Protecting Information Systems [EU]
Information Systems Offences
Directive 2013/40/EU introduces new rules harmonising the criminalisation and penalisation of a number of offences directed against information systems. The rules include outlawing the use of so-called botnets, networks of infected computers that malicious software has placed under remote control.
The types of criminal offence covered by the Directive include attacks against information systems, ranging from denial of service attacks designed to bring down a server to interception of data and botnet attacks.
The Directive requires approximation of criminal law systems between States and the enhancement of cooperation between judicial authorities concerning:
- illegal access to information systems,
- illegal system interference,
- illegal data interference,
- illegal interception.
An act must be intentional in order to be criminal. Instigating, aiding and abetting any of the above offences are also punishable, as is attempting to commit illegal system interference or illegal data interference.
EU restrictive measures against cyber-attacks
SUMMARY OF:
Decision (CFSP) 2019/797 — restrictive measures against cyber-attacks threatening the EU or its Member States
Regulation (EU) 2019/796 — restrictive measures against cyber-attacks threatening the EU or its Member States
WHAT ARE THE AIMS OF THE DECISION AND THE REGULATION?
They introduce a framework which allows the EU to impose sanctions to deter and respond to cyber-attacks* constituting an external threat to the EU or to EU countries. These cyber-attacks include those against non-EU countries or international organisations where action is considered necessary to achieve the EU’s common foreign and security policy objectives.
KEY POINTS
Sanctions for listed persons and entities
This framework allows the EU to impose sanctions on persons or entities responsible for cyber-attacks or attempted cyber-attacks, on those who provide financial, technical or material support for such attacks, and on those who are involved in other ways. Sanctions may also be imposed on persons or entities associated with them. Restrictive measures include bans on persons travelling to the EU, and asset freezing.
Persons subject to such sanctions will be listed in Annex I of the decision, as identified by the Council; all funds and economic resources belonging to, owned, held or controlled by any natural or legal person, entity or body listed in Annex I will be frozen.
EU countries are responsible for setting out rules on penalties for infringements.
Cyber-attacks
The cyber-attacks falling within the scope of this new sanctions regime are those which have significant impact and which:
originate or are carried out from outside the EU; or
use infrastructure outside the EU; or
are carried out by persons or entities established or operating outside the EU; or
are carried out with the support of persons or entities operating outside the EU.
Cyber-attacks which are a threat to EU countries include those affecting information systems relating to:
critical infrastructure essential to the vital functions of society, or citizens’ health, safety, security, and economic or social well-being;
services necessary for essential social and economic activities, in particular energy, transport, banking, finance, healthcare, drinking water and digital infrastructure;
critical state functions, in particular defence, the governance and functioning of institutions, public elections, economic and civil infrastructure, internal security, and external relations, including diplomatic missions;
the storage or processing of classified information; or
government emergency response teams.
FROM WHEN DO THE DECISION AND THE REGULATION APPLY?
They have applied since 18 May 2019.
BACKGROUND
A joint communication issued in June 2018 pointed out that activities by state and non-state actors, ranging from cyber-attacks disrupting the economy and public services, through targeted disinformation campaigns, to hostile military actions, continue to pose a serious and acute threat to the EU and to EU countries. It identified areas where action should be intensified to further deepen and strengthen the EU contribution to addressing these threats, and called upon EU countries and the Commission to ensure swift follow-up.
In October 2018, in the wake of the cyber-attacks on the Organisation for the Prohibition of Chemical Weapons, the European Council adopted conclusions calling for measures to be drawn up to further strengthen the EU’s deterrence, resilience and response to hybrid, cyber, as well as chemical, biological, radiological and nuclear threats. The Council was called upon to devise a sanctions regime specific to cyber-attacks.
See also:
Resilience, Deterrence and Defence: Building strong cybersecurity in Europe (European Commission)
Reform of cybersecurity in Europe (European Council and Council of the European Union)
Cyber-attacks: Council is now able to impose sanctions — Press release (European Council and Council of the European Union).
KEY TERMS
Cyber-attacks: unauthorised actions involving access to and interference with information systems, data interference or data interception.
MAIN DOCUMENTS
Council Decision (CFSP) 2019/797 of 17 May 2019 concerning restrictive measures against cyber-attacks threatening the Union or its Member States (OJ L 129I, 17.5.2019, pp. 13-19)
Council Regulation (EU) 2019/796 of 17 May 2019 concerning restrictive measures against cyber-attacks threatening the Union or its Member States (OJ L 129I, 17.5.2019, pp. 1-12)
RELATED DOCUMENTS
Joint communication to the European Parliament, the European Council and the Council — Increasing resilience and bolstering capabilities to address hybrid threats (JOIN(2018) 16 final, 13.6.2018)
Cybersecurity of network and information systems
SUMMARY OF:
Directive (EU) 2016/1148 — measures for a high common level of security of network and information systems across the EU
WHAT IS THE AIM OF THE DIRECTIVE?
It lays down a wide-ranging set of measures to boost the level of security of network and information systems (cybersecurity*) in order to secure services vital to the EU economy and society. It aims to ensure that EU countries are well-prepared and ready to handle and respond to cyberattacks through:
the designation of competent authorities,
the set-up of computer-security incident response teams (CSIRTs), and
the adoption of national cybersecurity strategies.
It also establishes EU-level cooperation both at strategic and technical level.
Lastly, it obliges providers of essential services (the directive’s term is ‘operators of essential services’) and digital service providers to take appropriate security measures and to notify the relevant national authorities of serious incidents.
KEY POINTS
Improving national cybersecurity capabilities
EU countries must:
designate one or more national competent authorities and CSIRTs and identify a single point of contact (in case there is more than one competent authority);
identify providers of essential services in critical sectors such as energy, transport, finance, banking, health, water and digital infrastructure where a cyberattack could disrupt an essential service.
EU countries must also put in place a national cybersecurity strategy for network and information systems*, covering the following issues:
being prepared and ready to handle and respond to cyberattacks;
roles, responsibilities and cooperation of government and other parties;
education, awareness-raising and training programmes;
research and development planning;
planning to identify risks.
The national competent authorities monitor the application of the directive by:
assessing the cybersecurity and security policies of providers of essential services;
supervising digital service providers;
participating in the work of the cooperation group (comprising network and information security (NIS) competent authorities from each of the EU countries, the European Commission and the European Union Agency for Network and Information Security (ENISA));
informing the public where necessary to prevent an incident or to deal with an ongoing incident, while respecting confidentiality;
issuing binding instructions to remedy cybersecurity deficiencies.
The CSIRTs are responsible for:
monitoring and responding to cybersecurity incidents;
providing risk analysis and incident analysis and situational awareness;
participating in the CSIRTs network;
cooperating with the private sector;
promoting the use of standardised practices for incident and risk-handling and information classification.
Security and notification requirements
The directive aims to promote a culture of risk management. Businesses operating in key sectors must assess the risks they face and adopt appropriate measures to manage them. They must notify the competent authority or CSIRT, without undue delay, of any relevant incident, such as a successful intrusion or theft of data, that seriously compromises cybersecurity and has a significant disruptive effect on the continuity of critical services and the supply of goods.
To determine incidents to be notified by providers of essential services*, EU countries should take into account an incident’s duration and geographical spread, as well as other factors, such as the number of users relying on that service.
Key digital service providers (search engines, cloud computing services and online marketplaces) will also have to comply with the security and notification requirements.
Improving EU-level cooperation
The directive sets up the cooperation group whose tasks include:
providing guidance to the CSIRTs network;
exchanging best practice on the identification of providers of essential services;
assisting EU countries in building cybersecurity capabilities;
sharing information and best practice on awareness-raising and training, research and development;
sharing information and collecting best practice on risks and incidents;
discussing modalities of incident notification.
It also sets up the CSIRTs network, comprising representatives of EU countries’ CSIRTs and the Computer Emergency Response Team for the EU institutions (CERT-EU). Its tasks include:
sharing information on CSIRT services;
sharing information concerning cybersecurity incidents;
supporting EU countries in the response to cross-border incidents;
discussing and identifying a coordinated response to an incident reported by an EU country;
discussing, exploring and identifying further forms of operational cooperation, including:
categories of risks and incidents;
early warnings;
mutual assistance;
coordination between countries responding to risks and incidents which affect more than one EU country;
informing the cooperation group of its activities and requesting guidance;
discussing lessons learnt from cybersecurity exercises;
discussing the capabilities of individual CSIRTs at their request;
issuing guidelines on operational cooperation.
Penalties
EU countries must apply effective, proportionate and dissuasive penalties to ensure that the terms of this directive are applied.
FROM WHEN DOES THE DIRECTIVE APPLY?
It has applied since 8 August 2016. EU countries had to incorporate it into national law by 9 May 2018 and identify providers of essential services by 9 November 2018.
BACKGROUND
Cybersecurity (European Commission)
Cybersecurity: The Commission scales up its response to cyber attacks — press release (European Commission)
Directive on Security of Network and Information Systems — press release (European Commission)
Resilience, Deterrence and Defence: Building strong cybersecurity in Europe — factsheet (European Commission).
KEY TERMS
Cybersecurity: the ability of network and information systems to resist action that compromises the availability, authenticity, integrity or confidentiality of digital data or the services those systems provide.
Network and information system: an electronic communications network, or any device or group of interconnected devices which process digital data, as well as the digital data stored, processed, retrieved or transmitted.
Essential services: services that play an important role for society and the economy, for example water supply or electricity, whether provided by private businesses or public entities.
MAIN DOCUMENT
Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (OJ L 194, 19.7.2016, pp. 1-30)
RELATED DOCUMENTS
Commission Implementing Regulation (EU) 2018/151 of 30 January 2018 laying down rules for application of Directive (EU) 2016/1148 of the European Parliament and of the Council as regards further specification of the elements to be taken into account by digital service providers for managing the risks posed to the security of network and information systems and of the parameters for determining whether an incident has a substantial impact (OJ L 26, 31.1.2018, pp. 48-51)
Commission Implementing Decision (EU) 2017/179 of 1 February 2017 laying down procedural arrangements necessary for the functioning of the Cooperation Group pursuant to Article 11(5) of the Directive (EU) 2016/1148 of the European Parliament and of the Council concerning measures for a high common level of security of network and information systems across the Union (OJ L 28, 2.2.2017, pp. 73-77)
Communication from the Commission to the European Parliament and the Council: Making the most of NIS – towards the effective implementation of Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (COM(2017) 476 final 2, 4.10.2017)
Commission Recommendation (EU) 2017/1584 of 13 September 2017 on coordinated response to large-scale cybersecurity incidents and crises (OJ L 239, 19.9.2017, pp. 36-58)
Joint communication to the European Parliament and the Council — Resilience, Deterrence and Defence: Building strong cybersecurity for the EU (JOIN(2017) 450 final, 13.9.2017)
Commission staff working document — Assessment of the EU 2013 cybersecurity strategy (SWD(2017) 295 final, 13.9.2017)
Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (OJ L 257, 28.8.2014, pp. 73-114)
Council Decision 2013/488/EU of 23 September 2013 on the security rules for protecting EU classified information (OJ L 274, 15.10.2013, pp. 1-50).
Successive amendments to Decision 2013/488/EU have been incorporated into the original document. This consolidated version is of documentary value only.
Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on attacks against information systems and replacing Council Framework Decision 2005/222/JHA (OJ L 218, 14.8.2013, pp. 8-14)
Regulation (EU) No 526/2013 of the European Parliament and of the Council of 21 May 2013 concerning the European Union Agency for Network and Information Security (ENISA) and repealing Regulation (EC) No 460/2004 (OJ L 165, 18.6.2013, pp. 41-58)
Joint communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions — Cybersecurity Strategy of the European Union: An open, Safe and Secure Cyberspace (JOIN(2013) 1 final, 7.2.2013)
European Cybercrime Centre at Europol
European societies are increasingly dependent on electronic networks and information systems. The evolution of information and communication technology (ICT) has also seen the development of criminal activity that threatens citizens, businesses, governments and critical infrastructures alike. To help fight it, in 2013 the European Union set up the European Cybercrime Centre (EC3) as part of Europol.
ACT
Communication from the Commission to the Council and the European Parliament: Tackling crime in our digital age: establishing a European Cybercrime Centre (COM(2012) 140 final of 28 March 2012).
SUMMARY
Cybercrime refers to criminal acts that are committed online using computers and communications networks (for example, the Internet). Cybercrime’s borderless nature calls for coordination and cooperation among law enforcement agencies. The European Cybercrime Centre (EC3), part of Europol and based in the Netherlands, plays a crucial role in disrupting the operations of the criminal gangs who commit cybercrime.
Focus
EC3 targets cybercrimes:
— committed by organised crime groups, particularly those generating substantial illicit profits such as online fraud;
— which cause serious harm to their victims, such as online child sexual exploitation; and
— affecting critical infrastructure and information systems in the EU (including denial of service attacks designed to make targeted websites unusable).
Functions
1. European cybercrime information focal point: to gather information on cybercrime from a wide range of sources, identify trends and threats and improve intelligence.
2. Pooling expertise to support EU countries in capacity building: mainly focusing on police and judiciary training.
3. Operational support to member countries: encouraging the establishment of cross-border joint investigation teams to tackle specific cybercrime issues and the exchange of operational information in ongoing investigations. EC3 will also provide storage, expertise in encryption (encoding messages or data to prevent unauthorised access) and other online tools and facilities.
4. The collective voice of European cybercrime investigators across law enforcement and the judiciary: in discussions with the ICT industry and other private sector companies as well as with the research community, users’ associations and citizens’ groups.
RELATED ACT
European Cybercrime Centre, First year report, February 2014.
Last updated: 18.06.2014
Communication
Communication from the Commission to the European Parliament, the Council and the Committee of the Regions: Towards a general policy on the fight against cyber crime (COM(2007) 267 final of 22.5.2007)
SUMMARY
WHAT DOES THE COMMUNICATION DO?
It sought to present a general policy to better coordinate the fight against cybercrime.
KEY POINTS
Objective and actions
This was to strengthen the fight against cybercrime at national, European and international levels by:
1. Improved operational law enforcement cooperation by strengthening and clarifying responsibilities between Europol, Eurojust and other structures.
2. Coordinated and interlinked training programmes for EU countries’ law enforcement and judicial authorities involving Europol, Eurojust, the European Police College and the European Judicial Training Network.
3. Better political cooperation and coordination between EU countries by creating a permanent EU contact point for information exchange and an EU cybercrime training platform.
4. Political and legal cooperation with non-EU countries via the Council of Europe’s 2001 Convention on Cybercrime (and its Additional Protocol), the G8 Lyon-Roma High-Tech Crime Group and Interpol-administered projects.
5. Improved public-private sector dialogue to create mutual confidence and share relevant information.
6. Standardising EU countries’ legislation and definitions in the area of cybercrime.
7. Developing measures/indicators of the extent of cybercrime.
8. Raising awareness of the dangers and costs of cybercrime.
9. EU research programmes, such as under the Internal Security Fund – Police.
ACHIEVEMENTS
These include:
a directive on combating the sexual exploitation of children online and child pornography;
the EU’s Cybersecurity Strategy (2013);
the establishment of the European Cybercrime Centre (2013);
a directive on attacks against information systems (2013).
For more information see the European Commission’s web pages on cybercrime.
BACKGROUND
Article 68 of the Treaty on the Functioning of the European Union, which came into force in 2009, gives the European Council the task of defining the strategic guidelines for legislative and operational planning in the area of freedom, security and justice, which includes home affairs. This allows action against cybercrime to be complemented by EU laws and more wide-ranging initiatives.
KEY TERM
Cybercrimes: criminal acts committed using electronic communications networks and information systems or against such networks and systems.
It may be broken down into 3 forms:
traditional forms of criminal activity, but using the internet to commit crimes (like fraud or forgery). These range from identity theft to ‘phishing’ (where online criminals set up a fake banking website to trick customers into giving them their password or data so as to steal their money). The internet has also transformed international trade in drugs, arms and endangered species;
publication of illegal content, such as material inciting terrorism, violence, racism, xenophobia or child sexual abuse;
crime unique to electronic networks: new and often wide-ranging and large-scale crimes, unknown in the pre-internet age. Here, criminals attack information systems, sometimes threatening critical information infrastructures of the state and thus directly its citizens. These attacks can be via ‘botnets’ (a contraction of ‘robot networks’), where criminals distribute ‘malware’ (malicious software) that, when downloaded, turns a user’s computer into a ‘bot’. A network of such infected computers is then used to commit crimes without their users knowing.
RELATED ACTS
Joint communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions – Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace (JOIN (2013) 1 final of 7 February 2013).