On 3 September 2013, new EU Directive 2013/40 on attacks against information systems (the "Directive") came into force. The Directive aims to tackle large-scale cyber-attacks by requiring Member States to strengthen national cyber-crime laws and introduce tougher criminal sanctions.
The Directive was initially proposed in 2010 as a replacement to the EU Council Framework Decision 2005/222/JHA (the "Framework Decision"), which criminalised various activities in relation to attacks on information systems. Since the Framework Decision, there have been a number of increasingly sophisticated and high-profile cyber-attacks and the EU Council considered that further regulation was needed.
The Directive retains many of the provisions in the Framework Decision and sets out similar offences in relation to illegal access to information systems and interference with systems and data. However, the Directive introduces new rules that outlaw the use of botnets and malicious software, as well as illegally-obtained passwords. The use of botnets, which are networks of computers infected with malicious software and controlled as a group without the owners' knowledge, is cited by the EU Parliament in the preamble to the Directive as a particular concern.
The new penalties to be imposed by Member States are between two and five years' imprisonment. The Directive provides that penalties should be more severe where an attack against an information system is committed by a criminal organisation, or where such an attack causes significant damage or affects key infrastructure.
In addition to new offences and tougher penalties, the new Directive aims to facilitate the prevention of cyber-crime by improving co-operation between judicial and other competent authorities. Member States will be required to use the existing G8 and Council of Europe structure of 24/7 contact points, with an obligation to answer within eight hours any urgent requests for help. Member States will also need to collect statistics on cyber-attacks, which the European Commission will review to help prevent future attacks.
Member States have until 4 September 2015 to implement the provisions of the Directive into national law. Businesses are likely to welcome a pan-European approach to penalties, and a more aggressive stance in tackling large-scale cyber-attacks.