Annexes to SEC(2010)1123 - SUMMARY OF THE IMPACT ASSESSMENT Accompanying document to the Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on attacks against information systems


agreement for law enforcement cooperation with private sector operators.

4.3. Option (3) Targeted update of FD on attacks to address the specific threat from large-scale attacks against information systems

This option implies the introduction of specific, targeted (i.e. limited) legislation against particularly dangerous large-scale attacks against information systems. Such targeted legislation would be linked to measures to strengthen operational cross-border cooperation against attacks on information systems and to an increase of the minimum penalties already foreseen. This option would take the form of an update of the existing FD on attacks, complemented by a number of non-legislative measures, such as enhancing the preparedness, security and resilience of critical information infrastructure protection and strengthening the instruments and procedures for cross-border law enforcement cooperation and the exchange of best practice.

4.4. Option (4) Introduction of comprehensive EU legislation against cyber crime

The identification of a need to take rapid action against the development of sophisticated attacks against information systems raises the question whether it would be appropriate to also introduce broader EU legislation on cyber crime in general. Such legislation would not only cover attacks against information systems, but also issues such as financial cyber crime, illegal web content, the collection/storage/transfer of electronic evidence and more detailed jurisdiction rules. Such EU legislation would be applicable alongside the Council of Europe Convention on Cybercrime, which would in particular be complemented with new provisions considered necessary within the EU.

4.5. Option (5) Update of the Council of Europe Convention on Cybercrime

This option would require substantial renegotiation of the current Convention, which is a lengthy process and is incompatible with the time frame for action proposed in the Impact Assessment. There seems to be no international willingness to renegotiate the Convention. Updating the Convention is therefore not a feasible option within the required time frame for action.

5. Assessment of impacts

| Options | Economic impact | Social impact | Fundamental rights impact | Impact on third countries | Relevance for objectives A, B, C | Consistency with int'l law |
|---|---|---|---|---|---|---|
| Option 1: Status quo / no new EU action | 0 | 0 | 0 | - | 0 | 0 |
| Option 2: Development of a programme to strengthen the efforts to counter attacks against information systems with non-legislative measures | -/+ | ++ | -/+ | ++ | A: +, B: ++, C: + | -/+ |
| Option 3: Targeted update of FD on attacks to address the threat from large-scale attacks against information systems | --/++ | -/+++ | -/++ | +++ | A: +++, B: +++, C: +++ | ++ |
| Option 4: Introduction of comprehensive EU legislation against cybercrime | ---/+++ | +++ | --/++ | ++ | A: ++, B: ++, C: ++ | -/++ |
| Preferred option (Options 2 and 3): combination of non-legislative measures with a targeted update of the FD on attacks | --/+++ | +++ | -/++ | +++ | A: +++, B: +++, C: +++ | ++ |


6. How do the policy options compare?

6.1. Option (1) Status Quo

This option will inevitably leave private actors, the Member States and the Union as a whole in a more vulnerable position when dealing with cybercrime, given its nature and growth. Even if currently existing actions were sustained at their present level, European coordination would still be required.

6.2. Option (2) Development of a programme to strengthen the efforts to counter attacks against information systems with non-legislative measures

This option has all the advantages and disadvantages of a soft law instrument. Its positive aspect is the possibility of describing each policy measure in a way that is consistent with the best national practices, thereby facilitating the identification of the measures that are most effective.

However, this option is less effective in terms of achieving the objectives.

6.3. Option (3) Targeted update of FD on attacks to address the threat from large-scale attacks against information systems

This option offers a timely and targeted response to the identified problems. It addresses the criminal law issues necessary to effectively prosecute the perpetrators of this crime. It also improves international cooperation by introducing a mechanism for immediate international assistance in cases of urgent requests for cooperation, and promotes cooperation with the private sector through accompanying measures, such as expert meetings. This option also introduces a number of aggravating circumstances, such as the large-scale aspect of the attacks, as well as attacks committed by concealing the real identity of the perpetrator and causing prejudice to the rightful identity owner.

Finally, to enable measuring of the extent of the problem, monitoring obligations are introduced.

6.4. Option (4) Introduction of comprehensive EU legislation against cyber crime

This option, like option 3, has the added value of establishing binding provisions, and therefore a higher level of effectiveness is expected if it is fully implemented. It is also expected to maximise the positive impact of both the legislative and non-legislative instruments across a wider range of cybercrime issues than large-scale attacks alone. In addition, it would address the criminal law framework and at the same time improve cross-border law enforcement cooperation. However, at this stage this holistic approach does not reflect a consensus among stakeholders, although its implementation would take the fight against cybercrime a step further than all the other options.

7. The preferred policy option

Following the analysis of economic impact, social impact, and impact on fundamental rights, options 2 and 3 present the best approach to the problems with a view to achieving the identified objectives.

Overall, the preferred option would be a combination of policy options 2 and 3, as they complement each other, and therefore best meet the defined objectives, both in substance and timing.

8. Monitoring and evaluation

An implementation report should be published within 2 years after the date of entry into force of the Directive. This report should pay attention to the exact implementation of the Directive by Member States.

Furthermore, regular evaluations should be carried out in order to assess how and to what extent the Directive has contributed to the achievement of its objectives. The first evaluation should be carried out within 5 years after the entry into force of the Directive; the Commission will then publish evaluation reports every 5 years thereafter, and these will include information on implementation. On the basis of the conclusions and recommendations of the evaluations, the Commission should consider any further amendment to, or other possible developments of, the Directive.

1. http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xiv_04-2009.en-us.pdf, p. 10.

2. ww.theglobeandmail.com/servlet/story/RTGAM.20090328.wspy0328/BNStory/International/home?cid=al_gam_mostemail

3. The term botnet describes a network of computers that have been infected by malicious software (a computer virus). Such a network of compromised computers ('zombies') may be activated to perform specific actions such as attacks against information systems (cyber attacks). These 'zombies' can be controlled – often without the knowledge of the users of the compromised computers – by another computer. This 'controlling' computer is also known as the 'command-and-control centre'. The persons who control this centre are among the offenders, as they use the compromised computers to launch attacks against information systems. It is very difficult to trace the perpetrators, as the computers that make up the botnet and carry out the attack may be located elsewhere than the offender himself.

4. http://www.lemonde.fr/technologies/article/2009/03/31/virus-conficker-catastrophe-ou-poisson-d-avril_1174916_651865.html

5. Report from the Commission to the Council based on Article 12 of the Council Framework Decision of 24 February 2005 on attacks against information systems - COM(2008) 448.
