Electronic communication networks and information systems are now an essential part of the daily lives of EU citizens and are fundamental to the success of the EU economy.
Networks and information systems are converging and becoming increasingly interconnected. Despite the many and obvious benefits of this development, it has also brought with it the worrying threat of intentional attacks against information systems. These attacks can take a wide variety of forms including illegal access, spread of malicious code and denial of service attacks. It is possible to launch an attack from anywhere in the world, to anywhere in the world, at any time. New, unexpected forms of attacks could occur in the future.
Attacks against information systems constitute a threat to the achievement of a safer Information Society and an Area of Freedom, Security and Justice, and therefore require a response at the level of the European Union. Part of the Commission's contribution to this response is this proposal for a Framework Decision on approximation of criminal law in the area of attacks against information systems.
1.1. Types of attacks against information systems
The phrase “information system” is deliberately used here in its broadest sense in recognition of the convergence between electronic communication networks and the various systems they connect. For the purpose of this proposal, information systems therefore include “stand-alone” personal computers, personal digital organisers, mobile telephones, intranets, extranets and, of course, the networks, servers and other infrastructure of the Internet.
In its Communication "Network and Information security - A European Policy Approach" (1), the Commission has proposed the following description of threats against computer systems:
(a) Unauthorised access to information systems (...);
(b) Disruption of information systems (...);
(c) Execution of malicious software that modifies or destroys data (...)...
1.2. The nature of the threat
There is a clear need to gather reliable information on the scale and nature of attacks against information systems.
Some of the most serious incidents of attacks against information systems are directed against electronic communications network operators and service providers or against electronic commerce companies. More traditional areas can also be severely affected given the ever-increasing amount of inter-connectivity in the modern communications environment: manufacturing industries; service industries; hospitals; other public sector organisations and governments themselves. But victims of attacks are not only organisations; there can be very direct, serious and damaging effects on individuals as well. The economic burden imposed by certain of these attacks on public bodies, companies and individuals alike is considerable and threatens to make information systems more costly and less affordable to users.
The type of attacks described above are often carried out by individuals acting on their own, sometimes by minors who perhaps do not fully appreciate the seriousness of their actions. However, the level of sophistication and ambition of the attack could grow. There is growing and worrying concern of organised criminals using communication networks to launch attacks against information systems for their own purposes. Organised hacking groups specialised in hacking and defacement of web-sites are more and more active at world-wide level. Examples include the Brazilian Silver Lords and the Pakistan Gforce, which try to extort money from their victims by offering them specialised assistance after hacking into their information systems. The arrest of large groups of hackers suggests that hacking could increasingly be an organised crime phenomenon.
(...)
Security breaches at e-commerce merchant databases where access is gained to customers' information, including credit card numbers, are also a cause for concern. These attacks result in increased opportunities for payment fraud and in any case force the banking industry to cancel and re-issue thousands of cards.
(...)
This proposal also forms part of the Commission's contribution to the response to the threat of a terrorist attack against vital information systems within the European Union. It supplements the Commission's proposals to replace extradition within the European Union with a European Arrest Warrant (2) and to approximate laws on terrorism (3) on which political agreement was reached at the Laeken European Council on 14/15 December 2001. Taken together, these instruments will ensure that Member States of the European Union have effective criminal laws in place to tackle cyber-terrorism, and will enhance international co-operation against terrorism.
This proposal does not relate only to acts directed at Member States. It also applies to conduct on the territory of the European Union which is directed against information systems on the territory of third countries. This reflects the Commission's commitment to tackle attacks against information systems at a global as well as European Union level.
In fact, there have already been several recent occasions where tensions in international relations have led to a spate of attacks against information systems, often involving attacks against web-sites. More serious attacks could not only lead to serious financial damage but, in some cases, could even lead to loss of life (e.g. hospital systems, air traffic control systems etc). The importance attached to it by Member States is demonstrated in the priority attached to various Critical Infrastructure Protection initiatives. For example, the EU Information Society Technologies (IST) Programme (4) has established, in collaboration with the US Department of State, a Joint EU/US Task Force on Critical Infrastructure Protection (5).
1.3. The need for accurate information and statistics
There are few reliable statistics available on the full scale of the computer-related crime phenomenon. The number of intrusions detected and reported up to now probably under-represents the scope of the problem. According to a US survey (6) in 1999 only 32% of respondents who have suffered a computer intrusion in the previous year reported it to law enforcement. And this was an improvement on previous years when only 17% had reported. Numerous reasons have been given for non-reporting. Because of limited awareness and experience of system administrators and users, many intrusions are not detected. In addition, many companies are not willing to report cases of computer abuse, to avoid bad publicity and exposure to future attacks. Many police forces do not yet keep statistics on the use of computers and communication systems involved in these and other crimes (7). Law enforcement authorities lack adequate training to detect, identify and investigate computer related offences. However, the European Union has started to address this issue by collecting some figures on attacks against information systems. In one Member State, it was estimated that there were between 30 000 and 40 000 attacks in 1999 on information systems, whereas no more than 105 official complaints were recorded in this field. Indeed, in 1999, seven Member States recorded a total of only 1844 official reports of crimes against information systems and computer data. Nevertheless, this is twice the figure reported in 1998, when only 972 cases were officially recorded in the seven Member States (8).
In addition, a recent survey (9) (...) also reported increasing concern about cybercrime, with 43 per cent of respondents believing cybercrime would be a future risk. Another study concluded that hackers and viruses now pose the main cybercrime threat to organisations, with the main perpetrators being hackers (45 per cent), former employees (13 per cent), organised crime (13 per cent) and current employees (11 per cent) (10). Such figures can be expected to continue to grow as the use of information systems and interconnectivity increases, and the willingness to report attacks improves. But it is clear that urgent measures are needed to produce a statistical tool for use by all Member States so that computer-related crime within the European Union can be measured both quantitatively and qualitatively. The starting point for such an analysis is a common definition at the level of the European Union of the offences involved in attacks against information systems.
1.4. European Union policy background
Against this background, at the Lisbon European Council of March 2000, the European Council stressed the importance of the transition to a competitive, dynamic and knowledge-based economy, and invited the Council and the Commission to draw up an eEurope Action plan to make the most of this opportunity (11). This Action Plan, prepared by the Commission and the Council, adopted by the Feira Summit of the European Council in June 2000, includes actions to enhance network security and the establishment of a co-ordinated and coherent approach to cybercrime by the end of 2002.
As part of the Commission's contribution to this mandate on cybercrime, the Commission published a Communication entitled “Creating a Safer Information Society by Improving the Security of Information Infrastructures and Combating Computer-related Crime” (12). This proposed a balanced approach to tackling the problems of cybercrime, by taking full account of the views of all the interested parties including law enforcement agencies, service providers, network operators, other industry groups, consumer groups, data protection authorities and privacy groups. The Communication proposed a number of legislative and non-legislative initiatives.
An important example of an ongoing action is within the IDA Programme, where Member States and the Commission are already working on a common security policy and implementing a secure network for exchange of administrative information.
One of the key issues addressed by the Communication was the need for effective action to deal with threats to the authenticity, integrity, confidentiality and availability of information systems and networks. Much has already been achieved in the field of Community law. There are already several legal measures in place at Community level with specific implications for network and information security.
This Framework Decision supplements what has already been achieved in the field of Community law to protect information systems, such as under Directives 95/46/EC, Directive 97/66/EC and Directive 98/84/EC on the legal protection of services based on, or consisting of, conditional access. In particular, the European telecommunication and data protection framework (Directives 95/46/EC and 97/66/EC (13)) contains provisions to ensure that providers of publicly available telecommunications services must take appropriate technical and organisational measures to safeguard the security and confidentiality of their services, and that these measures must ensure a level of security appropriate to the risk presented.
(...)
More recently, the Stockholm European Council on 23-24 March recognised the need for further action in the area of network and information security and concluded "the Council together with the Commission will develop a comprehensive strategy on security of electronic networks including practical implementing action. This should be presented in time for the Göteborg European Council."
The Commission responded to this call with its Communication on “Network and Information Security: A European Policy approach” (14). This analysed the current problems in network security, and provided a strategic outline for action in this area. It was followed by a Council Resolution of 6 December 2001 on a common approach and specific actions in the area of network and information security.
(...)
Both Commission Communications also recognised that there was an urgent need for approximation of substantive criminal law within the European Union in the area of attacks against information systems. This reflected the conclusions of the Tampere Summit of the European Council in October 1999 (15) which include high-tech crime in a limited list of areas where efforts should be made to agree on common definitions, incriminations and sanctions, and was included in Recommendation 7 of the European Union strategy for the new Millennium on the prevention and control of organised crime adopted by the JHA Council in March 2000 (16). This proposal for a Framework Decision is also part of the Commission Work Programme for the Year 2001 (17) and the Scoreboard for the establishment of an area of Freedom, Security and Justice, produced by the Commission on 30 October 2001 (18).
1.5. The need for approximation of criminal law
Member States' laws in this area contain some significant gaps and differences which could hamper the fight against organised crime and terrorism, as well as serious attacks against information systems by individuals. Approximation of substantive law in the area of high tech crime will ensure that national legislation is sufficiently comprehensive so that all forms of serious attacks against information systems can be investigated using the techniques and methods available under the criminal law. Perpetrators of these offences need to be identified, brought to justice, and the courts need to have appropriate and proportionate penalties at their disposal. This will send a strong deterrent message to those contemplating attacks against information systems.
In addition, these gaps and differences could act as a barrier to effective police and judicial co-operation in the area of attacks against information systems. Attacks against information systems could often be trans-national in nature, and would require international police and judicial co-operation. Approximation of laws will therefore improve this co-operation by ensuring that the dual criminality requirement is fulfilled (in which an activity must be an offence in both countries before mutual legal assistance can usually be provided to assist a criminal investigation). This will benefit EU Member States in co-operation between themselves, as well as improving co-operation between EU Member States and third countries (provided that an appropriate mutual legal assistance agreement exists).
There is also a need to supplement existing instruments at European Union level. The Framework Decision on the European Arrest Warrant, the Annex to the Europol Convention (19) and the Council Decision setting up Eurojust contain references to computer-related crime which need to be defined more precisely. For the purposes of such instruments, computer-related crime should be understood as including attacks against information systems as defined in this Framework Decision, which will provide a much greater level of approximation of the constituent elements of such offences. This Framework Decision also complements the Framework Decision on combating terrorism which covers terrorist actions causing extensive destruction of an infrastructure facility, including an information system, likely to endanger human life or result in major economic loss.
1.6. Scope and purpose of the proposed Framework Decision
The objectives of this Council Framework Decision are therefore to approximate criminal law in the area of attacks against information systems and to ensure the greatest possible police and judicial co-operation in the area of criminal offences related to attacks against information systems. Moreover, this proposal contributes to the efforts of the European Union in the fight against organised crime and terrorism. It is not intended to require Member States to criminalise minor or trivial conduct.
It is clear from Article 47 of the Treaty on European Union that this Framework Decision is without prejudice to Community law. In particular, it does not affect privacy or data protection rights and obligations provided for under Community law such as in Directives 95/46 and 97/66. It is not intended to require Member States to criminalise breaches of rules on access to / disclosure of personal data, secrecy of communications, security of processing of personal data, electronic signatures (20) or intellectual property violations and it does not prejudice the Directive 98/84/EC on the legal protection of services based on, or consisting of, conditional access (21).
(...)
Legislative action at the level of the European Union also needs to take into account developments in other international fora. In the context of approximation of substantive criminal law on attacks against information systems, the Council of Europe (C.o.E.) is currently the most far-advanced. The Council of Europe started preparing an international Convention on cyber-crime in February 1997, and the Convention was formally adopted and opened for signature in November 2001 (22). The Convention seeks to approximate a range of criminal offences including offences against the confidentiality, integrity and availability of computer systems and data. This Framework Decision is intended to be consistent with the approach adopted in the Council of Europe Convention for these offences.
In G8 discussions on high tech crime, two major categories of threats have been identified. First, threats to computer infrastructures, which concern operations to disrupt, deny, degrade or destroy information resident in computers and computer networks, or the computer and networks themselves. Secondly, computer-assisted threats, which concern malicious activities, such as fraud, money laundering, child pornography, infringement to intellectual property rights and drug trafficking, which are facilitated by the use of a computer. This proposal deals with the first category of threats.
Approximation at the level of the EU should take into account developments in international fora and should be consistent with current Community policies. This proposal also seeks to provide greater approximation within the EU than has been possible in other international fora.
THE COUNCIL OF THE EUROPEAN UNION
Having regard to the Treaty on European Union, and in particular Articles 29, 30(1)(a), 31 and 34(2)(b) thereof,
Having regard to the proposal of the Commission
Having regard to the opinion of the European Parliament
Whereas:
(1) There is evidence of attacks against information systems, in particular as a result of the threat from organised crime, and increasing concern at the potential of terrorist attacks against information systems which form part of the critical infrastructure of the Member States. This constitutes a threat to the achievement of a safer Information Society and an Area of Freedom, Security and Justice, and therefore requires a response at the level of the European Union.
(2) An effective response to those threats requires a comprehensive approach to network and information security, as underlined in the eEurope Action Plan, in the Communication by the Commission “Network and Information Security: Proposal for a European Policy Approach” (23) and in the Council Resolution of 6 December 2001 on a common approach and specific actions in the area of network and information security.
(3) The need to further increase awareness of the problems related to information security and provide practical assistance has also been stressed in the European Parliament Resolution of 5th September 2001 (24).
(4) Significant gaps and differences in Member States' laws in this area hamper the fight against organised crime and terrorism, and act as a barrier to effective police and judicial co-operation in the area of attacks against information systems. The trans-national and borderless character of modern electronic communication networks means that attacks against information systems are often international in nature, thus underlining the urgent need for further action to approximate criminal laws in this area.
(5) The Action Plan of the Council and the Commission on how to best implement the provisions of the Treaty of Amsterdam on an area of freedom, security and justice, the Tampere European Council on 15-16 October 1999, the Santa Maria da Feira European Council on 19-20 June 2000, the Commission in the Scoreboard (25) final and the European Parliament in its Resolution of 19 May 2000 (26) indicate or call for legislative action against high technology crime, including common definitions, incriminations and sanctions.
(6) It is necessary to complement the work performed by international organisations, in particular the Council of Europe's work on approximating criminal law and the G8's work on transnational co-operation in the area of high tech crime, by providing a common approach in the European Union in this area. This call was further elaborated by the Communication from the Commission to the Council, the European Parliament, the Economic and Social Committee and the Committee of the Regions on “Creating a Safer Information Society by Improving the Security of Information Infrastructures and Combating Computer-related Crime” (27).
(7) Criminal law in the area of attacks against information systems should be approximated in order to ensure the greatest possible police and judicial co-operation in the area of criminal offences related to attacks against information systems, and to contribute to the fight against organised crime and terrorism.
(8) The Framework Decision on the European Arrest Warrant, the Annex to the Europol Convention and the Council Decision setting up Eurojust contain references to computer-related crime which needs to be defined more precisely. For the purposes of such instruments, computer-related crime should be understood as including attacks against information systems as defined in this Framework Decision, which provides a much greater level of approximation of the constituent elements of such offences. This Framework Decision also complements the Framework Decision on combating terrorism which covers terrorist actions causing extensive destruction of an infrastructure facility, including an information system, likely to endanger human life or result in major economic loss.
(9) All Member States have ratified the Council of Europe Convention of 28 January 1981 for the protection of individuals with regard to automatic processing of personal data. The personal data processed in the context of the implementation of this Framework Decision will be protected in accordance with the principles of the said Convention.
(10) Common definitions in this area, particularly of information systems and computer data, are important to ensure a consistent approach in Member States in the application of this Framework Decision.
(11) There is a need to achieve a common approach to the constituent elements of criminal offences by providing for a common offence of illegal access to an information system, and illegal interference with an information system.
(12) There is a need to avoid over-criminalisation, particularly of trivial or minor conduct, as well as the need to avoid criminalising right-holders and authorised persons such as legitimate private or business users, managers, controllers and operators of networks and systems, legitimate scientific researchers, and authorised persons testing a system, whether a person within the company or a person appointed externally and given permission to test the security of a system.
(13) There is a need for Member States to provide penalties for attacks against information systems which are effective, proportionate and dissuasive, including custodial sentences in serious cases.
(14) It is necessary to provide for more severe penalties when certain circumstances accompanying an attack against an information system make it an even greater threat to society. In such cases, sanctions on perpetrators should be sufficient to allow for attacks against information systems to be included within the scope of instruments already adopted for the purpose of combating organised crime such as the 98/733/JHA Joint Action of 21 December 1998 adopted by the Council on the basis of Article K.3 of the Treaty on European Union on making it a criminal offence to participate in a criminal organisation in the Member States of the European Union (28).
(15) Measures should be taken to enable legal persons to be held liable for the criminal offences referred to by this act which are committed for their benefit, and to ensure that each Member State has jurisdiction over offences committed against information systems in situations where the offender is physically present on its territory or where the information system is on its territory.
(16) Measures should also be foreseen for the purposes of co-operation between Member States with a view to ensuring effective action against attacks against information systems. Operational contact points should be established for the exchange of information.
(17) Since the objectives of ensuring that attacks against information systems be sanctioned in all Member States by effective, proportionate and dissuasive criminal penalties and improving and encouraging judicial co-operation by removing potential obstacles, cannot be sufficiently achieved by the Member States individually, as rules have to be common and compatible, and can therefore be better achieved at the level of the Union, the Union may adopt measures, in accordance with the principle of subsidiarity as referred to in Article 2 of the EU Treaty and as set out in Article 5 of the EC Treaty. In accordance with the principle of proportionality, as set out in the latter Article, this Framework Decision does not go beyond what is necessary in order to achieve those objectives.
(18) This Framework Decision is without prejudice to the powers of the European Community.
(19) This Framework Decision respects the fundamental rights and observes the principles recognised in particular by the Charter of Fundamental Rights of the European Union, and notably Chapters II and VI thereof.
HAS ADOPTED THIS FRAMEWORK DECISION:
Article 1
Scope and objective of the Framework Decision
The objective of this Framework Decision is to improve co-operation between judicial and other competent authorities, including the police and other specialised law enforcement services of the Member States, through approximating rules on criminal law in the Member States in the area of attacks against information systems.
Article 2
Definitions
For the purposes of this Framework Decision, the following definitions shall apply:
(a) “Electronic communications network” means transmission systems and, where applicable, switching or routing equipment and other resources which permit the conveyance of signals by wire, by radio, by optical or by other electromagnetic means, including satellite networks, fixed (circuit- and packet-switched, including Internet) and mobile terrestrial networks, electricity cable systems, to the extent that they are used for the purpose of transmitting signals, networks used for radio and television broadcasting, and cable TV networks, irrespective of the type of information conveyed
(b) “Computer” means any device or group of inter-connected or related devices, one or more of which, pursuant to a program, performs automatic processing of computer data.
(c) “Computer data” means any representation of facts, information or concepts which has been created or put into a form suitable for processing in an information system, including a program suitable for causing an information system to perform a function.
(d) “Information System” means computers and electronic communication networks, as well as computer data stored, processed, retrieved or transmitted by them for the purposes of their operation, use, protection and maintenance.
(e) “Legal person” means any entity having such status under the applicable law, except for States or other public bodies in the exercise of State authority and for public international organisations.
(f) “Authorised person” means any natural or legal person who has the right, by contract or by law, or the lawful permission, to use, manage, control, test, conduct legitimate scientific research or otherwise operate an information system and who is acting in accordance with that right or permission.
(g) “Without right” means that conduct by authorised persons or other conduct recognised as lawful under domestic law is excluded.
Article 3
Illegal access to Information Systems
Member States shall ensure that the intentional access, without right, to the whole or any part of an information system is punishable as a criminal offence where it is committed:
(i) against any part of an information system which is subject to specific protection measures; or
(ii) with the intent to cause damage to a natural or legal person; or
(iii) with the intent to result in an economic benefit.
Article 4
Illegal interference with Information Systems
Member States shall ensure that the following intentional conduct, without right, is punishable as a criminal offence:
(a) the serious hindering or interruption of the functioning of an information system by inputting, transmitting, damaging, deleting, deteriorating, altering, suppressing or rendering inaccessible computer data;
(b) the deletion, deterioration, alteration, suppression or rendering inaccessible of computer data on an information system where it is committed with the intention to cause damage to a natural or legal person.
Article 5
Instigation, aiding, abetting and attempt
1. Member States shall ensure that the intentional instigation of, aiding or abetting an offence referred to in Articles 3 and 4 is punishable.
2. Member States shall ensure that attempt to commit the offences referred to in Articles 3 and 4 is punishable.
Article 6
Penalties
1. Member States shall ensure that offences referred to in Articles 3, 4 and 5 are punishable by effective, proportionate and dissuasive penalties including a custodial sentence with a maximum term of imprisonment of no less than one year in serious cases. Serious cases shall be understood as excluding cases where the conduct resulted in no damage or economic benefit.
2. Member States shall provide for the possibility of imposing fines in addition to or as an alternative to custodial sentences.
Article 7
Aggravating circumstances
1. Member States shall ensure that the offences referred to in Articles 3, 4 and 5 are punishable by a custodial sentence with a maximum term of imprisonment of no less than four years when they are committed under the following circumstances:
(a) the offence has been committed within the framework of a criminal organisation as defined in Joint Action 98/733/JHA of 21 December 1998 on making it a criminal offence to participate in a criminal organisation in the Member States of the European Union, apart from the penalty level referred to therein;
(b) the offence caused, or resulted in, substantial direct or indirect economic loss, physical harm to a natural person or substantial damage to part of the critical infrastructure of the Member State;
(c) the offence resulted in substantial proceeds; or
2. Member States shall ensure that the offences referred to in Articles 3 and 4 are punishable by custodial sentences greater than those foreseen under Article 6, when the offender has been convicted of such an offence by a final judgement in a Member State.
Article 8
Particular circumstances
Notwithstanding Articles 6 and 7, Member States shall ensure the penalties referred to in Articles 6 and 7 can be reduced, where, in the opinion of the competent judicial authority, the offender caused only minor damage.
Article 9
Liability of legal persons
1. Member States shall ensure that legal persons can be held liable for conducts referred to in Articles 3, 4 and 5, committed for their benefit by any person, acting either individually or as part of an organ of the legal person, who has a leading position within the legal person, based on:
(a) a power of representation of the legal person, or
(b) an authority to take decisions on behalf of the legal person, or
(c) an authority to exercise control within the legal person.
2. Apart from the cases provided for in paragraph 1, Member States shall ensure that a legal person can be held liable where the lack of supervision or control by a person referred to in paragraph 1 has made possible the commission of the offences referred to in Articles 3, 4 and 5 for the benefit of that legal person by a person under its authority.
3. Liability of a legal person under paragraphs 1 and 2 shall not exclude criminal proceedings against natural persons who commit offences or engage in the conduct referred to in Articles 3, 4 and 5.
Article 10
Sanctions for legal persons
1. Member States shall ensure that a legal person held liable pursuant to Article 9(1) is punishable by effective, proportionate and dissuasive sanctions, which shall include criminal or non-criminal fines and may include other sanctions, such as:
a) exclusion from entitlement to public benefits or aid;
b) temporary or permanent disqualification from the practice of commercial activities;
c) placing under judicial supervision; or
d) a judicial winding-up order.
2. Member States shall ensure that a legal person held liable pursuant to Article 9(2) is punishable by effective, proportionate and dissuasive sanctions or measures.
Article 11
Jurisdiction
1. Each Member State shall establish its jurisdiction with regard to the offences referred to in Articles 3, 4 and 5 where the offence has been committed:
(a) in whole or in part within its territory; or
(b) by one of its nationals and the act affects individuals or groups of that State; or
(c) for the benefit of a legal person that has its head office in the territory of that Member State.
2. When establishing jurisdiction in accordance with paragraph (1)(a), each Member State shall ensure that it includes cases where:
(a) the offender commits the offence when physically present on its territory, whether or not the offence is against an information system on its territory; or
(b) the offence is against an information system on its territory, whether or not the offender commits the offence when physically present on its territory.
3. A Member State may decide not to apply, or to apply only in specific cases or circumstances, the jurisdiction rule set out in paragraphs 1(b) and 1(c).
4. Each Member State shall take the necessary measures also to establish its jurisdiction over the offences referred to in Articles 3 to 5 in cases where it refuses to hand over or extradite a person suspected or convicted of such an offence to another Member State or to a third country.
5. Where an offence falls within the jurisdiction of more than one Member State and when any of the States concerned can validly prosecute on the basis of the same facts, the Member States concerned shall co-operate in order to decide which of them will prosecute the offenders with the aim, if possible, of centralising proceedings in a single Member State. To this end, the Member States may have recourse to any body or mechanism established within the European Union in order to facilitate co-operation between their judicial authorities and the co-ordination of their action.
6. Member States shall inform the General Secretariat of the Council and the Commission accordingly where they decide to apply paragraph 3, where appropriate with an indication of the specific cases or circumstances in which the decision applies.
Article 12
Exchange of information
1. For the purpose of exchange of information relating to the offences referred to in Articles 3, 4 and 5, and in accordance with data protection rules, Member States shall ensure that they establish operational points of contact available twenty-four hours a day and seven days a week.
2. Each Member State shall inform the General Secretariat of the Council and the Commission of its appointed point of contact for the purpose of exchanging information on offences relating to attacks against information systems. The General Secretariat shall notify that information to the other Member States.
Article 13
Implementation
1. Member States shall bring into force the measures necessary to comply with this Framework Decision by 31 December 2003.
2. They shall communicate to the General Secretariat of the Council and to the Commission the text of any provisions they adopt and information on any other measures taken to comply with this Framework Decision.
3. On that basis, the Commission shall, by 31 December 2004, submit a report to the European Parliament and to the Council on the operation of this Framework Decision, accompanied where necessary by legislative proposals.
4. The Council shall assess the extent to which Member States have complied with this Framework Decision.
Article 14
Entry into force
This Framework Decision shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Communities.
Done at Brussels,
For the Council
The President