Action 29: Combat cyber-attacks against information systems

The action aims at presenting measures, including legislative initiatives, to combat cyber-attacks against information systems by 2010, and related rules on jurisdiction in cyberspace at European and international levels by 2013.

The Directive on attacks against Information Systems was adopted by the European Council on 22 July 2013.

What is the problem? Cyber-attacks have dramatically increased in Europe

In recent years, the number of cyber-attacks against information systems has risen dramatically in Europe and around the world. Previously unknown large-scale threats to the information systems of companies, banks, and the public sector have been observed in the Member States and other countries. A particular concern was raised by the spread of malicious software creating 'botnets' - networks of infected computers that can be remotely controlled to stage large-scale, coordinated attacks.

Why is EU action required? There is no consistent EU-wide legal and security approach to counter cyber-attacks

This Directive requires Member States to amend their criminal laws regarding attacks against information systems in order to respond to the evolving threat. Ensuring consistent EU-wide penalisation of illegal access, system interference and data interference will strengthen the protection of personal data by reducing the ability of cybercriminals to abuse victims' rights with impunity. EU law enforcement authorities will therefore be provided with enhanced tools to fight cybercrime.

The Directive will include provisions on the use of specific software ('botnets') as a method of committing cybercrimes, making such use a criminal offence and increasing the maximum penalty for offenders.

The Directive calls for Member States to ensure that they have an operational national contact point for the purpose of exchanging information and responding to urgent requests for assistance from other Member States, and also to implement a system for gathering statistical data on cyber-attacks.

The initiative is expected to have a positive economic impact, as the current costs to businesses of countering cyber-attacks and repairing post-attack damage are considerable.

What has been done so far?

The Directive on attacks against Information Systems was adopted by the European Council on 22 July 2013 and published in the Official Journal on 12 August 2013.

What will the Commission do next?

In 2014:

  • Work with the stakeholders to understand the implications of the Directive and ensure a smooth transition across the EU.

In 2015:

  • Ensure implementation of the Directive by September 2015 and continue to monitor cyber-threats.

Progress Report

Status: Completed

Gustav Kalbe