The main objective of the Framework Decision, through an approximation of Member States' rules on criminal law in the area of attacks against information systems, is to improve cooperation between judicial and other competent authorities, including police and other Member States' specialised law enforcement services.

Since the Council Framework Decision 2005/222/JHA was adopted, successive criminal attacks against information systems have repeatedly underlined the need for closer European coordination in response to attacks of this type. The massive denial of service attack against Estonia's information infrastructure in May 2007 served as a timely reminder of the disruptive and destructive effects of such attacks. Consequently, the need for a complete and accurate implementation of the FD by every Member State has intensified since the FD was adopted.

Within the dispositions of the FD, there was the obligation for Member States to notify any provisions transposing the obligations imposed under the FD into their national law. This Report highlights the fact that, at the moment, only seven Member States have fulfilled that obligation.

The report concludes that the FD has been implemented in very different ways in the 20 Member States. In most States, the wording of the national law is close to that used in the FD. In others, a more indirect and general method of implementation has been applied. In many cases this means that the legal concepts and expressions used are not easily comparable. As far as possible, this report will take the general criminal law of the Member States into account and indicate any particular difficulties associated with this approach.

The report provides a first insight into implementation of the FD by the Member States. It confirms the wide diversity in the ways the Member States have implemented penal legislation and the resulting difficulty with fully assessing the national legislation without looking into how it is applied in practice.

The Commission notes that the FD is still being implemented in Member States. Significant progress has been made in practically all the 20 Member States assessed in this report, where the level of implementation has been found to be relatively good. The major concern for the Commission are the seven Member States that have yet to communicate any implementing measures.

The obligations imposed by the FD to Member States that have been analysed by the Commission in this report are:

• Illegal access to information systems
• Illegal system interference
• Illegal data interference
• Instigation, aiding and abetting and attempt
• Penalties and aggravating circumstances
• Liability of legal persons and penalties for legal persons
• Jurisdiction of MS for the obligations contained in the FD
• Exchange of information

At European level the European Network and Information Security Agency (ENISA) serves as a centre of expertise for both Member States and EU Institutions, to seek advice in Network and Information Security matters. As such, ENISA supports the capability of the Member States, the EU-institutions and the business community to prevent, address and respond to Network and Information Security problems.