European societies are increasingly dependent on electronic networks and information systems. The evolution of information communication technology has also seen the development of criminal activity that threatens citizens, businesses, governments and critical infrastructures alike: cybercrime.
What is cybercrime?
Cybercrime consists of criminal acts that are committed online by using electronic communications networks and information systems. It is a borderless problem that can be classified under three broad definitions:
- Crimes specific to the Internet, such as attacks against information systems or phishing (e.g. fake bank websites to solicit passwords enabling access to victims' bank accounts).
- Online fraud and forgery. Large-scale fraud can be committed online through instruments such as identity theft, phishing, spam and malicious code.
- Illegal online content, including child sexual abuse material, incitement to racial hatred, incitement to terrorist acts and glorification of violence, terrorism, racism and xenophobia.
EU response to Cybercrime
In order to combat cybercrime, the EU has implemented legislation and supported operational cooperation, as part of the EU Cybersecurity Strategy. The Communication "Resilience, Deterrence and Defence: Building strong cybersecurity for the EU" builds on and further develops the EU Cybersecurity Strategy. As outlined in the Communication, the European Commission continues to work on effective EU cyber deterrence, by, among other actions, facilitating cross-border access to electronic evidence for criminal investigations.
Several EU legislative actions contribute to the fight against cybercrime. These include:
- 2013 – A Directive on attacks against information systems, which aims to tackle large-scale cyber-attacks by requiring Member States to strengthen national cybercrime laws and introduce tougher criminal sanctions. In 2017, the Commission published a Report assessing the extent to which Member States have taken the necessary measures to comply with the Directive.
- 2011 – A Directive on combating the sexual exploitation of children online and child pornography, which better addresses new developments in the online environment, such as grooming (offenders posing as children to lure minors for the purpose of sexual abuse).
- 2002 – ePrivacy Directive, whereby providers of electronic communications services must ensure the security of their services and maintain the confidentiality of client information. In 2017, the Commission proposed to repeal the Directive and replace it with a Regulation concerning the respect for private life and the protection of personal data in electronic communications.
- 2001 – Framework Decision on combating fraud and counterfeiting of non-cash means of payment, which defines the fraudulent behaviours that EU States need to consider as punishable criminal offences. On 13 September 2017, the Commission proposed a new Directive that aims to update the current legal framework, remove obstacles to operational cooperation and enhance prevention and victims’ assistance, in order to make law enforcement action against fraud and counterfeiting of non-cash means of payment more effective.
European Cybercrime Centre (EC3)
The European Commission has played a key role in the development of EC3, which started operations in January 2013. EC3 acts as the focal point in the fight against cybercrime in the Union, pooling European cybercrime expertise to support Member States' cybercrime investigations and providing a collective voice of European cybercrime investigators across law enforcement and the judiciary.
- Global Alliance against Child Sexual Abuse Online: The Alliance was launched on 5 December 2012 and is a joint initiative by the EU and the US, gathering 54 countries from around the world to fight child sexual abuse together.
- ENISA: The European Network and Information Security Agency is involved in supporting exchanges of good practices between EU States.