2010/0273(COD)
Judicial cooperation in criminal matters: combating attacks against information systems
Next event: 2013/07/01 Indicative plenary sitting date, 1st reading/single reading
Committees: AFET, BUDG, ITRE, LIBE
Lead Rapporteur: HOHLMEIER Monika (EPP)
Opinion Rapporteur(s): OJULAND Kristiina (ALDE), EHLER Christian (EPP)
Legal basis: TFEU TFEU 083-p1-a1
Awaiting Parliament 1st reading / single reading / budget 1st stage
| Role | Committee | Rapporteur | Shadows |
|---|---|---|---|
| Opinion | AFET | OJULAND Kristiina (ALDE) | |
| Opinion | BUDG | | |
| Opinion | ITRE | EHLER Christian (EPP) | |
| Lead | LIBE | HOHLMEIER Monika (EPP) | ALVARO Alexander (ALDE), ALBRECHT Jan Philipp (Verts/ALE), KIRKHOPE Timothy (ECR), VERGIAT Marie-Christine (GUE/NGL) |
Activities
- 2013/07/01 Indicative plenary sitting date, 1st reading/single reading
- 2012/01/27 Amendments tabled in committee
- 2011/11/24 Committee draft report
- #3096
- 2011/06/09 Council Meeting
- 2011/05/04 Economic and Social Committee: opinion, report
- 2010/10/07 Committee referral announced in Parliament, 1st reading/single reading
- 2010/09/30 Legislative proposal
- COM(2010)0517
summary
PURPOSE: to propose a new legislative framework aimed at combating (large scale) attacks against information systems and to repeal Council Framework Decision 2005/222/JHA.

PROPOSED ACT: Directive of the European Parliament and of the Council.

BACKGROUND: in recent years, the number of attacks against IT systems has risen steadily in Europe. Moreover, previously unknown large-scale and dangerous attacks against the information systems of companies, such as banks, the public sector and even the military, have been observed in the Member States and other countries. New concerns, such as the massive spread of malicious software creating 'botnets' - networks of infected computers that can be remotely controlled to stage large-scale, coordinated attacks - have emerged. Such networks of compromised computers ('zombies') may be activated to perform specific actions such as attacks against information systems (cyber attacks). These 'zombies' can be controlled - often without the knowledge of the users of the compromised computers - by another computer. This 'controlling' computer is also known as the 'command-and-control centre'. The people who control this centre are among the offenders, as they use the compromised computers to launch attacks against information systems.

With regard to cybercrime, the main cause of this phenomenon is vulnerability resulting from a variety of factors. Insufficient response by law enforcement mechanisms contributes to the prevalence of these phenomena, and exacerbates the difficulties, as certain types of offences go beyond national borders. Variations in national criminal law and procedure may give rise to differences in investigation and prosecution, leading to differences in how these crimes are dealt with. Developments in information technology have exacerbated these problems by making it easier to produce and distribute tools ('malware' and 'botnets'), while offering offenders anonymity and dispersing responsibility across jurisdictions.
Given the difficulties of bringing a prosecution, organised crime is able to make considerable profits with little risk.

On 24 February 2005, EU Member States agreed a Council Framework Decision (2005/222/JHA) that addresses the most significant forms of criminal activity against information systems, such as hacking, viruses and denial of service attacks. The Framework Decision seeks to approximate criminal law across the EU to ensure that Europe's law enforcement and judicial authorities can take action against this form of crime. Member States were required to take the necessary measures to comply with the provisions of the Framework Decision by 16 March 2007.

On 14 July 2008, the Commission published a report on the implementation of the Framework Decision. It was noted that several emerging threats had been highlighted by recent attacks across Europe since adoption of the Framework Decision, in particular the emergence of large-scale simultaneous attacks against information systems and increased criminal use of so-called 'botnets'. These attacks were not the centre of attention when the Framework Decision was adopted. In response to these developments, the Commission presents this proposal which aims to consider recent technical advances and the new modi operandi found in today's cyber attacks and devise better responses to the threat.

IMPACT ASSESSMENT: various policy options have been examined as a means of achieving the objective.

Option 1: Status Quo / No new EU action.

Option 2: Development of a programme to strengthen the efforts to counter attacks against information systems by means of non-legislative measures: these measures would, in addition to the programme for critical information infrastructure protection, focus on cross-border law enforcement and public-private cooperation.
These soft-law instruments should aim to promote further coordinated action at EU level, including strengthening of the existing 24/7 network of contact points for law enforcement agencies; establishment of an EU network of public-private contact points involving cybercrime experts and law enforcement agencies; elaboration of a standard EU service level agreement for law enforcement cooperation with private sector operators; and support for the organisation of training programmes for law enforcement agencies on the investigation of cybercrime.

Option 3: Targeted update of the rules of the Framework Decision (new Directive replacing the current Framework Decision) to address the threat from large-scale attacks against information systems (botnets) and, when committed by concealing the real identity of the perpetrator and causing prejudice to the rightful identity owner, the efficiency of Member States' law enforcement contact points, and the lack of statistical data on cyber attacks.

Option 4: Introduction of comprehensive EU legislation against cybercrime: this option would entail new comprehensive EU legislation. In addition to introducing the soft-law measures in policy option 2 and the update in policy option 3, it would also tackle other legal problems related to Internet use (such as financial cybercrime, illegal Internet content, the collection/storage/transfer of electronic evidence…).

Option 5: Update of the Council of Europe Convention on Cybercrime: this option would require substantial renegotiation of the current Convention, which is a lengthy process and doesn't seem realistic as there seems to be no international willingness to renegotiate the Convention.

The preferred policy option is a combination of non-legislative measures (option 2) with a targeted update of the Framework Decision (option 3).

LEGAL BASE: Article 83(1) of the Treaty on the Functioning of the European Union (TFEU).
CONTENT: the draft Directive, while repealing Framework Decision 2005/222/JHA, will retain its current provisions and include the following new elements:

On substantive criminal law in general, the proposed Directive:

1) Penalises the production, sale, procurement for use, import, distribution or otherwise making available of devices/tools used for committing the offences.

2) Includes aggravating circumstances: the large-scale aspect of the attacks - botnets or similar tools would be addressed by introducing a new aggravating circumstance, in the sense that the act of putting in place a botnet or a similar tool would be an aggravating factor when crimes listed in the existing Framework Decision are committed; when such attacks are committed by concealing the real identity of the perpetrator and causing prejudice to the rightful identity owner. Any such rules would need to comply with the principles of legality and proportionality of criminal offences and penalties and be consistent with existing legislation on the protection of personal data.

3) Introduces 'illegal interception' as a criminal offence.

4) Introduces measures to improve European criminal justice cooperation by strengthening the existing structure of 24/7 contact points: an obligation to comply with a request for assistance by the operational contact points (set out in Article 14 of the Directive) within a certain time limit is proposed. The Cybercrime Convention does not specify a binding provision of this kind. The aim of this measure is to ensure that the contact points indicate within a specified time whether they are able to provide a solution to the request for assistance, and by when the requesting point of contact can expect such a solution to be found. The actual content of the solutions is not specified.
5) Addresses the need to provide statistical data on cybercrimes by making it obligatory for the Member States to ensure that an adequate system is in place for the recording, production and provision of statistical data on the offences referred to in the existing Framework Decision and the newly added 'illegal interception'.

Taking account of the gravity of the crimes: the Directive contains in the definitions of criminal offences listed in articles 3, 4, 5 (illegal access to information systems, illegal systems interference and illegal interference) a provision allowing to criminalise only 'cases which are not minor' in the process of transposition of the directive into national law. This element of flexibility is intended to allow Member States not to cover cases that would in abstracto be covered by the basic definition but are considered not to harm the protected legal interest, e.g. in particular acts by young people who attempt to prove their expertise in information technology. This possibility to limit the scope of criminalisation should not however lead to the introduction of additional constitutive elements of offences beyond those that are already included in the Directive, because this would lead to the situation that only offences committed with the presence of aggravating circumstances are covered. In the process of transposition, Member States should refrain in particular from adding additional constitutive elements to the basic offences such as e.g. a special intention to derive illicit proceeds from crime or the presence of a specific effect such as causing a considerable damage.

BUDGETARY IMPLICATION: the implications of the proposal for the Union budget are small. More than 90% of the estimated cost of EUR 5 913 000 would be borne by the Member States and there is the possibility of applying for EU funding to reduce the cost.
- SEC(2010)1122
- SEC(2010)1123
- DG Home Affairs (http://ec.europa.eu/dgs/home-affairs/), MALMSTRÖM Cecilia
Documents
- Legislative proposal published: COM(2010)0517
- Document attached to the procedure: SEC(2010)1122
- Document attached to the procedure: SEC(2010)1123
- Economic and Social Committee: opinion, report: CES0816/2011
- Committee draft report: PE476.089
- Amendments tabled in committee: PE480.665
| Amendments | Dossier |
|---|---|
| 178 | 2010/0273(COD) Judicial cooperation in criminal matters: combating attacks against information systems |
2011/10/13
AFET
39 amendments...
Amendment 14 #
Proposal for a directive –
Amendment 15 #
Proposal for a directive Recital 1 (1) The objective of this Directive is to approximate rules on criminal law in the Member States in the area of attacks against information systems, and improve cooperation between judicial and other competent authorities, including the police and other specialised law enforcement services of the Member States, in accordance with the principle of separation of powers.
Amendment 16 #
Proposal for a directive Recital 1 (1) The objective of this Directive is to approximate rules on criminal law in the Member States in the area of attacks against information systems, and improve cooperation between judicial and other competent authorities, including the police and other specialised law enforcement services of the Member States and the Union; this objective forms part of the Union’s general strategy designed to combat organised crime, secure information networks more effectively, protect critical information infrastructures and safeguard data.
Amendment 17 #
Proposal for a directive Recital 1 a (new) (1a) Information systems are vital to political, social and economic interaction in Europe. Society today is highly dependent on such systems and is becoming even more so. However, despite their major benefits, they also embody a number of risks to our security because of their complexity and vulnerability to various types of cybercrime. The security of information systems is therefore a constant concern and requires effective responses from the Member States and the Union.
Amendment 18 #
Proposal for a directive Recital 2
Amendment 19 #
Proposal for a directive Recital 2 (2)
Amendment 20 #
Proposal for a directive Recital 2 (2) Attacks against information systems, in particular as a result of the threat from organised crime, are a growing menace, as evidenced by the cyber attacks on Estonia and Georgia as a method of modern warfare, and there is increasing concern about the potential for terrorist or economically or politically motivated attacks against information systems which form part of the critical infrastructure of Member States and the Union. This constitutes a threat to the achievement of a safer information society and an area of freedom, security and justice, and therefore requires a response at the level of the European Union.
Amendment 21 #
Proposal for a directive Recital 2 (2) Attacks against information systems, in particular
Amendment 22 #
Proposal for a directive Recital 2 a (new) (2a) A distinction between cyber attacks and physical attacks is crucial. Therefore a separate strategy to respond to such attacks should be developed in respect of attacks against information systems, in full cooperation with national parliaments and the European Parliament. Such a strategy should not constitute a threat to, or a breach of, human rights or fundamental freedoms. Such a strategy should not therefore be equivalent to a response to an armed attack.
Amendment 23 #
Proposal for a directive Recital 3 (3) There is evidence of a tendency towards increasingly dangerous and recurrent large scale attacks conducted against information systems which are critical to states, to the Union or to particular functions in the public or private sector. This tendency is accompanied by the rapid development of computer technology and, as a result, increasingly sophisticated tools that can be used by criminals to launch cyber-attacks of various types, some of which have a great potential to cause economic and social damage.
Amendment 24 #
Proposal for a directive Recital 3 (3) There is evidence of a tendency towards increasingly dangerous targeted and recurrent large scale attacks conducted against information systems which are critical to states or to particular functions in the public or private sector. This tendency is accompanied by the development of increasingly sophisticated tools that can be used by criminals to launch cyber-attacks of various types.
Amendment 25 #
Proposal for a directive Recital 4 a (new) (4a) A thorough, reliable and independent assessment of the overall level of threat of attacks against information systems should be carried out. The Union institutions should adjust their level of information security accordingly.
Amendment 26 #
Proposal for a directive Recital 4 a (new) (4a) There is a need for coordination at the level of the Union to help integrate different initiatives, programmes and activities.
Amendment 27 #
Proposal for a directive Recital 4 b (new) (4b) A Union Cybersecurity Coordinator should be appointed in order to facilitate the integration and coordination of the Union institutions’ initiatives, programmes and activities.
Amendment 28 #
Proposal for a directive Recital 5 a (new) (5a) There is a need to assess the real level of threat of attacks against information systems by a reliable, independent authority and to discuss coordination at the level of the Union to help integrate different initiatives, programmes and activities.
Amendment 29 #
Proposal for a directive Recital 6 (6) Member States should provide for penalties in respect of attacks against information systems
Amendment 30 #
Proposal for a directive Recital 7 (7) It is appropriate to provide for more severe penalties when an attack against an information system is committed by a criminal organisation, as defined in Council Framework Decision 2008/841/JHA of 24 October 2008 on the fight against organised crime, when the attack is conducted on a large scale, or when an offence is committed by concealing the real identity of the perpetrator and causing prejudice to the rightful identity owner.
Amendment 31 #
Proposal for a directive Recital 8 (8) The Council Conclusions of 27-28 November 2008 indicated that a new strategy should be developed with the Member States and the Commission, taking into account the content of the 2001 Council of Europe Convention on Cybercrime. The Council and Commission must encourage those Member States that have not yet ratified the Convention to do so as soon as possible. That Convention is the legal framework of reference for combating cybercrime, including attacks against information systems. This Directive builds on that Convention.
Amendment 32 #
Proposal for a directive Recital 8 a (new) (8a) The Council and the Commission should call on those Member States which still need to ratify the Council of Europe Convention on Cybercrime to do so without delay.
Amendment 33 #
Proposal for a directive Recital 11 (11) This Directive strengthens the importance of networks, such as the G8 or the Council of Europe’s network of points of contact available on a twenty-four hour, seven-day-a-week basis to exchange information in order to ensure the provision of immediate assistance for the purpose of investigations or proceedings concerning criminal offences related to information systems and data, or for the collection of evidence in electronic form of a criminal offence. Given the speed with which large-scale attacks can be carried out, Member States should be able to respond promptly to urgent requests from this network of contact points. Such assistance should include facilitating, or directly carrying out, measures such as: the provision of technical advice,
Amendment 34 #
Proposal for a directive Recital 11 a (new) (11a) Cooperation on the part of the authorities with the private sector and civil society is of major importance in avoiding and combating cyber attacks. It is necessary to establish ongoing dialogue with them, given their extensive use of computer systems and the need for shared responsibility in ensuring reliable and functional systems. It is important to raise awareness among all computer system stakeholders, so as to create a data security mentality.
Amendment 35 #
Proposal for a directive Recital 11 a (new) (11a) Closer cooperation should be envisaged both with the European Defence Agency (EDA) and with the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE), in particular in the field of capacity building and training.
Amendment 36 #
Proposal for a directive Recital 12 (12) There is a need to collect data on offences under this Directive, in order to gain a more complete picture of the problem at Union level and thereby contribute to formulating more effective responses. Member States must step up exchanges of information regarding cyber attacks with the support of the Commission and the European Network and Information Security Agency. The data will moreover help specialised agencies such as Europol and the European Network and Information Security Agency to better assess the extent of cybercrime and the state of network and information security in Europe. Improved knowledge of present and future risks will make it possible to take decisions which are more effective in deterring and combating cyber attacks or reducing the resulting damage.
Amendment 37 #
Proposal for a directive Recital 12 (12) There is a need to collect data on offences under this Directive, in order to gain a
Amendment 38 #
Proposal for a directive Recital 12 a (new) (12a) The Commission should examine the feasibility of providing frameworks or instruments to help public private partnerships (PPP) cooperate with each other at national level and Union level, to implement information quality standards for interoperability, and to ensure respect for fundamental rights, the separation of powers and democratic supervision.
Amendment 39 #
Proposal for a directive Recital 13 (13) Significant gaps and differences in Member States’ laws in the area of attacks against information systems may hamper the fight against organised crime and terrorism, and may complicate effective police and judicial cooperation in this area. The transnational and borderless nature of modern information systems means that attacks against such systems have a trans-border dimension, thus underlining the urgent need for further action to approximate criminal legislation in this area at Union level. The Union should also seek greater international cooperation in the field of data network security by collaborating closely with other organisations with the relevant terms of reference, such as the United Nations, NATO, the Council of Europe, or the OSCE and involving other international stakeholders. Besides that, the coordination of prosecution of cases of attacks against information systems should be facilitated by the adoption of Council Framework Decision 2009/948/JHA on prevention and settlement of conflict of jurisdiction in criminal proceedings.
Amendment 40 #
Proposal for a directive Recital 13 (13) Significant gaps and differences in Member States’ laws in the area of attacks against information systems may hamper the fight against organised crime and terrorism, and may complicate effective police and judicial cooperation in this area. The transnational and borderless nature of modern information systems means that attacks against such systems have a trans-border dimension, thus underlining the urgent need for further action to approximate criminal legislation in this area and to strengthen cross-border cooperation. Besides that, the coordination of prosecution of cases of attacks against information systems should be facilitated by the adoption of Council Framework Decision 2009/948/JHA on prevention and settlement of conflict of jurisdiction in criminal proceedings.
Amendment 41 #
Proposal for a directive Recital 16 (16) This Directive and any practical application thereof respect
Amendment 42 #
Proposal for a directive Recital 16 (16) This Directive respects the fundamental rights, in particular the right to privacy, and observes the principles recognised in particular by the Charter of Fundamental Rights of the European Union, including the protection of personal data, freedom of expression and information, the right to a fair trial, presumption of innocence and the rights of the defence, as well as the principles of legality and proportionality of criminal offences and penalties. In particular, this Directive seeks to ensure full respect for these rights and principles and must be implemented accordingly.
Amendment 43 #
Proposal for a directive Recital 16a (new) (16a) The Council and the Commission should insist, in negotiations and cooperation with third countries, on minimum requirements for preventing and fighting cybercrime and cyber attacks as well as on minimum standards for information system security.
Amendment 44 #
Proposal for a directive Recital 16b (new) (16b) The Commission should consider options to facilitate and assist third countries in their efforts to develop their cyber security and cyber defence capabilities.
Amendment 45 #
Proposal for a directive Article 3 – paragraph 1 Member States shall take the necessary measures to ensure that
Amendment 46 #
Proposal for a directive Article 7 – paragraph 1 – introductory part Member States shall take the necessary measures to ensure that the production, sale, procurement for use, import, possession, distribution or otherwise making available of the following
Amendment 47 #
Proposal for a directive Article 9 – paragraph 1 1. Member States shall take the necessary measures to ensure that the offences referred to in Articles 3 to 8 are punishable by
Amendment 48 #
Proposal for a directive Article 12 – paragraph 1 – introductory part 1. Member States shall take the necessary measures to ensure that a legal person held liable pursuant to Article 11(1) is punishable by
Amendment 49 #
Proposal for a directive Article 12 – paragraph 2 2. Member States shall take the necessary measures to ensure that a legal person held liable pursuant to Article 11(2) is punishable by
Amendment 50 #
Proposal for a directive Article 14 – paragraph 2 a (new) 2a. The Commission shall assist Member States in promoting the resilience and stability of the internet and shall undertake other activities aiming at achieving information security.
Amendment 51 #
Proposal for a directive Article 15 – paragraph 3 3. Member States shall transmit the data collected according to this Article to the Commission. They shall also ensure that a consolidated review of these statistical reports is submitted to the European Parliament and published.
Amendment 52 #
Proposal for a directive Article 15 – paragraph 3 a (new) 3a. The Commission shall review the application of this Directive and, in particular, the need to appoint a Union Cybersecurity Coordinator in order to assess the level of threat and facilitate the integration and coordination of the Union institutions’ initiatives, programmes and activities.
source: PE-473.863
2011/12/10
ITRE
44 amendments...
Amendment 12 #
Proposal for a directive Recital 1 (1) The objective of this Directive is to approximate rules on criminal law in the Member States in the area of attacks against information systems, and improve cooperation between judicial and other competent authorities, including the police and other specialised law enforcement services of the Member States and the Union; this objective forms part of the Union’s general strategy aimed at combating organised crime, increasing the resilience of computer networks, protecting critical information infrastructure and data protection.
Amendment 13 #
Proposal for a directive Recital 1 (1) The objective of this Directive is to approximate rules on criminal law in the Member States in the area of attacks against information systems, and improve cooperation between judicial and other competent authorities, including the police
Amendment 14 #
Proposal for a directive Recital 1 (1) The objective of this Directive is to approximate rules on criminal law in the Member States in the area of attacks against information systems, and improve cooperation between judicial and other competent authorities, including the police and other specialised law enforcement services of the Member States, the Commission, ENISA, EUROPOL and EUROJUST to enable a common and comprehensive Union approach.
Amendment 15 #
Proposal for a directive Recital 1 (1) The objective of this Directive is to approximate rules on criminal law in the Member States in the area of attacks against information systems, and improve cooperation between judicial and other competent authorities, including the police, ENISA, national Computer Emergency Response Teams (CERTs), and other specialised law enforcement services of the Member States.
Amendment 16 #
Proposal for a directive Recital 1 a (new) (1a) Information systems are a key element of political, social and economic interaction in Europe. Society is highly and increasingly dependent on such systems. The smooth operation and security of these systems in Europe is vital for the development of the European single market and of a competitive and innovative economy. At the same time as providing great benefits, however, information systems carry a number of risks to our security on account of their complexity and vulnerability to various types of computer crime. The security of information systems is thus a matter of constant concern that requires an effective response from the Member States and the Union.
Amendment 17 #
Proposal for a directive Recital 2 (2) Attacks against information systems
Amendment 18 #
Proposal for a directive Recital 2 (2) Attacks against information systems, in particular as a result of the threat from organised crime, are a growing menace to the functioning of information systems in the Union and globally, and there is increasing concern about the potential for terrorist or politically motivated attacks against information systems which form part of the critical infrastructure of Member States and the Union. This constitutes a threat to the achievement of a safer information society and an area of freedom, democracy, security and justice, undermines the creation of a European digital single market and therefore requires a response at the level of the European Union as well as internationally, for example through the 2001 Council of Europe Convention on Cybercrime.
Amendment 19 #
Proposal for a directive Recital 2 (2) Attacks against information systems, in particular as a result of the threat from organised crime, are a growing menace both in the Union and globally, and there is increasing concern about the potential for terrorist or politically motivated attacks against information systems which form part of the critical infrastructure of Member States and the Union. This constitutes a threat to the achievement of a safer information society and an area of freedom, security and justice, and therefore requires a response at the level of the European Union and improved coordination and cooperation at international level.
Amendment 20 #
Proposal for a directive Recital 2 a (new) (2a) Recent cyber-attacks, perpetrated against European networks and/or information systems, have caused substantial economic and security damage to the Union.
Amendment 21 #
Proposal for a directive Recital 3 (3) There is evidence of a tendency towards increasingly dangerous and recurrent large scale attacks conducted against information systems which are critical to international organisations and states or to particular functions in the public or private sector. Such attacks can occasion significant financial losses both by taking down information and communications systems, and by causing the loss or alteration of data. This tendency is being accompanied
Amendment 22 #
Proposal for a directive Recital 3 (3) There is evidence of a tendency towards increasingly dangerous and recurrent large scale attacks conducted against information systems which are critical to states or to particular functions in the public or private sector. This tendency is accompanied by the development of increasingly sophisticated tools that can be used by criminals to launch cyber-attacks of various types. Furthermore, distributed denial-of-service attacks on information systems and/or attacks on critical information infrastructures for disruption purposes might be used as a means of cyber warfare and/or terrorism.
Amendment 23 #
Proposal for a directive Recital 3 (3) There is evidence of a tendency towards increasingly dangerous and recurrent large scale attacks conducted against information systems which are critical to states, the Union or to particular functions in the public or private sector. This tendency is accompanied by the rapid development of information technology and thus of increasingly sophisticated tools that can be used by criminals to launch cyber-attacks of various types, some of which have significant potential to cause economic and social damage.
Amendment 24 #
Proposal for a directive Recital 4 (4) Common definitions in this area, particularly of information systems
Amendment 25 #
Proposal for a directive Recital 4 (4) Common definitions and norms of behaviour in this area, particularly of information systems and computer data, are important in order to ensure a consistent approach in the Member States to the application of this Directive.
Amendment 26 #
Proposal for a directive Recital 4 a (new) (4a) The revocation of IP addresses or domain names are examples of system interference and may be considered as criminal offences as defined in Article 4 of this Directive.
Amendment 27 #
Proposal for a directive Recital 4 a (new) (4a) The revocation of IP addresses or domain names are examples of system interference and may be considered as criminal offences as defined in Article 4 of this Directive.
Amendment 28 #
Proposal for a directive Recital 6 (6) Member States should provide for penalties in respect of attacks against information systems
Amendment 29 #
Proposal for a directive Recital 6 (6) Member States should provide
Amendment 30 #
Proposal for a directive Recital 6 a (new) (6a) Member States, the EU and the private sector, in cooperation with the European Network and Information Security Agency, should take steps to increase the security and integrity of information systems, to prevent attacks and to minimise the impact of attacks.
Amendment 31 #
Proposal for a directive Recital 7 (7) It is appropriate to provide for more severe penalties when an attack against an information system is committed by a criminal organisation, as defined in Council Framework Decision 2008/841/JHA of 24 October 2008 on the fight against organised crime, when the attack is conducted on a large scale, or when an offence is committed by concealing the real identity of the perpetrator and causing prejudice to the rightful identity owner. It is also appropriate to provide for more severe penalties where such an attack
Amendment 32 #
Proposal for a directive Recital 8 (8) The Council Conclusions of 27-28 November 2008 indicated that a new strategy should be developed with the Member States and the Commission, taking into account the content of the 2001 Council of Europe Convention on Cybercrime. The Council and Commission should encourage Member States that have not yet ratified the Convention to do so as soon as possible. That Convention is the legal framework of reference for combating cybercrime, including attacks against information systems. This Directive builds on that Convention.
Amendment 33 #
Proposal for a directive Recital 11 (11) This Directive strengthens the importance of networks, such as the G8 or the Council of Europe's network of points of contact available on a twenty-four hour, seven-day-a-week basis to exchange information in order to ensure the provision of immediate assistance for the purpose of investigations or proceedings concerning criminal offences related to information systems and data, or for the collection of evidence
Amendment 34 #
Proposal for a directive Recital 11 (11) This Directive strengthens the importance of networks, such as the G8 or the Council of Europe's network of points of contact available on a twenty-four hour, seven-day-a-week basis to exchange information in order to ensure the provision of immediate assistance for the purpose of investigations or proceedings concerning criminal offences related to information systems and data, or for the collection of evidence in electronic form of a criminal offence. Given the speed with which large-scale attacks can be carried out, Member States, the EU and the European Network and Information Security Agency should be able to respond promptly to urgent requests from this network of contact points. Such assistance should include facilitating, or directly carrying out, measures such as: the provision of technical advice, the preservation of data, the collection of evidence, the provision of legal information, and the locating of suspects.
Amendment 35 #
Proposal for a directive Recital 11 (11) This Directive strengthens the importance of networks, such as the G8 or the Council of Europe's network of points of contact available on a twenty-four hour, seven-day-a-week basis to exchange information in order to ensure the provision of immediate assistance for the purpose of investigations or proceedings concerning criminal offences related to information systems and data, or for the collection of evidence in electronic form of a criminal offence. Given the speed with which large-scale attacks can be carried out, Member States should be able to respond promptly to urgent requests from this network of contact points. Such assistance should include facilitating, or directly carrying out, measures such as: the provision of technical advice, the preservation of data, the collection of evidence, the provision of legal information, the identification of the jeopardised and/or extracted information and the locating of suspects.
Amendment 36 #
Proposal for a directive Recital 11 a (new) (11a) Cooperation by the public authorities with the private sector and civil society is of great importance in preventing and combating attacks against information systems. A permanent dialogue should be established with these partners in view of the extensive use they make of information systems and the sharing of responsibility required for the stable and proper operation of these systems. The raising of awareness among all stakeholders in the use of information systems is important in creating a culture of IT security.
Amendment 37 #
Proposal for a directive Recital 12 (12) There is a need to collect data on offences under this Directive, in order to gain a more complete picture of the problem at Union level and thereby contribute to formulating more effective responses. Member States need to improve the exchange of information on attacks against information systems, with the support of the Commission and the European Network and Information Security Agency. The data will moreover help specialised agencies such as Europol and the European Network and Information Security Agency to better assess the extent of cybercrime and the state of network and information security in Europe. Better knowledge about present and future risks will help reach more appropriate decisions on deterring, combating or limiting the damage caused by attacks against information systems.
Amendment 38 #
Proposal for a directive Recital 12 (12) There is a need to collect data on offences under this Directive, in order to gain a more complete picture of the problem at Union level and thereby contribute to formulating more effective responses. The data will moreover help specialised agencies such as Europol and the European Network and Information Security Agency to better assess the extent of cybercrime and the state of network and information security in Europe and to support Member States in the adoption of responses to information security incidents.
Amendment 39 #
Proposal for a directive Recital 12 (12) There is a need to collect data on offences under this Directive, in order to gain a more complete picture of the problem at Union level and thereby contribute to formulating more effective responses. The data will moreover help specialised bodies and agencies such as Member States' CERTs, Europol and the European Network and Information Security Agency to better assess the extent of cybercrime and the state of network and information security in Europe.
Amendment 40 #
Proposal for a directive Recital 13 (13) Significant gaps and differences in Member States’ laws in the area of attacks against information systems may hamper the fight against organised crime and terrorism, and may complicate effective police and judicial cooperation in this area. The transnational and borderless nature of modern information systems means that attacks against such systems have a trans-border dimension, thus underlining the urgent need for further action at Union level to approximate national criminal legislation in this area. Likewise, the Union should pursue greater international cooperation in the field of network and information system security involving all relevant international actors. Besides that, the coordination of prosecution of cases of attacks against information systems should be facilitated by the adoption of Council Framework Decision 2009/948/JHA on prevention and settlement of conflict of jurisdiction in criminal proceedings.
Amendment 41 #
Proposal for a directive Article 1 – paragraph 1 This Directive defines criminal offences in the area of attacks against information systems and establishes harmonised minimum rules concerning penalties for such offences. It also aims to introduce common provisions both to prevent and combat such attacks and to improve European
Amendment 42 #
Proposal for a directive Article 2 – point d (d) "without right" means access or interference not authorised by the owner, other right holder of the system or of part of it, or not permitted under national or European legislation.
Amendment 43 #
Proposal for a directive Article 7 – point b (b) a computer password, access code, a digital or physical security token, or similar data by which the whole or any part of an information system is capable of being accessed.
Amendment 44 #
Proposal for a directive Article 8 – paragraph 1 a (new) 1a. Member States shall ensure that the unauthorised forwarding of identification data to other persons with a view to the conduct of any of the activities referred to in Articles 3 to 7 is punishable as a criminal offence.
Amendment 45 #
Proposal for a directive Article 8 – paragraph 1 b (new) 1b. Member States shall ensure that where an offence under Articles 3 to 7 is committed by a person who, within the scope of his or her employment, has access to the security systems inherent in information systems, this shall constitute an aggravating circumstance and be punishable as a criminal offence.
Amendment 46 #
Proposal for a directive Article 10 – paragraph 2 2. Member States shall take the necessary measures to ensure that the offences referred to in Articles 3 to 6 are punishable by criminal penalties of a maximum term of imprisonment of at least five years when committed through the use of a tool designed to launch attacks affecting a significant number of information systems, or attacks causing considerable damage, such as disrupted system services, financial cost or loss of personal data or sensitive information.
Amendment 47 #
Proposal for a directive Article 14 – paragraph 1 1. For the purpose of exchange of information relating to the offences referred to in Articles 3 to 8, and in accordance with data protection rules, Member States shall ensure that they have an operational national point of contact and make use of the
Amendment 48 #
Proposal for a directive Article 14 – paragraph 1 1. For the purpose of exchange of information relating to the offences referred to in Articles 3 to 8, and in accordance with data protection rules, Member States shall make use of the existing network of operational points of contact available 24 hours a day and seven days a week. Member States shall also ensure that they have procedures in place so that they can respond within a maximum of eight hours to urgent requests. Such response shall at least indicate whether and in what form the request for help will be answered and when. ENISA may undertake this role and supervise the exchange of information, functioning as a single point of contact and as the Union's cybersecurity incident registrar.
Amendment 49 #
Proposal for a directive Article 14 – paragraph 1 1. For the purpose of exchange of information relating to the offences referred to in Articles 3 to 8, and in accordance with data protection rules, Member States shall
Amendment 50 #
Proposal for a directive Article 14 – paragraph 2 2. Member States shall inform the Commission, Eurojust and the European Network and Information Security Agency of their appointed point of contact for the purpose of exchanging information on the offences referred to in Articles 3 to 8. The Commission shall forward that information to the other Member States.
Amendment 51 #
Proposal for a directive Article 14 – paragraph 2 a (new) 2a. ENISA shall play a strategic role in the coordination efforts between Member States and the Union institutions.
Amendment 52 #
Proposal for a directive Article 15 – paragraph 1 1. Member States shall ensure that a system is in place for the recording, production and provision of statistical data on the offences referred to in Articles 3 to 8. In the case of offences involving more than one Member State, ENISA may facilitate the exchange of those data among all interested parties, including EUROPOL and EUROJUST.
Amendment 53 #
Proposal for a directive Article 15 – paragraph 3 3. Member States shall transmit the data collected according to this Article to the Commission
Amendment 54 #
Proposal for a directive Article 15 – paragraph 3 3. Member States shall transmit the data collected according to this Article to the Commission and the European Network and Information Security Agency (ENISA). They shall also ensure that a consolidated review of these statistical reports is published.
Amendment 55 #
Proposal for a directive Article 18 – paragraph 2 2. Member States and the European Network and Information Security Agency shall send to the Commission all the information that is appropriate for drawing up the report referred to in paragraph 1. The information shall include a detailed description of legislative and non-legislative measures adopted in implementing this Directive.
source: PE-473.808
2012/01/27
LIBE
95 amendments...
Amendment 35 #
Proposal for a directive Recital 1 (1) The objective of this Directive is to approximate rules on criminal law in the Member States in the area of attacks against information systems, and improve cooperation between judicial and other competent authorities, including the police and other specialised law enforcement services of the Member States, the Commission, Eurojust, Europol and the European Network and Information Security Agency (ENISA), to enable a common and comprehensive EU approach.
Amendment 36 #
Proposal for a directive Recital 2 (2) Attacks against information systems, in particular as a result of the threat from organised crime, are a growing menace both in the EU and globally, and there is increasing concern about the potential for terrorist or politically motivated attacks against information systems which form part of the critical infrastructure of Member States and the Union. This constitutes a threat to the achievement of a safer information society and an area of freedom, security and justice, and therefore requires a response at the level of the European Union and improved cooperation and coordination at international level.
Amendment 37 #
Proposal for a directive Recital 2 (2) Attacks against information systems,
Amendment 38 #
Proposal for a directive Recital 3 (3) There is evidence of a tendency towards increasingly dangerous and recurrent large scale attacks conducted against information systems which are critical to states or to particular functions in the public or private sector. This tendency is accompanied by the development of increasingly sophisticated tools that can be used by criminals to launch cyber
Amendment 39 #
Proposal for a directive Recital 6 (6) Member States should provide for response and prevention mechanisms and penalties in respect of attacks against information systems. The penalties provided for should be effective, proportionate and dissuasive.
Amendment 40 #
Proposal for a directive Recital 6 (6) Member States should provide for penalties in respect of attacks against information systems. The penalties provided for should be effective, proportionate and dissuasive and could include imprisonment and/or financial penalties.
Amendment 41 #
Proposal for a directive Recital 6 (6) Member States should provide for penalties in respect of attacks against information systems. The penalties provided for should be
Amendment 42 #
Proposal for a directive Recital 6 (6) Member States should provide for
Amendment 43 #
Proposal for a directive Recital 7 a (new) (7a) There should be no mandatory requirement to impose a penalty in cases deemed to be ‘minor’. A case may be considered as ‘minor’, for example, when the damage caused by the offence, and/or the risk it carries to public or private interests, such as to the integrity of an information system or computer data, or to a person's integrity, rights and other interests, is insignificant or is of such a nature that the imposition of a criminal penalty within the legal threshold or the imposition of criminal liability is not necessary;
Amendment 44 #
Proposal for a directive Recital 7 (7) It is appropriate to provide for more severe penalties when an attack against an information system is committed by a criminal organisation, as defined in Council Framework Decision 2008/841/JHA of 24 October 2008 on the fight against organised crime, when the attack is conducted on a large scale, such as via a ‘botnet’ network, or when an offence is committed by concealing the real identity of the perpetrator and causing prejudice to the rightful identity owner. It is also appropriate to provide for more severe penalties where such an attack has caused serious damage or has affected critical infrastructure or essential interests.
Amendment 45 #
Proposal for a directive Recital 10 (10) This Directive does not intend to impose criminal liability where the offences are committed without criminal intent, such as for
Amendment 46 #
Proposal for a directive Recital 10 (10) This Directive does not
Amendment 47 #
Proposal for a directive Recital 10 (10) This Directive does not intend to impose criminal liability where the objective criteria of the crimes listed in this Directive are met but the offences are committed without criminal intent, such as for
Amendment 48 #
Proposal for a directive Recital 11 (11) This Directive strengthens the importance of networks, such as the G8 or the Council of Europe
Amendment 49 #
Proposal for a directive Recital 12 (12) There is a need to collect data on offences under this Directive, in order to gain a more complete picture of the problem at Union level and thereby contribute to formulating more effective responses. Because not all the Member States collect information concerning attacks against information systems, little is known about such attacks. Because the methods used to collect statistics differ, the Member States which do collect them cannot compare them. The data will moreover help specialised agencies such as Europol and the European Network and Information Security Agency to better assess the extent of cybercrime and the state of network and information security in Europe.
Amendment 50 #
Proposal for a directive Recital 12 a (new) (12a) It is also necessary to foster and improve cooperation between service providers, producers, law enforcement authorities and judicial authorities, while fully respecting the rule of law, especially as regards legal certainty and foreseeability, as well as the rights of suspected and accused persons such as the presumption of innocence and judicial redress. That cooperation should include, for example, providing support to service providers for shutting down, completely or partially, illegal systems or functions, in accordance with the legislation in force.
Amendment 51 #
Proposal for a directive Recital 12 a (new) (12a) In order to fight cybercrime effectively, it is also necessary to increase the resilience of information systems by protecting them more effectively against attacks and setting the right incentives for this. In this respect, the establishment of minimum standards and of liability for vendors and operators for the adequate protection of information systems should play a central role. Therefore, the Union and the Member States' fight against cybercrime will have an impact only if this Directive is accompanied by preventive measures against such offences adopted in accordance with Article 67(3) and Article 84 of the Treaty on the Functioning of the European Union.
Amendment 52 #
Proposal for a directive Recital 12 a (new) (12a) Member States should regard the protection of their information systems and the data they contain as part of their duty of care. Reasonable levels of protection should be provided against reasonably identifiable threats and areas of vulnerability. The costs and charges linked to this protection should reflect the harm which a cyber attack would cause to the persons concerned.
Amendment 53 #
Proposal for a directive Recital 12 a (new) (12a) Member States should consider the protection of their information systems and associated data as part of their respective duty of care. Appropriate levels of protection should be provided against reasonably identifiable threats. The cost and burden of such protection should be proportionate to the likely damage to those affected.
Amendment 54 #
Proposal for a directive Recital 12 b (new) (12b) The European Union and Member States should pay due regard to the protection of their information systems and associated data and provide a high level of protection against identifiable threats and vulnerabilities. The cost and burden of such protection should be proportionate to the potential damage to those affected by cyber attacks.
Amendment 55 #
Proposal for a directive Recital 12 b (new) (12b) Member States should consider the protection of their information systems and associated data. Reasonable levels of protection should be provided against reasonably identifiable threats and vulnerabilities. The cost and burden of such protection should be proportionate to the likely damage to those affected.
Amendment 56 #
Proposal for a directive Recital 12 b (new) (12b) Member States should also take appropriate steps to oblige legal persons who operate or supply information systems on their territory to protect personal data in their care against offences referred to in this Directive. Legal persons should provide reasonable levels of protection against reasonably identifiable threats and areas of vulnerability. Member States should ensure that a legal person who has failed to provide a reasonable level of protection is liable to criminal prosecution for negligence and to severe penalties if the damage suffered as a result of that failure is considerable.
Amendment 57 #
Proposal for a directive Recital 12 b (new) (12b) Member States should also take appropriate steps to oblige legal persons within their jurisdictions to protect personal data in their care from offences referred to in this Directive, as already envisaged by EU law on telecommunications and data protection. Appropriate levels of protection should be provided by legal persons against reasonably identifiable threats in accordance with the state of the art for specific sectors and the specific data processing situations. The cost and burden of such protection should be proportionate to the likely damage to those affected. Where a legal person has clearly failed to provide an appropriate level of protection, and where the damage caused as a result of such failure is considerable, Member States should ensure that it is possible to prosecute that legal person.
Amendment 58 #
Proposal for a directive Recital 12 c (new) (12c) The European Network and Information Security Agency (ENISA) should play a key role in providing the Member States and EU institutions and bodies with technical expertise in the field of preventing and combating cyber attacks, in line with its mandate. In this connection, ENISA should advise the Member States on the establishing and operation of national contact points and Computer Emergency Response Teams (CERTs). ENISA should also be forwarded statistical data by the Member States on offences under this Directive and, on the basis of this and other relevant information, should draw up reports and recommendations on the state of information system and computer data security.
Amendment 59 #
Proposal for a directive Recital 12 c (new) (12c) It is also necessary to foster and improve cooperation between service providers, producers and law-enforcement bodies, whilst fully respecting the rule of law, especially as regards legal certainty and the rights of suspects and accused persons, such as the presumption of innocence and the right to seek legal redress. It is also necessary that in a constitutional state the persons responsible for enforcing the law should respect the rule of law.
Amendment 60 #
Proposal for a directive Recital 12 c (new) (12c) Member States should also take appropriate steps to oblige legal persons within their jurisdictions who operate or provide IT systems to protect from offences referred to in this Directive. Reasonable levels of protection should be provided by legal persons against reasonably identifiable threats and vulnerabilities. Such protection should be proportionate to the likely damage to those affected. Where a legal person has clearly failed to provide a reasonable level of protection, and where the damage caused as a result of such failure is considerable, Member States should ensure that it is possible to impose deterrent sanctions and to prosecute this legal person for negligence.
Amendment 61 #
Proposal for a directive Recital 12 c (new) (12c) It is also necessary to foster and improve cooperation between service providers, producers, law enforcement bodies and judicial authorities, while fully respecting the rule of law, especially as regards legal certainty and foreseeability, as well as the rights of suspected and accused persons such as the presumption of innocence and judicial redress. This should include, for example, support by service providers in helping to preserve potential evidence, in providing elements helping to identify perpetrators and, as last resort, to shut down illegal systems or functions.
Amendment 62 #
Proposal for a directive Recital 12 d (new) (12d) Without prejudice to voluntary cooperation between legal persons, such as service providers and producers, on the one hand, and law-enforcement bodies and judicial authorities, on the other, Member States should define the cases in which the failure to act can in itself constitute criminal behaviour.
Amendment 63 #
Proposal for a directive Recital 12 d (new) (12d) It is also necessary to foster and improve cooperation between service providers, producers, law enforcement bodies and judicial authorities, while fully respecting the rule of law, especially as regards legal certainty and foreseeability, as well as the rights of suspected and accused persons such as the presumption of innocence and judicial redress.
Amendment 64 #
Proposal for a directive Recital 12 e (new) (12e) In order to fight cybercrime effectively, it is also necessary to increase the resilience of information systems by taking appropriate measures to protect them more effectively against attacks. In that connection, the introduction of minimum standards and of the principle of the criminal liability of operators and producers in respect of the appropriate protection of information systems is fundamental. For this reason, the Union's and the Member States' fight against cybercrime will be effective only if this Directive is accompanied by preventive measures to combat such offences adopted in accordance with Articles 67(3) and 84 of the Treaty on the Functioning of the European Union.
Amendment 65 #
Proposal for a directive Recital 13 (13) Significant gaps and differences in Member States’ laws in the area of attacks against information systems
Amendment 66 #
Proposal for a directive Recital 13 (13) Significant gaps and differences in Member States’ laws in the area of attacks against information systems may hamper the fight against organised crime and terrorism, and may complicate effective police and judicial cooperation in this area. The transnational and borderless nature of modern information systems means that attacks against such systems have a trans-border dimension, thus underlining the urgent need for further action to approximate criminal legislation in this area. Besides that, the coordination of prosecution of cases of attacks against information systems should be facilitated by the adoption of Council Framework Decision 2009/948/JHA on prevention and settlement of conflict of jurisdiction in criminal proceedings. There is, moreover, an urgent need to carry into effect the European Parliament declaration of 23 June 2010 on setting up a European early warning system (EWS) for paedophiles and sex offenders [1];
[1] OJ C 236 E, 12.8.2011, p. 152
Amendment 67 #
Proposal for a directive Recital 13 (13) Significant gaps and differences in Member States’ laws and criminal law procedures and systems in the area of attacks against information systems may hamper the fight against organised crime and terrorism, and may complicate effective international police and judicial cooperation in this area, since widely differing measures may be employed to combat such crimes. The transnational and borderless nature of modern information systems means that attacks against such systems have a trans-border dimension, thus underlining the urgent need for further action to approximate criminal legislation in this area. Besides that, the coordination of prosecution of cases of attacks against information systems should be facilitated by the adoption of Council Framework Decision 2009/948/JHA on prevention and settlement of conflict of jurisdiction in criminal proceedings.
Amendment 68 #
Proposal for a directive Recital 14 (14) Since the objectives of this Directive, i.e. ensuring that attacks against information systems, at least when they are perpetrated with criminal intent, are punished in all Member States by
Amendment 69 #
Proposal for a directive Recital 15 (15) Any personal data processed in the context of the implementation of this Directive should be protected in accordance with the rules laid down in the Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters with regard to those processing activities which fall within its scope and Regulation (EC) No. 45/2001 of the European Parliament and the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data. This Directive should also be consistent with Directive 95/46/EC [1] and the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of 28 January 1981; it should also take account of two recommendations of the Committee of Ministers of the Council of Europe, No R(87)15 regulating the use of personal data in the police sector and No R(95)4 on the protection of personal data in the area of telecommunication services, with particular reference to telephone services.
[1] Directive 95/46/EC of the European Parliament and of the Council of 24.10.1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, 23.11.1995, p. 31).
Amendment 70 #
Proposal for a directive Recital 16 (16) This Directive should respect
Amendment 71 #
Proposal for a directive Recital 16 a (new) (16a) This Directive is not intended to be applied by the Member States in a manner which is not consistent with Articles 2 and 3(1) and (2) of the Treaty on European Union, which lay down principles which must apply to cyberspace and the fight against cybercrime. Its application must not undermine the principle of internet neutrality.
Amendment 72 #
Proposal for a directive Article 1 This Directive defines criminal offences in the area of attacks against information systems and establishes minimum rules concerning penalties for such offences. It also aims to introduce common provisions both to prevent and combat such attacks and to improve European
Amendment 73 #
Proposal for a directive Article 1 This Directive defines criminal offences in the area of attacks against information systems and establishes minimum rules concerning penalties for such offences. It also aims to introduce common provisions to prevent such attacks and improve European criminal justice cooperation in this field. It also aims to encourage the production of ever more secure IT tools and the installation of ever more secure IT systems.
Amendment 74 #
Proposal for a directive Article 2 – point c (c) "legal person" means any entity having such status under the applicable law
Amendment 75 #
Proposal for a directive Article 2 – point c (c) ‘legal person’ means any entity having such status under the applicable law
Amendment 76 #
Proposal for a directive Article 2 – point c (c) ‘legal person’ means any entity having such status under the applicable law, except for States or other public bodies in the exercise of State authority and for public international organisations
Amendment 77 #
Proposal for a directive Article 2 – point d (d) "without right" means access, use or interference not authorised by the owner, other right holder of the system or of part of it, or not permitted under national or European legislation.
Amendment 78 #
Proposal for a directive Article 2 – point d (d)
Amendment 79 #
Proposal for a directive Article 2 – point d (d) ‘without right’ means access, use, or interference not authorised by the owner, other right holder of the system or of part of it, or not permitted under national legislation.
Amendment 80 #
Proposal for a directive Article 2 – point d (d) "without right" means access or interference not authorised by the owner, other right holder of the system or of part of it,
Amendment 81 #
Proposal for a directive Article 2 – point d a (new) (da) ‘minor case’ means a case where the offence itself is deemed to be minor, there is no pressing need to prosecute in the public interest and the consequences of the offence are negligible;
Amendment 82 #
Proposal for a directive Article 2 – point d b (new) (db) ‘interception’ means listening to, monitoring or surveillance of the content of communications and the procuring of the content of data either directly or indirectly through the use of electronic eavesdropping or tapping devices by technical means.
Amendment 83 #
Proposal for a directive Article 2 a (new) Article 2a Preventive measures 1. Member States shall in cooperation with the European Network and Information Security Agency promote good practices in relation to security of data processing and support cooperation between public and private stakeholders by facilitating information sharing, awareness raising and dialogue on network and information security, including aspects of the fight against cybercrime. 2. Member States shall ensure that in the case of a personal data breach, the data controller and the data processor notify without undue delay and, as a rule, not later than 24 hours after the personal data breach has been established, the personal data breach to the competent national authority in line with Article 4 of Directive 2002/58/EC as amended by Directives 2006/24/EC and 2009/136/EC (e-privacy Directive). 3. Member States shall take the necessary measures to protect critical infrastructure from cyber attacks and provide for means to hermetically cut off access to a critical infrastructure in case a direct cyber attack severely threatens its proper functioning.
Amendment 84 #
Proposal for a directive Article 3 Member States shall take the necessary measures to ensure that the intentional access without right
Amendment 85 #
Proposal for a directive Article 3 Member States shall take the necessary measures to ensure that the intentional access without right to the whole or any part of an information system is punishable as a criminal offence, at least for cases which
Amendment 86 #
Proposal for a directive Article 3 Member States shall take the necessary measures to ensure that the intentional access without right -meaning entering to the whole or any part of an information system- is punishable as a criminal offence, at least for cases which are not minor. The conduct referred to in paragraph 1 shall be incriminated only where the offence is committed by infringing a security measure and provided that the operator or vendor of the system is not fully informed of the vulnerability in a timely manner.
Amendment 87 #
Proposal for a directive Article 3 Member States shall take the necessary measures to ensure that the intentional access
Amendment 88 #
Proposal for a directive Article 4 Member States shall take the necessary measures to ensure that the intentional serious hindering or interruption of the functioning of an information system by inputting, transmitting, damaging, deleting, deteriorating, altering, suppressing or rendering inaccessible computer data is punishable as a criminal offence when committed without right, at least for cases which
Amendment 89 #
Proposal for a directive Article 5 Member States shall take the necessary measures to ensure that the intentional deletion, damaging, deterioration, alteration, suppression or rendering inaccessible of computer data on an information system is punishable as a criminal offence when committed without right, at least for cases which
Amendment 90 #
Proposal for a directive Article 6 Member States shall take the necessary measures to ensure that the intentional interception by technical means, of non-public transmissions of computer data to, from or within a information system, including electromagnetic emissions from an information system carrying such computer data, is punishable as a criminal offence when committed without right, at least in cases which are not minor. Interception may also involve recording. Data transmissions comprise the period taken to transfer the data, by cable or by wireless, between the time it is transmitted by the sender and the time it reaches the recipient. Technical means include technical devices fixed to transmission lines as well as devices to collect and record wireless communications, including the use of software, passwords and codes.
Amendment 91 #
Proposal for a directive Article 6 In accordance with Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms and with the Charter of Fundamental Rights, Member States shall take the necessary measures to ensure that the
Amendment 92 #
Proposal for a directive Article 6 – paragraph 1 Member States shall take the necessary measures to ensure that the intentional interception by technical means, of non-public transmissions of computer data to, from or within a information system, including electromagnetic emissions from an information system carrying such computer data, is punishable as a criminal offence when committed without right, at least for cases which are not minor.
Amendment 93 #
Proposal for a directive Article 7 – introductory part
Amendment 94 #
Proposal for a directive Article 7 – point a (a) device, including a computer program but excluding a computer itself, designed or adapted primarily for the purpose of committing any of the offences referred to in Articles 3 to 6;
Amendment 95 #
Proposal for a directive Article 7 – point b
Amendment 96 #
Proposal for a directive Article 8
Amendment 97 #
Proposal for a directive Article 8 – paragraph 1
Amendment 98 #
Proposal for a directive Article 8 a (new) Article 8a Manufacturers’ liability Member States shall take the measures required to ensure that manufacturers are held criminally liable in connection with the production, placing on the market, marketing, operation and non-compliance with security standards of products and systems which are defective or which have proven security problems, thus making cyber attacks or data loss more likely.
Amendment 99 #
Proposal for a directive Article 9 – paragraph 1 1. Member States shall take the necessary measures to ensure that the offences referred to in Articles 3 to 8 are punishable by effective, proportional and dissuasive criminal penalties, including the imposition of adequate fines.
Amendment 100 #
Proposal for a directive Article 9 – paragraph 1 1. Member States shall take the necessary measures to ensure that the offences referred to in Articles 3 to 8 are punishable by
Amendment 101 #
Proposal for a directive Article 9 – paragraph 1 1. Member States shall take the necessary measures to ensure that the offences referred to in Articles 3 to
Amendment 102 #
Proposal for a directive Article 9 – paragraph 2 2. Member States shall take the necessary measures to ensure that the offences referred to in Articles 3 to 7 are punishable by criminal penalties of a maximum term of imprisonment of at least two years including the imposition of an adequate fine.
Amendment 103 #
Proposal for a directive Article 9 – paragraph 2 2. Member States shall take the necessary measures to ensure that the offences referred to in Articles 3 to 7 are punishable by criminal penalties of a maximum term of imprisonment of
Amendment 104 #
Proposal for a directive Article 9 – paragraph 2 2. Member States shall take the necessary measures to ensure that the offences referred to in Articles 3 to 7 are punishable by criminal penalties of a maximum term of imprisonment of at least
Amendment 105 #
Proposal for a directive Article 10
Amendment 106 #
Proposal for a directive Article 10 – paragraph 1 1. Member States shall take the necessary measures to ensure that the offences referred to in Articles 3 to 7 are punishable by criminal penalties of a maximum term of imprisonment of
Amendment 107 #
Proposal for a directive Article 10 – paragraph 1 1. Member States shall take the necessary measures to ensure that the offences referred to in Articles 3 to 7 are punishable by criminal penalties of a maximum term of imprisonment of at least between two and five years when committed within the framework of a criminal organization as defined in Framework Decision 2008/841/JHA.
Amendment 108 #
Proposal for a directive Article 10 – paragraph 2 2. Member States shall take the necessary measures to ensure that the offences referred to in Articles 3 to 6 are punishable by criminal penalties of a maximum term of imprisonment of at least five years when committed through the use of a tool designed to launch attacks affecting a significant number of information systems, or attacks causing considerable damage, such as disrupted system services, financial cost or loss of personal data or sensitive information, or affecting critical infrastructure information systems.
Amendment 109 #
Proposal for a directive Article 10 – paragraph 2 2. Member States shall take the necessary measures to ensure that the offences referred to in Articles 3 to 6 are punishable by criminal penalties of a maximum term of imprisonment of
Amendment 110 #
Proposal for a directive Article 10 – paragraph 2 2. Member States shall take the necessary measures to ensure that the offences referred to in Articles 3 to 6 are punishable by criminal penalties of a maximum term of imprisonment of at least between two and five years when committed through the use of a tool designed to launch attacks affecting a significant number of information systems, or attacks causing considerable damage, such as disrupted system services, financial cost or loss of personal data.
Amendment 111 #
Proposal for a directive Article 10 – paragraph 3
Amendment 112 #
Proposal for a directive Article 10 – paragraph 3
Amendment 113 #
Proposal for a directive Article 10 – paragraph 3 a (new) 3a. Member States shall ensure that the penalties referred to Article 9 will not apply to offences referred to in Articles 3 to 7 when the offences are clearly not committed for criminal intent, such as during the testing or the immediate protection of information systems, or if the operator or vendor of the system is fully informed of the vulnerability in a timely manner.
Amendment 114 #
Proposal for a directive Article 10 – paragraph 3 b (new) 3b. Member States shall consider the protection of their information systems and associated data. Reasonable levels of protection should be provided against reasonably identifiable levels of threats and vulnerabilities, with the protection proportionate to the probable damage to the parties concerned.
Amendment 115 #
Proposal for a directive Article 10 – paragraph 3 c (new) 3c. Member States shall take appropriate steps to oblige legal persons under their jurisdictions to protect information systems from offences detailed in Articles 3 to 7. Reasonable levels of protection should be provided against reasonably identifiable levels of threats and vulnerabilities, with the protection proportionate to the probable damage to the parties concerned.
Amendment 116 #
Proposal for a directive Article 10 – paragraph 3 d (new) 3d. Where legal persons are considered to have failed to provide a reasonable level of protection as detailed in paragraph 3b and 3c against offenses detailed in Articles 3 to 7, and where these offenses are considered to have been carried out with clear criminal intent, then these offenses will be considered to have been carried out under alleviating circumstances when applying criminal penalties.
Amendment 117 #
Proposal for a directive Article 10 – paragraph 3 e (new) 3e. Where legal persons have clearly failed to provide a reasonable level of protection and in cases where the damage caused as a result of this failure is considerable, then Member States shall ensure that is possible to impose deterrent sanctions and to prosecute this legal person for negligence.
Amendment 118 #
Proposal for a directive Article 10 a (new) Article 10a Extenuating circumstances 1. Member States shall ensure that the penalties referred to in Article 9 will not apply to offences referred to in Articles 3 to 7 when the offences are clearly not committed for criminal intent, such as during the mandated testing or the immediate protection of information systems. 2. Member States shall consider the protection of their information systems and associated data as part of their respective duty of care. Reasonable levels of protection should be provided against reasonably identifiable levels of threats. 3. Member States shall take the necessary measures to oblige data controllers and data processors within their jurisdiction to protect data from offences referred to in Articles 3 to 6 and to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected, having regard to the state of the art and the costs of their implementation. 4. Where a data controller or a data processor is considered to have failed to provide a reasonable level of protection against offences referred to in Articles 3 to 6, these offences shall be considered to have been carried out under alleviating circumstances when applying criminal penalties. 5. Where a data controller or a data processor has clearly failed to provide a reasonable level of protection and consequently damage is caused, Member States shall ensure that it is possible to prosecute this data controller or data processor.
Amendment 119 #
Proposal for a directive Article 12 – paragraph 1 – introductory part 1. Member States shall take the necessary measures to ensure that a legal person held liable pursuant to Article 11(1) is punishable by
Amendment 120 #
Proposal for a directive Article 12 – paragraph 1 – point a (a) temporary or permanent exclusion from entitlement to public benefits or aid;
Amendment 121 #
Proposal for a directive Article 12 – paragraph 2 2. Member States shall take the necessary measures to ensure that a legal person held liable pursuant to Article 11(2) is punishable by
Amendment 122 #
Proposal for a directive Article 13 – paragraph 1 – point b (b) by one of their nationals
Amendment 123 #
Proposal for a directive Article 14 – paragraph 1 1. For the purpose of exchange of information relating to the offences referred to in Articles 3 to 8, and in accordance with data protection rules, Member States shall ensure that they have an operational national point of contact and make use of the
Amendment 124 #
Proposal for a directive Article 14 – paragraph 1 1. For the purpose of exchange of information relating to the offences referred to in Articles 3 to 8, and in accordance with data protection rules, Member States shall make use of operational national points of contact and the existing network of operational points of contact available 24 hours a day and seven days a week. Member States shall also ensure that they have procedures in place so that they can respond within a maximum of eight hours to urgent requests. Such response shall at least indicate whether and in what form the request for help will be answered and when.
Amendment 125 #
Proposal for a directive Article 14 – paragraph 2 2. Member States shall inform the Commission, Europol, Eurojust and the European Network and Information Security Agency (ENISA) of their appointed point of contact for the purpose of exchanging information on the offences referred to in Articles 3 to 8. The Commission shall forward that information to the other Member States.
Amendment 126 #
Proposal for a directive Article 15 – paragraph 1 1. Member States shall ensure th
Amendment 127 #
Proposal for a directive Article 15 a (new) Article 15a Training 1. Member States shall encourage the organisation and contribute to the funding of training courses for members of the public so that the latter are aware of the possibility of attacks intended to undermine the freedom and security of cyberspace and are able to protect themselves against such attacks. 2. Member States shall incorporate into their school curricula lessons which teach pupils about IT tools, the dangers they pose and how to protect themselves.
Amendment 128 #
Proposal for a directive Article 15 b (new) Article 15b Conformity with levels of security 1. Member States shall lay down in their national law criteria regarding the conformity of all IT tools with minimum levels of security. 2. No more than two years after the adoption of this Directive, the Commission shall submit a proposal for a directive which lays down minimum security criteria for all IT tools sold on the internal market.
source: PE-480.665
History
(these mark the time of scraping, not the official date of the change)
| activities/6/date | changed | Old: 2013-06-11 | New: 2013-07-01 |


