“The Directive on attacks against information systems builds on rules that have been in force since 2005 (Council Framework Decision 2005/222/JHA). While retaining a number of current provisions, it introduces new offences, such as the use of tools to commit large-scale attacks, new aggravating circumstances and higher criminal sanctions that are necessary to fight more effectively large scale attacks against information systems. Moreover, the Directive improves cross-border cooperation between the judiciary and the police of the Member States, introducing the obligation for Member States to make better use of the existing 24/7 network of contact points by treating urgent requests within 8 hours. Finally, the Directive provides for the obligation to collect statistical data on cyber-attacks and for Member States to have reporting channels in place for reporting of the offences to competent authorities. Once it’s published in the EU Official Journal, Member States will have an obligation to comply with the new Directive and implement its provisions into national legislation within two years at the latest. For more information on this issue see MEMO/13/661.”