18 November 2001. Thanks to Anonymous.
Original PDF: http://cryptome.org/eu-antihack.pdf (230KB)
Anonymous: This anti-hacking proposal of the EU Commission makes provisions worse than those already in COE Cybercrime Treaty. If this proposal becomes EU law, "illegal access" will be considered a "serious attack against information systems" even if the access was unintentional. As penalty for any indirect damage in course of "illegal access" the maximum sentence must a minimum of four years. The proposal has not been published and is to be presented November 27, 2001, in Brussels.
[26 pages.]
EN (VERSION OF 5.10.01)
COMMISSION OF THE EUROPEAN COMMUNITIES
Brussels,
COM(2001)
Proposal for a
(presented by the Commission)
Living in an area of freedom, security and justice
EXPLANATORY MEMORANDUM
1. INTRODUCTION
Electronic communication networks and information systems are now an essential part of the daily lives of EU citizens and are fundamental to the success of the EU economy. Networks and information systems are converging and becoming increasingly interconnected. Despite the many and obvious benefits of this development, it has also brought with it the worrying threat of intentional attacks against information systems. These attacks can take a wide variety of forms including illegal access, spread of malicious code and denial of service attacks. It is possible to launch an attack from anywhere in the world, to anywhere in the world, at any time. New, unexpected forms of attacks could occur in the future.
Attacks against information systems constitute a threat to the achievement of a safer Information Society and an Area of Freedom, Security and Justice, and therefore require a response at the level of the European Union. Part of the Commissions contribution to this response is this proposal for a Framework Decision on approximation of criminal law in the area of serious attacks against information systems.
1.1. Types of attacks against information systems
The phrase information system is deliberately used here in its broadest sense in recognition of the convergence between electronic communication networks and the various systems they connect. For the purpose of this proposal, information systems therefore include stand-alone personal computers, personal digital organisers, mobile telephones, intranets, extranets and, of course, the networks, servers and other infrastructure of the Internet.
In its Communication "Network and Information security - A European Policy Approach"1, the Commission has proposed the following description of threats against computer systems:
(a) Unauthorised access to information systems. This includes the notion of hacking. Hacking is gaining unauthorised access to a computer or network of computers. It can be undertaken in a variety of ways from simply exploiting inside information to brute force attacks and password interception. It is often though not always - with malicious intent to either copy, modify or destroy data. Intentional corruption of websites can be one of the aims of unauthorised access.(b) Disruption of information systems. Different ways exist to disrupt information systems through malicious attacks. One of the best known ways to deny or degrade the services offered by the Internet is a denial of service attack (DoS). In a way this attack is similar to fax machines being flooded with long and repeated messages. Denial of service attacks attempt to overload web servers or Internet Service Providers (ISPs) with automatically generated messages. Other types of attacks can include disrupting servers operating the domain name system (DNS) and attacks directed at routers. Attacks aimed at disrupting systems have been damaging for certain high profile websites like portals. Some studies have calculated that a recent attack caused damage worth several hundred million Euros, in addition to the intangible damage to reputation. Increasingly, companies rely on the availability of their websites for their business and those companies which depend on it for just in time supply are particularly vulnerable.
(c) Execution of malicious software that modifies or destroys data. The most well known type of malicious software is the virus. Infamous examples include the I Love You, Melissa and Kournikova viruses. About 11 % of European users have caught a virus on their home personal computer (PC). There are other types of malicious software. Some damage the PC itself, whereas others use the PC to attack other networked components. Some programs (often called logic bombs) can lie dormant until triggered by some event such as a specific date, at which point they can cause major damage by altering or deleting data. Other programs appear to be benign, but when opened release a malicious attack (often called Trojan Horses). Another variant is a program (often called a worm) that does not infect other programs as a virus, but instead creates copies of itself, which in turn create even more copies and eventually swamp the system.
(d) Interception of communications. Malicious interception of communications compromises the confidentiality and integrity requirements of users. It is often called sniffing.
(e) Malicious misrepresentation. Information systems offer new opportunities for misrepresentation and fraud. The taking of someone elses identity on the Internet, and using this for malicious purposes, is often called spoofing.
____________________
1 Communication from the Commission to the Council, the European Parliament, the European Economic and Social Committee and the Committee of the Regions Network and Information Security: Proposal for a European Policy Approach of 6.6.2001. COM (2001) 298 final.
1.2. The nature of the threat
There is a clear need to gather reliable information on the scale and nature of attacks against information systems.
Some of the most serious incidents of attacks against information systems are directed against electronic communications network operators and service providers or against electronic commerce companies. More traditional areas can also be severely affected given the ever-increasing amount of inter-connectivity in the modern communications environment: manufacturing industries; service industries; hospitals; other public sector organisations and governments themselves. But victims of attacks are not only organisations; there can be very direct, serious and damaging effects on individuals as well.
The type of attacks described above are often carried out by individuals acting on their own, sometimes by minors who perhaps do not fully appreciate the seriousness of their actions. However, the level of sophistication and ambition of the attack could grow. There is growing and worrying concern of organised criminals using communication networks to launch attacks against information systems for their own purposes. Organised hacking groups specialised in hacking and defacement of websites are more and more active at worldwide level. Examples include the Brazilian Silver Lords and the Pakistan Gforce, which try to extort money from their victims by offering them specialised assistance after hacking into their information systems. The arrest of large groups of hackers suggest that hacking could increasingly be an organised crime phenomenon. There have recently been sophisticated, organised attacks against intellectual property as well as attempts to steal substantial funds from banking services2.
Most seriously, there is a threat of a terrorist attack against vital information systems within the European Union. This threat must be taken very seriously following the unprecedented, tragic and murderous terrorist attacks against the people of the United States of America on 11 September 2001, in which hundreds of citizens of the European Union also died. These cowardly attacks highlight the need for an effective response to terrorism at the level of the European Union. This proposal forms part of the Commissions contribution to the response. It supplements the Commissions proposals to replace extradition within the European Union with a European Arrest Warrant3 and to approximate laws on terrorism4. The proposal for a Framework Decision on combating terrorism creates the terrorist offence of an attack against information system, but this need to be supplemented by greater approximation of the constituent elements of offences against information systems. This Framework Decision will provide a much greater level of approximation of the constituent elements of offences against information systems. Taken together, these instruments will ensure that Member States of the European Union have effective criminal laws in place to tackle cyberterrorism, and will enhance international co-operation against terrorism.
This proposal does not relate only to acts of terrorism directed at Member States. It also applies to conduct on the territory of the European Union which are directed against information systems on the territory of third countries. This reflects the Commissions commitment to tackle terrorism at a global as well as European Union level. Indeed, the Commission is working closely with Member States and third countries to combat international terrorism within the framework of international organisations and existing international co-operation mechanisms, particularly the United Nations and the G8.
In fact, there have already been several recent occasions where tensions in international relations have led to a spate of attacks against information systems, often involving attacks against websites. More serious attacks could not only lead to serious financial damage but, in some cases, could even lead to loss of life (e.g. hospital systems, air traffic control systems etc). The importance attached to it by Member States is demonstrated in the priority attached to various Critical Infrastructure Protection initiatives. For example, the EU Information Society Technologies (IST) Programme5 has established, in collaboration with the US Department of State, a Joint EC/US Task Force on Critical Infrastructure Protection.6
____________________
2 According to a survey published by the Communications Management Association (CMA), there have been hacking attacks against a third of UK's big companies and public sector organisations, including government offices, causing damage ranging from infiltrating corporate bank accounts to information theft. See the survey at http://www.cma.org.3 Proposal for a Council Framework Decision on the European arrest warrant and the surrender procedures between the Member States. COM(2001) 522 final. Adopted by the Commission on 19.9.2001.
4 Proposal for a Council Framework Decision on combating terrorism. COM(2001) 521 final. Adopted by the Commission on 19.9.2001
5 The IST Programme is managed by the European Commission. It is part of the 5th Framework Programme, which runs from 1998 to 2002. More information is available at http://www.cordis.lu/ist.
6 Under the auspices of the Joint Consultative Group of the EC/US Science and Technology Co-operation Agreement.
1.3. The need for accurate information and statistics
There are few reliable statistics available on the full scale of the computer-related crime phenomenon. The number of intrusions detected and reported up to now probably under-represent the scope of the problem. According to a US survey7, in 1999 only 32% of respondents who have suffered a computer intrusion in the previous year reported it to law enforcement. And this was an improvement on previous years when only 17% had reported. Numerous reasons have been given for non-reporting. Because of limited awareness and experience of system administrators and users, many intrusions are not detected. In addition, many companies are not willing to report cases of computer abuse, to avoid bad publicity and exposure to future attacks. Many police forces do not yet keep statistics on the use of computers and communication systems involved in these and other crimes8. Law enforcement authorities lack adequate training to detect, identify and investigate computer related offences. However, the European Union has started to address this issue by collecting some figures on attacks against information systems. In one Member State, it was estimated that there were between 30 000 and 40 000 attacks in 1999 on information systems, whereas no more than 105 official complaints were recorded in this field. Indeed, in 1999, seven Member States recorded a total of only 1844 official reports of crimes against information systems and computer data. Nevertheless, this is twice the figure reported in 1998, when only 972 cases were officially recorded in the seven Member States9.
In addition, a recent survey10 reported that 13 per cent of companies that had been victim to economic crime stated one of the crimes was cybercrime. The survey also reported increasing concern about cybercrime, with 43 per cent of respondents believing cybercrime would be a future risk. Another study concluded that hackers and viruses now pose the main cybercrime threat to organisations, with the main perpetrators being hackers (45 per cent), former employees (13 per cent), organised crime (13 per cent) and current employees (11 per cent)11. Such figures can be expected to continue to grow as the use of information systems and interconnectivity increases, and the willingness to report attacks improves. But it is clear that urgent measures are needed to produce a statistical tool for use by all Member States so that computer-related crime within the European Union can be measured both quantitatively and qualitatively. The starting point for such an analysis is a common definition at the level of the European Union of the offences involved in attacks against information systems.
____________________
7 The Computer Security Institute (CSI) and the Federal Bureau of Investigation (FBI) produce an annual "Computer Crime and Security Survey" published early in each year. CSI's website and further details about the survey may be found at www.gocsi.com8 The Italian Ministry of Interior recently published statistics on its operational activities against computer-related crime in 1999 and 2000 (see at http://www.mininterno.it/dip_ps/dcpsffp/index.htm). Official reports of hacking cases in 2000 are 98, four times the figure reported in 1999, when only 21 cases were officially recorded.
9 Council doc. 8123/01 ENFOPOL 38. Available from the Council website http://db.consilium.eu.int/jai
10 European Economic Crime Survey 2001, PricewaterhouseCoopers 2001 ( http://www.pwcglobal.com )
11 The Cybercrime Survey 2001, Confederation of British Industry (see http://www.cbi.org.uk )
1.4. European Union policy background
Against this background, at the Lisbon Summit of March 2000, the European Council stressed the importance of the transition to a competitive, dynamic and knowledge-based economy, and invited the Council and the Commission to draw up an eEurope Action plan to make the most of this opportunity.12 This Action Plan, prepared by the Commission and the Council, adopted by the Feira Summit of the European Council in June 2000, includes actions to enhance network security and the establishment of a co-ordinated and coherent approach to cybercrime by the end of 2002.
As part of the Commissions contribution to this mandate on cybercrime, the Commission published a Communication entitled Creating a Safer Information Society by Improving the Security of Information Infrastructures and Combating Computer-related Crime13. This proposed a balanced approach to tackling the problems of cybercrime, by taking full account of the views of all the interested parties including law enforcement agencies, service providers, network operators, other industry groups, consumer groups, data protection authorities and privacy groups. The Communication proposed a number of legislative and non-legislative initiatives.
One of the key issues addressed by the Communication was the need for effective action to deal with threats to the integrity, availability and dependability of information systems and networks. Much has already been achieved in the field of Community law. There are already several legal measures in place at Community level with specific implications for network and information security. In particular, the European telecommunication and data protection framework (Directives 95/46/EC and 97/66/EC14) contains provisions to ensure that providers of publicly available telecommunications services must take appropriate technical and organisational measures to safeguard the security and confidentiality of their services, and that these measures must ensure a level of security appropriate to the risk presented.
One of the most important and effective ways to address these problems is through prevention and education. The Communication underlined the importance of the availability, development, deployment and effective use of preventive technologies. It highlighted that there was a need to raise public awareness on the risks posed by computer-related crime, promote best practices for IT security, develop effective tools and procedures to combat computer-related crime as well as encourage further development of early warning and crisis management mechanisms. The EU Information Society Technologies (IST) Programme15 provides a framework to develop capability and technologies to understand and tackle emerging challenges related to computer crime.
More recently, the Stockholm European Council on 23-24 March recognised the need for further action in the area of network security and concluded "the Council together with the Commission will develop a comprehensive strategy on security of electronic networks including practical implementing action. This should be presented in time for the Göteborg European Council." The Commission responded to this call with its Communication on Network and Information Security: A European Policy approach (COM(2001, adopted 6 June 2001). This analysed the current problems in network security, and provided a strategic outline for action in this area. It is not yet a definitive action plan for network security in the European Union, since it will be thoroughly discussed with Member States and other interested actors prior to implementation in order to confirm both feasibility and added value. The Commission proposes to have a concrete implementing action plan before the end of 2001.
These initiatives are not in themselves sufficient to provide all the necessary responses to serious attacks against information systems. Both Commission Communications also recognised that there was an urgent need for approximation of substantive criminal law within the European Union in the area of attacks against information systems. This reflected the conclusions of the Tampere Summit of the European Council in October 199916 which include high-tech crime in a limited list of areas where efforts should be made to agree on common definitions, incriminations and sanctions, and was included in Recommendation 7 of the European Union strategy for the new Millennium on the prevention and control of organised crime adopted by the JHA Council in March 2000.17 This proposal for a Framework Decision is also part of the Commission Work Programme for the Year 200118 and the Scoreboard for the establishment of an area of Freedom, Security and Justice, produced by the Commission and noted by the Justice and Home Affairs Council on 28/29 May 200119.
____________________
12 Presidency Conclusions of the Lisbon European Council of 23 and 24 March 2000, available at http://ue.eu.int/en/Info/eurocouncil/index.htm.13 COM (2000) 890 final
14 OJ L. 281, 23-11-1995, p. 0031-0050, OJ L. 024, 30-01-1998, p. 0001-0008
15 The IST Programme is managed by the European Commission. It is part of the 5th Framework Programme, which runs from 1998 to 2002. More information is available at http://www.cordis.lu/ist.
16 http://db.consilium.eu.int/en/Info/eurocouncil/index.htm.
17 The Prevention and control of organised crime: A European Union strategy for the beginning of the new Millennium (OJ 2000 C124, 3.5.2000).
18 http://europa.eu.int/comm/off/work_programme/index_en.htm
19 http://europa.eu.int/comm/dgs/justice_home/pdf/com2001-278-en.pdf
1.5. The need for approximation of criminal law
Member States laws in this area contain some significant gaps and differences which could hamper the fight against organised crime and terrorism, as well as serious attacks against information systems by individuals. Approximation of substantive law in the area of high tech crime will ensure that national legislation is sufficiently comprehensive so that all forms of serious attacks against information systems can be investigated using the techniques and methods available under the criminal law. Perpetrators of these offences need to be identified, brought to justice, and the courts need to have appropriate and proportionate penalties at their disposal. This will send a strong deterrent message to those contemplating attacks against information systems.
In addition, these gaps and differences could act as a barrier to effective police and judicial co-operation in the area of serious attacks against information systems. Serious attacks against information systems could often be trans-national in nature, and would require international police and judicial co-operation. Approximation of laws will therefore improve this co-operation by ensuring that the dual criminality requirement is fulfilled (in which an activity must be an offence in both countries before mutual legal assistance can usually be provided to assist a criminal investigation). This will benefit EU Member States in co-operation between themselves, as well as improving co-operation between EU Member States and third countries (provided that an appropriate mutual legal assistance agreement exists).
1.6. Scope and purpose of the proposed Framework Decision
The objectives of this Council Framework Decision are therefore to approximate criminal law in the area of serious attacks against information systems, in particular to contribute to the fight against organised crime and terrorism, and to ensure the greatest possible police and judicial co-operation in the area of criminal offences related to attacks against information systems. It is not intended to require Member States to criminalise minor or trivial conduct. It is clear from Article 47 of the Treaty on European Union that this Framework Decision is without prejudice to Community law. In particular, it does not affect privacy or data protection rights and obligations provided for under Community law such as in Directives 95/46 and 97/66. It is not intended to require Member States to criminalise breaches of rules on access to / disclosure of personal data, secrecy of communications, security of processing of personal data, electronic signatures20 or intellectual property violations and it does not prejudice the Directive 2000/31 on certain legal aspects of information society services, in particular electronic commerce, in the internal market21. These are important issues, but they are already covered by existing Community legislation. Any approximation of criminal law in these areas to meet Community law objectives, such as the protection of personal data or intellectual property, therefore needs to be considered using the framework of Community law rather than Title VI of the TEU. For these reasons, this Framework Decision limits itself to addressing the conduct described in points (a)-(c) in section 1.1.
Legislative action at the level of the European Union also needs to take into account developments in other international fora. In the context of approximation of substantive criminal law on attacks against information systems, the Council of Europe (C.o.E.) is currently the most far-advanced. The Council of Europe started preparing an international Convention on cyber-crime in February 1997, and is expected to complete this task by the end of 2001.22 The draft Convention seeks to approximate a range of criminal offences including offences against the confidentiality, integrity and availability of computer systems and data. This Framework Decision is intended to be consistent with the approach adopted in the draft Council of Europe Convention for these offences.
In G8 discussions on high tech crime, two major categories of threats have been identified. First, threats to computer infrastructures, which concern operations to disrupt, deny, degrade or destroy information resident in computers and computer networks, or the computer and networks themselves. Secondly, computer-assisted threats, which concern malicious activities, such as fraud, money laundering, child pornography, infringement to intellectual property rights and drug trafficking, which are facilitated by the use of a computer. This proposal deals with the first category of threats.
Approximation at the level of the EU should take into account developments in international fora and should be consistent with current Community policies. This proposal also seeks to provide greater approximation within the EU than has been possible in other international fora.
____________________
20 Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures, OJ L. 13 of 19/01/200021 OJ L. 178, 17-7-200, p. 0001-0016
22 The Draft text is available on the web, in two languages, in French: http://conventions.coe.int/treaty/fr/projets/cybercrime.htm. and in English: http://conventions.coe.int/treaty/en/projets/cybercrime.htm. [These URLs produce error messages. See mirror: http://cryptome.org/cycrime-final.htm]
2. LEGAL BASIS
The objective of the establishment of an area of freedom, security and justice
must be achieved by preventing and combating crime, organised or otherwise,
including terrorism, through closer co-operation between law enforcement
and judicial authorities in the Member States and approximation of rules
in criminal matters of the Member States. This proposal for a Framework Decision
is therefore aimed at approximating laws and regulations of the Member States
in the area of police and judicial co-operation in criminal matters. It concerns
minimum rules relating to the constituent elements of criminal acts,
in particular, to a substantial degree, in the fields of organised crime
and terrorism. It also involves "ensuring compatibility in rules applicable
in the Member States" in order to facilitate and accelerate co-operation
between judicial authorities. The legal basis indicated in the preamble of
the proposal is therefore Articles 29, 30(a), 31 and 34(2)(b) of the Treaty
on European Union. The proposal will not entail financial implications for
the budget of the European Communities.
3. THE FRAMEWORK DECISION: ARTICLES
Article 1 - Scope and purpose of the Framework Decision
This Article explicitly states that the objectives of this Framework Decision are to approximate criminal law in the area of serious attacks against information systems, in particular to contribute to the fight against organised crime and terrorism, and by doing so to ensure the greatest possible judicial co-operation in the area of criminal offences related to attacks against information systems. It further states that, in accordance with Article 47 of the Treaty on European Union, this Framework Decision is without prejudice to Community law. In particular this includes privacy or data protection rights and obligations provided for under the Directives 95/46 and 97/66. It is not intended to require Member States to criminalise breaches of rules on access to / disclosure of personal data, secrecy of communications, security of processing of personal data, electronic signatures23 or intellectual property violations and it does not prejudice the Directive 2000/31 on certain legal aspects of information society services, in particular electronic commerce, in the internal market24.
This Article explicitly refers to serious attacks against information systems, which makes clear that the proposed Framework Decision is not intended to require Member States to criminalise minor or trivial conduct. Articles 3 and 4 define what is meant by a serious attack in the context of those particular offences. Any one of these criteria is sufficient to make the attack serious for the purposes of this Framework Decision, and thus should be covered by national law. These criteria are also consistent with the reservation possibilities in the draft Council of Europe Cybercrime Convention.
All the criminal offences covered in the framework decision need to be committed with intent. The term intentional is used explicitly in Articles 3, 4 and 5. This should be interpreted in accordance with the normal criminal law principles in Member States governing intent. Thus, this Framework Decision does not require criminalisation of actions where there is gross negligence or other recklessness, but no intent as such. An intent to unlawfully access or interfere with information systems in general should also be sufficient, rather than it being necessary to prove that the intent was directed at a specific information system. Moreover, the definition of serious attacks provides further qualifications to the nature of the intent of the perpetrator.
___________________
23 Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures, OJ L. 13 of 19/01/200024 OJ L. 178, 17-7-200, p. 0001-0016
Article 2 - Definitions
The proposed Council Framework Decision contains the following definitions:
(a) Electronic communications network. This definition is based on the definition in the proposal for a Directive on a common regulatory framework for electronic communications networks and services (COM 2000 393).(b) Computer. This definition is based on Article 1 of the draft Council of Europe Convention on Cybercrime. The definition also includes stand-alone personal computers, personal digital organisers and mobile telephones (provided they have some data processing functions, eg WAP and third generation), which would not be covered solely by the definition of electronic communication networks.
(c) Computer data. This definition is built upon the ISO25 definition of data. It is not intended to include physical items such as books. However, it does include a book stored in the form of computer data (e.g. saved in electronic form as a word processing file) or turned into computer data by means of scanning. For this reason, the definition makes clear that computer data needs to have been created or put into a form suitable for processing in an information system or suitable for causing a function of an information system.
____________________
25 The International Organization for Standardization (ISO) is a worldwide federation of national standards bodies from some 100 countries.(d) Information System. The definition of information systems is originally drawn from that adopted by the OECD in 1992 in its Guidelines for the Security of Information Systems and the previous definitions by referring to electronic communications networks, computers and computer data. The term has also been used in previous community law instruments, such as the Council Decision of 31 March 1992 in the field of security of information systems and the Council Recommendation of 7 April 1995 on common information technology security evaluation criteria. It is intended to be technology neutral, and to reflect accurately the concept of interconnected networks and systems containing data. It covers both the hardware and the software of the system, though not the content of the information itself. It also covers stand-alone systems. In the Commissions view, it is desirable to extend the protection afforded by the criminal law to stand-alone computers as well and not to limit it only to systems that are inter-connected.
(e) Legal person. This is a standard definition from previous Council Framework Decisions.
(f) Authorised person. This means any person who has the right, by contract or by law, or the lawful permission, to use, manage, control, test, conduct legitimate scientific research or otherwise operate an information system and who is acting in accordance with that right or permission. This includes persons acting in accordance with the lawful consent of someone given such an explicit authorisation. It is particularly important that the following categories of persons and legitimate activities (within the limits of the persons rights, permissions and responsibilities, and in accordance with Community laws on data protection and secrecy of communications) should not be criminalised when this Framework Decision is transposed into domestic law:
actions of ordinary users, whether private or business users, including their use of encryption to protect their own communications and data; reverse engineering, within the limits provided by Directive 91/250 of 14 May 1991 on the legal protection of computer programs26;
actions of managers, controllers and operators of networks and systems;
actions of authorised persons testing a system, whether within the company or person appointed externally and given permission to test the security of a system;
legitimate scientific research.
____________________
26 OJ L 122 , 17/05/1991 P. 0042 - 0046
(g) Without right. This is a broad notion, and leaves some flexibility to Member States to decide the precise scope of the offence. Nevertheless, to assist in the implementation of the Council Framework Decision in domestic laws, the Commission believes that it is necessary to indicate that certain activities should not fall within the scope of the offence. It is not possible, and probably not desirable, to draw up a comprehensive, exclusive list of exemptions at the level of the European Union. But the phrase without right builds on the previous definitions so as to exclude conduct by authorised persons. It also excludes any other conduct recognised as lawful under domestic law, including standard legal defences and other types of authority recognised in domestic law.
(h) Protected system. This means the whole or any part of an information system which is subject to specific protection measures. The specific protection measures could include conditional access mechanisms, suitable virus protection software and firewalls and may be necessary in the light of the services that it provides, the value of information that is stored therein and relevant Community law provisions.
(i) Serious attack. In accordance with the objective set out in Article 1, this definition defines a minimum set of criteria to be applied when determining whether an attack against an information system is serious. Any one of these criteria is sufficient to make the attack serious for the purposes of this Framework Decision, and thus should be covered by national law. The criteria for a serious attack are that the offences of illegal access or illegal interference are:
(i) against a protected system; or(ii) committed by a person with the intent to cause damage to a natural or legal person; or
(iii) committed by a person with the intent to result in an economic benefit for the person committing the offence or for a third party. This phrase is taken from the Council Framework Decision of 28 May 2001 on combating fraud and counterfeiting of non-cash means of payment27.
___________________
27 OJ L 182/1, 5.7.2001
Article 3 - Illegal Access to Information Systems
This offence is intended to cover the offence of illegal access to information systems. This includes the notion of hacking an information system. As recognised in Article 1, Member States are free to exclude minor or trivial cases from the scope of the offence when transposing the Framework Decision into domestic law. The offence is required to be established in Member States laws only to the extent that the offence has been committed in the context of a serious attack as defined in Article 2.
The Commission does not wish to undermine in any way the importance it attached
to the use of effective technical measures to protect information systems.
Nevertheless, it is an unfortunate fact that a high proportion of users leave
themselves exposed to attacks by not having adequate (or even any) technical
protection. To deter attacks against these users, it is necessary that criminal
law covers unauthorised access to their systems even though there may not
be adequate technical protection for their systems. For this reason, there
is no qualification to the offence that requires that security measures must
have been overcome for the offence to have been committed.
Article 4 - Interference with Information Systems
This offence covers:
(a) the hindering or interruption, without right, of the functioning of an information system by inputting or transmitting computer data. This specifically addresses the problem of so-called denial of service attacks where there is a deliberate attempt to overwhelm an information system. The offence also covers the interruption of the functioning of an information system, which could be inferred from the phrase hindering but is included here explicitly for the sake of clarity.(b) the hindering or interruption, without right, of the functioning of an information system by damaging, deleting, deteriorating, altering or suppressing computer data. This specifically addresses the problem of viruses, and other types of attacks, which are directed at hindering or interrupting the functions of the information system itself.
(c) the damaging, deletion, deterioration, alteration, suppression or rendering inaccessible of computer data on an information system without right. This covers virus attacks aimed at the content (or computer data) on the information system, as well as corruption of websites.
Subparagraphs (a), (b) and (c) are intended to address the issue of denial of service attacks and attacks using malicious code often described as virus attacks. Subparagraphs (a) (b) use the word hindering or interruption as a constituent element of the offence in order to describe the effects of such an attack. The meaning of the word hindering is not defined, as hindering could take different forms and its level could vary depending upon the type of the attack and the technical capacities of the information system being attacked. Each Member State shall determine for itself what criteria must be fulfilled in order for an information system to be considered as hindered. However, minor nuisances or disruptions in the functioning of the services should not be considered as fulfilling the threshold of seriousness.
As above, Member States are free to exclude minor or trivial cases from the
scope of the offence when transposing the Framework Decision into domestic
law. The offences are required to be established in Member States laws
only to the extent that they have been committed in the context of a
serious attack as defined in Article 2.
Article 5 - Instigation, aiding, abetting and attempt
Article 5(1) puts an obligation on Member States to ensure that the intentional instigation of, aiding or abetting offences against information systems as described in Articles 3 and 4 are punishable.
Article 5(2) specifically concerns attempt. It puts an obligation on Member
States to ensure that attempt to commit any of the offences against information
systems described in Articles 3 and 4 is punishable.
Article 6 Penalties
Paragraph 1 requires Member States to take the necessary measures to ensure that the offences defined in Articles 3-5 are punishable by effective, proportionate and dissuasive penalties28.
By virtue of this paragraph, Member States are required to lay down penalties commensurate with the gravity of the offence, which includes custodial sentences with a maximum term of imprisonment of no less than one year in serious cases. The maximum penalty of at least one year imprisonment brings these offences under Article 2 and 3 within the scope of the Council Framework Decision of 26 June 200129 on money laundering, the identification, tracing, freezing, seizing and confiscation of the instrumentalities and the proceeds from crime.
In keeping with the nature of all framework decisions, which are binding on the Member States as regards the result to be achieved, but leave the choice of form and means to their discretion, the Member States retain some degree of flexibility to adapt their legislation to these rules and to determine the severity of the penalties that apply, within the limits imposed by the Framework Decision, particularly the aggravating circumstances in Article 7. The Commission would stress that it is for the Member States to decide the criteria for determining the gravity of an offence, on the basis of their respective legal systems.
Punishment need not always take the form of imprisonment. Paragraph 2 provides the possibility for Member States to impose fines in addition to or as an alternative to custodial sentences, in line with their respective traditions and legal systems.
____________________
28 The phrase is taken from the Judgment given by the Court of Justice on 21 September 1989 in Case 68/88 [1989] ECR 2965.29 OJ L 182, 5-7-2001, p.1
Article 7 - Aggravating circumstances
This Article provides for Member States to increase the penalties defined in Article 6 under certain circumstances. The Commission would stress that the list of aggravating circumstances provided in this Article is without prejudice to any other circumstances regarded as aggravating in Member States' legislation. This list takes into account the aggravating circumstances described in the national provisions in Member States and as laid down in previous Commission proposals for Framework Decisions.
If one of the following conditions listed in paragraph 1 is fulfilled then the maximum term of imprisonment may not be less than four years:
(a) a person participating in a criminal organisation as defined by Joint Action 98/733 JHA, and acting for the benefit of that organisation;(b) the offence was intended to cause, or result in, substantial direct or indirect economic loss, physical harm to a natural person or substantial damage to part of the critical infrastructure of the Member State;
(c) the offence was intended to cause, or result in, substantial proceeds; or
(d) the offender has been convicted of one or more similar offences by a final judgement in a Member State of the Union. This is the principle of recidivism, which takes account of any convictions obtained in other Member States.
Article 8 - Mitigating circumstances
This article provides for mitigating circumstances in which a Member State
may decide to reduce the penalties referred to in Articles 6 and 7 where,
in the opinion of the competent judicial authority, the offender caused only
minor damage.
Article 9 - Liability of legal persons
In line with the approach taken in a number of legal instruments adopted at EU level to combat different types of criminality, it is necessary also to cover the situation in which legal persons are involved in attacks against information systems. Article 9 therefore contains provisions for holding a legal person liable for the offences envisaged by Articles 3, 4 and 5, committed for their benefit by any person with certain leading positions, acting either individually or as a part of the organ of the legal person. The term liability should be construed so as to include either criminal or civil liability.
In addition, according to standard practice, paragraph 2 provides that a
legal person can also be held liable when the lack of supervision or control
by a person in a position to exercise control, has rendered possible the
commission of the offences for its benefit. Paragraph 3 indicates that legal
proceedings against a legal person do not preclude parallel legal proceedings
against a natural person.
Article 10 - Sanctions on legal persons
Article 10 sets out a requirement for sanctions for legal persons held liable
for the offences referred to in Articles 3, 4 and 5. It requires effective,
proportionate and dissuasive sanctions, where the minimum obligation is to
impose criminal or non-criminal fines. Other sanctions that could typically
apply to legal persons are also indicated.
Article 11 - Jurisdiction
The international nature of offences involving attacks against information systems means that an effective legal response requires procedural provisions on jurisdiction and extradition which should be clear and far-reaching at the European Union level, to ensure that offenders cannot escape prosecution.
Paragraph 1 sets out a series of criteria for conferring jurisdiction on national judicial authorities to prosecute and investigate cases involving the offences referred to in this framework decision. A Member State will establish its jurisdiction in three situations:
(a) where the offence is committed in whole or in part on its territory, irrespective of the status of the legal person or the nationality of the natural person involved (territoriality principle);(b) where the offender is a national of that Member State (active personality principle) and the act affects individuals or groups of that State. Member States that make no provision for extradition are responsible for prosecuting their own nationals who have committed offences abroad;
(c) where the offence is committed for the benefit of a legal person established in the territory of that Member State.
Paragraph 2 is intended to ensure that when establishing its jurisdiction over the offences based on the territoriality principle in paragraph 1(a), each Member State ensures that its jurisdiction includes cases where:
(a) the offender commits the offence when physically present on its territory, whether or not the offence is against an information system on its territory. For example, a person obtaining illegal access to (hacking) an information system in a third country from the territory of the Member State; or(b) the offence is against an information system on its territory, whether or not the offender commits the offence when physically present on its territory. For example, a person obtaining illegal access to (hacking) an information system on the territory of the Member State from the territory of a third country.
Given that not all Member States' legal traditions recognise extraterritorial jurisdiction for all types of criminal offence, the first subparagraph of paragraph 3 allows them not to apply the rules on jurisdiction set out in paragraph 1 as regards the situations covered by paragraph 1(b) and (c).
Paragraph 4 states that the Member States shall inform the General Secretariat
of the Council and the Commission where they decide to apply paragraph 3.
Article 12 - Extradition and prosecution
This article shall no longer be applicable as soon as the Commission's proposal for a European arrest warrant is adopted, which will replace extradition within the EU. In particular, the European arrest warrant proposal does not foresee that nationality be a ground for refusal.
Article 12 takes account of the fact that some Member States do not extradite their own nationals and seeks to ensure that persons suspected of having committed serious attacks against information systems do not evade prosecution because extradition is refused on the grounds that they are nationals of that State.
A Member State which does not extradite its own nationals must take the necessary measures to establish its jurisdiction over and, where appropriate, prosecute the offences concerned when committed by its own nationals on the territory of another Member State.
____________________
[Footnotes 30 and 31 not keyed to text.]30 OJ C 316, 27.11.1995.
31 OJ L 105, 27.4.1996.
Article 13 Exchange of Information
The purpose of Article 13 is to facilitate the exchange of information by ensuring that there are operational points of contact. This is important for effective police co-operation. In particular, the need for all Member States to join the G8 network of points of contact was recognised by the Justice and Home Affairs Council on 19 March 1998 and more recently when it adopted a Council Recommendation on contact points maintaining a 24-hour service for combating high-tech crime34.
____________________
[Footnotes 32 and 33 not keyed to text.]32 OJ L 191, 7.7.1998.
33 OJ L 324, 21.12.2000.
34 OJ C 187/5, 3.7.2001
Article 14 - Implementation
Article 14 concerns the implementation and follow-up of this Framework Decision.
Paragraph 1 requires the Member States to take the necessary measures to comply with this Framework Decision not later than 30 June 2003.
Paragraph 2 states that the Member States shall transmit by that date to
the General Secretariat of the Council and to the Commission the provisions
transposing the obligations imposed on them under this Framework Decision
into national law. The Council shall assess within one year, on the basis
of that information and a Commissions written report, the extent to
which Member States have complied with the obligations imposed by the Framework
Decision.
Article 15 Entry into force
Article 15 states that the Framework Decision will enter into force on the
twentieth day following that of its publication in the Official Journal of
the European Communities.
__________________________________________________
2001/ (CNS)
Proposal for a
COUNCIL FRAMEWORK DECISION
on combating serious attacks against information systems
THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty on European Union, and in particular Articles 29, 30(a), 31 and 34(2)(b) thereof;
Having regard to the proposal of the Commission;
Having regard to the opinion of the European Parliament;
Whereas:
(1) There is evidence of serious attacks against information systems, in particular as a result of the threat from organised crime, and increasing concern at the potential of terrorist attacks against information systems which form part of the critical infrastructure of the Member States. This constitutes a threat to the achievement of a safer Information Society and an Area of Freedom, Security and Justice, and therefore requires a response at the level of the European Union.(2) An effective response to such threats requires a comprehensive approach to network and information security, as underlined in the eEurope Action Plan and in the Communication by the Commission Network and Information Security: Proposal for a European Policy Approach1.
(3) Significant gaps and differences in Member States laws in this area hamper the fight against organised crime and terrorism, and act as a barrier to effective police and judicial co-operation in the area of serious attacks against information systems. The trans-national and borderless character of modern electronic communication networks means that attacks against information systems are often international in nature, thus underlining the urgent need for further action to approximate criminal laws in this area.
(4) The Action Plan of the Council and the Commission on how to best implement the provisions of the Treaty of Amsterdam on an area of freedom, security and justice2, the Tampere European Council on 15-16 October 1999, the Santa Maria da Feira European Council on 19-20 June 2000, the Commission in the Scoreboard3 and the European Parliament in its Resolution of 19 May 20004 indicate or call for legislative action against high technology crime, including common definitions, incriminations and sanctions.
(5) It is necessary to complement the work performed by international organisations, in particular the Council of Europes work on approximating criminal law and the G8s work on transnational co-operation in the area of high tech crime, by providing a common approach in the European Union in this area. This call was further elaborated by the Communication from the Commission to the Council, the European Parliament, the Economic and Social Committee and the Committee of the Regions on Creating a Safer Information Society by Improving the Security of Information Infrastructures and Combating Computer-related Crime5.
(6) The objectives of this Framework Decision are to approximate criminal law in the area of serious attacks against information systems, in particular to contribute to the fight against organised crime and terrorism, and to ensure the greatest possible police and judicial co-operation in the area of criminal offences related to serious attacks against information systems.
(7) Article 29 of the Treaty of the European Union specifically refers to terrorism and organised crime as forms of crime which must be prevented and combated at European level through closer co-operation between police forces and judicial authorities and approximation of the criminal law provisions of Member States.
(8) The Framework Decision on combating terrorism6 creates the terrorist offence of an attack against information system, but this need to be supplemented by greater approximation of the constituent elements of offences against information systems. This Framework Decision provides that greater level of approximation and will thus improve police and judicial co-operation in the area of terrorist offences against information systems.
(9) In accordance with Article 47 of the Treaty on European Union, this Framework Decision is without prejudice to Community law, and in particular to privacy or data protection rights and obligations provided for under Community law in accordance to the Directives 95/46/EC and 97/66/EC. Much has already been achieved in the field of Community law to protect information systems, such as under Directives 95/46/EC and Directive 97/66/EC, and in particular that providers of publicly available telecommunications services must take appropriate technical and organisational measures to safeguard the security or confidentiality of their services, and that these measures must ensure a level of security appropriate to the risk presented.
(10) Common definitions in this area, particularly of information systems and computer data, are important to ensure a consistent approach in Member States in the application of this Framework Decision.
(11) There is a need to achieve a common approach to the constituent elements of criminal offences by providing for a common offence of illegal access to an information system, and illegal interference with an information system.
(12) There is a need to avoid over-criminalisation, particularly of trivial or minor conduct, as well as the need to avoid criminalising right-holders and authorised persons such as legitimate private or business users, managers, controllers and operators of networks and systems, legitimate scientific researchers, and authorised persons testing a system, whether a person within the company or a person appointed externally and given permission to test the security of a system.
(13) There is a need for Member States to provide penalties for attacks against information systems which are effective, proportionate and dissuasive, including custodial sentences in serious cases;
(14) It is necessary to provide for more severe penalties when certain circumstances accompanying a serious attack against an information system make it an even greater threat to society. In such cases, sanctions on perpetrators should be sufficient to allow for serious attacks against information systems to be included within the scope of instruments already adopted for the purpose of combating organised crime such as the 98/733/JHA Joint Action7 on making it a criminal offence to participate in a criminal organisation.
(15) Measures should be taken to enable legal persons to be held liable for the criminal offences referred to by this act which are committed for their benefit, and to ensure that each Member State has jurisdiction over offences committed against information systems in situations where the offender is physically present on its territory or where the information system is on its territory.
(16) Measures should also be foreseen for the purposes of cooperation between Member States with a view to ensuring effective action against attacks against information systems.
(17) In accordance with the principles of subsidiarity and proportionality this Council Framework Decision confines itself to the minimum required in order to achieve those objectives at European level and does not go beyond what is necessary for that purpose.
(18) This Framework Decision respects the fundamental rights and observes the principles recognised in particular by the Charter of Fundamental Rights of the European Union, and specifically Chapter XI on Justice thereof
____________________
1 COM (2001) 2982 OJ C 19, 23.1.1999
3 COM (2001) 278 final
4 A5-0127/2000
5 COM (2000) 890
6 Proposal for a Council Framework Decision on combating terrorism. COM(2001) 521 final. Adopted by the Commission on 19.9.2001
7 OJ L 351/1, 29.12.1998
HAS ADOPTED THIS FRAMEWORK DECISION:
Article 1
Scope and objective of the Framework Decision
The objective of this Framework Decision is to improve co-operation between judicial and other competent authorities, including the police and other specialised law enforcement services of the Member States, through approximating rules on criminal law in the Member States in the area of serious attacks against information systems with special regard to organised crime and terrorism.
This Framework Decision is without prejudice to Community law.
Article 2
Definitions
1. For the purposes of this Framework Decision, the following definitions shall apply:
(a) Electronic communications network means transmission systems and, where applicable, switching or routing equipment and other resources which permit the conveyance of signals by wire, by radio, by optical or by other electromagnetic means, irrespective of the type of information conveyed or technology employed.(b) Computer means any device or group of inter-connected or related devices, one or more of which, pursuant to a program, performs automatic processing of computer data.
(c) Computer data means any representation of facts, information or concepts which has been created or put into a form suitable for processing in an information system, including a program suitable for causing an information system to perform a function.
(d) Information System means computers and electronic communication networks, as well as computer data stored, processed, retrieved or transmitted by them for the purposes of their operation, use, protection and maintenance.
(e) Legal person means any entity having such status under the applicable law, except for States or other public bodies in the exercise of State authority and for public international organisations.
(f) Authorised person means any person who has the right, by contract or by law, or the lawful permission, to use, manage, control, test, conduct legitimate scientific research or otherwise operate an information system and who is acting in accordance with that right or permission.
(g) Without right shall exclude conduct by authorised persons or other conduct recognised as lawful under domestic law.
(h) Protected system means the whole or any part of an information system which is subject to specific protection measures.
(i) Serious attack means illegal access or illegal interference:(i) against a protected system; or
(ii) committed by a person with the intent to cause damage to a natural or legal person; or
(iii) committed by a person with the intent to result in an economic benefit for the person committing the offence or for a third party.
Article 3
Serious attacks through illegal access to Information Systems
Each Member State shall take the necessary measures to ensure that the
intentional access, without right, to the whole or any part of an information
system is punishable as a criminal offence where the conduct constitutes
a serious attack.
Article 4
Serious attacks through interference with Information Systems
Each Member State shall take the necessary measures to ensure that the following intentional conduct, without right, is punishable as a criminal offence where it constitutes a serious attack:
(a) the serious hindering or interruption of the functioning of an information system by inputting or transmitting computer data.(b) the serious hindering or interruption of the functioning of an information system by damaging, deleting, deteriorating, altering or suppressing computer data.
(c) the damaging, deletion, deterioration, alteration, suppression or rendering inaccessible of computer data on an information system.
Article 5
Instigation, aiding, abetting and attempt
1. Each Member State shall take the necessary measures to ensure that the intentional instigation of, aiding or abetting an offence referred to in Articles 3 and 4 is punishable.
2. Each Member State shall take the necessary measures to ensure that attempt
to commit the offences referred to in Articles 3 and 4 is punishable.
Article 6
Penalties
1. Each Member State shall take the necessary measures to ensure that an offence referred to in Articles 3-5 is punishable by effective, proportionate and dissuasive penalties including a custodial sentence with a maximum term of imprisonment of no less than one year.
2. Member States shall provide for the possibility of imposing fines in addition
to or as an alternative to custodial sentences.
Article 7
Aggravating circumstances
Without prejudice to any other aggravating circumstances defined in their national legislation, Member States shall provide for a maximum term of imprisonment of no less than four years when one of the following aggravating circumstances in respect of the offences referred to in Articles 3, 4 and 5 are fulfilled:
(a) a person is participating in a criminal organisation as defined by Joint Action 98/733 JHA, and is acting for the benefit of that organisation;(b) the offence was intended to cause, or result in, substantial direct or indirect economic loss, physical harm to a natural person or substantial damage to part of the critical infrastructure of the Member State;
(c) the offence was intended to cause, or result in, substantial proceeds; or
(d) the offender has been convicted of one or more similar offences by a final judgement in a Member State of the Union.
Article 8
Mitigating circumstances
Without prejudice to any other mitigating circumstances defined in their
national legislation, Member States shall take the necessary measures to
ensure the penalties referred to in Articles 6 and 7 can be reduced, where,
in the opinion of the competent judicial authority, the offender caused only
minor damage.
Article 9
Liability of legal persons
1. Each Member State shall take the necessary measures to ensure that legal persons can be held liable for conducts referred to in Articles 3, 4 and 5, committed for their benefit by any person, acting either individually or as part of an organ of the legal person, who has a leading position within the legal person, based on:
(a) a power of representation of the legal person, or(b) an authority to take decisions on behalf of the legal person, or
(c) an authority to exercise control within the legal person.
2. Apart from the cases provided for in paragraph 1, Member States shall ensure that a legal person can be held liable where the lack of supervision or control by a person referred to in paragraph 1 has made possible the commission of the offences referred to in Articles 3, 4 and 5 for the benefit of that legal person by a person under its authority.
3. Liability of a legal person under paragraphs 1 and 2 shall not exclude
criminal proceedings against natural persons who commit offences or engage
in the conduct referred to in Articles 3, 4 and 5.
Article 10
Sanctions for legal persons
1. Member States shall ensure that a legal person held liable pursuant to Article 9(1) is punishable by effective, proportionate and dissuasive sanctions, which shall include criminal or non-criminal fines and may include other sanctions, such as:
a) exclusion from entitlement to public benefits or aid;b) temporary or permanent disqualification from the practice of commercial activities;
c) placing under judicial supervision; or
d) a judicial winding-up order.
2. Each Member State shall take the necessary measures to ensure that a legal
person held liable pursuant to Article 9(2) is punishable by effective,
proportionate and dissuasive sanctions or measures.
Article 11
Jurisdiction
1. Each Member State shall establish its jurisdiction with regard to the offences referred to in Articles 3, 4 and 5 where the offence has been committed:
(a) in whole or in part within its territory; or(b) by one of its nationals and the act affects individuals or groups of that State; or
(c) for the benefit of a legal person that has its head office in the territory of that Member State.
2. When establishing jurisdiction in accordance with paragraph (1)(a), each Member State shall ensure that it includes cases where:
(a) the offender commits the offence when physically present on its territory, whether or not the offence is against an information system on its territory; or(b) the offence is against an information system on its territory, whether or not the offender commits the offence when physically present on its territory.
3. A Member State may decide not to apply, or to apply only in specific cases or circumstances, the jurisdiction rule set out in paragraphs 1(b) and 1(c).
4. Member States shall inform the General Secretariat of the Council and
the Commission accordingly where they decide to apply paragraph 3, where
appropriate with an indication of the specific cases or circumstances in
which the decision applies.
Article 12
Extradition and prosecution
1. A Member State which, under its law, does not extradite its own nationals shall establish its jurisdiction over the offences referred to in Articles 3, 4 and 5 when committed by its own nationals on the territory of another Member State.
2. Each Member State shall, when one of its nationals is alleged to have committed, in another Member State, an offence referred to in Articles 3, 4 and 5, and it does not extradite that person to that other Member State solely on the ground of his nationality, submit the case to its competent authorities for the purpose of prosecution if appropriate. In order to enable prosecution to take place, the Member State in which the offence was committed shall forward to the competent authorities of the other State all the relevant files, information and exhibits relating to the offence in accordance with the procedures laid down in Article 6(2) of the European Convention on Extradition of 13 December 1957. The requesting Member State shall be informed of the initiation and outcome of any prosecution.
3. For the purpose of this Article, a "national" of a Member State shall
be constructed in accordance with any declaration made by that State under
Article 6(1)(b) and (c) of the European Convention on Extradition.
Article 13
Exchange of information
1. For the purpose of exchange of information relating to the offences referred to in Articles 3-5, and in accordance with data protection rules, Member States shall ensure that they establish operational points of contact available twenty four hours a day and seven days a week.
2. Each Member State shall inform the General Secretariat of the Council
and the Commission of its appointed point of contact for the purpose of
exchanging information on offences relating to attacks against information
systems. The General Secretariat shall notify that information to the other
Member States.
Article 14
Implementation
1. Member States shall bring into force the measures necessary to comply with this Framework Decision by 30 June 2003.
2. By 30 June 2003, Member States shall forward to the General Secretariat
of the Council and to the Commission the text of the provisions transposing
into their national law the obligations imposed upon them under this Framework
Decision. The Council shall, by 30 June 2004, on the basis of a report
established on the basis of this information and a written report by the
Commission, assess the extent to which Member States have taken the necessary
measures in order to comply with this Framework Decision.
Article 15
Entry into force
This Framework Decision shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Communities.
Done at Brussels,
For the Council
The President
Transcription and HTML by Cryptome.