Documents considered by the Committee on 3 November 2010, including the following recommendations for debate: Financial Management - European Scrutiny Committee

6 Attacks against Information Systems



COM(10) 517

+ ADDs 1-2

Draft Directive on attacks against information systems, repealing Council Framework Decision 2005/222/JHA

Commission staff working documents: Impact assessment and summary of impact assessment

Legal base: Article 83(1) TFEU; co-decision; QMV
Document originated: 30 September 2010
Deposited in Parliament: 5 October 2010
Department: Home Office
Basis of consideration: EM of 13 October 2010
Previous Committee Report: None
To be discussed in Council: No date set
Committee's assessment: Legally and politically important
Committee's decision: Not cleared; further information requested


6.1 In 2005, the Council adopted a Framework Decision which required Member States to criminalise unauthorised access to, or interference with, information systems and computer data. Member States were also required to introduce common rules on criminal liability, criminal sanctions, jurisdiction and the exchange of information between law enforcement authorities. The UK participated in the adoption of the Framework Decision and is bound by it.

6.2 In July 2008, the Commission produced a report on the implementation of the Framework Decision.[30] It concluded that implementation was relatively good but that a number of new threats had emerged since the adoption of the Framework Decision, "in particular the emergence of large-scale simultaneous attacks against information systems and increased criminal use of so-called 'botnets'".[31] The term 'botnet' refers to a network of computers infected by a virus which can be activated, without their users' knowledge, to attack information systems. A 'botnet' is one example of a tool which can be used to carry out large-scale attacks affecting significant numbers of information systems or causing considerable damage.

The draft Directive

6.3 The draft Directive would repeal the 2005 Framework Decision while incorporating most of its provisions and introducing some new elements to strengthen Member States' capacity to prevent and prosecute large-scale attacks against information systems. The new elements would require all Member States to criminalise:

  • the intentional interception of non-public transmissions of computer data from an information system (Article 6); and
  • the production, sale, procurement, import, possession or distribution of any device or tool for the purpose of committing any of the offences contained in the draft Directive (Article 7).

6.4 In addition, the draft Directive would require Member States to impose tougher criminal penalties if any of the following "aggravating" circumstances apply:

  • where a criminal organisation is involved in the commission of an offence;
  • where the offence has been committed by means of a tool (such as a botnet) designed to attack a significant number of information systems or to cause considerable damage; and
  • where the commission of the offence conceals the real identity of the perpetrator and causes prejudice to the rightful identity owner.

In such cases, Member States would be required to introduce a maximum term of imprisonment of at least five years (Article 10).

6.5 The draft Directive would extend the bases for establishing which Member State has jurisdiction so as to include the place of habitual residence of the offender (Article 13). There would be a new obligation on national contact points to provide an initial response to urgent requests for information within eight hours (Article 14) and a new requirement for Member States to collate statistical data on offences covered by the draft Directive (including the number of offences reported, any follow-up, and the number of investigations, prosecutions and convictions each year — Article 15).

6.6 The legal base proposed for the draft Directive is Article 83(1) of the Treaty on the Functioning of the European Union (TFEU) which provides for the adoption of directives "establishing minimum rules concerning the definition of criminal offences and sanctions in the areas of particularly serious crime with a cross-border dimension resulting from the nature or impact of such offences or from a special need to combat them on a common basis". Computer crime and organised crime are two of the areas identified under Article 83(1) as suitable for EU action.

6.7 The Commission says that EU action is justified for the following reasons:

  • attacks against information systems often have a cross-border dimension;
  • approximation of Member States' criminal laws will discourage offenders from exploiting differences by operating in Member States with more lenient criminal laws or sanctions;
  • a common understanding of what constitutes criminal behaviour will make it easier for Member States to co-operate in exchanging information and collecting and comparing data; and
  • a common EU approach will enhance the EU's contribution to international efforts to tackle cyber crime (for example, within the Council of Europe and G8).

6.8 The Commission's impact assessment (ADDs 1-2) considers a number of options, including non-legislative measures, to achieve its principal objective, a reduction in the number of large-scale attacks originating in, or targeting, the EU. It concludes that the introduction of limited and targeted measures to update the legal framework established by the 2005 Framework Decision would be most effective. The Commission says that the stronger penal measures proposed in the draft Directive would be likely to "reduce the financial cost caused by large-scale attacks coming from the EU and third countries, which in turn will have a positive economic impact in terms of the continued growth of the Internet economy (estimated at more than €300 billion in Europe) and the economy as a whole".[32] The main costs for Member States would arise from the obligation to collate statistics and to ensure that national contact points are capable of responding in urgent cases within an eight-hour deadline. The Commission estimates the total cost for all Member States at just under €6 million.[33]

The Government's view

6.9 In his Explanatory Memorandum of 13 October, the Parliamentary Under-Secretary of State for Crime Prevention (James Brokenshire) says that "a robust response and a consistent approach across the EU" is needed to prevent attacks on information systems and prosecute those responsible. He adds that, as the draft Directive incorporates many of the provisions contained in the 2005 Framework Decision, "significant new legislation is unlikely to be necessary for the purposes of implementation" as most of the offences described are already included in the Computer Misuse Act 1990.[34]

6.10 The Minister helpfully identifies the provisions in the draft Directive with which the UK may not be fully compliant and which might therefore require changes to domestic legislation. These include:

  • the requirement in Article 7 to prosecute the creation, possession and distribution of tools for the purpose of illegal interception;
  • the requirement in Article 10 to increase the maximum term of imprisonment to not less than five years in cases where aggravating circumstances apply — UK legislation does not provide for the maximum sentence to be increased in such cases but, rather, envisages that the existence of aggravating circumstances will result in the imposition of a sentence at the upper end of the sentencing scale. The maximum sentence in the UK for at least one of the offences in the draft Directive is less than five years, so the UK would either have to increase the level of sentence or create a specific new offence with a higher maximum sentence; and
  • the extension of extra-territorial jurisdiction to include offences under Articles 6 and 7 of the draft Directive on illegal interception and the illegal use of tools to commit computer crimes would require changes to section 4 of the Computer Misuse Act 1990 and section 1 of the Regulation of Investigatory Powers Act 2000.

6.11 The Minister indicates that the Government will seek to ensure that the current, non-statutory basis for providing an operational national contact point (through the Serious Organised Crime Agency) is compliant with the requirements of the draft Directive, and will also seek further detail from the Commission on the type of statistical data which Member States would be required to collate under Article 15. The UK already collates information on prosecutions and convictions under the Computer Misuse Act 1990, but does not collect broader statistical information on computer crime.

6.12 The Minister notes that the UK's Opt-in applies to the draft Directive and that the deadline for notifying the Government's decision on whether or not to opt in is 28 December 2010. He adds:

"The Government will particularly consider the impact of the given proposal on our security, civil liberties, the integrity of the UK common law systems and the control of immigration.

"We do not believe that the Directive would have a significant impact upon UK national security, as the Directive relates to tackling criminal activity. We do not believe that there are concerns relating to the balance of EU and UK competence in this area.

"Most of the offences contained in the Directive are already offences in UK law and therefore we do not believe that the Directive poses any significant concerns relating to civil liberties.

"The proposed sentences for offences committed as part of an organised crime group do conflict with the current sentences in UK law. We would seek to address this in negotiations.

"Any decision to amend UK legislation will take into account the outcomes of impact assessments, the potential costs, and better regulation."[35]

6.13 The Minister considers the proposed legal base for the draft Directive to be appropriate and agrees with the Commission's assessment that EU action is justified on grounds of subsidiarity. He provides an extensive analysis of the fundamental rights implications of the draft Directive. A number of provisions lack precision (for example, criminal liability under certain Articles applies only for cases "which are not minor"), but the Minister adds that the UK would seek to ensure more precise wording during negotiations and in any ensuing domestic implementing legislation. He concludes that the Government is satisfied that the draft Directive complies with fundamental rights.

6.14 Finally, the Minister indicates that there would be some financial cost associated with UK participation in the draft Directive (as currently worded) resulting from the need to amend some aspects of domestic legislation and to establish a structure for collating statistics relating to cyber crime.


6.15 We thank the Minister for his informative Explanatory Memorandum which sets out clearly the possible implications of the proposed Directive for UK domestic law and sentencing policy. We agree that large-scale attacks against information systems are likely to have a cross-border dimension and require close co-operation between Member States. We think that the legal base proposed is appropriate and accept that there is a case for further EU action to respond to new methods and tools for committing cyber crime.

6.16 We note that many of the provisions in the proposed Directive are the same as those included in the 2005 Framework Decision. The Framework Decision established criminal liability for illegal access to, or interference with, information systems and computer data and required Member States to ensure, in each case, that criminal liability applies "at least for cases which are not minor". While such language may not be unusual in Framework Decisions adopted before the Lisbon Treaty entered into force, at a time when the jurisdiction of the Court of Justice for EU criminal law matters was limited, we question whether such language continues to be appropriate, and to provide the necessary legal certainty and clarity, in the post-Lisbon era where the Court will have full jurisdiction to sanction Member States for inadequate transposition or implementation of new EU criminal law measures. The Minister alludes to the problem of unclear and imprecise wording in his Explanatory Memorandum and suggests that this can be tackled during negotiations or by implementing more precise national laws. We think the former course would be preferable.

6.17 The rules on jurisdiction in Article 13 of the draft Directive differ in one important respect from those set out in the Framework Decision. Article 13(1)(b) would require a Member State to exercise jurisdiction where an offence has been committed by a person who is "habitually resident" within the territory of that State. We should be grateful if the Minister would explain what implications, if any, this provision would have for existing UK rules on jurisdiction.

6.18 We note that the Government has not yet decided whether or not to opt into the draft Directive. We should be grateful if the Minister would inform us of the Government's decision and provide us with progress reports once negotiations are underway. Meanwhile, we intend to hold the draft Directive under scrutiny.

30   Member States were required to implement the Framework Decision by 16 March 2007.

31   Commission's explanatory memorandum, section 1, paragraph 2.

32   See ADD 1, section 5.3.1, p. 34.

33   Compliance costs for the UK may be lower than in some other Member States as the UK national contact point is already capable of responding within 12 hours, so little additional resource is likely to be needed to reduce this to 8 hours - see ADD 1, section 5.3.10, p. 40.

34   Paragraph 13 of the Minister's Explanatory Memorandum.

35   Paragraphs 51-55 of the Minister's Explanatory Memorandum.

© Parliamentary copyright 2010
Prepared 12 November 2010