The European Commission today unveiled two new measures to ensure that Europe can defend itself from attacks against its key information (IT) systems. A proposal for a Directive to deal with new cyber crimes, such as large-scale cyber attacks, is complemented by a proposal for a Regulation to strengthen and modernise the European Network and Information Security Agency (ENISA).

The two initiatives are foreseen by the Digital Agenda for Europe and the Stockholm Programme to boost trust and network security. Under the proposed Directive, the perpetrators of cyber attacks and the producers of related and malicious software could be prosecuted, and would face heavier criminal sanctions. Member States would be also obliged to quickly respond to urgent requests for help in the case of cyber-attacks, rendering European justice and police cooperation in this area more effective. Strengthening and modernising ENISA would also help the EU, Member States and private stakeholders develop their capabilities and preparedness to prevent, detect and respond to cyber-security challenges. Both proposals will be forwarded to the European Parliament and the EU's Council of Ministers for adoption.

While Europe is engaged in taking full advantage of the potential of network and information systems, it should not become more vulnerable to disruptions caused by accidental or natural events (like submarine cable breaks) or through malicious actions (like hacking or other cyber-attacks). These could be based on, for example, increasingly sophisticated tools which hijack large numbers of computers and manipulate them simultaneously as an army of robots on the internet (“botnets”) without their owners' knowledge. These infected computers can later be used to carry out devastating cyber-attacks against public and private IT systems. The number of attacks against information systems has risen steadily since the EU first adopted rules on attacks against information systems in February 2005. In March 2009, the computer systems of government and private organizations in more than 100 countries were attacked by a network of compromised computers which extracted sensitive and classified documents. In this instance again, malicious software created 'botnets', networks of infected computers that can be remotely controlled to stage a coordinated attack.

The package proposed by the Commission will strengthen Europe's response to cyber disruptions. The Commission's proposal on cybercrime builds on rules that have been in force since 2005, and introduces new aggravating circumstances and higher criminal sanctions that are necessary to fight more effectively the growing threat and occurrence of large scale attacks against information systems.

Moreover, it would pave the way for an improvement of cooperation between the judiciary and the police of the Member States, introducing the obligation for Member States to make better use of the existing 24/7 network of contact points by treating urgent requests in a specified timeframe. Finally, the proposed Directive would provide for the establishment of a system to record and trace cyber attacks.

Reinforced cooperation across countries and industrial sectors

To help co-ordinate Europe's response, the Commission is proposing a new Regulation to strengthen and modernise the European Network and Information Security Agency (ENISA), which was first established in 2004. This would reinforce cooperation across EU Member States, law enforcement authorities and the industrial sector. ENISA will play an important role in boosting trust, which underpins the development of the Information Society, by enhancing the security and privacy of users.

Under its new mandate, ENISA would engage EU Member States and private sector stakeholders in joint activities across Europe, such as cyber security exercises, public private partnerships for network resilience, economic analyses and risk assessment and awareness campaigns.

A modernised ENISA would have greater flexibility and adaptability and would be available to providing EU countries and institutions with assistance and advice on regulatory matters.

Finally, to respond to the increased intensity of cyber security challenges, the proposed Regulation would extend ENISA's mandate for five years and gradually increase its financial and human resources. The Commission proposes that ENISA's governance structure would also be strengthened with a stronger supervisory role of the Management Board, in which the EU Member States and the European Commission are represented.

The proposed Directive on attacks against information systems repeals the Council Framework Decision 2005/222/JHA. Member States would have an obligation to comply with the new Directive on cyber crime, and transpose it into national legislation within two years from its adoption at the latest.