An Analysis of Directive 2013/40/EU – attacks against information systems

Amy Beales 

Student of the University of Groningen, the Netherlands

Developments in information technology have unfortunately brought with them new crimes, cybercrimes, and therefore the need to create sanctions for them. Cybercrimes are borderless criminal acts, which are committed online by using electronic communications networks and information systems.[1] The internet is used as a platform for many day-to-day activities such as the exchange of information, money, social communication and research. The frequency of use and popularity of the internet means that there are increased risks when using it – there is always someone who could intervene in your activities and cause harm.

The European Union (EU) has been making moves towards protecting people involved in the electronic sphere since 2001 with the Framework Decision on Combating Fraud and Counterfeiting of Non-Cash Means of Payment.[2] This initiative was considered to be successful in achieving its objectives and was signed and ratified by non-Member States such as the USA, Canada and Japan,[3] which shows just how important the level of protection afforded to combating these issues was at the time. It meant that legislation was finally allocated to a growing issue and countries were forced to come to terms with the problems that ignorance may cause.

The Decision was soon followed by the ePrivacy Directive in 2002,[4] which provided for the obligation of providers of electronic communications services to ensure the security of their services and maintain the confidentiality of client information; and the 2011 Directive on the Combating of Sexual Exploitation of Children Online and Adult Pornography,[5] which better addressed developments in the online environment, such as grooming. The newest Directive is the one which shall be the focus of this essay – the 2013 Directive on Attacks against Information Systems[6] (hereafter the Directive); this directive has the purpose of tackling large-scale cyber attacks by requiring that Member States strengthen their national cyber crime laws and introduce tougher criminal sanctions for breaches. This essay will assess the merits and drawbacks that come with the new Directive, the increase in the minimum penalties, as well as new malware advancements such as DDoS (Distributed Denial of Service) attacks and botnets.

Directive to replace Framework Decision
The Directive was first proposed in 2010 with the idea of it replacing the EU Council Framework Decision 2005/222/JHA,[7] which criminalised a number of acts relating to attacks against information systems. As already discussed, the fast-paced nature of the development of information technology systems meant that the change from a decision to a directive was essential. It is important to note here the differences between a decision and a directive: a decision refers to an issued statement which is binding only on those to whom it is addressed and is directly applicable; a directive, on the other hand, is a legislative act which sets out a goal that all EU countries must achieve – how this is done is up to the individual countries.

The move from one to the other in this case was based on Article 83(1)(a)[8] of the Treaty on the Functioning of the European Union (TFEU), which states that the European Parliament and Council may establish minimum rules concerning the definition of criminal offences and sanctions in the areas of particularly serious crime with a cross-border dimension when there is a need to combat them on a common basis. The Directive retains numerous provisions of the Framework Directive, as well as stating various offences relating to illegal access to information systems and interference with these systems and their data. However, the way the Directive builds upon the Framework Decision was greatly welcomed, and it saw the introduction of the outlawing of ‘botnets’ and malicious software.

Botnets are networks of computers which are infected with malicious software and controlled as a group without the owners’ knowledge, usually to send spam email messages, spread viruses, attack computers and servers, and commit other kinds of crime and fraud.[9] The Directive also mentions the illegality of the use of passwords obtained through unsavoury means.[10] The move towards the notion of a directive to cover this issue was important to create harmony between the Member States by binding them to implement legislation in their own national legal order, which would increase cooperation and the likelihood of criminals being caught and punished for their crimes. This notion, as well as what exactly a directive entails, will be discussed later in the essay.

Penalties and Sanctions
Prior to the Directive, it was generally left to the discretion of the Member States to decide how to sanction cyber crimes and any crime to do with the information technology sphere. However, the Directive is working to tackle this to make it more uniform. As well as the introduction of new offences, stricter penalties are introduced in the Directive. Penalties are to include a minimum sentence of two years for any attempt at a breach of an information system. Attacks by organised criminal groups and those which cause significant damage or affect key infrastructure networks (like power plants, government institutions or transportation networks) can have even tougher sanctions of a minimum of five years’ imprisonment. The use of botnets also has a minimum sentence of three years if their use results in financial cost or loss of personal data.[11]

We can also see penalties such as the exclusion from entitlement to public benefits and aid; temporary or permanent disqualification from the practice of commercial activities; placing under judicial supervision; judicial winding-up; temporary or permanent closure of establishments which have been used for committing the offence, as well as many others. The purpose of these penalties is to make them effective, proportionate and dissuasive to those who intentionally and illegally access information systems, launch illegal system interference or launch illegal data interference. This means that those who commit cyber crimes will not go unpunished and, with one common set of rules, people will not be able to hide behind the national laws of their country, which was previously easy to do because of the transnational character of cybercrime (i.e. crimes that occur in one country, but have an effect on another, or many others). The Directive also introduces the possibility of serving punishment on companies who breach obligations of supervision or control which allow a person under their authority to commit any offence listed in the Directive.[12]

EU Law
The Directive on attacks against information systems was addressed to all 28 Member States and so all will have to take measures in order to implement the goals of the Directive within the national system. The aim of applying a directive in this manner is to increase the level of cooperation between the Member States and to bring national laws into line with each other, thus creating a united front in matters of conflict. At the moment, Denmark will not be bound by the Directive as they have neither signed nor ratified it, but the UK and Ireland, as well as the rest of the Member States, have decided to apply it; Member States have to take all necessary action to comply with the Directive by 4th September 2015.

The Directive shall enter into force twenty days after its publication in the Official Journal of the European Union.[14] Two years later, by 4th September 2017, a report will be submitted to the European Parliament and the Council. It will assess what steps have been taken by the Member States in order to comply with the Directive and possible further legislation needed to make it more effective. At this stage, the Commission will also take into account further technical and legal developments in the field of cybercrime within the scope of the Directive.[15]

Similarities and Advancements
The Directive is similar to the Framework Decision in many ways and therefore does not require Member States to change a great deal of their existing legislation. The definition of cyber crime has remained the same, as well as rules governing liability of legal persons and jurisdiction. However, some of the additions of the Directive may prove slightly more difficult for Member States to initially identify, impose or maintain; the mention of botnets, identity theft and the need to respond urgently to requests from other Member States are but a few. There are discrepancies as to a few of the definitions of terms used – for example exactly how many systems are required to create a botnet – the Directive mentions a ‘significant number’[16] of computers, but of course this is ambiguous and notions of this definition would differ from person to person. There is also the question of what exactly constitutes prejudice to identity owners.[17]

All these ambiguous definitions will be ironed out over time, but they are likely to cause some complications and misunderstandings within the first stages of implementation. The question of being able to respond to ‘urgent’ requests from other Member States within eight hours is also likely to cause a few problems and complications; however, these again should become a little clearer and easier as time goes on. With this there is the issue of what exactly is ‘urgent’, on which it is presumed that Member States will use their discretion, and also the fact that legal proceedings take a long time and eight hours may not be long enough to collect the relevant data needed to answer the question at hand.

Although it is undisputed that Member States should respond within a reasonable time frame, eight hours seems a little unrealistic if the information gathered is to be a reliable and viable source. Given that many countries have already criminalised many of the offences mentioned in the Directive, the implementation of the Directive in all Member States will ensure cooperation between national authorities and also hopefully make fighting cybercrime easier and more effective. The idea is to bring Member States in line with each other and hopefully change the situation as it presently stands – there are presently countries who have signed the EU Convention on Cybercrime but still have not ratified it. With the internet playing such a predominant role in society, it is important that it is one of the top priorities in Europe.

Botnets and DDoS
As the Directive mainly focuses on botnets and the malicious attacks associated with them, it also seems appropriate to mention DDoS attacks. As already mentioned, a botnet is a group of internet-connected computers that have been maliciously infiltrated without the knowledge of their owners. The most common reason for these takeovers is DDoS attacks, which are a subcategory of DoS (Denial of Service) attacks. The distributed form of the attack occurs when computers in different locations are used to attack a particular victim or server; the attacks are an attempt to make a server or a network unavailable to its users by temporarily interrupting or suspending services of the host,[18] usually through overwhelming it with traffic from multiple sources[19] which consumes its resources, forcing target computers to reset or obstructing the communication media between the intended users and the victim so they can no longer adequately communicate, rendering it unusable.[20] The consequence of the server being unusable is loss of money and status for the organisation or website which is being attacked. When used in conjunction with botnets, the individual controls the botnets remotely to allow for maximum protection and to target the maximum number of computers or most effectively attack a specific target.[21]

In simple terms, DDoS attacks crash services, flood services, or both. It is also possible for DDoS attacks or botnets to be traded on the black market – a week-long DDoS attack, capable of making a small company go offline, can cost as little as 100 Euros.[22] Systems may also be compromised by a trojan (malware programme which carries out actions determined by the malware causing loss/theft of data and system harm[23]) or hackers can break into systems using automatic tools. There are many different ways to hack into computer systems and cause damage to these platforms, which were intended for a good purpose. As attackers get more knowledgeable about the ways around protection services and firewalls, the next logical step is, of course, legal protection. There have been many cases in recent times where these advances can be demonstrated.

Case Law
If we look at case law, the protection of people on the internet has been long awaited and is essential if the internet is to develop further. In 2005, Jeanson James Ancheta became the first person to be charged for controlling large numbers of hijacked computers (botnets). Although this is an American case, because of their involvement in the ratification of the Framework Directive, it is relevant to our understanding. A similar event occurred in 2009, where a Mr Schiefer was sentenced to 48 months in prison after he used botnets to steal the identities of thousands of people and to wiretap computers. While both of these are US cases, there is also relevant case law in Europe which backs up the need for a stricter stance on cyber crime.

July 2012 saw the shutdown of the Grum botnet, which was responsible for 18 billion emails every day and 17.4% of global spam traffic. February 2013 saw Microsoft and Symantec put an end to the Bamital botnet, which redirected computer users to a website where its operators would cash in on the traffic and online advertising network, and which netted an estimated £640,000 while in operation.[24]

In December 2013, Greek police arrested two individuals who were connected with the spam botnet “Lecpetex”, which used Facebook to target as many as 250,000 computers and use them to mine a Bitcoin-like currency called Litecoin.[25] The malware affected users in the UK, Europe and North and South America. This was the biggest case ever handled by the Greek Cyber Crime Unit at the time, according to the Greek news site the “Greek Reporter”. A very prevalent case is that of Matjaz Skorjanc, who was arrested in Slovenia in 2010 after it was found he introduced the malware “Mariposa”, which hijacked 12.7 million computers from over 190 countries.[26] He received a 58 month prison sentence and was ordered to pay a 4000 Euro fine, as well as forfeiting his home and car, which it was alleged he bought with the money received from the event. It should also be noted that many cases of cybercrime go unreported, especially when the victims have a reputation to uphold; this could include banks, as reporting such things may result in even greater reputational damage. Therefore, although there is a large amount of case law on these subjects, it is likely that these are only a fraction of the real number of cases which occur.

Identity Theft
Although not covered as extensively as botnets, identity theft is still a problem in the cyber sphere, and with the crime rate for this increasing it is important to demonstrate a united legislative front by way of implementation of the Directive. According to article 9(5) of the Directive, Member States are required to ‘take the necessary measures to ensure that when [..illegal system access or interference..] is committed by misusing the personal data of another person, with the aim of gaining the trust of a third party, thereby causing prejudice to the rightful identity owner… may be regarded as aggravated circumstances unless those circumstances are already covered by another offence, punishable under national law.’[27]

In other words – identity theft: the misuse of personal data to gain the trust of a third party, and prejudice to the rightful identity owner. Prior to the Directive, many countries did not have existing legislation specifically tailored towards identity theft, and such acts were left to fall under general criminal laws such as fraud prevention legislation. With identity theft, as with many criminal acts, there is an intention to cause some kind of harm and therefore it was considered that it should be given a clearer distinction for criminalisation.

Big Brother State?
From the above, we can see that there are many important decisions made by the courts which show how important it is to have case law and legislation to protect users of the internet. Case after case can be found on the use of botnets and the damage they cause to individuals and companies alike. However, some may argue that the protection on the internet is too much and may actually infringe rights of users in an attempt to keep them out of harm’s way. The recent case of Edward Snowden brings to light the fact that it is not just civilians who are accessing computer information of unsuspecting members of the public; it is also done on a regular basis by government officials. The US, UK, Sweden, France and Germany all have the means to tap into the main internet cables of their country and collect all the traffic which occurs at any given time – this is done by lawful interception facilities and standardised interfaces.[28]

Although considered lawful, it has raised questions as to the ethics of security and surveillance technologies, and how far the Directive has gone in order to protect citizens. The new Directive allows those party to it to use their discretion and take “necessary action to ensure” various things such as the protection of the nation and its people. The problem itself lies not with the Directive, as this explicitly states that it is not for ‘minor’ acts, but more for large-scale problems – however, the definition of minor acts itself is open to interpretation by each government, making it a bit arbitrary and open to abuse.

The problem is the amount of power that the government possesses and the possibility of the abuse of that power. Having access to the central servers and databases of the internet, and the ability to tap computers, could potentially lead to the abuse of this to obtain information or statistics that would not otherwise be readily given up. The monitoring of internet use is one step closer towards total surveillance and the feared ‘big brother’ or ‘nanny’ state and the removal of basic protection against misuse of information.[29] It has already been reported that a number of countries, including the US and UK, are already monitoring e-mails (looking out for key ‘trigger’ words, friends of suspects or those from unsavoury backgrounds) and data traffic from many unsuspecting civilians’ computers, but the Directive affords a little more discretion and flexibility to countries, causing an arguable expansion in their already seemingly unregulated power. The states often argue that pre-emptive surveillance is there for protection but in fact it infringes the right of the people to have the government not interfere in family and private life.

Increased Co-operation
The effect of the EU Directive worldwide should also be considered. As previously discussed, the Directive hopes to make it so perpetrators of these kinds of cybercrimes cannot use the national laws of less developed Member States to avoid prosecution. However, many people who are responsible for attacks in recent times reside outside of the EU, and so the Directive will have little or no effect on their activities. This then becomes an issue of international law and jurisdiction, which makes it more complex to arrest and sanction those responsible. If a criminal hides in a country which is not a Member State, it becomes a question of whether that country will allow EU officials to detain and question the suspect – something which is unlikely to occur.

This can be seen in the example of the previously mentioned Edward Snowden case: Snowden sought refuge in Russia, a non-Member State, which did not give permission for European officials to enter the territory to arrest him. Of course there may also be questions of jurisdiction between Member States – as it stands, each Member State has jurisdiction for offences committed on its territory or by one of its nationals. Where several Member States have jurisdictional rights over the same matter, cooperation is essential in deciding which State will conduct proceedings[30] against the perpetrator.

The Directive emphasises the importance of the exchange of information. With regard to the exchange of information, obligations remain the same in the Directive, but a response time is added: eight hours to reply to urgent requests from other Member States. There are some reservations held about this time limit, though: although eight hours may be feasible for a reply, this reply would be unlikely to be substantive or useful because of lack of time for proper investigations and compilations of information.[31] With many different task delegations afforded to cybercrime and information technology, eight hours would more likely result in fragmented bits of incomplete information – a more realistic time frame would be around twenty-four hours, according to most Member States.[32]

To conclude, the new Directive is set to replace the existing Framework Decision of 2005. It has come at an appropriate time as, although the Framework Decision is not old, rapid advancement in the area of information technology means that the legislation must also match this rapid development. Recent times have seen the increasing problems which are caused by malware such as botnets and large scale cyber attacks which threaten to cripple key information infrastructures of many countries, possibly at the same time. The unity that the Directive hopes to create will mean a more rapid response time and a greater level of compliance and cooperation between Member States who have signed and ratified the agreement. By 4th September 2015 the new Directive will be implemented in the national systems of all Member States (with the exception of Denmark), but it is inevitable that new provisions will be needed by this time already. 

The review in 2017 will act as a forum to propose new developments in the legislation and it will hopefully be the case that advances will keep up to date with the problems posed by technology and malicious software. The law will realistically always struggle to keep up with those who abuse the freedom granted by the internet, but as long as legislation acts as some form of deterrent by imposing tough sanctions on those who do take advantage, then it can be considered a success. 

The introduction of Directive 2013/40/EU is a positive thing that will increase safety and security on the internet, both for the individual and nations as a whole. It seems that the main aim of this Directive, as with any directive, is unanimity between the Member States. This can be seen through all Member States being addressees (and thus must implement the directive within their national legal order), the tougher, uniform penalties imposed for such offences, and the overall cohesion it hopes to create between the Members. This Directive is another step towards uniform laws throughout Europe due to the globalised nature of modern society.

[1] European Commission, ‘Cybercrime’ (Europa 2014) accessed 15th November 2014
[2] Council Framework Decision (EC) e.g. 961/2010 combating fraud and counterfeiting of non-cash means of payment [2001] OJ L149/2001
[3] Hans Graux, ‘New Directive on Attacks against Information Systems’ (Time Lex 2013) accessed 15th November 2014
[4] European Directive (EC) 2009/136/EC amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No  2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws [2009] OJ L337/11
[5] European Directive (EC) 2011/92/EU on combating the sexual abuse and sexual exploitation of children and child pornography, and replacing Council Framework Decision 2004/68/JHA [2011] OJ L335/1
[6] European Directive (EC) 2013/40/EU on attacks against information systems and replacing Council Framework Decision 2005/222/JHA [2013] OJ L218/8
[7] Council Framework Decision (EC) 2005/222/JHA on attacks against information systems [2005] OJ L69/67
[8] e.g. Council Regulation (EC) 2012 Consolidated versions of the Treaty on European Union and the Treaty on the Functioning of the European Union [2012] Art 83(1)(a) OJ C 326/01
[9] Microsoft, ‘What is a Botnet?’ (Microsoft e.g. 2005) accessed 15th November 2014
[10] Mark Turner, Nick Pantlin, Loretta Pugh and Christine Young, ‘EU Cyber Crime Directive takes a tougher stance against attacks on information systems’ (Lexology 2013) accessed 15th November 2014
[11] Brid-Aine Parnell, ‘EU crackdown will see tougher sentences for stupid cyber-badhats’ (The Register 2013) accessed 15th November 2014
[12] Ibid. 11
[13] European Commission, ‘Directives – Definition’ (Europa 2012) accessed 15th November 2014
[14] Ibid. 6. Article 18.
[15] Ibid. 6. Article 17
[16] Ibid. 6 Preamble 5
[17] Ibid. 6 Article 9(5)
[18] ‘Botnet DDoS Attacks’ (Incapsula ) accessed 15th November 2014
[19] ‘What is a DDoS Attack?’ (Digital Attack Map 2013) accessed 15th November 2014
[21] Ibid. 19
[22] Ibid. 17
[24] Katie Collins, ‘European Union agrees tougher jail sentences for cybercriminals’ (Wired 2013) accessed 15th November 2014
[25] Matthew Sparkes, ‘Arrests as Facebook spam botnet is shut down’ (Telegraph 2014) accessed 15th November 2014
[26] ‘Mariposa botnet ‘mastermind’ jailed in Slovenia’ (BBC News 2013) accessed 15th November 2014
[27] Ibid. 6. Article 9(5)
[28] Cf. the secret room 641A at the AT&T switching facility in San Francisco, see ‘Whistle-Blower’s Evidence, Uncut’, Wired, 22.5.2006; the GCHQ Tempora programme, see ‘GCHQ taps fibre-optic cables for secret access to world’s communications’, The Guardian, 21.6.2013; the German Telecommunications Surveillance Regulation of 2005. The European Telecommunications Standards Institute (ETSI) has a “Lawful Interception Seminar” responsible for defining such standards.

[30] ‘Attacks against information systems’ (Europa 2008) accessed 15th November 2014
[31] European Union Agency for Network and Information Security ‘The Directive on Attacks Against Information Systems’ Version 1.5, 2013
[32] Ibid. 31.