Attacks Against Information Systems Directive

Attacks Against Informations Systems Directive (aka EU Cyber-crime directive) 2013/40/EU ("Judicial cooperation in criminal matters: combating attacks against information systems" 2010/0273/COD) The UK government has opted into this directive and will be amending the Computer Misuse Act 1990.

The European Parliament adopted the draft directive on 4 July 2013, voting 541 to 91 with nine abstentions on the proposal by the European Commission.


As a Directive, rather than a Regulation, member states are not bound to specific activities and specific policies. All member states have to do is arrive at the purpose of the Directive, rather than follow the same procedures on how to do it. For this Directive, the purpose is to create "effective, proportionate and dissuasive criminal penalties" against those who intentionally illegally access information systems, launch illegal system interference or launch illegal data interference.


This Directive has not come completely out of the blue. It is consistent with the decision from the 2005 EU Framework on the issue and thus replaces Framework Decision 2005/222/JHA. It is also similar in intention to a current cyber-crime convention currently being ratified within the Council of Europe, of which Britain is a member.


Though no direct penalties are specified, it aims to create a minimum set of penalties for the crimes described above. According to James Brokenshire, "it will mean that cyber criminals will not be able to hide in European countries that do not have as well developed laws against cybercrime" as the United Kingdom.


The aim is to protect the online aspects of countries' economies, particularly ones with growing online components. It is currently focused primarily on computers but it may expand to include mobile access.

Further Information


See also