Illegal access to information systems and the Directive 2013/40/EU

Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013, on attacks against information systems, came into force on 3 September 2013, replacing Council Framework Decision 2005/222/JHA. It maintains existing offences and criminalizes new activities such as illegal interception and the usage of certain tools for committing offences. The offence that is the focus of this article – illegal access to information systems – is set out in Article 3. It represents a change from the wording of Art 2 (2) of the Framework Decision 2005/222/JHA in that under Art 3 of the Directive the incrimination of illegal access to information systems now depends upon whether such access infringes a security measure. This paper provides an overview of the impetus for the introduction of cybercrime laws and analysis of the key provisions of the Directive before exploring whether the wording of Art 3 is a sensible legislative approach.