Skip to main content
Logoul Comisiei Europene
Migration and Home Affairs


Cybercrime consists of criminal acts committed online by using electronic communications networks and information systems. The EU has implemented laws and supports operational cooperation through non-legislative actions and funding.

Cybercrime is a borderless issue that can be classified in three broad definitions:

  • crimes specific to the internet, such as attacks against information systems or phishing (e.g. fake bank websites to solicit passwords enabling access to victims' bank accounts)
  • online fraud and forgery: large-scale fraud can be committed online through instruments such as identity theft, phishing, spam and malicious code
  • illegal online content, including child sexual abuse material, incitement to racial hatred, incitement to terrorist acts and glorification of violence, terrorism, racism and xenophobia

Many types of crime, including terrorism, trafficking in human beings, child sexual abuse and drugs trafficking, have moved online or are facilitated online. As a consequence, most criminal investigations have a digital component.

EU laws and actions aim to:

  • improve the prevention, investigation and prosecution of cybercrime and child sexual exploitation
  • build capacity in law enforcement and the judiciary
  • work with industry to empower and protect citizens

EU law on cybercrime

EU rules on cybercrime correspond to and build on different provisions of the Council of Europe Convention on Cybercrime.

The directive aims to tackle large-scale cyber-attacks by requiring EU countries to strengthen national cyber-crime laws and introduce tougher criminal sanctions.

The directive includes measures that better address new developments in the online environment, such as grooming (offenders posing as children to lure minors for the purpose of sexual abuse).

Digital investigations: horizontal issues


Encryption is regarded as an effective way of ensuring the protection of cybersecurity, data protection and privacy. It can help citizens and businesses to defend themselves against the abuse of IT technologies, such as hacking, identity and personal data theft, fraud and the improper disclosure of confidential information.

Encryption can also be used by criminals, to hide their actions from law enforcement. This hinders lawful access to important electronic evidence, makes the work of law enforcement authorities’ more challenging, and complicates the process of criminal investigations.

What the Commission is doing

To support law enforcement authorities in overcoming challenges posed by encryption in the context of criminal investigations, the Commission proposed in the 11th progress report on a more effective and genuine Security Union, concrete non-legislative measures which respect the safeguarding of strong encryption, required for the functioning of the Digital Single Market and do not in any way prohibit, limit or weaken encryption.

Encryption remains an on-going and increasing challenge which the Commission will continue to tackle. Dialogues with experts and key stakeholders continue to offer different perspectives and insight on new developments and possible longer-term strategies, taking into account the increasing sophistication and widespread use of encryption tools in communication, as well as the need to safeguarding users’ personal data.

Data retention

Access to electronic data is important to enable police and public prosecutors to investigate crimes including when committed online or enabled by using internet or telecommunication networks. Access to (non-content) data in turn depends on its availability and retention by communication service providers. Access is always retrospective – a typical investigator’s question could be “Who was accessing the Internet using this IP address two months ago?”. To answer this question, data on all IP address usage would need to be kept, including that of all the persons who did not commit any crimes. As a result, data retention rules should respect fundamental rights such as privacy and data protection as enshrined in the European Charter of Fundamental Rights.

The Commission is monitoring developments at national level, and published a study on data retention. The objective is to fill knowledge gaps and gather information about the legal, operational and fundamental rights challenges of mandatory data retention frameworks for criminal investigations and prosecutions, issues of admissibility of evidence, and the impact on electronic communication service providers and their users.

Coordination and agency support

Set up by Europol, acts as the focal point in the fight against cybercrime in the Union, pooling European cybercrime expertise to support Member States' cybercrime investigations and providing a collective voice of European cybercrime investigators across law enforcement and the judiciary.

The Commission ensures alignment of EC3's work with the EU cybercrime policy, ensures that EC3 has sufficient resources, and promotes its work.


Related links