Anti-Cybercrime

Attacks against information systems

The EU cybercrime directive aims to fight cybercrime and promote information security through stronger national laws, more severe criminal penalties and greater cooperation between relevant authorities.

Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on attacks against information systems and replacing Council Framework Decision 2005/222/JHA.

They have applied since 18 May 2019.

SUMMARY

This directive introduces new rules harmonising criminalisation and penalties for a number of offences directed against information systems. These rules include outlawing the use of so-called botnets — malicious software designed to take remote control of a network of computers. It also calls for EU countries to use the same contact points used by the Council of Europe and the G8 to react rapidly to threats involving advanced technology.

The main types of criminal offences covered by this directive are attacks against information systems, ranging from denial of service attacks designed to bring down a server to interception of data and botnet attacks.

Cybercrime needs to be combated effectively, not only when it is within a given Member State but also when it is across Member States. This requires:

ensuring that the same offences are criminalised in all Member States;
giving law enforcement authorities the means to act and to cooperate with one another.

To this end, the present directive requires the approximation of criminal law systems between EU countries and the enhancement of cooperation between judicial authorities concerning:

illegal access to information systems
illegal system interference
illegal data interference
illegal interception.
In all cases, the criminal act must be committed intentionally.

Instigating, aiding, abetting and attempting to commit any of the above offences will also be liable to punishment.

The Member States will have to make provision for such offences to be punished by effective, proportionate and dissuasive criminal penalties.

Where an offence is committed in the context of a criminal organisation within the meaning of this directive, and causes substantial loss or affects essential interests, this will be considered an aggravating circumstance. The same applies if an offence is committed using another person’s identity and causes harm to this person.

The directive also introduces the liability of ‘legal persons’ and sets out sanctions that may apply if they are found liable.

Each EU country will assume jurisdiction at minimum for offences committed on its territory or by one of its nationals outside its territory. Where several countries have jurisdiction over an offence, they must cooperate to decide which one will conduct proceedings against the author of said offence.

Improved cooperation

To fight cybercrime better, the directive calls for greater international cooperation between judicial and law enforcement authorities.

To this end, EU countries must:

have an operational national point of contact,
use the existing network of 24/7 contact points ,
respond to urgent requests for help within 8 hours to indicate whether and when a response may be provided,
collect statistical data on cybercrime.

This directive builds on and replaces the EU Council Framework Decision 2005/222/JHA on attacks against information systems. It also builds on the Council of Europe Cybercrime Convention of 2001, which serves as a model for national and regional legislation on cybercrime and creates a common basis for cooperation within and beyond the EU.

REFERENCES

Directive 2013/40/EU

Council Framework Decision 2005/222/JHA of 24 February 2005 on attacks against information systems.

EU restrictive measures against cyber-attacks

SUMMARY OF:

Decision (CFSP) 2019/797 — restrictive measures against cyber-attacks threatening the EU or its Member States

Regulation (EU) 2019/796 — restrictive measures against cyber-attacks threatening the EU or its Member States

They introduce a framework which allows the EU to impose sanctions to deter and respond to cyber-attacks* constituting an external threat to the EU or to EU countries. These cyber-attacks include those against non-EU countries or international organisations where action is considered necessary to achieve the EU’s common foreign and security policy objectives.

Sanctions for listed persons and entities

This framework allows the EU to impose sanctions on persons or entities responsible for cyber-attacks or attempted cyber-attacks, who provide financial, technical or material support for such attacks or who are involved in other ways. Sanctions may also be imposed on persons or entities associated with them. Restrictive measures include bans on persons travelling to the EU, and asset freezing.

Persons subject to such sanctions will be listed in Annex I of the decision, as identified by the Council; all funds and economic resources belonging to, owned, held or controlled by any natural or legal person, entity or body listed in Annex I will be frozen.

EU countries are responsible for setting out rules on penalties for infringements.

Cyber-attacks

The cyber-attacks falling within the scope of this new sanctions regime are those which have significant impact and which:

originate or are carried out from outside the EU; or
use infrastructure outside the EU; or
are carried out by persons or entities established or operating outside the EU; or
are carried out with the support of person or entities operating outside the EU.

Cyber-attacks which are a threat to EU countries include those affecting information systems relating to:

critical infrastructure essential to the vital functions of society, or citizens’ health, safety, security, and economic or social well-being;
services necessary for essential social and economic activities, in particular energy, transport, banking; finance, healthcare, drinking water, digital infrastructure;
critical state functions, in particular defence, the governance and functioning of institutions, public elections, economic and civil infrastructure, internal security, and external relations, including diplomatic missions;
the storage or processing of classified information; or
government emergency response teams.

BACKGROUND

A joint communication issued in June 2018 pointed out that activities by State and non-state actors such as cyber-attacks disrupting the economy and public services, through targeted disinformation campaigns, to hostile military actions continue to pose a serious and acute threat to the EU and to EU countries. It identified areas where action should be intensified to further deepen and strengthen the EU contribution to addressing these threats, and called upon EU countries and the Commission to ensure swift follow-up.

In October 2018, in the wake of the cyber attacks on the Organisation for the Prohibition of Chemical Weapons, the European Council adopted conclusions calling for measures to be drawn up to further strengthen the EU’s deterrence, resilience and response to hybrid, cyber as well as chemical, biological, radiological and nuclear threats. The Council was called upon to devise a sanctions regime specific to cyber-attacks.

Resilience, Deterrence and Defence: Building strong cybersecurity in Europe (European Commission)
Reform of cybersecurity in Europe (European Council and Council of the European Union)
Cyber-attacks: Council is now able to impose sanctions — Press release (European Council and Council of the European Union).

DOCUMENTS

Council Decision (CFSP) 2019/797 of 17 May 2019 concerning restrictive measures against cyber-attacks threatening the Union or its Member States (OJ L 129I, 17.5.2019, pp. 13-19)

Council Regulation (EU) 2019/796 of 17 May 2019 concerning restrictive measures against cyber-attacks threatening the Union or its Member States (OJ L 129I, 17.5.2019, pp. 1-12)

RELATED DOCUMENTS

Joint communication to the European Parliament, the European Council and the Council — Increasing resilience and bolstering capabilities to address hybrid threats (JOIN(2018) 16 final, 13.6.2018)

last update 20.01.2020

Top
About Site map Help Links Legal notice Newsletter Contact
Other sites managed by the Publications Office
EU Publications
EU Open Data Portal
Ted
Whoiswho
CORDIS
Portal of the Publications Office of the EU
N-LexCybersecurity of network and information systems

SUMMARY OF:

Directive (EU) 2016/1148 — cybersecurity of network and information systems

WHAT IS THE AIM OF THE DIRECTIVE?

It proposes a wide-ranging set of measures to boost the level of security of network and information systems (cybersecurity*) to secure services vital to the EU economy and society. It aims to ensure that EU countries are well-prepared and are ready to handle and respond to cyberattacks through:

the designation of competent authorities,
the set-up of computer-security incident response teams (CSIRTs), and
the adoption of national cybersecurity strategies.
It also establishes EU-level cooperation both at strategic and technical level.

Lastly, it introduces the obligation on essential-services providers and digital service providers to take the appropriate security measures and to notify the relevant national authorities about serious incidents.

KEY POINTS

Improving national cybersecurity capabilities

EU countries must:

designate one or more national competent authorities and CSIRTs and identify a single point of contact (in case there is more than one competent authority);
identify providers of essential services in critical sectors such as energy, transport, finance, banking, health, water and digital infrastructure where a cyberattack could disrupt an essential service.
EU countries must also put in place a national cybersecurity strategy for network and information systems*, covering the following issues:

being prepared and ready to handle and respond to cyberattacks;
roles, responsibilities and cooperation of government and other parties;
education, awareness-raising and training programmes;
research and development planning;
planning to identify risks.
The national competent authorities monitor the application of the directive by:

assessing the cybersecurity and security policies of providers of essential services;
supervising digital service providers;
participating in the work of the cooperation group (comprising network and information security (NIS) competent authorities from each of the EU countries, the European Commission and the European Union Agency for Network and Information Security (ENISA));
informing the public where necessary to prevent an incident or to deal with an ongoing incident, while respecting confidentiality;
issuing binding instructions to remedy cybersecurity deficiencies.
The CSIRTs are responsible for:

monitoring and responding to cybersecurity incidents;
providing risk analysis and incident analysis and situational awareness;
participating in the CSIRTs network;
cooperating with the private sector;
promoting the use of standardised practices for incident and risk-handling and information classification.
Security and notification requirements

The directive aims to promote a culture of risk management. Businesses operating in key sectors must evaluate the risks they run and adopt measures to ensure cybersecurity. These companies must notify the competent authorities or CSIRTs of any relevant incident, such as hacking or theft of data, that seriously compromises cybersecurity and has a significant disruptive effect on the continuity of critical services and the supply of goods.

To determine incidents to be notified by providers of essential services*, EU countries should take into account an incident’s duration and geographical spread, as well as other factors, such as the number of users relying on that service.

Key digital service providers (search engines, cloud computing services and online marketplaces) will also have to comply with the security and notification requirements.

Improving EU-level cooperation

The directive sets up the cooperation group whose tasks include:

providing guidance to the CSIRTs network;
exchange best practice on the identification of providers of essential services;
assisting EU countries in building cybersecurity capabilities;
sharing information and best practice on awareness-raising and training, research and development;
sharing information and collecting best practice on risks and incidents;
discussing modalities of incident notification.
It also sets up the CSIRT network comprising representatives of EU countries’ CSIRTS and the Computer Emergency Response Team (CERT-EU). Its tasks include:

sharing information on CSIRT services;
sharing information concerning cybersecurity incidents;
supporting EU countries in the response to cross-border incidents;
discussing and identifying a coordinated response to an incident reported by an EU country;
discussing, exploring and identifying further forms of operational cooperation, including:
categories of risks and incidents;
early warnings;
mutual assistance;
co-ordination between countries responding to risks and incidents which affect more than one EU country;
informing the cooperation group of its activities and requesting guidance;
discussing lessons learnt from cybersecurity exercises;
discussing the capabilities of individual CSIRTs at their request;
issuing guidelines on operational cooperation.
Penalties

EU countries must apply effective, proportionate and dissuasive penalties to ensure that the terms of this directive are applied.

FROM WHEN DOES THIS DIRECTIVE APPLY?

It applies from 8 August 2016. EU countries have to incorporate it into national law by 9 May 2018, and identify providers of essential services by 9 November 2018.

BACKGROUND

Cybersecurity (European Commission)
Cybersecurity: The Commission scales up its response to cyber attacks — press release (European Commission)
Directive on Security of Network and Information Systems — press release (European Commission)
Resilience, Deterrence and Defence: Building strong cybersecurity in Europe — factsheet (European Commission).
KEY TERMS

Cybersecurity: the ability of network and information systems to resist action that compromises the availability, authenticity, integrity or confidentiality of digital data or the services those systems provide.
Network and information system: an electronic communications network, or any device or group of interconnected devices which process digital data, as well as the digital data stored, processed, retrieved or transmitted.
Essential services: private businesses or public entities with an important role for the society and economy, as for example water supply, electricity services, etc.
MAIN DOCUMENT

Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (OJ L 194, 19.7.2016, pp. 1-30)

RELATED DOCUMENTS

Commission Implementing Regulation (EU) 2018/151 of 30 January 2018 laying down rules for application of Directive (EU) 2016/1148 of the European Parliament and of the Council as regards further specification of the elements to be taken into account by digital service providers for managing the risks posed to the security of network and information systems and of the parameters for determining whether an incident has a substantial impact (OJ L 26, 31.1.2018, pp. 48-51)

Commission Implementing Decision (EU) 2017/179 of 1 February 2017 laying down procedural arrangements necessary for the functioning of the Cooperation Group pursuant to Article 11(5) of the Directive (EU) 2016/1148 of the European Parliament and of the Council concerning measures for a high common level of security of network and information systems across the Union (OJ L 28, 2.2.2017, p. 73-77)

Communication from the Commission to the European Parliament and the Council: Making the most of NIS – towards the effective implementation of Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (COM(2017) 476 final 2, 4.10.2017)

Commission Recommendation (EU) 2017/1584 of 13 September 2017 on coordinated response to large-scale cybersecurity incidents and crises (OJ L 239, 19.9.2017, pp. 36-58)

Joint communication to the European Parliament and the Council — Resilience, Deterrence and Defence: Building strong cybersecurity for the EU (JOIN(2017) 450 final, 13.9.2017)

Commission staff working document — Assessment of the EU 2013 cybersecurity strategy (SWD(2017) 295 final, 13.9.2017)

Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (OJ L 257, 28.8.2014, pp. 73-114)

Council Decision 2013/488/EU of 23 September 2013 on the security rules for protecting EU classified information (OJ L 274, 15.10.2013, pp. 1-50).

Successive amendments to Decision 2013/488/EU have been incorporated into the original document. This consolidated version is of documentary value only.

Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on attacks against information systems and replacing Council Framework Decision 2005/222/JHA (OJ L 218, 14.8.2013, pp. 8-14)

Regulation (EU) No 526/2013 of the European Parliament and of the Council of 21 May 2013 concerning the European Union Agency for Network and Information Security (ENISA) and repealing Regulation (EC) No 460/2004 (OJ L 165, 18.6.2013, pp. 41-58)

Joint communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions — Cybersecurity Strategy of the European Union: An open, Safe and Secure Cyberspace (JOIN(2013) 1 final, 7.2.2013)

last update 01.03.2018

European societies are increasingly dependent on electronic networks and information systems. The evolution of information communication technology (ICT) has also seen the development of criminal activity that threatens citizens, businesses, governments and critical infrastructures alike. To help fight it, in 2013 the European Union set up the European Cybercrime Centre (EC3) as part of Europol.

ACT

Communication from the Commission to the Council and the European Parliament: Tackling crime in our digital age: establishing a European Cybercrime Centre (COM(2012) 140 final of 28 March 2012).

SUMMARY

Cybercrime refers to criminal acts that are committed online using computers and communications networks (for example, the Internet). Cybercrime’s borderless nature calls for coordination and cooperation among law enforcement agencies. The European Cybercrime Centre (EC3), part of Europol and based in the Netherlands, plays a crucial role in disrupting the operations of the criminal gangs who commit cybercrime.

Focus

EC3 targets cybercrimes:

—

committed by organised crime groups, particularly those generating substantial illicit profits such as online fraud;
—

which cause serious harm to their victims, such as online child sexual exploitation; and
—

affecting critical infrastructure and information systems in the EU (including denial of service attacks designed to make targeted websites unusable).
Functions

European cybercrime information focal point: to gather information on cybercrime from a wide range of sources, identify trends and threats and improve intelligence.

Pooling expertise to support EU countries in capacity building: mainly focusing on police and judiciary training.

Operational support to member countries: encouraging the establishment of cross-border joint investigation teams to tackle specific cybercrime issues and the exchange of operational information in ongoing investigations. They will also provide storage, encryption (encoding messages or data to prevent unauthorised access) expertise and other online tools and facilities.

The collective voice of European cybercrime investigators across law enforcement and the judiciary: in discussions with the ICT industry and other private sector companies as well as with the research community, users’ associations and citizens’ groups.

RELATED ACT

European Cybercrime Centre, First year report, February 2014.

Last updated: 18.06.2014

As the internet has become part of our everyday lives, so too the internet user has become vulnerable to criminals often operating on other continents. In light of the rapid increase in cybercrime*, the European Commission, in 2007, prepared the ground for a comprehensive policy to tackle it.

ACT

Communication from the Commission to the European Parliament, the Council and the Committee of the Regions: Towards a general policy on the fight against cyber crime (COM(2007) 267 final of 22.5.2007)

SUMMARY

WHAT DOES THE COMMUNICATION DO?

It sought to present a general policy to better coordinate the fight against cybercrime.

KEY POINTS

Objective and actions

This was to strengthen the fight against cybercrime at national, European and international levels by:

1.
Improved operational law enforcement cooperation by strengthening and clarifying responsibilities between Europol, Eurojust and other structures.

2.
Coordinated and interlinked training programmes for EU countries’ law enforcement and judicial authorities involving Europol, Eurojust, the European Police College and the European Judicial Training Network.

3.
Better political cooperation and coordination between EU countries by creating a permanent EU contact point for information exchange and an EU cybercrime training platform.

4.
Political and legal cooperation withnon-EU countries via the Council of Europe’s 2001 Convention on cybercrime (and its Additional Protocol), the G8 Lyon-Roma High-Tech Crime Group and Interpol-administered projects.

5.
Improved public-private sector dialogue to create mutual confidence and share relevant information.

6.
Standardising EU countries’ legislation and definitions in the area of cybercrime.

7.
Developing measures/indicators of the extent of cybercrime.

8.
Raising awareness of the dangers and costs of cybercrime.

9.
EU research programmes, such as under the Internal Security Fund – Police.

ACHIEVEMENTS

These include:

a directive on combating the sexual exploitation of children online and child pornography;
the EU’s Cybersecurity Strategy (2013);
the establishment of the European Cybercrime Centre (2013);
a directive on attacks against information systems (2013).
For more information see the European Commission’s web pages on cybercrime.

BACKGROUND

Article 68 of the Treaty of the Functioning of the European Union, which came into force in 2009, formally recognised the European Council’s pre-eminent role in lawmaking in the area of home affairs. This allows action against cybercrime to be complemented by EU laws and more wide-ranging initiatives.

KEY TERM

Cybercrimes: criminal acts committed using electronic communications networks and information systems or against such networks and systems.

It may be broken down into 3 forms:

traditional forms of criminal activity, but using the internet to commit crimes (like fraud or forgery). These range from identity theft to ‘phishing’ (where online criminals set up a fake banking website to trick customers into giving them their password or data so as to steal their money). The internet has also transformed international trade in drugs, arms and endangered species;
publication of illegal content, such as material inciting terrorism, violence, racism, xenophobia or child sexual abuse;
crime unique to electronic networks, new and often wide-ranging and large-scale crimes, unknown in the pre-internet age. Here, criminals attack information systems, sometimes threatening critical information infrastructures of the state and thus directly its citizens. These attacks can be via ‘botnets’ (an acronym of ‘robot networks’) where criminals distribute ‘malware’ (malicious software) that, when downloaded, turns a user’s computer into a ‘bot’. A network of such infected computers is then used to commit crimes without their users knowing.
RELATED ACTS

Joint communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions – Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace (JOIN (2013) 1 final of 7 February 2013).

last update 26.05.2015