EUR-Lex Access to European Union law

Back to EUR-Lex homepage

This document is an excerpt from the EUR-Lex website

Attacks against information systems

Attacks against information systems

The EU cybercrime directive aims to fight cybercrime and promote information security through stronger national laws, more severe criminal penalties and greater cooperation between relevant authorities.


Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on attacks against information systems and replacing Council Framework Decision 2005/222/JHA.


This directive introduces new rules harmonising criminalisation and penalties for a number of offences directed against information systems. These rules include outlawing the use of so-called botnets -- malicious software designed to take remote control of a network of computers. It also calls for EU countries to use the same contact points used by the Council of Europe and the G8 to react rapidly to threats involving advanced technology.

The main types of criminal offences covered by this directive are attacks against information systems, ranging from denial of service attacks designed to bring down a server to interception of data and botnet attacks.

Cybercrime needs to be combated effectively, not only when it is within a given Member State but also when it is across Member States. This requires:

  • ensuring that the same offences are criminalised in all Member States;
  • giving law enforcement authorities the means to act and to cooperate with one another.

To this end, the present directive requires the approximation of criminal law systems between EU countries and the enhancement of cooperation between judicial authorities concerning:

  • illegal access to information systems
  • illegal system interference
  • illegal data interference
  • illegal interception.

In all cases, the criminal act must be committed intentionally.

Instigating, aiding, abetting and attempting to commit any of the above offences will also be liable to punishment.

The Member States will have to make provision for such offences to be punished by effective, proportionate and dissuasive criminal penalties.

Where an offence is committed in the context of a criminal organisation within the meaning of this directive, and causes substantial loss or affects essential interests, this will be considered an aggravating circumstance. The same applies if an offence is committed using another person's identity and causes harm to this person.

The directive also introduces the liability of 'legal persons' and sets out sanctions that may apply if they are found liable.

Each EU country will assume jurisdiction at minimum for offences committed on its territory or by one of its nationals outside its territory. Where several countries have jurisdiction over an offence, they must cooperate to decide which one will conduct proceedings against the author of said offence.

Improved cooperation

To fight cybercrime better, the directive calls for greater international cooperation between judicial and law enforcement authorities.

To this end, EU countries must:

  • have an operational national point of contact,
  • use the existing network of 24/7 contact points ,
  • respond to urgent requests for help within 8 hours to indicate whether and when a response may be provided,
  • collect statistical data on cybercrime.

This directive builds on and replaces the EU Council Framework Decision 2005/222/JHA on attacks against information systems. It also builds on the Council of Europe Cybercrime Convention of 2001, which serves as a model for national and regional legislation on cybercrime and creates a common basis for cooperation within and beyond the EU.



Entry into force

Deadline for transposition in the Member States

Official Journal

Directive 2013/40/EU



OJ L 218 of 14.8.2013


Council Framework Decision 2005/222/JHA of 24 February 2005 on attacks against information systems.

Council of Europe Convention on cybercrime

last update 02.04.2014