EU Council takes action against attacks on information systems

16 August 2005

Peter Van de Velde

Background and objectives

On 24 February 2005, the Council of the European Union adopted Framework Decision 2005/222/JHA on attacks against information systems (hereafter “the Framework Decision”)[1]. This decision is a new step in the EU’s fight against cyber crime. The deadline for implementation of the Framework Decision into national law is 16 March 2007.

Framework decisions were introduced by the 1997 Amsterdam Treaty. Under Article 34 of the amended Treaty on European Union, the Council may, by unanimous decision, adopt a framework decision for the purpose of the approximation of the laws of Member States. Although framework decisions are stated to be binding upon Member States as to the result to be achieved, Member States are given the choice as to the form and methods employed to achieve that result, and framework decisions are stated not to have direct effect.

Network and information security belongs to the core of the European Commission’s policy regarding the information society (cf. also the eEurope 2005 Action Plan and the creation in 2004 of the European Network and Information Security Agency (ENISA)). Tackling cyber crime is also an issue under the EU’s “third pillar”, i.e. co-operation between Member States in the field of justice and home affairs. Computer-related crime may indeed originate from criminal or even terrorist organisations. Attacks on information systems are often trans-border in nature, because information systems themselves are becoming more and more borderless. However, gaps and differences in the laws of the Member States may hamper the fight against trans-national cyber crime and may complicate efficient law enforcement.

The Framework Decision has been in the pipeline since April 2002. It has two main objectives: (i) creating a common set of legal definitions and criminal offences across the EU and (ii) improving the effective prosecution of offenders by setting out minimum rules with regard to penalties, as well as rules with regard to judicial co-operation between Member States.

The Framework Decision aims to combat relatively new forms of crime such as hacking, spreading computer viruses and other malicious code, organising “denial of service” (DoS) attacks, website defacement, etc. It is “technology neutral” and uses terms such as “information system” (which can include electronic networks, computers and other (portable) devices connected to networks, such as mobile phones, PDAs, etc.) and “computer data”, i.e. data and programmes suitable for processing in an information system or suitable for causing an information system to perform functions.

Criminal offences and penalties

The Framework Decision basically covers three types of criminal offences: (i) illegal access to information systems, (ii) illegal system interference and (iii) illegal data interference. Member States need to take the necessary measures to ensure that these offences are punishable, provided that they are committed “intentionally” and “without right”. The use of the word “intentional” in the Framework Decision is important. Some Member States currently do not require certain computer-related offences to be committed “intentionally” in order to be punishable; e.g. Belgian law currently makes a distinction between “internal” hacking, which is punishable when committed “with a fraudulent intention or an intention to harm”, and “external” hacking, which is already punishable when committed “knowingly”.

Reference can be made here to the Convention on Cyber Crime of the Council of Europe of 23 November 2001 (hereafter “the Convention”)[2]: this international treaty also requires that offences against the confidentiality, integrity and availability of data and systems must be committed “intentionally” in order to be punishable. The Convention was signed by all EU Member States. Certain countries, such as Belgium, are currently in the process of implementing the Convention into their national law. In Belgium, a draft law is pending before Parliament adapting the existing Belgian law on cyber crime of 28 November 2000[3] to the provisions of the Convention.

With regard to illegal access to information systems, the Framework Decision provides that Member States may decide that this offence will only be committed when the access is obtained “by infringing a security measure”. This is, at present, not the case in all Member States; e.g. Belgium punishes any illegal access to an information system, regardless of whether or not a security measure was infringed.

Illegal system interference shall be made punishable as a criminal offence in cases of intentional serious hindering or interruption of the functioning of an information system by inputting, transmitting, damaging, deleting, deteriorating, altering, suppressing or rendering inaccessible computer data, when committed without right. Illegal data interference shall be made punishable as a criminal offence in cases of intentional deleting, damaging, deterioration, alteration, suppression or rendering inaccessible of computer data on an information system, when committed without right. Member States also need to ensure that instigation, aiding and abetting, and attempting any of the above are made punishable.

It is important to note that the Framework Decision explicitly seeks to strike a balance between punishing acts that are harmful to information systems and “over-criminalisation”, i.e. criminalising “minor” offences or criminalising right-holders and authorised persons.

Furthermore, the Framework Decision provides that criminal penalties should be “effective, proportional and dissuasive”. It requires Member States to have available a maximum penalty of at least between 1 and 3 years of imprisonment for illegal system or data interference, and a maximum penalty of between 2 and 5 years where aggravating circumstances apply, e.g. when the offence was committed within the framework of a criminal organisation, has caused serious damage or has affected essential interests.

Liability of legal persons

The Framework Decision also addresses the issue of the liability of legal persons for acts of cyber crime. The Member States need to ensure that legal persons can be held liable for computer-related crime that was committed for their benefit by any person with a leading position within the legal person, or by any other person under its authority where the offence was the result of a lack of supervision or control by the relevant leading persons.

Liability of a legal person shall however not exclude criminal proceedings against the natural persons who were involved as perpetrators, instigators or accessories in the commission of the offences.

The Member States should ensure that legal persons are also punishable by “effective, proportionate and dissuasive penalties”. These shall include criminal or non-criminal fines, but may also consist of other measures, such as a temporary or permanent disqualification from the practice of commercial activities or an exclusion from entitlement to public aid.

Establishment of jurisdiction

Finally, it is important to note that the Framework Decision contains guidance on the establishment of jurisdiction between Member States in case of cross-border cyber crime.

A Member State will have jurisdiction: (i) where the offence has been committed in all or in part within its territory, (ii) where it has been committed by one of its nationals, or (iii) where it has been committed for the benefit of a legal person that has its head office in that Member State. Jurisdiction of a Member State shall include cases where the offender commits the offence while physically present on the Member State’s territory (whether or not the offence is directed against an information system on that territory), or where the offence is committed against an information system on the Member State’s territory (whether or not the offender is physically present on that territory). A Member State may decide not to apply the aforementioned jurisdiction rules, or to apply them only in specific cases or circumstances, except for the rule that it shall establish jurisdiction where the offence has been committed in all or in part within its territory.

Where an offence would fall under the jurisdiction of more than one Member State and any of the Member States concerned can validly prosecute on the basis of the same facts, the Member States shall co-operate and decide which of them will prosecute the offenders, with the aim, if possible, of centralising proceedings in one Member State.

Implementation deadline

As well as implementing the Framework Decision into national law by 16 March 2007, most of the EU Member States also still need to ratify the Convention, which officially entered into force on 1 July 2004 after it obtained its first five ratifications. Apart from the 44 Member States of the Council of Europe, the Convention is also open to ratification by the US, Canada, Japan and South Africa.

[1] O.J., L69/67 of 16 March 2005.

[3] Moniteur belge, 3 February 2001.