Attacks against information systems

Outline of the Community (European Union) legislation about Attacks against information systems


These categories group together and put in context the legislative and non-legislative initiatives which deal with the same topic.


Document or Initiative

Council Framework Decision 2005/222/JHA of 24 February 2005 on attacks against information systems.


The main types of criminal offences covered by this Framework Decision are attacks against information systems * such as piracy, viruses and denial of service attacks.

This new criminal activity, which knows no borders, can be prevented and combated by:

  • enhancing the security of information infrastructures; and
  • giving law enforcement authorities the means to act.

To this end, the present Framework Decision proposes the approximation of criminal law systems and the enhancement of cooperation between judicial authorities concerning:

  • illegal access to information systems;
  • illegal system interference;
  • illegal data interference.

In all cases, the criminal act must be intentional.

Instigating, aiding, abetting and attempting to commit any of the above offences will also be liable to punishment.

The Member States will have to make provision for such offences to be punished by effective, proportionate and dissuasive criminal penalties.

Where an offence is committed in the context of a criminal organisation within the meaning of Joint Action 98/733/JHA, causes substantial loss or affects essential interests, this will be considered an aggravating circumstance. On the other hand, where an offence causes only minor damage, the competent judicial authority may reduce the penalty.

The Framework Decision proposes criteria for determining the liability of legal persons * and sets out sanctions that may apply if they are found liable (temporary or permanent disqualification from activity, court winding-up order, loss of public benefits, etc.).

Each Member State will have jurisdiction for offences committed on its territory or by one of its nationals. Where several Member States have jurisdiction over an offence, they must cooperate to decide which State will conduct proceedings against the author of said offence.

The Member States will exchange all information intended to enhance cooperation. Notably, operational points of contact available twenty-four hours a day and seven days a week within each Member State shall be appointed.

Member States must inform the General Secretariat of the Council and the Commission of their appointed points of contact and of any other measures adopted to comply with the Framework Decision.


At the Tampere European Council in October 1999, the need to approximate provisions concerning offences and sentencing in the area of cybercrime was recognised and reaffirmed in a Communication entitled: “Creating a Safer Information Society by Improving the Security of Information Infrastructures and Combating Computer-related Crime”.

The present Framework Decision forms a part of the information society and of the eEurope Action Plan in general.

This Framework Decision also aims to complement and develop activities carried out at the international level, such as the work of the G8 and the Council of Europe Convention on cybercrime.

Key Terms used in the Act

  • Information Systems: any device or group of inter-connected or related devices which performs automatic processing of computer data, as well as computer data stored, processed, retrieved or transmitted by them for the purposes of their operation, use, protection and maintenance.
  • Legal Person: any entity having such status under the applicable law, except for States or other public bodies in the exercise of State authority and for public international organisations.


| Act | Entry into force | Deadline for transposition in the Member States | Official Journal |
| Framework Decision 2005/222/JHA | 16.3.2005 | 16.3.2007 | OJ L 69 of 16.3.2005 |


Commission Report to the Council on Article 12 of the Council Framework Decision of 24 February 2005 on attacks against information systems [COM(2008) 448 final – Not published in the Official Journal].

The Commission finds that transposition of the Framework Decision is not yet complete in Member States. Notable progress has been made in the twenty Member States evaluated in the present Report. Despite widely divergent application methods, a relatively satisfying degree of implementation has been achieved. The Commission invites the seven Member States that had still not announced measures to transpose the Framework Decision into national law in early July 2008 to rectify this situation as quickly as possible. It also asks Member States to review their legislation to better suppress attacks against information systems.
In light of the evolution of cybercrime, the Commission considers taking new measures following the adoption of the Framework Decision to combat the use of botnets for criminal purposes and to promote the use of the same contact points used by the Council of Europe and the G8 to react rapidly to threats involving advanced technology.
