Back to EUR-Lex homepage

EUR-Lex Access to European Union law

Back to EUR-Lex homepage

This document is an excerpt from the EUR-Lex website

Use quotation marks to search for an "exact phrase". Append an asterisk (*) to a search term to find variations of it (transp*, 32019R*). Use a question mark (?) instead of a single character in your search term to find variations of it (ca?e finds case, cane, care).
Search tips
Need more search options? Use the Advanced search
You are here

Summaries of EU Legislation

Convention on cybercrime

 

SUMMARY OF:

The Budapest Convention on Cybercrime (Council of Europe)

Additional Protocol to the Convention on Cybercrime concerning the criminalisation of acts of a racist and xenophobic nature committed through computer systems

Second Additional Protocol to the Convention on Cybercrime on enhanced cooperation and disclosure of electronic evidence

Decision (EU) 2023/436 authorising Member States to ratify, in the interest of the European Union, the Second Additional Protocol to the Convention on Cybercrime

WHAT IS THE AIM OF THE CONVENTION, THE PROTOCOLS AND THE DECISION?

  • The convention aims to help in the fight against crimes that can only be committed through the use of technology, where the devices are both the tool for committing the crime and the target of the crime, and crimes where technology has been used to enhance another crime, such as fraud. It provides guidelines for any country developing domestic laws on cybercrime and serves as a basis for international cooperation between parties to the convention.
  • The first additional protocol aims to criminalise the dissemination of racist and xenophobic material through computer systems, along with racist and xenophobic-motivated threats and insults.
  • The second additional protocol aims to provide common rules at international level to enhance cooperation on cybercrime and the collection of evidence in electronic form for criminal investigations or proceedings.
  • The decision authorises European Union (EU) Member States to ratify the second additional protocol in the interest of the EU.

KEY POINTS

Cybercrime convention

  • The convention covers:
    • the criminalisation of conduct – ranging from illegal access, data and systems interference to computer-related fraud and dissemination of child abuse material;
    • procedural powers to investigate cybercrime and secure electronic evidence in relation to any crime;
    • efficient international cooperation between parties.
  • Parties are members of the Cybercrime Convention Committee and share information and experience, assess implementation of the convention or interpret the convention through guidance notes.
  • Of the 27 Member States, 26 have ratified the convention – Ireland has signed but not yet ratified it.

Additional Protocol 1

  • This protocol extends the scope of the convention to cover xenophobic and racist propaganda disseminated through computer systems, providing more protection for victims. It furthermore:
    • reinforces the legal framework through a set of guidelines for criminalising xenophobia and racist propaganda in cyberspace;
    • enhances the ways and means for international cooperation in the investigation and prosecution of racist and xenophobic crimes online.

Additional Protocol 2

  • This protocol aims to further enhance international cooperation.
  • It addresses the particular challenge of electronic evidence relating to cybercrime and other offences being held by service providers in foreign jurisdictions, but with law enforcement powers limited to national boundaries.
  • Its main features are:
    • a new legal basis permitting a direct request to registrars in other jurisdictions to obtain domain name registration information;
    • a new legal base permitting direct orders to service providers in other jurisdictions to obtain subscriber information;
    • enhanced means for obtaining subscriber information and traffic data through government-to-government cooperation;
    • expedited cooperation in emergency situations including the use of joint investigation teams and joint investigations.

Decision (EU) 2023/436

  • Only Member States, and not the EU itself, can accede to the convention as only states can be parties.
  • The decision sets out a number of reservations, declarations, notifications and communications which Member States must adopt before completing their ratification processes. These ensure that the protocol is compatible with EU law and policy and the uniform application of the protocol by Member States in their relations with non-EU countries.
  • Denmark and Ireland did not take part in the adoption of Decision (EU) 2023/436 and are not bound by it or subject to its application.

The EU supports the convention and its protocols as part of both its EU security union strategy (see summary) and its cybersecurity strategy.

DATE OF ENTRY INTO FORCE

  • The convention entered into force on 1 July 2004.
  • Additional Protocol 1 entered into force on 1 March 2006.
  • Additional Protocol 2 has not yet entered into force.
  • Decision (EU) 2023/436 has applied since 14 February 2023.

BACKGROUND

For further information, see:

MAIN DOCUMENTS

The Budapest Convention on Cybercrime, Council of Europe, Budapest, 23.11.2001.

Additional Protocol to the Convention on Cybercrime, concerning the criminalisation of acts of a racist and xenophobic nature committed through computer systems, Council of Europe, 28.1.2003.

Second Additional Protocol to the Convention on Cybercrime on enhanced cooperation and disclosure of electronic evidence (OJ L 63, 28.2.2023, pp. 28–47).

Council Decision (EU) 2023/436 of 14 February 2023 authorising Member States to ratify, in the interest of the European Union, the Second Additional Protocol to the Convention on Cybercrime on enhanced cooperation and disclosure of electronic evidence (OJ L 63, 28.2.2023, pp. 48–53).

RELATED DOCUMENTS

Communication from the Commission to the European Parliament, the European Council, the Council, the European Economic and Social Committee and the Committee of the Regions on the EU Security Union Strategy (COM(2020) 605 final, 24.7.2020).

Joint communication to the European Parliament and the Council: The EU’s Cybersecurity Strategy for the Digital Decade (JOIN(2020) 18 final, 16.12.2020).

last update 28.11.2023

Top