14.8.2013
EN
Official Journal of the European Union
(7)
Common definitions in this area are important in order
to ensure a consistent approach in the Member States to
the application of this Directive.
(8)
There is a need to achieve a common approach to the
constituent elements of criminal offences by introducing
common offences of illegal access to an information
system, illegal system interference, illegal data interference, and illegal interception.
(9)
Interception includes, but is not necessarily limited to,
the listening to, monitoring or surveillance of the
content of communications and the procuring of the
content of data either directly, through access and use
of the information systems, or indirectly through the use
of electronic eavesdropping or tapping devices by
technical means.
(10)
Member States should provide for penalties in respect of
attacks against information systems. Those penalties
should be effective, proportionate and dissuasive and
should include imprisonment and/or fines.
(11)
This Directive provides for criminal penalties at least for
cases which are not minor. Member States may
determine what constitutes a minor case according to
their national law and practice. A case may be considered
minor, for example, where the damage caused by the
offence and/or the risk to public or private interests,
such as to the integrity of a computer system or to
computer data, or to the integrity, rights or other
interests of a person, is insignificant or is of such a
nature that the imposition of a criminal penalty within
the legal threshold or the imposition of criminal liability
is not necessary.
(12)
The identification and reporting of threats and risks
posed by cyber attacks and the related vulnerability of
information systems is a pertinent element of effective
prevention of, and response to, cyber attacks and to
improving the security of information systems.
Providing incentives to report security gaps could add
to that effect. Member States should endeavour to
provide possibilities for the legal detection and
reporting of security gaps.
(13)
It is appropriate to provide for more severe penalties
where an attack against an information system is
committed by a criminal organisation, as defined in
Council Framework Decision 2008/841/JHA of
24 October 2008 on the fight against organised
crime (1), where a cyber attack is conducted on a large
scale, thus affecting a significant number of information
systems, including where it is intended to create a botnet,
or where a cyber attack causes serious damage, including
where it is carried out through a botnet. It is also appropriate to provide for more severe penalties where an
attack is conducted against a critical infrastructure of the
Member States or of the Union.
(1) OJ L 300, 11.11.2008, p. 42.
(14)
Setting up effective measures against identity theft and
other identity-related offences constitutes another
important element of an integrated approach against
cybercrime. Any need for Union action against this
type of criminal behaviour could also be considered in
the context of evaluating the need for a comprehensive
horizontal Union instrument.
(15)
The Council Conclusions of 27 to 28 November 2008
indicated that a new strategy should be developed with
the Member States and the Commission, taking into
account the content of the 2001 Council of Europe
Convention on Cybercrime. That Convention is the
legal framework of reference for combating cybercrime,
including attacks against information systems. This
Directive builds on that Convention. Completing the
process of ratification of that Convention by all
Member States as soon as possible should be considered
to be a priority.
(16)
Given the different ways in which attacks can be
conducted, and given the rapid developments in
hardware and software, this Directive refers to tools
that can be used in order to commit the offences laid
down in this Directive. Such tools could include
malicious software, including those able to create
botnets, used to commit cyber attacks. Even where
such a tool is suitable or particularly suitable for
carrying out one of the offences laid down in this
Directive, it is possible that it was produced for a
legitimate purpose. Motivated by the need to avoid criminalisation where such tools are produced and put on the
market for legitimate purposes, such as to test the reliability of information technology products or the security
of information systems, apart from the general intent
requirement, a direct intent requirement that those
tools be used to commit one or more of the offences
laid down in this Directive must also be fulfilled.
(17)
This Directive does not impose criminal liability where
the objective criteria of the offences laid down in this
Directive are met but the acts are committed without
criminal intent, for instance where a person does not
know that access was unauthorised or in the case of
mandated testing or protection of information systems,
such as where a person is assigned by a company or
vendor to test the strength of its security system. In
the context of this Directive, contractual obligations or
agreements to restrict access to information systems by
way of a user policy or terms of service, as well as labour
disputes as regards the access to and use of information
systems of an employer for private purposes, should not
incur criminal liability where the access under such
circumstances would be deemed unauthorised and thus
would constitute the sole basis for criminal proceedings.
This Directive is without prejudice to the right of access
to information as laid down in national and Union law,
while at the same time it may not serve as a justification
for unlawful or arbitrary access to information.