Cybercrime consists of criminal acts committed online by using electronic communications networks and information systems. The EU has implemented laws and supports operational cooperation through non-legislative actions and funding.
Cybercrime is a borderless issue that can be classified into three broad categories:
- crimes specific to the internet, such as attacks against information systems or phishing (e.g. fake bank websites to solicit passwords enabling access to victims' bank accounts)
- online fraud and forgery: large-scale fraud can be committed online through instruments such as identity theft, phishing, spam and malicious code
- illegal online content, including child sexual abuse material, incitement to racial hatred, incitement to terrorist acts and glorification of violence, terrorism, racism and xenophobia
Many types of crime, including terrorism, trafficking in human beings, child sexual abuse and drugs trafficking, have moved online or are facilitated online. As a consequence, most criminal investigations have a digital component.
EU laws and actions aim to:
- improve the prevention, investigation and prosecution of cybercrime and child sexual exploitation
- build capacity in law enforcement and the judiciary
- work with industry to empower and protect citizens
Crime leaves digital traces that can serve as evidence in court proceedings. That is why effective and common EU mechanisms to obtain digital evidence should be established.
EU law on cybercrime
EU rules on cybercrime correspond to and build on different provisions of the Council of Europe Convention on Cybercrime.
- 2020: Proposal for Interim Regulation on the processing of personal and other data for the purpose of combatting child sexual abuse
- 2019: Directive on non-cash payment fraud
The directive updates the legal framework, removing obstacles to operational cooperation and enhancing prevention and victims’ assistance, to make law enforcement action against fraud and counterfeiting of non-cash means of payment more effective.
- 2018: Proposals for Regulation and Directive facilitating cross-border access to electronic evidence for criminal investigations
- 2013: Directive on attacks against information systems
The directive aims to tackle large-scale cyber-attacks by requiring EU countries to strengthen their national cybercrime laws and introduce tougher criminal sanctions.
- 2011: Directive on combating the sexual abuse and sexual exploitation of children (the Child Sexual Abuse Directive)
The directive includes measures that better address new developments in the online environment, such as grooming (offenders posing as children to lure minors for the purpose of sexual abuse).
Digital investigations: horizontal issues
Encryption is regarded as an effective way of ensuring cybersecurity, data protection and privacy. It helps citizens and businesses defend themselves against the abuse of information technology, such as hacking, identity and personal data theft, fraud and the improper disclosure of confidential information.
Encryption can also be used by criminals to hide their actions from law enforcement. This hinders lawful access to important electronic evidence, makes the work of law enforcement authorities more challenging, and complicates criminal investigations.
What the Commission is doing
To support law enforcement authorities in overcoming the challenges posed by encryption in criminal investigations, the Commission proposed concrete non-legislative measures in the 11th progress report on a more effective and genuine Security Union. These measures respect the need to safeguard strong encryption, which is required for the functioning of the Digital Single Market, and do not in any way prohibit, limit or weaken encryption.
Encryption remains an ongoing and growing challenge which the Commission will continue to tackle. Dialogues with experts and key stakeholders continue to offer different perspectives and insight on new developments and possible longer-term strategies, taking into account the increasing sophistication and widespread use of encryption tools in communication, as well as the need to safeguard users' personal data.
Access to electronic data is important to enable police and public prosecutors to investigate crimes, including crimes committed online or enabled by the use of internet or telecommunication networks. Access to (non-content) data in turn depends on its availability and retention by communication service providers. Access is always retrospective: a typical investigator's question could be "Who was accessing the Internet using this IP address two months ago?". To answer this question, data on all IP address usage would need to be kept, including that of all the persons who did not commit any crime. As a result, data retention rules should respect fundamental rights such as privacy and data protection as enshrined in the Charter of Fundamental Rights of the European Union.
The Commission is monitoring developments at national level, and published a study on data retention. The objective is to fill knowledge gaps and gather information about the legal, operational and fundamental rights challenges of mandatory data retention frameworks for criminal investigations and prosecutions, issues of admissibility of evidence, and the impact on electronic communication service providers and their users.
Coordination and agency support
- EU level: The European Cybercrime Centre
Set up by Europol, the European Cybercrime Centre (EC3) acts as the focal point in the fight against cybercrime in the Union, pooling European cybercrime expertise to support Member States' cybercrime investigations and providing a collective voice for European cybercrime investigators across law enforcement and the judiciary.
The Commission ensures alignment of EC3's work with the EU cybercrime policy, ensures that EC3 has sufficient resources, and promotes its work.
- Public-private cooperation: WePROTECT Global Alliance (child sexual exploitation online)
- Internet governance: Public Safety Working Group (PSWG) of the Governmental Advisory Committee of the Internet Corporation for Assigned Names and Numbers (ICANN)
- International level: Council of Europe Convention on Cybercrime
- Directive on attacks against information systems
- Report assessing the actions taken by the EU countries to implement the Child Sexual Abuse Directive
- Directive on non-cash means of payment
- Report assessing the measures against websites containing child pornography
- Report: Internet Organised Crime Threat Assessment (IOCTA) 2020
- Study on data retention