1 Cyberspace

The term “cyberspace”, the combination of the two words “cybernetics” and “space”, meaning cybernetic space, was coined in the 1980s. It is thought that the originator of this term was William Gibson, a Canadian writer, who used it in his novel Neuromancer of 1984, to define computer-generated virtual realities, which the protagonists inhabit. The notion found its place in mass culture, and it is currently used to define virtual space, understood as space for communication via computer networks.Footnote 1 This term is sometimes (incorrectly) used as a synonym for the Internet.Footnote 2

As regards Polish Law, cyberspace is defined, i.a., in Article 2(1a) of the State of Emergency Act of the 21st of June 2002,Footnote 3 Article 3(1)(4) of the Natural Disasters Act of the 18th of April 2002,Footnote 4 and Article 2(1b) of the Act of the 29th of August 2002 on Martial Law and the Competences of the Commander-in-Chief of the Army and the Rules of the Commander-in-Chief’s Subordination to the Constitutional Authorities of the Republic of Poland,Footnote 5 according to which the term is understood as “a space for the processing and exchange of information, created by information and communication systems, defined in Articles 3(3) of the Act of the 17th of February 2005 on the Computerisation of the Operations of Entities Performing Public Tasks, including the links between them and their relations with users.” Within the meaning of the said Act on Computerisation, a communication and information system is a set of interfacing IT hardware and software, providing the facility to process, store, send, and receive data via ICT networks, with the use of an end device suitable for a given network type. According to this relatively comprehensive definition developed by the legislator, cyberspace includes not only communication and information systems, comprising hardware and software facilitating the performance of system functions (processing, storage and sending computer data), but also computer data and interactions between devices and their users.Footnote 6

2 Cybersecurity

The concept of cybersecurity is currently defined under Polish law in the National CyberSecurity System Act of the 5th of July 2018.Footnote 7 Given the significant role this legal Act plays in the field of “cybersecurity law”, it may be assumed that the definition can be applied across the entire legal system. Pursuant to Article 2(4) of the NCSA, cybersecurity is

the ability of information systems to resist actions, which compromise the availability, authenticity, integrity, and confidentiality of processed data, or the related services provided by those information systems.

Under Article 2(4) of the NCSA, the legislator referred to the notions of confidentiality, integrity, availability, and authenticity, i.e., the so-called information-security components (of computer data and communication and information systems). Traditionally, the list has been limited to three “main” components. In addition to confidentiality (covered by protection at the earliest point in time), the list comprised availability and integrity. Availability means the facility to use the information by authorized persons whenever necessary. According to the guidelines included in the Recommendation of the OECD CouncilFootnote 8 concerning Guidelines for the Security of Information Systems C(92)188 of the 26th of October 1992, availability means that data is accessible and usable on a timely basis in the required manner. Under Article 4(d) of Regulation 460/2004, availability means that data is accessible and services are fully operational. According to the definition laid down in Recommendation C (92)188, integrity is understood as the characteristic of data and information being accurate and complete, and the preservation of accuracy and completeness. It refers to the integrity of both data and computer systems. As for information processed in an IT network, integrity means that the sent and received data are identical. This feature is defined in a similar way in Article 4(f) of Regulation (EC) No 460/2004 of the European Parliament and of the Council of the 10th of March 2004 establishing the European Network and Information Security AgencyFootnote 9 (repealed, but the replacement regulations did not include the definition), as “the confirmation that data, which has been sent, received, or stored are complete and unchanged.” It is worth mentioning that this is a theoretical scenario, which is impossible in practice. The vast majority of the currently existing ICT networks, including the Internet, are based on packet-switching technology (for more details, see further remarks in the discussion on the definition of information systems). This means that the data sent via such networks are divided into packets (millions of packets in the case of large data portions), which are then sent (often along various routes) and “compiled” together at the end point. It often happens that the some of the packets “get lost on the way” (it is easy to check, there are small differences between the sizes of the sent and the received file). Confidentiality means access to data only by authorized persons, excluding third parties. It involves the protection of data against the reading and copying of data by unauthorized individuals. The guidelines set out in recommendation C (92)188 define confidentiality as the characteristic of data and information being disclosed only to authorized persons, entities and processes at authorized times and in the authorized manner. In turn, under Article 4(g) of Regulation 460/2004, confidentiality is understood as the protection of communications or stored data against interception and reading by unauthorized persons.Footnote 10

In addition to the (“core”) attributes discussed above, one can currently speak of other properties of information. In line with the ISO 27001 standard (PL-EN IDO/IEC 27001, an international standard specifying the requirements for information-security management systems), information security is interpreted as the maintenance of the confidentiality, integrity, and availability of information. However, other components, such as authenticity, accountability, and reliability, may also be taken into consideration. Authenticity guarantees that the identity of a given entity or resource is as declared. Accountability means the assurance that the actions of such an entity can be assigned in a straightforward way only to this specific entity. Reliability is a property designating cohesive and intentional conduct and results.

These terms are defined in a similar way in the Regulation of the Council of Ministers of the 12th of April 2012 on the National Interoperability Framework, the minimum requirements for public records, the exchange of information in electronic form, and the minimum requirements for communication and information systems.Footnote 11

  • Authenticity: a property consisting of the fact that the origin or contents of data defining an object are as declared (§ 2(2))

  • Availability: a property consisting of the fact that a given ICT-system resource can be used on demand, in a specified time, by an entity authorized to work in the communication and information system (§ 2 (4));

  • Integrity: a property consisting of the fact that a given communication and information system resource has not been modified in an unauthorized manner (§ 2 (5));

  • Confidentiality: a property consisting of the fact that information must not be provided or disclosed to unauthorized natural persons (§ 2 (14)).

  • Accountability: a system property, which involves the attribution of a specified action to a natural person or process, and placing it within a specific time frame (§ 2 (18)).

The concept of “cybersecurity”, as defined under Article 4(2) of the NCSA, was meant to constitute the equivalent of the expression “the security of network and information systems”, as defined in NIS DirectiveFootnote 12 as the capacity of network and information systems to resist, at a given level of confidence, all actions, which compromise the availability, authenticity, integrity, or confidentiality of stored or transmitted or processed data, or the related services provided by, or accessible via, those network and information systems. It is clear that the two definitions differ in terms of defining elements. First, the term “information system” was used as the equivalent of “network and information system”. Second, the legislator removed the phrase “at a given level of confidence”, referring to “the ability to resist”, with a view to ‘relativising’ the expression. It should be stressed that the phrase was present in the first draft of the Act, i.e. in the version referring to social consultations (prior to the work on the Bill in the Sejm, the lower house of the Polish Parliament, but was not included in the final version of the Bill,Footnote 13 due to the controversies, which had occurred during the consultations. First of all, the consultations indicated the need to define the phrase.Footnote 14 As shown above, the author of the Bill chose a simpler solution. Another difference is the narrowing down in the schedule of actions listed in the definition laid down in the Act by omitting the word “all” before “actions”, which stressed the broadest possible scope of such activities, at the same time replacing the conjunction “or” with “and” in the catalogue of such actions. Therefore, one is dealing with conjunctions here, not alternatives, which seems to imply that the actions referred to in the said provisions must be simultaneously directed against the confidentiality, integrity, availability, and authenticity of the processed data, or the related services provided by those network and information systems. The next difference also resulted in the narrowing down of the scope of the definition, as the services “accessible via” information systems were omitted, and only “provided” services were retained. The definition in the NIS Directive mentions stored or transmitted or processed data, whereas the Polish legislator limited the list to the concept of “processing”, which is a generic term in relation to storage and transmission.

To conclude the discussion on the differences between the definitions, it should be stressed that the definition in the NIS Directive was used in the National Framework of the Cybersecurity Policy of the Republic of Poland for 2017–2022 (Resolution of the Council of Ministers No. 52/2017 dated the 27th of April 2017 on the National Framework of Cybersecurity Policy of the Republic of Poland), as well as in the draft Cybersecurity Strategy.

3 The Notion of Cybercrime

To date, no legislator has decided to introduce the legal definition of a computer crime into the legal system. There have been attempts to define this term as part of penal-law studies. A comprehensive definition proposed by Ulrich Sieber during an OECD Expert Committee meeting in Paris in 1983, later included in the OECD report, according to which “computer crime is any illegal, unethical, or unauthorised behaviour involving the automatic data processing and/or transmission of data”Footnote 15 can be considered one of the first. A general definition of computer crime was developed several years later for Interpol. According to this definition, computer crime means “criminal activities in the scope of computer technologies”, which can be divided into the following groups.

  1. (1)

    The breach of resource-access rights

  2. (2)

    Fraud with the use of computers

  3. (3)

    The modification of computer resources

  4. (4)

    The reproduction of software

  5. (5)

    Hardware and software sabotage

  6. (6)

    Offences committed with the use of BBS

  7. (7)

    The storage of illegal resources

  8. (8)

    Crime on the Internet.Footnote 16

Along with technological advancements, the terms describing the phenomenon of computer crime are also evolving. The earliest ones are, of course, “computer crime”, “computer-related crime”, “crime by computer”, and “digital crime”, the last one having a broader scope than “computer crime.” The development of the Internet in recent years has led to the creation of a strong, and practically inseparable, relationship between information and telecommunication technologies. For this reason, numerous suggestions for terms and definitions have been coined to describe the phenomenon of computer crime. These include “Internet crimes”, “e-crimes”, “net crimes”, virtual crimes”, and finally “cybercrimes”, “IT crimes”, and “data-processing crimes.”Footnote 17

Without doubt, the term, which has gained greatest popularity is “cybercrime”, used both in the literature on the subject and in some international documents (in particular, in the Convention on Cybercrime).

During the Tenth United Nations Congress on the Prevention of Crime and the Treatment of Offenders,Footnote 18 held in Vienna in April 2000, it was found that cybercrime referred to any crime, which can be committed by means of a computer system or network, in a computer system or network, or against a computer system or network. At the same time, the following classification of cybercrime was proposed.

  1. (1)

    In a narrow sense (computer crime), meaning any illegal behaviour directed by means of electronic operations, which targets the security of computer systems and the data processed by them, i.e.

    • unauthorized access

    • damage to computers, computer data, or computer programmes

    • computer sabotage

    • unauthorized interception, and

    • computer espionage

  2. (2)

    Cybercrime in a broader sense (“computer-related crime”): any illegal behaviour committed by means of, or in relation to, a computer system or network, including such crimes as illegal possession, and offering or distributing information by means of a computer system or network.Footnote 19

4 The Classification of Cybercrimes

First, it is necessary to point to the simplest possible dichotomous classification of computer crime, divided into “old” and “new” offences. This refers to the “novelty” of an offence as such (not as a computer crime). The first group includes conventional (common) offences, which had gained a new or modified form due to technological developments (e.g. fraud, harassment, dissemination of child pornography). “New” offences are those, which came with the development of computers and advancements in information technology, and its further convergence with telecommunications. Obtaining unauthorized access to, or unauthorized modification of, computer data can serve as a classic example here.Footnote 20

Both in the literature on the subject and in the legislations of various countries, it is possible to find a similar “tripartite” division of cybercrimeFootnote 21 into computer crimes, computer-facilitated crimes, and computer-supported crimes.Footnote 22

The above classification was also adopted in the Convention on Cybercrime.Footnote 23 Offences amounting to illegal acts categorized in the first group was grouped together under the single title “Offences against the confidentiality, integrity, and availability of computer data and systems.” Offences in the second group are to be found in the subsequent three Sections of the Convention, and they are referred to as “computer-related offences”, “content-related offences”, and “offences related to infringements of copyright and related rights.”

The last group in the tripartite division does not fall within the ambit of substantive penal law, but rather procedural law, in particular the law of evidence. Therefore, they are usually not considered in discussions on computer crime.

The issue of defining and classifying computer crimes has been taken up in the Polish literature on the subject. Andrzej Adamski pointed out that under the penal law, it is possible to differentiate between two meanings of the term “computer crime”, from the substantive and procedural-law perspective,Footnote 24 and from the substantive-law perspective, in the latter of which two types of attacks can be identified.

  1. (1)

    Attacks in which computer systems, applications, data, and information, are the subjects of crime, for example, hacking. The Polish legislator treats them (similarly to other penal-law legislations) as separate types of offence in which information is a generic object of protection. In the Polish Penal Code, such acts were addressed in Chapter XXXIII Offences Against Information Protection (offences in which computers, networks or computer data constitute the target of the perpetrator’s actions), which corresponds to the first group of crimes, in which computers are the subject of illegal activities (the computer as a target).

  2. (2)

    Attacks in which the targets include various legally protected rights, whereas a computer, computer network, data-processing systems and electronic devices serve as tools. They are used for committing both common offences, e.g. fraud, forgery, and unconventional crimes, such as money laundering (corresponding to the second group of offences included in the aforementioned tripartite division—“the computer as an instrument”).

From the procedural perspective, computer crimes are offences in which computer systems can store evidence of criminal activities. Therefore, the group of computer crimes from the procedural perspective includes, in particular, any prohibited acts in which access to information processed in a computer system is required for prosecution purposes. This includes situations in which a computer system was an instrument used in an attack, and instances in which such a system was the target of the attack.Footnote 25

In the Polish literature on the subject, some attention has been given to the issue of singling out Internet crime as a subcategory of computer crimes.

As B. Świątkiewicz noted, Internet crime cannot be treated as the equivalent of computer crime, since the Internet is a tool used for committing a wide range of offences, which are not necessarily reflected in the statutory criteria of a crime as laid down in the Penal Code.Footnote 26 First and foremost, it is certain that the term covers a narrower scope. Michał Sowa suggests that “Internet crime” can be defined as offences

“for which the opportunities provided by the Internet” (web services) or services provided by people via the Internet allow the perpetrator to perform an intentional criminal act, or its individual stages, or at least facilitate the performance of such a criminal act.Footnote 27

Based on the above definition, it is possible to distinguish between Internet crime, in the strict sense of the term (types of prohibited acts, in which the main activities are conducted with the use of the Internet) and Internet crime in the broad sense (in which the committing of a given prohibited act is facilitated by the use of the Internet, including those offences in which the Internet is only a means to an end, or a tool to achieve the expected results outside the network).Footnote 28

5 Challenges Related to the Emergence of Computer Crime

There are numerous characteristics of new technologies, which facilitate criminal activities, and, which at the same time hinder the prevention and prosecution of crime.

First of all, it is the sheer reach of the phenomenon. The Internet has provided communication opportunities on an unprecedented scale. It is estimated that approx. one and a half billion people have Internet access, which accounts for 24% of the world’s population. It is an enormous number of potential perpetrators and victims.

The second feature is availability. The use of computers and the Internet has never been easier or cheaper. On the one hand, the prices of computer hardware and computer-network communications have fallen considerably, and, on the other hand, the use of technological advancements has become easier than in the past. The times when computers were enormous and expensive devices, requiring additional advanced knowledge to be operated are long gone. The Internet can currently be used on mobile phones. Computer programmes have a friendly graphical user interface, and the vast majority of users cannot imagine operating a computer in the so-called text mode (using command lines in MS Windows systems, or consoles in Unix/Linux systems).

Third is the ability to remain anonymous (often not as reliable as it might seem), which both Internet users and potential perpetrators of crimes committed via the Internet can enjoy. It creates an illusion of full confidentiality (or even secrecy) of all the activities performed by network users, and the related chance of avoiding potential penal liability.

Fourth is the possibility to collect a substantial quantity of information across a small space, from which the data can be easily retrieved, and in which it can be reproduced and disseminated without limitations.

The fifth feature is its global reach, which means that the offences committed by perpetrators in one country can have a negative effect in another country. This can create extremely complex situations. For instance, this is the case when a perpetrator based in country A carries out a DDoS attack (Distributed Denial of Service) against a server located in country B, using computers located in countries C and D, while residents of countries E and F can suffer the consequences of such activities.

The last, yet equally important, factor, indicated in the literature on the subject, which hinders counteracting computer crime, includes circumstances related to investigating crimes and conducting penal proceedings. The ephemeral nature of computer data is a source of problems related to collecting and securing evidence. There are also problems arising from the international reach of the network, and the private nature of many of them, which obstructs the access to, e.g., traffic data, which is stored on servers only for a specified period of time. The obvious consequence of the technical nature of computer crime is the fact that individuals dealing with the prosecution of perpetrators must have knowledge of state-of-the-art technology and the appropriate hardware.Footnote 29

When discussing the issue of cybercrime definitions and classifications, it is worth mentioning those acts, which cannot be placed in the category of computer crime.

6 Cyberterrorism and Cyberwar

Susan W. Brenner makes a precise distinction between computer crime and the phenomena of cyberterrorism,Footnote 30 and cyberwarfare, treating them as notions separate from cybercrime. She assigns a very broad sense to the former term, making the assumption that it includes terrorist attacks which are planned, carried out, and coordinated, via computers and computer networks, while the latter is defined as actions taken by states using information technology with a view to achieving military or other strategic goals.Footnote 31

The second most frequently cited definition of cyber-terrorism, provided by D. Denning, has a much narrower meaning. According to this author, cyber-terrorism is a combination of terrorism and cyberspace. In general, it is understood as unlawful attacks and threats of attacks against computers, networks, and information collected in networks to intimidate or coerce governments, or the residents, of a given state, to fulfil political or social objectives. Moreover, in order to be classified as cyberterrorism, a given attack should result in violence against people and property, or cause such a degree of harm that it could evoke fear. Attacks resulting in death or injuries, explosions, plane crashes, water pollution, or severe economic loss, might serve as examples here. Major attacks against critical infrastructures can be treated as cyber-terrorist attacks, depending on their outcomes. The category does not include attacks, which lead to the disruption of non-critical services, or mainly result in financial problems.Footnote 32

7 Terrorism in EU Law

The first EU legal instrument aimed at counteracting terrorism was Council Framework Decision of the 13th of June 2002 2002/475/JHA on combating terrorismFootnote 33 (further referred to as “Framework Decision 2002/475”). The document was replaced by Directive (EU) 2017/541 of the European Parliament and of the Council of the 15th of March 2017 on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA, which is based on the Framework Decision, and substantially replicates its solutions (this refers to, e.g., the definition of a terrorist offence), at the same time clarifying some solutions and adding new ones.

Most of all, Directive 2017/541 established the minimum rules concerning the definition of criminal offences and sanctions in the field of terrorist offences,Footnote 34 offences related to a terrorist group, and offences related to terrorist activities, as well as measures for the protection of, support for, and assistance to, victims of terrorism. The definition of a terrorist offence laid down in Article 3 of Directive 2017/541 (similar to the one included in Framework Decision 2002/475) is composed of two elements, i.e. objective (actus reus) and subjective (mens rea) elements. For a prohibited act to be considered a terrorist offence, first of all, it must meet an objective criterion, i.e., it must be one of the acts listed in an exhaustive schedule included in Article 3(1)(a) to (i),Footnote 35 or the threat to commit any of the acts (Article 3(1)(j)). Second, a terrorist offence must meet at least one of the subjective premises listed in the second part of the definition, i.e. it must be committed with one of the aims listed in paragraph 2, including

  1. (1)

    seriously intimidating a population

  2. (2)

    unduly compelling a government or an international organisation to perform or abstain from performing any act

  3. (3)

    seriously destabilising or destroying the fundamental political, constitutional, economic, or social structures of a country or an international organisation.Footnote 36

Under Article 4 of Directive 2017/541, Member States are obliged to make sure that directing a terrorist group,Footnote 37 and participating in the activities of a terrorist group, are acts punishable as criminal offences. It was pointed out that the latter should also be understood as including supplying information or material resources, or by funding its activities in any way, in the knowledge of the fact that such participation will contribute to the criminal activities of the terrorist group.

Pursuant to the subsequent Articles of Directive 2017/541, Member States are obliged to criminalise “offences related to terrorist activities”, involving certain activities, which are not terrorists acts per se, but might constitute the preparation to commit terrorist acts.Footnote 38

Under Article 15(1) of Directive 2017/541, the offences referred to in the Directive should be punishable by effective, proportionate, and dissuasive, criminal penalties, which may entail surrender or extradition.

The terrorist offences referred to in Article 3 of Directive 2017/541, and in Article 14 of the said document (aiding and abetting, inciting and attempting offences laid down in the Directive),Footnote 39 should be punishable by custodial sentences heavier than those imposable under national law for such offences, which have no element of “terrorist intent” (Article 15(2).

The offences listed in Article 4 of Directive 2017/541 (offences relating to a terrorist group) should be punishable by custodial sentences, with a maximum sentence of not less than 15 years for the offence referred to in point (a) of Article 4 (directing a terrorist group), and a maximum sentence of not less than 8 years for the offences listed in point (b) of Article 4 (participating in the activities of a terrorist group) (Article 15(3)).

When a criminal offence referred to in Article 6 (recruitment for terrorism) or 7 (providing training for terrorism) is directed towards a child, this may, in accordance with national law, be taken into account when sentencing (Article 15(4) of Directive 2017/541).

8 Cyberterrorism: Terrorism in Cyberspace

The first binding European Union legal Act relating to attacks against security in cyberspace was Council Framework Decision 2005/222/JHA of the 24th of February 2005, on attacks against information systemsFootnote 40 (Framework Decision 2005/222). Work on the draft began in 2001, as a result of the European Commission’s announcement of the so-called Communication on Cybercrime,Footnote 41 containing certain proposals for substantive and procedural-law provisions, directed at combating computer crime, at both the national and Community levels. The outcome of those activities was, i.a., a proposal for the aforementioned framework decision.Footnote 42

In citing Framework Decision 2005/222, it was indicated that its objective was to improve cooperation between the judicial authorities and law-enforcement services of Member States, through approximating the rules on criminal law in Member States in the field of attacks against information systems. The legislative activities at the EU level were substantiated by the need to counteract attacks against information systems, due to the possible relationship between this type of offence and organised crime, and terrorist attacks against information systems, which formed part of the critical infrastructure of the Member States.

First and foremost, under Framework Decision 2005/222, the most important terms were defined (“information system”, “computer data”, “legal person” and “without right”), and Member States were obliged to make sure that illegal access to information systems, illegal system interference, and illegal data interference, were punishable as offences. The document also refers to the issues of the liability of legal persons, jurisdiction, and the use the network of operational points of contact available twenty four hours a day, seven days a week, for the purpose of exchanging information on attacks against information systems.

The limited number of offences referred to in Framework Decision 2005/222, the need to incorporate new threats, and the wish to adapt the existing legal regulations to new European Union initiatives in the field of cybersecurity, and to supplement them in order to regulate the matter comprehensively, led to a decision to commence work on a new legal instrument addressing the issue of cybercrime. The result was the enactment of Directive 2013/40/EU of the European Parliament and of the Council of the 12th of August 2013 on attacks against information systems and replacing Council Framework Decision 2005/222/JHAFootnote 43 (Directive 2013/40).

In citing the Directive, it was stressed that attacks against information systems, and, in particular, attacks linked to organised crime, and the potential for terrorist or politically motivated attacks against information systems, were a growing menace, and that they could pose a real threat to information systems forming part of critical infrastructures of Member States and the European Union.

The contents of Directive 2013/40 are largely based on the provisions of Framework Decision 2005/222/JHA, at the same time providing for certain new solutions (new types of prohibited acts: the illegal interception of computer data, and offences related to the use of “hacking tools”, and the specification of additional aggravating circumstances to consider when sentencing offenders).

For the purpose of Directive 2013/40 (and previously for the purpose of Framework Decision 2005/222), an “information system” is defined as a device or group of inter-connected or related devices, one or more of which, pursuant to a programme, automatically processes computer data, as well as computer data stored, processed, retrieved or transmitted by that device or group of devices for the purposes of its or their operation, use, protection and maintenance (Article 2(a)).

The above definition can be characterised by a broad objective scope. Given the above, an information system should be understood as both a single data-processing device (e.g. a computer or a smart phone) and a computer network, including small networks (e.g. LANFootnote 44), covering several computers, and large-scale structures consisting of interconnected networks (e.g. MANFootnote 45).Footnote 46

Under Article 2(b) of Directive 2013/40, the term “computer data” was defined as a representation of facts, information, or concepts in a form suitable for processing in an information system, including a program suitable for causing an information system to perform a function.

Under Article 2(d) of Directive 2013/40, “without right” means conduct referred to in this Directive, including access, interference, or interception, which is not authorized by the owner, or by another rights holder, of the system, or of part of it, or not permitted under national law.

Article 3 of the said Directive includes an obligation imposed on Member States to ensure that, when gained intentionally, access without right to the whole or to any part of an information system, is punishable as a criminal offence committed by infringing a security measure. Access to information systems is understood as the possibility of using their resources (i.e. using the data stored in the systems, and the use of hardware, which, in fact, results in access to data and software used for controlling such access).

Another offence defined in Directive 2013/40 is illegal system interference, which consists of seriously hindering or interrupting the functioning of an information system by inputting computer data, by transmitting, damaging, deleting, impairing, altering, or suppressing such data, or by rendering such data inaccessible, intentionally and without right (Article 4 of Directive 2013/40). This mostly includes activities involving logic operations directed against information systems, with a view to hindering or disrupting system functions by affecting the processing of the computer data of the software used for the purpose.

Under Article 5 of Directive 2013/40, Member States are obliged to criminalise logical attacks directed against computer data. The provision identifies illegal data interference as deleting, damaging, impairing, altering, or suppressing computer data in an information system, or rendering such data inaccessible. Such interference includes both deleting data and installing software on the compromised computer, facilitating further illegal activities (e.g. data theft), or carrying out a DDoS attack (Distributed Denial of Service) by using malware to connect a compromised computer to a botnet.

The first “new” prohibited act (in relation to Framework Decision 2005/222) was illegal interception, defined in Article 6 of Directive 2013/40 as intercepting, by technical means, non-public transmissions of computer data to, from, or within, an information system, including electromagnetic emissions from an information system carrying such computer data, intentionally and without right.

Another type of offence, which was not provided for in Framework Decision 2005/222, is referred to in Article 7 of Directive 2013/40. Under the said provision, Member States are required to criminalise the intentional production, sale, procurement, importing, possession, and distribution, or otherwise making available, of tools (colloquially referred to as “hacking tools”) used, without right, to commit any of the offences referred to in Articles 3 to 6 of Directive 2013/40, in which such acts are performed with the intention to commit the said offences.

“Tools” means

  1. (1)

    a computer programme, designed or adapted primarily for the purpose of committing any of the offences referred to in Articles 3 to 6

  2. (2)

    a computer password, access code, or similar data, by which the whole or any part of an information system is capable of being accessed.

In line with Article 9(1) of Directive 2013/40, the offences referred to in the said Directive (including incitement, aiding and abetting, and attempting to commit offences under Articles 4 and 5—see Article 8(1) and (2)), should be punishable by effective, proportionate, and dissuasive, criminal penalties. At the same time, it is stipulated that the offences referred to in Articles 3 to 7 of Directive 2013/40 (which means that it does not apply to incitement, aiding and abetting, and attempting to commit offences) should be punishable by a maximum term of imprisonment of at least 2 years, at least for cases which do not involve a minor (Article 9(2)).

Furthermore, Article 9 of Directive 2013/40 provides for a number of aggravating circumstances. However, they only apply to offences listed in Articles 4 and 5 (i.e. illegal system interference and illegal data interference). The first aggravating circumstance includes a situation in which a significant number of information systems have been affected through the use of a tool, referred to in Article 7 of Directive 2013/40, designed or adapted primarily for that purpose. In such an event, the perpetrator should be sentenced to a maximum term of imprisonment of at least 3 years (Article 9(3) of Directive 2013/40).

Under Article 9(4) of Directive 2013/40, aggravating circumstances, resulting in the possibility of the perpetrator’s being sentenced for a maximum sentence of imprisonment of at least 5 years, include the commitment of offences within the framework of a criminal organisation, as defined in Framework Decision 2008/841/JHA of the 24th of October 2008 on the combating organised crime,Footnote 47 causing serious damage, and the committing of an offence against a critical-infrastructure information system.Footnote 48

The last aggravating circumstance affecting penal liability (Article 9(5)) is a situation in which the offences referred to in Articles 4 and 5 are committed by misusing the personal data of another person (identity theft).Footnote 49

The Directive was criticised for the failure to provide severe sanctions, especially in relation to acts, which can be classified as terrorist attacks against IT systems. This reservation can currently be considered outdated. Discussing the issue of making more stringent the penal liability of a perpetrator accused of an offence of a terrorist nature, one should take into account the legal regulations laid down in Directive 2017/541. Pursuant to point (i) of Article 3(1), in conjunction with Article 3(2) of the said Directive (see remarks above), illegal system interference as referred to in Article 4 of the Directive in cases in which Article 9(3) or points (b) or (c) of Article 9(4) of that Directive applies, and illegal data interference as referred to in Article 5 of that Directive, in cases in which point (c) of Article 9(4) of that Directive applies, constitute a terrorist offence. This means that terrorist offences should include acts involving illegal system interference committed with one of the aims listed in Article 3(2) of Directive 2017/541, with the use of one of the tools referred to in Article 7 of Directive 2013/40, designed or adapted primarily for that purpose, in which a significant number of information systems have been intentionally affected, or in which substantial damage has been inflicted. In addition, an unlawful act under Article 5 should be considered a terrorist offence if it has been directed against a critical-infrastructure information system.Footnote 50