RSS
Alphabetical index
This page is available in 15 languages
New languages available:  CS - HU - PL - RO

We are migrating the content of this website during the first semester of 2014 into the new EUR-Lex web-portal. We apologise if some content is out of date before the migration. We will publish all updates and corrections in the new version of the portal.

Do you have any questions? Contact us.


Attacks against information systems

This framework decision aims to fight cybercrime and promote information security. In light of this new form of transnational crime, the main aim of this Framework Decision is to enhance cooperation between judicial and other competent authorities through approximating rules on criminal law in the area of attacks against information systems.

ACT

Council Framework Decision 2005/222/JHA of 24 February 2005 on attacks against information systems.

SUMMARY

The main types of criminal offences covered by this Framework Decision are attacks against information systems * such as piracy, viruses and denial of service attacks.

This new criminal activity, which knows no borders, can be preve nted and combated by:

  • enhancing the security of information infrastructures; and
  • giving law enforcement authorities the means to act.

To this end, the present Framework Decision proposes the approximation of criminal law systems and the enhancement of cooperation between judicial authorities concerning:

  • illegal access to information systems;
  • illegal system interference;
  • illegal data interference.

In all cases, the criminal act must be intentional.

Instigating, aiding, abetting and attempting to commit any of the above offences will also be liable to punishment.

The Member States will have to make provision for such offences to be punished by effective, proportionate and dissuasive criminal penalties.

Where an offence is committed in the context of a criminal organisation within the meaning of Joint Action 98/733/JHA, causes substantial loss or affects essential interests, this will be considered an aggravating circumstance. On the other hand, where an offence causes only minor damage, the competent judicial authority may reduce the penalty.

The framework decision proposes criteria for determining the liability of legal persons * and sets out sanctions that may apply if they are found liable (temporary or permanent disqualification from activity, court winding-up order, loss of public benefits, etc.).

Each Member State will have jurisdiction for offences committed on its territory or by one of its nationals. Where several Member States have jurisdiction over an offence, they must cooperate to decide which State will conduct proceedings against the author of said offence.

The Member States will exchange all information intended to enhance cooperation. Notably, operational points of contact available twenty-four hours a day and seven days a week within each Member State shall be appointed.

Member States must inform the General Secretariat of the Council and the Commission of their appointed points of contact and of any other measures adopted to comply with the Framework Decision.

Context

At the Tampere European Council in October 1999, the need to approximate provisions concerning offences and sentencing in the area of cybercrime was recognised and reaffirmed in a Communication entitled: “Creating a Safer Information Society by Improving the Security of Information Infrastructures and Combating Computer-related Crime”.

The present Framework Decision forms a part of the information society and of the eEurope Action Plan in general.

This Framework Decision also aims to complement and develop activities carried out at the international level, such as the work of the G8 and the Council of Europe Convention on cybercrime.

Key Terms used in the Act

  • Information Systems: any device or group of inter-connected or related devices which performs automatic processing of computer data, as well as computer data stored, processed, retrieved or transmitted by them for the purposes of their operation, use, protection and maintenance.
  • Legal Person: any entity having such status under the applicable law, except for States or other public bodies in the exercise of State authority and for public international organisations.

REFERENCES

Act Entry into force Deadline for transposition in the Member States Official Journal
Framework Decision 2005/222/JHA 16.3.2005 16.3.2007 OJ L 69 of 16.3.2005

RELATED ACTS

Commission Report to the Council on Article 12 of the Council Framework Decision of 24 February 2005 on attacks against information systems [COM(2008) 448 final – Not published in the Official Journal].

The Commission finds that transposition of the Framework Decision is not yet complete in Member States. Notable progress has been made in the twenty Member States evaluated in the present Report. Despite widely divergent application methods, a relatively satisfying degree of implementation has been achieved. The Commission invites the seven Member States that had still not announced measures to transpose the Framework Decision into national law in early July 2008 to rectify this situation as quickly as possible It also asks Member States to review their legislation to better suppress attacks against information systems.
In light of the evolution of cybercrime, the Commission considers taking new measures following the adoption of the Framework Decision to combat the use of botnets for criminal purposes and to promote the use of the same contact points used by the Council of Europe and the G8 to react rapidly to threats involving advanced technology.

Last updated: 23.08.2008
Legal notice | About this site | Search | Contact | Top