Council adopts decision on attacks against information systems
On 24 February 2005 the JHA Council finally adopted the framework decision on attacks against information systems. The decision harmonises legislation in the EU for any offence committed against a computer infrastructure with the intention of destroying, modifying or altering the information stored on computers or networks of computers. The two key definitions in the decision are illegal access to information systems and illegal interference with the system. In both cases, intent has to be proven, to rule out gross negligence or recklessness. The decision covers not only offences affecting the Member States but also offences committed in their territory against systems located in the territory of third countries.
The decision was debated for the first time in 1999, initiated by the European Commission in 2001 and sent to the European Parliament for advice in the spring of 2002. In October 2002 the EP gave its recommendations and on 28 February 2003 the ministers of Justice had reached an agreement. It is unclear why it took the Council 2 years to actually adopt the proposal. At the time, parliamentary scrutiny reservations were made by the Irish, French, Swedish, Danish and Netherlands delegations. Civil society raised many objections to the proposal, most notably the broad scope of illegal access and the fact there is no exemption for security experts to test the security of systems.
Andy Mueller from the German user-group CCC commented to the e-zine Heise: “Systems are not made secure by introducing prison sentences for hackers, but by eliminating technical weaknesses.”
The JHA Council adopted the proposal as an A-item. Member States have two years to implement the decision in their national legislation.
Framework decision on attacks against information systems (adopted 24.02.2005)
PRELEX overview of the chronology of the decision making process
EDRI-gram: Agreement on cyber-attacks harms freedom of expression (12.03.2003)