1. The EU legal framework to combat Cybercrime Brussels, 3-4 April 2012 Milena Petkova General Secretariat of the Council of the European Union

2. General overview Post-Lisbon EU institutional setting in the FSJ area EU policy context to fight Cybercrime EU legal instruments Draft Directive on attacks against info systems Directive on sexual abuse of children and child pornography EU policy measures EU Policy Cycle – Priority area 8 “Cybercrime” European Cybercrime Centre (EC3)

3. EU institutional setting in the FSJ area Entry into force of the Lisbon Treaty (December, 2009) Cooperation in criminal matters (Title 5, Chapter 4, TFEU) Before: third pillar of the EU / pronounced intergovernmental nature / unanimity in the Council acting as a sole legislator Now: integral part of the coherent body of the EU policy in the Area of FSJ / shared competence of the EU / Community method applies: QMV / Ordinary legislative procedure (Council and EP co- legislators on legislative files)

4. EU Policy context to fight Cybercrime The Stockholm Programme – an open and secure Europe serving and protecting citizens Endorsed by the European Council. Laying down strategic guidelines for legislative and operational planning within FSJ area for the period 2010 – 2014 – Section 4.4.4 Cybercrime The Internal Security Strategy for the EU (ISS) Sets out a European security model identifying common threats and challenges and strategic guidelines for action, while calling for EU-wide approach to internal security. Raising levels of security in cyberspace is among the five main priority areas for action until 2014. Digital Agenda for Europe One of the seven flagship initiatives of the Europe 2020 Strategy. Builds its key actions around seven problematic areas, where "more comprehensive and united policy response at EU level" is needed in order to boost Europe's social and economic performance trough Information and Communication technologies – Cybercrime and risk of law trust in networks noted

5. European legal instruments 2002 Council of Europe Convention on Cybercrime (Budapest convention) Framework Decision 2005/222/JHA on attacks against information systems (in force) Proposal for a Directive on attacks against information systems, replacing the FD (30 September 2010 – under negotiation between Council and EP - adoption under DK PRES feasible)

6. Current state of affairs CoE Convention on Cybercrime  Remains the only international legal instrument up to date providing for a comprehensive framework to fight Cybercrime  Recognised and promoted by the EU as a “legal framework of reference for fighting Cybercrime at global level” Provisions currently in place by virtue of FD 2005/222/JHA  Incorporates into the EU legislation computer crimes in narrow sense - against the confidentiality, integrity and availability of computer data and systems as provided under Section 1, title 1 of the Convention  illegal access, illegal system interference, illegal data interference as well as instigation, aiding, abetting and attempt  liability of legal persons

7. New proposal – Why? Extended criminalisation Full alignment with Sect. 1, title 1 of the CoE Convention (computer crimes in narrow sense) New forms of criminal behaviour in view of the growing number of large- scale attacks conducted through more sophisticated technological tools, such as "botnets“ Increased penalties “Lisbonisation” of the Framework decision Transitional provisions for the 3 rd pillar acts - Protocol 36 – transitional period expires on 1.12.2014 The directive would be immediately enforceable 2 years after adoption Incomplete or non – transposition - subject to infringement procedures

8. EU legislative action Cybercrime – “EU Crime” (Art. 83 (1), 2 nd indent, TFEU) “…particularly serious crime with a cross-border dimension…” Concept of a Directive (Art. 288, TFEU) – binding, as to the result to be achieved – leave to the national authorities the choice of form and methods Approximation of national legislation by – establishing minimum rules concerning – the definition of criminal offences and the sanctions

9. New proposal and the CoE Convention Illegal access (Art. 3) – “at least when committed by infringing a security measure” Illegal system interference (Art. 4) Illegal data interference (Art. 5) Illegal interception (Art. 6) Tools used for committing offences (art. 7) = Misuse of devices (Art. 6, CoE Conv; paragraph 3 – emphasis added) Possession of tools A device designed or adapted primarily for the purpose of committing offences

10. Draft Directive and new developments – Large scale cyber attacks, in particular “botnets” = aggravating circumstance. “affecting a significant number of information systems or causing serious damage” – Attacks committed by misusing another person's identification data (spoofing) – subject of further discussions with the EP – Attacks against critical infrastructures

11. Penalties in the Council General Approach Offences must be punishable by: – effective, proportionate and dissuasive criminal penalties; – a maximum of at least two years of imprisonment for the basic offences; – if committed against a significant number of IT systems, e. g. in order to create a "botnet", a maximum of at least three years; – if the attack has been committed (i) by an organised criminal group, or (ii) has caused serious damage, e.g. through the use of a "botnet", or (iii) has been committed against a critical infrastructure, a maximum of at least five years. Minor cases are excluded from the scope of the Directive

12. Mandatory jurisdiction (1) 1.Territoriality principle + ubiquity rule The offence was committed in whole or in part within the territory of the Member State concerned, including cases where: i.the offender commits the offence when physically present on the territory of the Member State concerned, whether or not the offence is against an information system on its territory; or ii.the offence is against an information system on the territory of the Member State concerned, whether or not the offender commits the offence when physically present on its territory.

13. Mandatory jurisdiction (2) 2.Extraterritorial jurisdiction based on the restrictive active nationality principle The offence was committed by a nationals, at least in cases when the act is a criminal offence at the place where it was performed (positive double criminality check requirement) NB! No reservation possible, but MSs are free to determine the conditions to exercise jurisdiction Council Framework Decision 2009/948/JHA on prevention and settlement of conflict of jurisdiction in criminal proceedings applicable to concurring jurisdiction claims within the EU

14. Discretionary extraterritorial jurisdiction Where the offence was committed outside of the territory of the Member State in cases where: i.the offender has his or her habitual residence in the territory of that Member State; or ii.the offence is committed for the benefit of a legal person established in the territory of that Member State

15. Exchange of information make use of the existing network of 24/7 operational points of contact ensure procedures so that in urgent requests MS can indicate within a maximum of 8 hours at least i.whether the request for assistance will be answered, ii.as well as the form and the estimated time of this answer

16. Directive on Child abuse and Child pornography (2011) Criminalisation of on-line Grooming, i.e. soliciting children for sexual purposes on the Internet (min standards) Measures against websites containing or disseminating child pornography – Removing of websites hosted in the Mss territory and obligation to endeavour to obtain removal of pages hosted outside – mandatory – Blocking access to web pages towards the Internet users within their territory – optional additional requirements: transparent procedures and adequate safeguards (necessity and proportionality check)

17. EU Policy cycle Multi-annual policy cycle with regard to serious international and organised crime in order to tackle the most important criminal threats in a coherent and methodological manner through optimum cooperation between the relevant services of the Member States, EU Institutions and EU Agencies as well as relevant third countries and organisations Provides for an integrated multi-disciplinary approach

18. EU Policy Cycle steps 1.Threat analysis (EU SOCTA) 2.Choice of EU crime priorities – Council conclusions 3.Defining the strategic goals 4.Adopting Operational Action Plans 5.Reporting and evaluation

19. First EU Policy Cycle (2012 – 2013) & Cybercrime Start of the first pilot cycle in January 2012 Cybercrime among the 8 priority areas in the fight against organized and serious crime in the EU for the period 2012-2013 together with THB, Illegal immigration, container shipment, etc. Strategic goals under priority area “Cybercrime” – legislation, – internet governance, – Member State and EU capacities to detect, investigate and prosecute cybercrime, – the establishment of the European Cybercrime Centre (ECC), – a common Union approach to disrupting and dismantling criminal infrastructures, – cooperation with the public and private sectors to raise security and cyberspace, and – Developing reporting systems or platforms in each Member State to report on cybercrime/cyber incidents/data breaches both by legal entities and citizens Operational Action Plans with concrete operational activities relating to the strategic goals have been adopted. Next Policy Cycle – full fledged 4 years cycle covering 2013 – 2017

20. European Cybercrime Centre (EC3) COM Communication adopted on 28th March 2012 EC3 to be hosted by Europol and to act as a focal point in the fight against Cybercrime in the EU Core functions  To serve as a EU Cyber information focal point  To pool cyber expertise  To provide operational support to MSs  To become the collective voice of the European Cybercrime investigators By the end of 2013 – initial operational capability

21. Thank you for your attention! _____________________________ Milena Petkova General Secretariat of the Council of the EU DG D 2B “Human Rights and Criminal Justice” milena.petkova@consilium.europa.eu