Fighting cross-border crimes affecting information and communications networks (cybercrime) is a priority of the EU internal security strategy. To counter so-called cyber-attacks in a borderless space, both the Council of Europe and the EU have drawn up common strategies, operational measures and legislation.
Crimes beyond national borders
The internet, while opening up information flows, has also created a range of new possible transnational crimes. Criminals can threaten the security of nation states and/or the civil liberties of their citizens. Organised crime may exploit cyberspace to steal money, to commit fraud or for other illicit activities, such as breaking into computer networks to steal data or business secrets or to destroy documents. Cybercrime can damage infrastructure essential for vital functions of society, for people’s health, safety, security, and economic or social well-being (for instance power plants, transport networks or government networks).
The first global instrument to deter action directed against the confidentiality, integrity and availability of computer systems, networks and computer data was the 2001 Budapest Convention promoted by the Council of Europe. This legal instrument aims to facilitate detection, investigation, criminalisation and prosecution of such activities at both domestic and international levels.
The EU approach
The proposed directive
The EU adopted the 2005 Council Framework Decision (FD) on attacks against information systems. Under the legal base of the Lisbon Treaty, the Commission proposed a new Directive to replace the FD. It would establish minimum rules concerning definitions and sanctions for criminal offences in this field. The Civil Liberties, Justice and Home Affairs Committee (rapporteur Monika Hohlmeier, EPP, Germany) has adopted its report, following agreement on the text in trilogue.
The main crimes defined in the proposed Directive are illegal access to information systems, illegal interference with systems or data, and illegal interception of data transmissions (articles 3-6). In particular, stricter criminal sanctions would be required for so-called “botnet” attacks, in which a large number of computers are infected in order to control them remotely, performing tasks automatically without users’ knowledge. Large-scale cyber-attacks can thus spread rapidly over the internet. Penalties would also be imposed on legal persons, such as companies, in case of infringement for their benefit. The directive also takes a careful approach to prevent possible over-criminalisation.
Operational cooperation and legislation
The proposed Directive would also improve operational cooperation between the national law enforcement services of Member States (MS) and competent EU agencies (Eurojust, Europol and its European cyber crime centre, as well as the European Network and Information Security Agency). MS would have to respond within eight hours to an urgent request related to cyber-attacks. EU agencies would conduct threat assessments and strategic analyses of cybercrime on the basis of the information submitted by MS. All these activities should also comply with existing EU legislation on privacy and electronic communication and data protection, which is an essential part of the comprehensive approach to effectively counteracting cybercrime.
In the context of shaping a new EU cybercrime strategy, the European Commission proposed in February a Directive concerning measures to ensure a high common level of network and information security (NIS) across the Union. This Directive would require all MS to set up Computer Emergency Response Teams (CERTs) and to adopt national NIS strategies and cooperation plans. It is being considered by the EP’s Internal Market Committee.