L 218/8 EN Official Journal of the European Union 14.8.2013

DIRECTIVE 2013/40/EU OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
of 12 August 2013
on attacks against information systems and replacing Council Framework Decision 2005/222/JHA

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 83(1) thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

Having regard to the opinion of the European Economic and Social Committee (1),

Acting in accordance with the ordinary legislative procedure (2),

Whereas:

(1) The objectives of this Directive are to approximate the criminal law of the Member States in the area of attacks against information systems by establishing minimum rules concerning the definition of criminal offences and the relevant sanctions and to improve cooperation between competent authorities, including the police and other specialised law enforcement services of the Member States, as well as the competent specialised Union agencies and bodies, such as Eurojust, Europol and its European Cyber Crime Centre, and the European Network and Information Security Agency (ENISA).

(2) Information systems are a key element of political, social and economic interaction in the Union. Society is highly and increasingly dependent on such systems. The smooth operation and security of those systems in the Union is vital for the development of the internal market and of a competitive and innovative economy. Ensuring an appropriate level of protection of information systems should form part of an effective comprehensive framework of prevention measures accompanying criminal law responses to cybercrime.

(3) Attacks against information systems, and, in particular, attacks linked to organised crime, are a growing menace in the Union and globally, and there is increasing concern about the potential for terrorist or politically motivated attacks against information systems which form part of the critical infrastructure of Member States and of the Union. This constitutes a threat to the achievement of a safer information society and of an area of freedom, security, and justice, and therefore requires a response at Union level and improved cooperation and coordination at international level.

(4) There are a number of critical infrastructures in the Union, the disruption or destruction of which would have a significant cross-border impact. It has become apparent from the need to increase the critical infrastructure protection capability in the Union that the measures against cyber attacks should be complemented by stringent criminal penalties reflecting the gravity of such attacks. Critical infrastructure could be understood to be an asset, system or part thereof located in Member States, which is essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people, such as power plants, transport networks or government networks, and the disruption or destruction of which would have a significant impact in a Member State as a result of the failure to maintain those functions.

(5) There is evidence of a tendency towards increasingly dangerous and recurrent large-scale attacks conducted against information systems which can often be critical to Member States or to particular functions in the public or private sector. This tendency is accompanied by the development of increasingly sophisticated methods, such as the creation and use of so-called ‘botnets’, which involves several stages of a criminal act, where each stage alone could pose a serious risk to public interests. This Directive aims, inter alia, to introduce criminal penalties for the creation of botnets, namely, the act of establishing remote control over a significant number of computers by infecting them with malicious software through targeted cyber attacks. Once created, the infected network of computers that constitute the botnet can be activated without the computer users’ knowledge in order to launch a large-scale cyber attack, which usually has the capacity to cause serious damage, as referred to in this Directive. Member States may determine what constitutes serious damage according to their national law and practice, such as disrupting system services of significant public importance, or causing major financial cost or loss of personal data or sensitive information.

(6) Large-scale cyber attacks can cause substantial economic damage both through the interruption of information systems and communication and through the loss or alteration of commercially important confidential information or other data. Particular attention should be paid to raising the awareness of innovative small and medium-sized enterprises to threats relating to such attacks and their vulnerability to such attacks, due to their increased dependence on the proper functioning and availability of information systems and often limited resources for information security.

(1) OJ C 218, 23.7.2011, p. 130.
(2) Position of the European Parliament of 4 July 2013 (not yet published in the Official Journal) and decision of the Council of 22 July 2013.