Directive 2013/40/EU transposition deadline
Today is the deadline for transposition into national law of the Directive on attacks against information systems (the "Directive"), which came into force on 24 August 2013. This Directive forms part of the EU's continuing efforts to keep pace in its fight against the ever evolving nature of cybercrime, and in particular, the increasingly sophisticated and large-scale forms of attack against information systems. It updated (and replaced) minimum rules, established by the Council Framework Decision 2005/222/JHA (the "Framework Decision"), relating to the definition of relevant criminal offences and sanctions across Member States and the improved cooperation between competent authorities.
In summary
The Directive re-enacted many of the provisions in the Framework Decision and integrated elements of the Cybercrime Convention 2001. There are four main substantive offences (together, the "Substantive Offences") of:
(i) illegal access to information systems;
(ii) illegal system interference;
(iii) illegal data interference; and
(iv) illegal interception.
The Directive required Member States to make it a criminal offence to intentionally produce, sell, procure for use, import, distribution or otherwise make available, certain tools intended for use in the commission of the Substantive Offences. The Directive's recitals single out "botnet attacks", where a significant number of information systems have been affected through the use of certain tools (e.g. a computer programme, designed for the purpose of committing a Substantive Offence).
The Directive also required that cases involving offences committed within the framework of a criminal organisation, cause serious damage, or are committed against a critical infrastructure information system should carry a maximum penalty of at least 5 years' imprisonment. The misuse of the personal data of another person with the aim of gaining the trust of a third party, thereby causing prejudice to the rightful identity owner (identity theft), should also be treated as an aggravating circumstance.
In terms of increased cooperation between competent authorities, new provisions required Member States to be able to respond to urgent information requests with a response time of no more than eight hours, and to monitor and record statistical data and report on cybercrime offences and criminal convictions.
Impact
By and large most Member States had already brought their national criminal regimes into line with both the Framework Decision and the Cybercrime Convention. Accordingly, relatively few legislative changes were required to be ready for today's transposition deadline.
The UK, for example, introduced a small number of changes through the Serious Crime Act 2015 (the "SCA") amending provisions of the Computer Misuse Act 1990 (the "CMA"), which came into force on 5 May 2015. These are summarised in the table below:
| Directive article | SCA amending section | Amendment to the CMA |
| Article 7 - Tools used for committing offences | Section 42 | New procurement offence Section 3A offences already covered the intentional production, sale, import, distribution or otherwise making available of certain tools. Section 3A now makes the procurement of such tools an offence.Previously, section 3A required the prosecution to show that the individual obtained the tool with a view to its being supplied for use to commit, or assist in the commission of an offence: now the obtaining of such a tool is an offence both where the person has an intention to supply the tool, and where the person intends to use the tool to commit (or assist in the commission of) a Substantive Offence. |
| Article 12 - Jurisdiction | Section 43 | Extra-territorial jurisdiction Sections 4 and 5 have extended extra-territorial effect to certain offences under the CMA (including section 3A) to bring them into line with the Directive. This requires Member States to have jurisdiction where the offence has been committed (i) in its territory; or (ii) by one of their nationals provided that the offence was also a crime in the country where it took place.When determining whether an offence has taken place in its territory, jurisdiction must be available both (a) where the offender commits a crime when present in its territory, irrespective of whether the information system is on its territory; and (b) where the offence is against an information system on its territory, irrespective of whether the offender is physically present on its territory.Accordingly it would be possible to prosecute a French national resident in England and Wales who hacked into a computer system in France; or a UK national who hacked into a computer system in the UK whilst temporarily resident in France (and who returns to the UK). |
Section 41 of the Serious Crime Act 2015 also created a new offence of undertaking unauthorised acts (knowing them to be unauthorised) intentionally or recklessly causing, or creating risk of serious damage of a material kind. The government considered that, even though it carried a maximum penalty of 10 years - more than twice that prescribed by the Directive, the penalty for the pre-existing offence under section 3 of the CMA was not adequate to deal with cases of serious damage, for example to critical national infrastructure. Accordingly, the maximum penalty for this new offence is life imprisonment for cases involving threat to life, loss of life or damage to national security, and in respect of damage to the economy or environment, 14 years’ imprisonment.
Next steps
The transposition of the Directive into national law is the next step in the EU's continuing effort to streamline and enhance the European rules to combat cybercrime. It is particularly welcome, given the delay in the adoption of the proposal for a directive concerning measures to ensure a high common level of network and information security across the Union (2013/0027 (COD)).
Under the Directive, the European Commission must submit a report to the European Parliament and the Council by 4 September 2017. The report will assess the extent to which Member States have taken the necessary measures to comply with the Directive, and will be accompanied, if necessary, by legislative proposals.
![]() |
![]() |
| Michael K S Tan Associate +442074662632 | Karen Anderson Partner +442074662404 |
Key contacts
Karen Anderson
Consultant, London
Susannah Cogman
Partner, London
Elizabeth Head
Of Counsel, London
Marina Reason
Partner, London
Kelesi Blundell
Partner, London
Hywel Jenkins
Partner, London
Chris Ninan
Partner, London
Jon Ford
Partner, London
Clive Cunningham
Consultant, London
Simone Hui
Of Counsel, Hong Kong
Chee Hian Kwah
Director, Prolegis LLC, Singapore
Valerie Tao
Knowledge Lawyer, Hong Kong
Cat Dankos
Senior Regulatory Consultant, London
Disclaimer
The articles published on this website, current at the dates of publication set out above, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action.

