Directive 2013/40/EU transposition deadline

Today is the deadline for transposition into national law of the Directive on attacks against information systems (the “Directive“), which came into force on 24 August 2013. This Directive forms part of the EU’s continuing efforts to keep pace in its fight against the ever evolving nature of cybercrime, and in particular, the increasingly sophisticated and large-scale forms of attack against information systems. It updated (and replaced) minimum rules, established by the Council Framework Decision 2005/222/JHA (the “Framework Decision”), relating to the definition of relevant criminal offences and sanctions across Member States and the improved cooperation between competent authorities.

In summary

The Directive re-enacted many of the provisions in the Framework Decision and integrated elements of the Cybercrime Convention 2001. There are four main substantive offences (together, the “Substantive Offences”) of:

  1. illegal access to information systems;
  2. illegal system interference;
  3. illegal data interference; and
  4. illegal interception.

The Directive required Member States to make it a criminal offence to intentionally produce, sell, procure for use, import, distribution or otherwise make available, certain tools intended for use in the commission of the Substantive Offences. The Directive’s recitals single out “botnet attacks”, where a significant number of information systems have been affected through the use of certain tools (e.g. a computer programme, designed for the purpose of committing a Substantive Offence).

The Directive also required that cases involving offences committed within the framework of a criminal organisation, cause serious damage, or are committed against a critical infrastructure information system should carry a maximum penalty of at least 5 years’ imprisonment. The misuse of the personal data of another person with the aim of gaining the trust of a third party, thereby causing prejudice to the rightful identity owner (identity theft), should also be treated as an aggravating circumstance.

In terms of increased cooperation between competent authorities, new provisions required Member States to be able to respond to urgent information requests with a response time of no more than eight hours, and to monitor and record statistical data and report on cybercrime offences and criminal convictions.


By and large most Member States had already brought their national criminal regimes into line with both the Framework Decision and the Cybercrime Convention. Accordingly, relatively few legislative changes were required to be ready for today’s transposition deadline.

The UK, for example, introduced a small number of changes through the Serious Crime Act 2015 (the “SCA“) amending provisions of the Computer Misuse Act 1990 (the “CMA“), which came into force on 5 May 2015. These are summarised in the table below:

Click here to view table.

Section 41 of the Serious Crime Act 2015 also created a new offence of undertaking unauthorised acts (knowing them to be unauthorised) intentionally or recklessly causing, or creating risk of serious damage of a material kind. The government considered that (even though it carried a maximum penalty of 10 years (more than twice that prescribed by the Directive) the penalty for the pre-existing offence under section 3 of the CMA was not adequate to deal with cases of serious damage, for example to critical national infrastructure. The maximum penalty for this new offence is life imprisonment for cases involving threat to life, loss of life or damage to national security, and in respect of damage to the economy or environment, 14 years’ imprisonment.

Next steps

The transposition of the Directive into national law is the next step in the EU’s continuing effort to streamline and enhance the European rules to combat cybercrime. It is particularly welcome, given the delay in the adoption of the proposal for a directive concerning measures to ensure a high common level of network and information security across the Union (2013/0027 (COD)).

Under the Directive, the European Commission must submit a report to the European Parliament and the Council by 4 September 2017. The report will assess the extent to which Member States have taken the necessary measures to comply with the Directive, and will be accompanied, if necessary, by legislative proposals.