European Parliament Votes for Tougher Cyber Crime Penalties

The European Parliament supported the directive on attacks against information systems, repealing the Council Framework Decision 2005/222/JHA. Once adopted by the Council, the directive will give the Member States two years to transpose the provisions into domestic law.

The proposal for the new directive on attacks against information systems was introduced by the European Commission in September 2010, and is planned to replace the Council Framework Decision 2055/222/JHA of 24 February 2005 on attacks against information systems. In June 2012, the proposal was sent to the European Parliament for its formal approval, which was obtained in June 2013.

The draft directive aims to harmonise national criminal law provisions concerning attacks against information systems throughout the European Union and to improve cooperation between relevant agencies, including the police and other specialised law enforcement services of the Member States, as well as the competent Union agencies and bodies, such as Eurojust; Europol and its European Cyber Crime Centre; and the European Network and Information Security Agency (ENISA).1 The draft includes several measures for more effective prevention, mitigation and cooperation within the domain.

More severe penalties

Under the new rules, penalties for cyber crime will be more severe. For the majority of the crimes listed in the draft, such as illegally accessing or interfering with information systems, illegally interfering with data, illegally intercepting communications, or intentionally producing and selling tools used to commit these offences, Member States are required to prescribe a maximum penalty that will be at least two years’ imprisonment. For illegal system interference and illegal data interference, when committed intentionally and where a significant number of information systems have been affected, the draft directive proposes that the maximum punishment should be at least three years’ imprisonment. Criminal acts directed against critical infrastructure, or when committed by a criminal organisation, or causing serious damage, may carry a penalty of five years’ imprisonment.

Tackling botnets

The draft directive has earned the nickname of ‘Botnet directive’, due to its aim of introducing criminal penalties for the creation of botnets. The directive defines the use of botnets as ‘the act of establishing remote control over a significant number of computers by infecting them with malicious software through targeted cyber attacks.’2 Since the employment of botnets as part of an attack may inflict serious damage, the draft directive outlines a penalty of at least three years’ imprisonment as a maximum punishment. The text leaves it to Member States to determine what constitutes serious damage in the context of their domestic law and practice.

Eight hours to respond

Article 13 of the draft directive focuses on the exchange of information regarding the offences stated in Articles 3 to 8 of the directive, and requires Member States to identify operational national points of contact and make the contacts available at all times. In order to ensure effective assistance in both technical and legal terms, the draft outlines an eight-hour response time as a rule for Member States in responding to a request, or ‘at least indicating whether the request will be answered, and the form and estimated time of such an answer.’2 The Commission will gather information concerning different points of contact and forward it to the relevant EU and national entities.

In addition to a quick response, Member States will also ensure that there is a system at the national level for the recording, production and provision of statistical data on the offences referred to in Articles 3 to 7 (Article 14).

Liability of legal persons

As one of the measures to combat botnet attacks against information systems in general, Articles 10 and 11 define the liability of legal persons and the sanctions against legal persons, such as firms. Member States need to ensure that legal persons can be held liable for offences defined in Articles 3 to 8 of the draft that are committed for their benefit. Penalties may include criminal or non-criminal fines, such as exclusion from entitlement to public benefits or aid; temporary or permanent disqualification from the practice of commercial activities; or the closure of establishments.

  1. European Parliament, Position of the European Parliament adopted at first reading 4 July 2013 with a view to the adoption of Directive 2013/…/EU of the European Parliament and of the Council on attacks against information systems and replacing Council Framework Decision 2005/222/JHA, July 4, 2013.… []
  2. Ibid. [] []