Cybercrime

Susanne Reindl-Krauskopf

I. Introduction

A. General
Areas Regulated by CyCC

Substantive Criminal Law (art. 213 CyCC)

Procedural Law (art. 14-22 CyCC)

International Co-operation (Art. 23-35 CyCC)

Individual Legal Instruments on EU Level

Convention on Mutual Judicial Assistance of 29 May

2000
Framework Decision on the Execution of Orders
Freezing Property or Evidence of 22 July 2003

B. Substantive Criminal Law

for Cybercrimes
CyCC

Attacks on data and systems

Computer-related forgery

Computer-related fraud

Child pornography

Copyright infringements

B. Substantive Criminal Law

for Cybercrimes
Individual Legal Instruments on EU Level

Framework Decision / Directive on Attacks against

Information Systems

Framework Decision on Combating the Sexual

Exploitation of Children and Child Pornography and the
Directive on Combating the Sexual Abuse and Sexual
Exploitation of Children and Child Pornography and to
replace the Council Framework Decision

Framework Decision on Combating Fraud and

Counterfeiting of Non-Cash Means of Payment.

C. Result

Comprehensive convention vs. individual legal

instruments

Scope: signatories vs. member states

Enforcement of convention obligations vs

consequences of failing to implement EU law

II. Detailed comparison based on

attacks on data and systems

Basis for Comparison

Art. 2-6 CyCC

Directive on Attacks against Information Systems

(Dir.)

Framework Decision on Attacks against Information

Systems (FD)

A. Penalties
Art. 13 CyCC

effective, proportionate and dissuasive penalties,

including imprisonment

Art. 9 Dir.

effective, proportionate and dissuasive penalties

minimum level of maximum penalties

Least Maximum Penalties Art. 9

Dir.

Basic rule: Maximum imprisonment of at least 2 years,

for cases which are not minor
Maximum imprisonment of at least 3 years for
interference with systems and data (art. 4; 5 Dir.), if a
significant number of systems have been affected by
the use of certain tools
Maximum imprisonment of at least 5 years in art. 4 & 5
Dir.
for offences committed within the framework of a
criminal organisation,
for offences which cause serious damage; or
For attacks committed against a critical infrastructure
information system.

B. Individual Offences in
Comparison
1. "Hacking" Unauthorised System Access
Art. 2 CyCC

Options for defining the offences

(Art. 2 FD and) Art. 3 Dir.

Infringement of security measures

A non-minor case = ?

Result

CyCC = basis for FD and Dir.

Punishability however more extensive (under FD
and Dir.)

B. Individual Offences in
Comparison
2. System Interference
Art. 5 CyCC; Art. 3 FD; Art. 4 Dir.

Facts basically congruent

Significant differences only in
the punishability of the attempt;
the required sanctions

Result

CyCC = basis for FD and Dir.

Risks newly identified in Dir. are accounted for in
the sanctions

B. Individual Offences in
Comparison
3. Banned Tools

Art. 6 CyCC; Art. 7 Dir. (not covered in FD!)

Significant differences in
sanctions system
tools covered
threshold for mandatory sanctions
Punishability of possession only

Result
CyCC = basis for Dir.
RL apparently less far-reaching, but large number of
possible reservations to art. 6 CyCC

III. Result

In the area of attacks on data and systems the CyCC

clearly serves as a key basis for FD and Dir.

Meanwhile new threat scenarios arising from

technological progress have been identified and
accounted for in Dir., esp. in the penalties system.

The Directive thus partly establishes a stricter regime

applicable to its regional scope.

Challenges, such as cross-border preventive and

investigative measures, also need joint international
solutions for newly emerging phenomena.

A legal framework largely harmonised between the

Council of Europe and the European Union would
therefore be desirable in the areas of preventing and
prosecuting cybercrime.