Directive on attacks against information systems



12 August 2013


European Parliament and the Council of the European Union


Directive 2013/40/EU was signed on 12 August and entered into force on 4 September 2013. The Directive, which Member States had to transpose by 4 September 2015, imposes new obligations, tasks and expectations on certain key stakeholders, including CERTs/CSIRTs, law enforcement agencies (LEAs), security specialists and telecommunications service providers. These relate mainly to the operation of the existing 24/7 contact points (introducing a response-deadline obligation), to improving criminal justice and police cooperation, and to an obligation to strengthen the collection of statistical data in support of accountability and rational policy making.

With respect to criminal law, the Directive criminalises the production, sale, procurement for use, import or distribution of certain tools used to commit the offences, and introduces the notion of 'illegal interception'. It raises the level of criminal penalties to a maximum term of imprisonment of at least two years. Instigation, aiding, abetting and attempt of those offences are also penalised.

The Directive also introduces new and harmonised rules on certain aggravating circumstances, which raise the maximum term of imprisonment to at least five years. These aggravating circumstances cover offences committed within the framework of a criminal organisation, offences causing serious damage, and offences targeting a critical infrastructure information system. A further aggravating circumstance is introduced for offences committed by misusing the personal data of another person with the aim of gaining the trust of a third party. Finally, a new substantive criminalisation is introduced in relation to botnets.

The Directive also aims to improve European criminal justice/police cooperation by:

  • strengthening the existing structure of 24/7 contact points, including an obligation to respond to urgent requests within eight hours (at least by indicating whether the request will be answered, and in what form and within what estimated time);
  • introducing an obligation to collect basic statistical data on cybercrimes.