New EU Commission Initiative against Cyber Attacks

by Heidi on October 11th, 2010 in Law Enforcement and Legal Action.

As a response to the everyday increasing level of cyber attacks the EU Commission has presented, on September 30, 2010, a proposal for a new EU Directive on attacks against information systems.  During the last few years, there have been several cyber attacks towards governmental institutions within certain EU Member States and since the IT systems of the French respectively the German army and the UK Defence Ministry were infected by the Conficker botnet in 2009 there has been an increased pressure on the EU Commission to ensure that appropriate measures are taken to prevent further cyber attacks. The EU Commission has also raised concerns about the Stuxnet botnet and the possibility to gain remote control of industrial targets such as power plants, pipelines and factories.  


The overall aim with the proposed Directive is to strengthen and modernize the already existing rules of the Framework Decision on attacks against information systems (2205/222/HJA), adopted in 2005. The aim with the Framework Decision was to approximate the laws of the EU Member States to ensure that certain activities against information systems, such as hacking, viruses and denial of service attacks, were criminalized. However, new threats have emerged since 2005 and the Commission is, among other things, concerned about the increased frequency of botnets, where malicious software is being used to hijack a huge number of computers which can thereafter be remotely controlled and used for cyber attacks. The proposed Directive would retain the current provisions in the Framework Decision relating to penalization of illegal access, illegal system interference and illegal data interference and would also implement new rules for the penalization of the use of tools (such as e.g. malicious software or unrightfully obtained passwords) for committing cyber attacks as well as the illegal interception of information systems. The maximum term of imprisonment is proposed to be at least five years (compared to two years as previously proposed by the Framework Decision). The new Directive further proposes certain activities for enhanced cooperation between the police and law enforcement agencies on the EU level. If adopted, the Directive would repeal the Framework Decision and the EU Member States would be obliged to transpose the Directive into national legislation within two years from its adoption.


The proposed Directive has been complemented with a proposal for an EU Regulation with the aim of strengthening and modernizing the European Network and Information Security Agency (“ENISA”). ENISA was created in 2004 and its current mandate expires in 2012. In order to coordinate EU’s activities against cyber threats, the mandate of ENISA is proposed to be prolonged with five years.  ENISA will continue its work to enhance the security and privacy on the internet and to engage Member States and private sector stakeholders in joint activities against cyber threats on the EU level.


All initiatives to prevent cyber crimes are welcome. The problem is the unwieldy legislative process. The adoption of new approximated laws for the EU Member States takes several years, whereas new cyber threats emerge by the hour. Cyber criminals will always be one step ahead of the legislator. Thus, once the new EU Directive is adopted, whether in current or modified format, new cyber threats will have emerged that may not be covered by the at that time brand new legislation. This should not in any way imply that the laws against cyber crimes are inutile - in order to keep the internet reasonably safe the legislator must make every effort to ensure that the perpetrators are prosecuted and properly punished. However, the constant evolution of questionable activities on the internet calls for flexible legislative tools that criminalize certain effects rather than certain well defined behaviors. All recent communication relating to this EU Directive is focused on the emerging threats of botnets, so one must hope that the legislator has not focused on botnets only but has made an effort to create a flexible legislative instrument with the aim of preventing all types of foreseeable cyber crimes.