Migration and Home Affairs

Combating Cybercrime: EU-wide rules against cyber attacks come into force

Friday, 4 September, 2015

Today marks the deadline for the implementation by Member States of EU-wide rules to counter attacks against information systems. Under the new rules, illegal access, system interference or interception constitute criminal offences across the EU. Creators of so-called "botnets", networks of infected computers that criminals can harness for their exploits, face criminal sanctions, as do the authors of other types of malware. The Directive on Attacks against Information Systems also put in place new rules to reinforce swift cooperation between Member States' law enforcement authorities.

The European Agenda on Security lists cybercrime as one of the three top priorities for the current mandate of the European Commission in the field of security. Commissioner Avramopoulos, in charge of Migration and Home Affairs, said: "Cybercriminals violate the fundamental rights of EU citizens and harm our economy. Users have a right to feel safe online, and perpetrators must not feel that they can act with impunity. We need to strengthen the trust in online services that is essential for the Digital Single Market. The implementation of the Directive is a key step towards closer cooperation across the EU."

Cybercrimes create significant costs to the EU economy, which increase with the growing reliance on online services. The concerns of users about online safety have risen in recent years, as the most recent Eurobarometer on Cyber Security shows. The vast majority of Internet users (85%) feel that the risk of becoming a victim of cybercrime is increasing. A clear majority also state that they are concerned that their online personal information is not kept secure by websites (73%). When using the Internet for online banking or shopping, 42% of users are worried about the security of online payments. Because of security concerns, 13% of users say they are less likely to buy goods online and 12% are less likely to bank online.

Rates of victimization have also increased. 14% of Internet users have not been able to access online services because of cyber-attacks, 12% have had their social media or email account hacked, and 16% of Internet users who say they buy online goods or services have experienced online fraud. Across the EU, 8% of Internet users have fallen victim to ransomware, malware that hijacks a device and is only removed against payment of a "fee". 8% say they have been a victim of credit card or banking fraud online, 7% say they have experienced identity theft, and 7% say they have accidentally encountered child pornography online.

The directive enables a more effective response to this threat across the EU by harmonizing criminal rules on attacks against information systems and introducing a new offence of creating tools used for committing offences, such as malware. It also reinforces cooperation between the judiciary and the police of the Member States, introducing the obligation for Member States to make better use of the existing 24/7 network of contact points by treating urgent requests in a specified timeframe.

However, to date, only 10 out of the 28 EU Member States have confirmed they have fully transposed the EU Directive into their national legislation and two countries have reported partial transposition of the directive. Commissioner Avramopoulos said: "I call on all Member States to swiftly adopt the necessary rules, which form the basis for a unified and more effective response to cybercrimes."

The new harmonized rules constitute just one element in the EU's response to this phenomenon. They complement the Directive on child sexual abuse, which also addresses the increasingly prominent online components of these offences. The Commission has also created a dedicated European Cybercrime Centre within Europol to support Member States' law enforcement agencies and coordinate operations. A Global Alliance against Child Sexual Abuse Online, bringing together 54 states around the globe, focuses on a particularly heinous form of cybercrime affecting the youngest and most vulnerable.

Next Steps

Cybercrime continues to figure prominently on the agenda of the Commission. The two flagship strategies, the European Agenda on Security and the Digital Single Market Strategy, highlight the need to better address cyber threats and the EU's commitment to the highest standards of privacy and data protection. Plans for future initiatives include reviewing the applicable legal framework for specific offences such as fraud and counterfeiting of non-cash means of payments; analysing obstacles to criminal investigations on cybercrime, notably on issues of competent jurisdiction and rules on access to evidence and information, with a view to enabling a more effective law enforcement response; and enhancing cyber capacity building action under external assistance instruments.
