Development of Cybercrime Law in the European Union

At the European Union level, although the possibility of having a comprehensive legal framework dealing with cyber crimes was not a far stretched idea owing to the cooperation at the Union level, however, this idea was not considered until the late 1990s.

Taking into account the growing incidents of cyber crimes, their peculiar nature, and the essential element of international cooperation in this regard, a series of initiatives were taken at the EU level in the form of recommendations and Council conclusions. This was followed by the first legislative proposal by the Commission in early 1998 to deal with certain aspects of computer crimes, i.e. credit card frauds and forgery of non-cash means of payment. However, it was only in May 2001 that the Framework Decision on Combating Fraud and Counterfeiting of Non-Cash Means of Payment was adopted.[1]

Learn more about Technology Law with Enhelion’s Online Law firm certified Master Course! 

During the same time, the Council of Europe was taking a number of steps and engaging in negotiations, in collaboration with the G8 countries, USA, Canada, Japan, United Kingdom, Germany, France, Italy, and Russia, with respect to judicial cooperation in this field.  As a result, an agreement was reached in 1997 pertaining to an action plan to combat high-tech and computer-related crimes. One of the action plan’s initiatives is the 24/7 network of law enforcement contact points to combat cybercrime, which is now a part of the current legal framework at the EU level. This network furthers the objective of international cooperation, specifically with respect to the investigation of cybercrimes.

In October 1999, the G8 met again as a follow-up measure of the action plan. This follow-up concluded that the biggest roadblock in combating computer crimes is the identification and tracking of criminals in cyberspace. To overcome this roadblock, many principles were adopted to ensure transnational access to data, simplified mutual assistance, and general permission to access publicly available material in another state without express permission. These principles now form the basis of the current legal regime at the EU level[2].

Meanwhile, the European Committee on Crime Problems[3] (CDPC) decided to set up a committee of experts to deal with cyber-crime in November 1996. Subsequently, the Report submitted by Professor H.W.K. Kaspersen concluded that “it should be looked to another legal instrument with more engagement than a Recommendation, such as a Convention. Such a Convention should not only deal with criminal substantive law matters but also with criminal procedural questions as well as with international criminal law procedures and agreements”.[4]

Learn more about Technology Law with Enhelion’s Online Law firm certified Master Course! 

Taking into account the Report submitted to the CDPC, the Council of Europe was successful in formulating the Convention on Cybercrime[5], with an aim to bring minimum harmonization in the acts termed as ‘cybercrime’ in the Member States of the EU.

The Explanatory Report of the Cybercrime Convention highlights the changing nature of crimes and the subsequent need to develop a legal framework to prosecute such crimes exclusively. It states that-

The technological developments have given rise to unprecedented economic and social changes, but they also have a dark side: the emergence of new types of crime as well as the commission of traditional crimes by means of new technologies.[6] Criminals are increasingly located in places other than where their acts produce their effects. However, domestic laws are generally confined to a specific territory. Thus, solutions to the problems posed must be addressed by international law, necessitating the adoption of adequate international legal instruments”.[7]

The Convention on Cybercrime adopts a holistic approach in dealing with both substantive and procedural aspects[8] of cybercrimes at the EU level. Section 1 of Chapter II covers both criminalization provisions and other connected provisions in the area of computer or computer-related crime by defining nine offences (illegal access, illegal interception, data interference, system interference, misuse of devices, computer-related forgery, computer-related fraud, offences related to child pornography and offences related to copyright and neighbouring rights) grouped into four different categories (offences against the confidentiality, integrity and availability of computer data and systems, computer-related offences, content-related offences and offences related to copyright and neighbouring rights)[9]. It further deals with ancillary liability and sanctions[10].

Learn more about Technology Law with Enhelion’s Online Law firm certified Master Course! 

Furthermore, the Convention also contains provisions for traditional as well as computer crime-related mutual assistance and extradition.[11] It also provides for transborder access to stored computer data without mutual assistance, either with consent or without consent, in the case of publicly available data. It also provides for the setting up of a 24/7 network to ensure speedy assistance among the Parties.

Lastly, at the Union level, to address the issue of cooperation at, the Union level, the European Network and Information Security Agency (ENISA) was established in 2004. ENISA was given the responsibility to develop expertise to enhance cooperation between public and private sectors and provide assistance to the Commission and Member States of the EU in their dialogue with industry for the purpose of addressing security-related problems in hardware and software products. It was also required to promote risk assessment activities as well as interoperable risk management routines.[12]

Learn more about Technology Law with Enhelion’s Online Law firm certified Master Course! 

[1] EUR-Lex, (last visited May 3, 2021).

[2] These principles can now also be found in the Cybercrime Convention.

[3] Decision CDPC/103/211196.

[4] Salaheddin J. Juneidi, Council of Europe Convention on Cyber Crime, IPICS (2002).

[5] The Cybercrime Convention.

[6] Explanatory Report to the Cybercrime Convention, part I(5).

[7] Explanatory Report to the Cybercrime Convention, part I(6).

[8] Supra note 29, chapter II, § 2.

[9] Supra note 29, chapter II, § 1.

[10] Supra note 29, chapter II, §1, title 5.

[11] Supra note 29, art. 25.

[12] ENISA, (last visited May 6, 2021).