being one of the few Council of Europe initiatives that was also signed and ratified by non-member states, including the USA, Japan and Canada.

Within the EU, the first legal initiative was the 2005 EU Framework Decision on Attacks against Information Systems. That Decision had a somewhat different scope than the Cybercrime Convention. On the one hand, it was more narrowly focused: its applicability was limited to the EU Member States only and it did not contain rules on investigative measures (as that was beyond the scope of the EU’s regulatory competences). On the other hand, it did specify minimal penalties and required the Member States to create 24/7 contact networks to assist one another in criminal investigations; neither of these issues was included in the Cybercrime Convention. Thus, EU cybercrime legislation had already been harmonized to some extent.

New challenges require new rules

Cybercrime however has not stopped evolving. Newer trends include the rise of organized crime, botnet attacks (in which computers are attacked by a very large number of infected computer systems) and identity theft (where a person’s identity information is used by a third party, typically to commit fraud or otherwise cause harm). In the light of these challenges, a revised framework has been needed. 

In 2010 the European Commission published a legislative proposal and, after deliberation, it was finally adopted by the European Parliament on 22 July 2013. The new legislation was published in the EU’s Official Journal on 14 August 2013 as the Directive 2013/40/EU on Attacks against Information Systems and entered into force on 4 September 2013. The Directive abolishes the Framework Decision and Member States must transpose it into national law by 4 September 2015.

Key changes and challenges

Much of the Directive mirrors the content of the prior Framework Decision and therefore does not require significant change. For example, all prior cybercrime definitions are retained (albeit with sometimes higher penalties), as well as the rules concerning jurisdiction, liability of legal persons, and cooperation through the 24/7 contact networks. In addition, a few elements from the Cybercrime Convention were integrated which had so far been missing in EU law, such as the crime of illegal interception and the misuse of tools. Since most Member States had already aligned their laws to both the Framework Decision and the Cybercrime Convention, these elements will not require much legislative change for most EU countries.

However, several elements in the Directive are entirely new. The Directive introduces new aggravating circumstances, including the committing of crimes where “a significant number of information systems have been affected through the use of a tools” (i.e. botnet attacks), and crimes “committed by misusing the personal data of another person, with the aim of gaining the trust of a third party, thereby causing prejudice to the rightful identity owner” (i.e. identity theft). Furthermore, Member States will in the future need to be able to respond to urgent information requests with a response time of no more than 8 hours, and they will be required to collect statistical data and report on cybercrime prevalence and criminal convictions within their borders.

These new elements are not always easy to implement. It will be a challenge to judge the number of systems required to create a botnet (a “significant number”), as will the question of what exactly causes “prejudice” to an “identity owner”. On these points, guiding jurisprudence is likely to take some time to develop in many Member States. Similarly, statistical data collection may be difficult as most Member States do not have a public authority required to collect all data, as categorized under the Directive, on incident prevalence, arrests, prosecutions and convictions.

It is clear that the Directive aims to further streamline EU efforts and cooperation in the fight against cybercrime, and is intended to provide new weapons in the Member States’ arsenal. It is hoped this change proves to be a positive development. 

Hans Graux comments:

The new Directive further streamlines and enhances the European rules in the fight against cybercrime. While some of the new provisions will clearly be a challenge to implement and apply correctly, they provide a common path to more effective crime fighting.

For further information on this legal development please contact Hans Graux at (hans.graux@timelex.eu).