Tag Archives: AT

Attacks against information systems

Attacks against information systems

Outline of the Community (European Union) legislation about Attacks against information systems


These categories group together and put in context the legislative and non-legislative initiatives which deal with the same topic.

Information society > Internet Online activities and ICT standards

Attacks against information systems

Document or Iniciative

Council Framework Decision 2005/222/JHA of 24 February 2005 on attacks against information systems.


The main types of criminal offences covered by this Framework Decision are attacks against information systems * such as piracy, viruses and denial of service attacks.

This new criminal activity, which knows no borders, can be preve nted and combated by:

  • enhancing the security of information infrastructures; and
  • giving law enforcement authorities the means to act.

To this end, the present Framework Decision proposes the approximation of criminal law systems and the enhancement of cooperation between judicial authorities concerning:

  • illegal access to information systems;
  • illegal system interference;
  • illegal data interference.

In all cases, the criminal act must be intentional.

Instigating, aiding, abetting and attempting to commit any of the above offences will also be liable to punishment.

The Member States will have to make provision for such offences to be punished by effective, proportionate and dissuasive criminal penalties.

Where an offence is committed in the context of a criminal organisation within the meaning of Joint Action 98/733/JHA, causes substantial loss or affects essential interests, this will be considered an aggravating circumstance. On the other hand, where an offence causes only minor damage, the competent judicial authority may reduce the penalty.

The framework decision proposes criteria for determining the liability of legal persons * and sets out sanctions that may apply if they are found liable (temporary or permanent disqualification from activity, court winding-up order, loss of public benefits, etc.).

Each Member State will have jurisdiction for offences committed on its territory or by one of its nationals. Where several Member States have jurisdiction over an offence, they must cooperate to decide which State will conduct proceedings against the author of said offence.

The Member States will exchange all information intended to enhance cooperation. Notably, operational points of contact available twenty-four hours a day and seven days a week within each Member State shall be appointed.

Member States must inform the General Secretariat of the Council and the Commission of their appointed points of contact and of any other measures adopted to comply with the Framework Decision.


At the Tampere European Council in October 1999, the need to approximate provisions concerning offences and sentencing in the area of cybercrime was recognised and reaffirmed in a Communication entitled: “Creating a Safer Information Society by Improving the Security of Information Infrastructures and Combating Computer-related Crime”.

The present Framework Decision forms a part of the information society and of the eEurope Action Plan in general.

This Framework Decision also aims to complement and develop activities carried out at the international level, such as the work of the G8 and the Council of Europe Convention on cybercrime.

Key Terms used in the Act

style=”MARGIN-LEFT: 2em/”>

  • Information Systems: any device or group of inter-connected or related devices which performs automatic processing of computer data, as well as computer data stored, processed, retrieved or transmitted by them for the purposes of their operation, use, protection and maintenance.
  • Legal Person: any entity having such status under the applicable law, except for States or other public bodies in the exercise of State authority and for public international organisations.


Act Entry into force Deadline for transposition in the Member States Official Journal
Framework Decision 2005/222/JHA 16.3.2005 16.3.2007 OJ L 69 of 16.3.2005


Commission Report to the Council on Article 12 of the Council Framework Decision of 24 February 2005 on attacks against information systems [COM(2008) 448 final – Not published in the Official Journal].

The Commission finds that transposition of the Framework Decision is not yet complete in Member States. Notable progress has been made in the twenty Member States evaluated in the present Report. Despite widely divergent application methods, a relatively satisfying degree of implementation has been achieved. The Commission invites the seven Member States that had still not announced measures to transpose the Framework Decision into national law in early July 2008 to rectify this situation as quickly as possible It also asks Member States to review their legislation to better suppress attacks against information systems.
In light of the evolution of cybercrime, the Commission considers taking new measures following the adoption of the Framework Decision to combat the use of botnets for criminal purposes and to promote the use of the same contact points used by the Council of Europe and the G8 to react rapidly to threats involving advanced technology.

Atypical acts

Atypical acts

Outline of the Community (European Union) legislation about Atypical acts


These categories group together and put in context the legislative and non-legislative initiatives which deal with the same topic.

Institutional affairs > The decision-making process and the work of the institutions

Atypical acts


Atypical acts are acts adopted by the institutions of the European Union (EU). These acts are described as “atypical” because they are not part of the nomenclature of legal acts provided for by the Treaty on the Functioning of the EU (Articles 288 to 292).

There is therefore a wide variety of atypical acts. Some are provided for by other provisions of the founding Treaties of the EU, while others have been developed by institutional practice.

Atypical acts are differentiated by their application, which is generally political. However, some may be binding, but this remains limited to the EU’s institutional framework.

Atypical acts provided for by the Treaties

The EU institutions’ Rules of Procedure are atypical acts. The founding Treaties provide that the EU institutions shall adopt their own Rules of Procedure.

The Rules of Procedure lay down the organisation, operation and internal rules of procedure of the EU institutions. They have binding effect only for the institution concerned.

The founding Treaties also provide for other types of act adopted in the context of political dialogue between the EU institutions. These acts are essentially intended to facilitate work and cooperation between the institutions. For example, in the context of the procedure for the adoption of international agreements, the Council must send negotiating guidelines to the Commission for the negotiation of the agreements.

The institutions may also go further by organising their cooperation by means of interinstitutional agreements. These types of agreement are also atypical acts. They may have binding effect, but only for the institutions which have signed the agreement.

Atypical acts not provided for by the Treaties

Each of the EU institutions has developed a series of instruments in the context of its own activity.

For example, the European Parliament expresses some of its political positions at international level by means of resolutions or declarations. Similarly, the Council regularly adopts conclusions, resolutions or guidelines following its meetings. These acts essentially express the institutions’ opinion on certain European or international issues. They have general application but do not have binding effect.

The Commission also adopts several atypical acts which are specific to it. These are communications, which generally present new policy programmes. The Commission also adopts green papers which are intended to launch public consultations on certain European issues. It uses these to gather the necessary information before drawing up a legislative proposal. Following the results of the green papers, the Commission sometimes adopts white papers setting out detailed proposals for European action.