Skip to main content
European Commission logo
Migration and Home Affairs


Cybercrime consists of criminal acts committed online by using electronic communications networks and information systems. The EU has implemented laws and supports operational cooperation through non-legislative actions and funding.

Cybercrime is a borderless issue that can be classified in three broad definitions:

  • crimes specific to the internet, such as attacks against information systems or phishing (e.g. fake bank websites to solicit passwords enabling access to victims' bank accounts)
  • online fraud and forgery: large-scale fraud can be committed online through instruments such as identity theft, phishing, spam and malicious code
  • illegal online content, including child sexual abuse material, incitement to racial hatred, incitement to terrorist acts and glorification of violence, terrorism, racism and xenophobia

Many types of crime, including terrorism, trafficking in human beings, child sexual abuse and drugs trafficking, have moved online or are facilitated online. As a consequence, most criminal investigations have a digital component.

EU laws and actions aim to:

  • improve the prevention, investigation and prosecution of cybercrime and child sexual exploitation
  • build capacity in law enforcement and the judiciary
  • work with industry to empower and protect citizens


Crime leaves digital traces that can serve as evidence in court proceedings. That is why effective and common EU mechanisms to obtain digital evidence should be established.


The European Commission explores options how to support law enforcement authorities in overcoming challenges posed by encryption in the context of criminal investigations.

EU law on cybercrime

Digital investigations: horizontal issues


Encryption is regarded as an effective way of ensuring the protection of cybersecurity, data protection and privacy. It can help citizens and businesses to defend themselves against the abuse of IT technologies, such as hacking, identity and personal data theft, fraud and the improper disclosure of confidential information.

Encryption can also be used by criminals, to hide their actions from law enforcement. This hinders lawful access to important electronic evidence, makes the work of law enforcement authorities’ more challenging, and complicates the process of criminal investigations.

What the Commission is doing

To support law enforcement authorities in overcoming challenges posed by encryption in the context of criminal investigations, the Commission proposed in the 11th progress report on a more effective and genuine Security Union, concrete non-legislative measures which respect the safeguarding of strong encryption, required for the functioning of the Digital Single Market and do not in any way prohibit, limit or weaken encryption.

Encryption remains an on-going and increasing challenge which the Commission will continue to tackle. Dialogues with experts and key stakeholders continue to offer different perspectives and insight on new developments and possible longer-term strategies, taking into account the increasing sophistication and widespread use of encryption tools in communication, as well as the need to safeguarding users’ personal data.

Data retention

Access to electronic data is important to enable police and public prosecutors to investigate crimes including when committed online or enabled by using internet or telecommunication networks. Access to (non-content) data in turn depends on its availability and retention by communication service providers. Access is always retrospective – a typical investigator’s question could be “Who was accessing the Internet using this IP address two months ago?”. To answer this question, data on all IP address usage would need to be kept, including that of all the persons who did not commit any crimes. As a result, data retention rules should respect fundamental rights such as privacy and data protection as enshrined in the European Charter of Fundamental Rights.

The Commission is monitoring developments at national level, and published a study on data retention. The objective is to fill knowledge gaps and gather information about the legal, operational and fundamental rights challenges of mandatory data retention frameworks for criminal investigations and prosecutions, issues of admissibility of evidence, and the impact on electronic communication service providers and their users.

Coordination and agency support