|Title:||Council Framework Decision 2005/222/JHA of 24 February 2005 on attacks against information systems|
|Topic:||General decision aiming to harmonise national provisions in the field of cybercrime, encompassing material criminal law (i.e. definitions of specific crimes), procedural criminal law (including investigative measures and international cooperation) and liability issues.|
|Direct / indirect relevance||Indirect. The legal liability rules imply an indirect obligation to assess one’s legal risk in the applicable jurisdictions.|
|Scope:||Requires Member States to implement the provisions of the Framework Decision in their national legal frameworks.|
|Legal force:||The Council Decision is binding, and requires Member States to ensure compliance of their national legal frameworks with the Framework Decision by 16 March 2007.|
|Affected sectors:||Generic; the provisions can be relevant to any entity involved with information systems and data processing, in view of the topic of the normative text.|
|Relevant provision(s):||Article 8 – Liability of legal persons
1. Each Member State shall take the necessary measures to ensure that legal persons can be held liable for offences referred to in Articles 2, 3, 4 and 5, committed for their benefit by any person, acting either individually or as part of an organ of the legal person, who has a leading position within the legal person, based on:
(a) a power of representation of the legal person, or
(b) an authority to take decisions on behalf of the legal person, or
(c) an authority to exercise control within the legal person.
2. Apart from the cases provided for in paragraph 1, Member States shall ensure that a legal person can be held liable where the lack of supervision or control by a person referred to in paragraph 1 has made possible the commission of the offences referred to in Articles 2, 3, 4 and 5 for the benefit of that legal person by a person under its authority.
3. Liability of a legal person under paragraphs 1 and 2 shall not exclude criminal proceedings against natural persons who are involved as perpetrators, instigators or accessories in the commission of the offences referred to in Articles 2, 3, 4 and 5.
Article 9 - Penalties for legal persons
1. Each Member State shall take the necessary measures to ensure that a legal person held liable pursuant to Article 8(1) is punishable by effective, proportionate and dissuasive penalties, which shall include criminal or non-criminal fines and may include other penalties, such as:
(a) exclusion from entitlement to public benefits or aid;
(b) temporary or permanent disqualification from the practice of commercial activities;
(c) placing under judicial supervision; or
(d) a judicial winding-up order.
2. Each Member State shall take the necessary measures to ensure that a legal person held liable pursuant to Article 8(2) is punishable by effective, proportionate and dissuasive penalties or measures.
Article 10 – Jurisdiction
1. Each Member State shall establish its jurisdiction with regard to the offences referred to in Articles 2, 3, 4 and 5 where the offence has been committed:
(a) in whole or in part within its territory; or
(b) by one of its nationals; or
(c) for the benefit of a legal person that has its head office in the territory of that Member State.
2. When establishing its jurisdiction in accordance with paragraph (1)(a), each Member State shall ensure that the jurisdiction includes cases where:
(a) the offender commits the offence when physically present on its territory, whether or not the offence is against an information system on its territory; or
(b) the offence is against an information system on its territory, whether or not the offender commits the offence when physically present on its territory.
|Relevance to RM/RA:||Apart from the definitions of a series of criminal offences in articles 2 to 5, the Framework decision is relevant to RM/RA because it contains the conditions under which legal liability can be imposed on legal entities for conduct of certain natural persons of authority within the legal entity. Thus, the Framework decision requires that the conduct of such figures within an organisation is adequately monitored, also because the Decision states that a legal entity can be held liable for acts of omission in this regard.
Additionally, article 10 defines a series of criteria under which jurisdictional competence can be established. These include the competence of a jurisdiction when a criminal act is conducted against an information system within its borders (art.10, 2, (b)). Thus, legal entities need to be aware of the applicable laws in countries where their infrastructure is established, even if they conduct no further business there.