Cyber-Landscape I: Cyber Security Laws

To ensure a high degree of cyber resilience, several countries worldwide have introduced regulations on cyber security. These legal acts have, inter alia, repercussions for business activities in those countries. This page summarises the state of general cyber security regulation in selected countries, grouped by jurisdiction.

European Union

EU Cybersecurity Act

REGULATION (EU) 2019/881 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 ("Cybersecurity Act")

The European Parliament approved the proposal on 12 March 2019 and the Council adopted the Act on 7 June 2019. It entered into force 20 days after its publication in the Official Journal, i.e. on 27 June 2019, with the exception of Articles 58, 60, 61, 63, 64 and 65, which apply from 28 June 2021.

The regulation provides a comprehensive set of measures that build on previous EU actions and pursue mutually reinforcing objectives. The EU Cybersecurity Act consists of two parts:

The first part (Articles 3-45) clarifies the status of the European Union Agency for Cybersecurity (ENISA):

  • A permanent mandate for the European Union Agency for Cybersecurity (ENISA). ENISA will be the focal point for all EU cybersecurity topics.
  • Increasing capabilities and preparedness of Member States, EU bodies and businesses
  • Improving cooperation and coordination across Member States and EU institutions, agencies and bodies
  • Increasing EU level capabilities to complement the action of Member States, in particular in the case of cross-border cyber crises
  • Increasing awareness of citizens and businesses on cybersecurity issues

The second part (Articles 46-65) sets out the European cybersecurity certification framework:

  • Avoiding fragmentation of certification schemes, and of the related security requirements and evaluation criteria, across Member States and sectors by establishing a European cybersecurity certification framework. The Act sets out how European schemes are prepared, adopted and reviewed. Each scheme specifies one or more assurance levels (basic, substantial or high) at which certificates may be issued; conformity self-assessment by the manufacturer is permitted only for assurance level "basic", while "substantial" and "high" require evaluation by a conformity assessment body.

Recommendation No. R (89) 9 of the Committee of Ministers to Member States on Computer-Related Crime (Council of Europe)

Recommends the governments of member states to:

  1. Take into account, when reviewing their legislation or initiating new legislation, the report on computer-related crime elaborated by the European Committee on Crime Problems, and in particular the guidelines for the national legislatures;
  2. Report to the Secretary General of the Council of Europe during 1993 on any developments in their legislation, judicial practice and experiences of international legal co-operation in respect of computer-related crime.

(Recommendation N° R (89) 9 of the Committee of Ministers to Member States on Computer-Related Crime)

Budapest Convention on Cybercrime

The Council of Europe Convention on Cybercrime (ETS No. 185), opened for signature in Budapest on 23 November 2001, is the first international treaty on crimes committed via the Internet and other computer networks. It deals particularly with infringements of copyright, computer-related fraud, child pornography and violations of network security (illegal access, illegal interception, data and system interference, misuse of devices). It also contains a series of procedural powers, such as the search of computer networks, expedited preservation of stored data and the interception of communications, and rules on international co-operation.

Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (short: NIS Directive)

As part of the EU Cybersecurity Strategy, the European Commission proposed the EU Network and Information Security (NIS) Directive. The NIS Directive (Directive (EU) 2016/1148) was the first piece of EU-wide cybersecurity legislation; its goal is to raise the level of cybersecurity across the EU. The Directive was adopted in 2016 and, because it is an EU directive rather than a regulation, every Member State had to adopt national legislation that follows or "transposes" it. Directives give Member States some flexibility to take national circumstances into account, for example to re-use existing organisational structures or to align with existing national legislation. The deadline for national transposition was 9 May 2018. (The NIS Directive has since been repealed and replaced by Directive (EU) 2022/2555, the NIS 2 Directive, which Member States had to transpose by 17 October 2024.) The NIS Directive has three parts:

  • National capabilities: each EU Member State must have certain national cybersecurity capabilities, e.g. a national NIS strategy, a competent authority, a national CSIRT, and participation in cyber exercises.
  • Cross-border collaboration: collaboration between EU countries, e.g. the operational CSIRTs Network and the strategic NIS Cooperation Group.
  • National supervision of critical sectors: Member States must supervise the cybersecurity of critical market operators in their country: ex-ante supervision of operators of essential services in the energy, transport, banking, financial market infrastructure, health, drinking water and digital infrastructure sectors (the last covering internet exchange points, DNS service providers and top-level domain registries), and lighter, ex-post supervision of digital service providers (online marketplaces, online search engines and cloud computing services).

USA

Federal Information Security Management Act of 2002 (FISMA)

FISMA assigns specific responsibilities to federal agencies, the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) in order to strengthen information security systems:

  • Requires the Director of the Office of Management and Budget to oversee Federal agency information security policies and practices, including by requiring each Federal agency to identify and provide information security protections commensurate with the risk and magnitude of harm resulting from the unauthorized use, disclosure, disruption, modification, or destruction of information or information systems.
  • Requires each agency's senior officials to provide security for the information and systems that support their operations and assets and to develop plans and procedures to ensure the continuity of such information and systems.
  • Authorizes appropriations for FY 2003 through 2007 for information security.
  • Requires the Director (currently, the Secretary of Commerce) to promulgate standards and guidelines pertaining to Federal information (currently, computer) systems.
  • Requires the National Institute of Standards and Technology to: (1) develop and submit to the Director standards and guidelines for information (currently, computer) systems used or operated by or for a Federal agency, other than national security systems; and (2) provide adequate security for such systems. Establishes in the Institute an Office for Information Security Programs. (US Congress)

Federal Information Security Modernization Act of 2014

The Federal Information Security Modernization Act of 2014 (FISMA 2014) updates the Federal Government's cybersecurity practices by:

  • Codifying Department of Homeland Security (DHS) authority to administer the implementation of information security policies for non-national security federal Executive Branch systems, including providing technical assistance and deploying technologies to such systems;
  • Amending and clarifying the Office of Management and Budget's (OMB) oversight authority over federal agency information security practices; and
  • Requiring OMB to amend or revise OMB Circular A-130 to "eliminate inefficient and wasteful reporting." (US Congress)

Gramm-Leach-Bliley Act (GLBA)

  • content of the GLBA:
    • requires financial institutions, including insurance companies, to protect the security and confidentiality of their customers' non-public personal information; the FTC Safeguards Rule implementing it requires a written information security programme with a designated responsible person, risk assessments and appropriate safeguards

Health Insurance Portability and Accountability Act (HIPAA)

  • scope of the HIPAA:
    • requires covered entities (health plans, healthcare clearinghouses and healthcare providers) and their business associates to protect the confidentiality, integrity and availability of electronic protected health information (the HIPAA Security Rule); breaches of unsecured protected health information must be notified under the Breach Notification Rule

Homeland Security Act of 2002 (HSA)

  • scope of the HSA:
    • established the Department of Homeland Security and mandates federal agencies to protect their systems and information

Cybersecurity Information Sharing Act of 2015 (CISA)

  • scope of the CISA:
    • Identifies the federal government’s permitted uses of cyber threat indicators and defensive measures, while also restricting the information’s disclosure, retention and use
    • Authorizes entities to share cyber threat indicators and defensive measures with each other and with DHS, with liability protection
    • Requires the federal government to release periodic best practices. Entities will then be able to use the best practices to further defend their cyber infrastructure
    • Protects personally identifiable information by requiring entities to remove known PII from any information that is shared with the federal government, and requires any federal agency that receives cyber information containing PII to protect that PII from unauthorized use or disclosure. The U.S. Attorney General and the Secretary of Homeland Security publish guidelines to assist in meeting this requirement

Cybersecurity Enhancement Act of 2014

  • scope of the Cybersecurity Enhancement Act of 2014:
    • provides an ongoing, voluntary public-private partnership to improve cybersecurity and strengthen cybersecurity research and development, workforce development and education and public awareness and preparedness.
    • The bill calls for the NIST to closely coordinate with the private sector in developing standards.
    • Continued support of basic research, expansion of scholarships, and increases in research and development, standards development and coordination, and public outreach at NIST

National Cybersecurity Protection Advancement Act

  • The National Cybersecurity Protection Advancement Act of 2015:
    • amends the Homeland Security Act of 2002 to allow the Department of Homeland Security's (DHS's) National Cybersecurity and Communications Integration Center (NCCIC) to include tribal governments, information sharing and analysis centers (ISACs), and private entities among its non-federal representatives.
    • designates the NCCIC as the central hub for cyber threat indicator sharing between government and the private sector

France

White Paper on Defence and National Security

  • Presented 17 June 2008
  • Called for the capacity to prevent and respond to cyber-attacks, and made this a major priority of the national security organisation
  • In the field of cyberdefence, it stressed the need for an early detection capability for cyber-attacks and for an organisation to counter attacks
  • In the field of prevention, it advocated greater use of high-security products and networks, and the establishment of a pool of skills serving government departments and operators of vital importance (OIV)
  • It led to the creation of ANSSI (the French national cybersecurity agency) in 2009. Alongside ANSSI, the White Paper set in place a zonal cybersecurity observatory (OzSSI) for each defence and security zone on the national territory. The purpose of these observatories is the nationwide roll-out of measures adopted to improve cybersecurity (ANSSI)

Military Programming Law (Law No. 2013-1168)

  • The Military Programming Law (Law No. 2013-1168 of 18 December 2013) enabled national public and private sector operators of vital importance to better protect themselves and ANSSI – and other State bodies – to better support them in the event of a cyber-attack. (ANSSI)
  • Article 22 of the law imposes obligations on operators of vital importance for their critical information systems:
    • Comply with the security rules defined by ANSSI in liaison with the operators
    • Have detection mechanisms in place, operated by ANSSI or by trusted (qualified) service providers
    • Report major incidents to ANSSI
    • Submit to audits conducted or requested by ANSSI to verify security levels
    • In the event of a major crisis, implement the necessary measures as defined by the government

Godfrain Law

The so-called Godfrain Law (Loi Godfrain: excerpts of the Penal Code relating to Law No. 88-19 of 5 January 1988, Articles 323-1 to 323-7) is part of the French Penal Code and the first French cyber crime law, penalising under

  • Article 323-1 Fraudulent access to, or remaining in, an automated data processing system (hacking)
  • Article 323-2 Hindering or distorting the functioning of an automated data processing system (including DoS)
  • Article 323-3 Fraudulent introduction, extraction, modification or deletion of data
  • Article 323-3-1 Importing, holding, offering or making available tools designed to commit the above offences
  • Articles 323-4 to 323-7 Participation in a group formed to commit these offences, ancillary penalties, liability of legal persons, and attempt

French Penal Code

The French Penal Code (Code pénal, consolidated version of 1 January 2014) penalises identity theft under Article 226-4-1 and expressly extends the offence to identity theft committed on an online public communication network.

United Kingdom

The Network and Information Systems Regulations 2018 (transposing the EU NIS Directive into UK law)

  • Affected sectors: Energy, Transport, Health, Drinking Water, Digital Infrastructure (operators of essential services), plus relevant digital service providers
  • content: operators are assessed against the four top-level objectives of the NCSC Cyber Assessment Framework (CAF):
    • Managing security risk
    • Protecting against cyber attack
    • Detecting cyber security events
    • Minimising the impact of cyber security incidents

Communications Act

Part 2 (Networks, services and the radio spectrum), Chapter 1 (Electronic communications networks and services) of the Communications Act 2003 includes the following provisions related to cyber security:

  • Section 124A-124N Online infringement of copyright: Obligations of internet service providers
  • Section 125-127 Offences relating to networks and services
  • Section 128-131 Persistent misuse of network service

Computer Misuse Act 1990

An Act to make provision for securing computer material against unauthorised access or modification; and for connected purposes.

  • Section 1 Unauthorised access to computer material
  • Section 2 Unauthorised access with intent to commit or facilitate commission of further offences
  • Section 3 Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer, etc.
  • Section 3ZA Unauthorised acts causing, or creating risk of, serious damage
  • Section 3A Making, supplying or obtaining articles for use in offence under section 1, 3 or 3ZA

Fraud Act 2006

The Fraud Act penalises under the following sections:

  • Section 2 Fraud by false representation (a representation may be made to a system or device, which covers fraud committed against machines rather than people)
  • Section 6 Possession etc. of articles for use in frauds
  • Section 7 Making or supplying articles for use in frauds
  • Section 8 "Articles": defines "article" for sections 6 and 7 to include any program or data held in electronic form, which brings computer-related fraud tools within their scope

China

Cybersecurity Law

  • scope of the Cybersecurity Law (in force since 1 June 2017):
    • Personal information protection
      • Collection of personal information is only allowed when the individuals are informed of, and accept, the scope and purpose
      • Standardised approaches for obtaining personal information
    • Preservation of sensitive information
      • Personal information and important data collected or generated by operators of critical information infrastructure must be stored domestically
      • Where such data genuinely needs to be transferred overseas for business reasons, a security assessment is required before the transfer
    • Network Operators – Owners and administrators of networks and network service providers
      • Establishment of security administration to clarify responsibilities, design rules, regulations and processes to ensure network security
      • Adaptation of technologies to prevent, combat and investigate cyber attacks to mitigate network risks
      • Ensuring data availability and confidentiality with back-ups and encryption
    • Certification of security products
      • Providers can only sell or provide critical network equipment and special cybersecurity products after receiving security certifications
      • Critical information infrastructure operators should actively respond to national security reviews
    • Legal liabilities
      • Clearly stated penalties, may include suspension of business activities
      • Serious illegal action may lead to the closing of businesses or revocation of licenses
      • Maximum fine may reach up to RMB 1,000,000 (~€130,000) to network operators, network product or service providers and operators of critical information infrastructure
    • Critical information infrastructure
      • Required regular cyber risk assessments and reporting of evaluation for operators of critical infrastructure according to the Cybersecurity Law

Switzerland

Federal Telecommunications Act

  • scope of the Federal Telecommunications Act (TCA):
    • The Guideline on Security and Availability of Telecommunications Infrastructures and Services recommends:
      • Implementation of an Information Security Management System (ISMS), as described e.g. in ISO/IEC 27001
      • Business Continuity Plans
      • Disaster Recovery Plan
    • Art. 48a: The Federal Council may issue technical and administrative regulations for the security and availability of telecommunications infrastructures and services. (The Federal Council of Switzerland)

Swiss Criminal Code

The Swiss Criminal Code penalises under

  • Article 143 Unauthorised obtaining of data (data theft)
  • Article 143bis Unauthorised access to a data processing system (hacking; paragraph 2 covers distributing passwords or programs for such access)
  • Article 144bis Damage to data (deleting, altering or rendering data unusable, which also covers DoS-type attacks; paragraph 2 covers creating or distributing malware)
  • Article 147 Computer fraud
  • Article 162 Breach of manufacturing or trade secrecy
  • Articles 179 ff. Offences against personal privacy (e.g. Article 179novies, unauthorised obtaining of personal data)
  • Article 251 Forgery of documents

Information Security Act (draft law)

In parliamentary consultation 2017–2019; since adopted as the Federal Act on Information Security (ISG) on 18 December 2020 and in force since 1 January 2024.

Brazil

Cybersecurity Policy

The Cybersecurity Policy:

  • Guides activities and proceedings related to cyber defence and cyberwarfare at the strategic and operational levels
  • Establishes principles, objectives and guidelines for the consolidation of cyber­security

Penal Code

The Brazilian Penal Code (Código Penal, Decree-Law No. 2,848 of 7 December 1940, as amended by Law No. 12,234 of May 2010) penalises under the following Articles:

  • Article 154-A: Invasion of a computer device (hacking, malware); inserted by Law No. 12,737/2012
  • Article 266: Interruption or disturbance of telegraph, telephone, computer, telematic or public-utility information services (DoS)

White Paper on National Defence

The White Paper on National Defence outlines the objectives of the National Defence Policy for the following two decades and establishes a budget.

  • Under Army coordination, significant advances have been made in training specialised personnel and in the development of advanced technological solutions. The following premises were set for the project:
    • contemplate multidisciplinarity and duality of use
    • promote the defence industrial base
    • induce the national industry to produce innovative systems
    • produce critical national components
  • The Army Center for Cyber Defense adds its efforts to those of other existing government organisations and seeks to:
    • develop human resources
    • update doctrine
    • strengthen security
    • respond to network incidents
    • incorporate lessons learned
    • protect against cyber-attacks (Ministry of Defence)

Brazilian Civil Rights Framework for the Internet, Law No. 12,965/14

The Brazilian Civil Rights Framework for the Internet addresses several issues, such as:

  • net neutrality
  • privacy
  • data retention
  • the social function of the internet
  • freedom of expression and transmission of knowledge
  • obligations related to the civil liability of both users and providers

Carolina Dieckmann Law (Law No. 12,737/2012)

The Carolina Dieckmann Law, which inserted Article 154-A into the Penal Code:

  • defines certain cybercrimes, such as hacking into computers, violating user data or taking down websites.
  • provides increased penalties if the invasion causes economic loss or if there is any disclosure, commercialization or transmission of data or information to third parties

National Strategy for Defence

The National Strategy for Defence

  • identifies three strategic sectors (outer space, cybernetics and nuclear energy) as essential for national security
  • grants powers to the Brazilian armed forces on matters involving cybersecurity

Russian Federation

Criminal Code (Federal Law No. 63-FZ of 13 June 1996)

The Criminal Code penalizes under

  • Article 272 Illegal Accessing of Computer Information
  • Article 273 Creation, Use, and Dissemination of Harmful Computer Programs (the older wording "computer viruses" was broadened in 2011)
  • Article 274 Violation of Rules for the Operation of Computers, Computer Systems, or Their Networks

Federal Law No. 187-FZ of 26 July 2017 on the Security of the Critical Information Infrastructure of the Russian Federation

The Federal Law (available in Russian only) sets out the basic foundations and principles for ensuring the security of Russia's critical information infrastructure, including the foundations for the functioning of the state system for detecting, preventing and eliminating the consequences of cyberattacks against Russian Federation information resources (GosSOPKA). This is a unified system, distributed across the country and endowed with the capabilities and resources needed to detect, prevent and eliminate the consequences of cyberattacks and respond to cyber incidents.

The Federal Law sets out the mechanism for preventing cyber incidents at important components of critical information infrastructure, which will considerably reduce the negative impact for the country in the event of cyberattacks against Russia.

The Federal Law defines the powers of state bodies for ensuring the security of critical information infrastructure and the rights and obligations of the various actors in this area.

Federal Law No. 149-FZ of July 27, 2006, on Information, Information Technologies and Protection of Information (as amended up to Federal Law No. 327-FZ of November 25, 2017)

The principles and requirements in the domain of data privacy and data protection are contained in the Federal Law No. 149-FZ of July 27, 2006, on Information, Information Technologies and Protection of Information.

Federal Law No. 241-FZ "On Amendments to Articles 10.1 and 15.4 of the Federal Law 'On Information, Information Technologies and Protection of Information'" (the "IM Law")

Regulation of the activities of messenger services:

  • Identification of users
  • Preventing the distribution of prohibited content

Federal Law No. 242-FZ

Federal Law No. 242-FZ requires the personal data of Russian citizens to be recorded, stored and processed using databases located in Russia. Operators that process the personal data of Russian citizens have to notify Roskomnadzor of the location of the servers on which such personal data is stored.

Federal Law No. 276-FZ "On Amendments to the Federal Law 'On Information, Information Technologies and Protection of Information'" (the "VPN Law")

Federal Law No. 276-FZ regulates the technologies that can be used to access restricted websites in Russia.

India

National Cyber Security Policy (2013)

  • scope of the National Cyber Security Policy:
    • Set-up of a 24x7 National Critical Information Infrastructure Protection Centre (NCIIPC)
    • Creation of cyber security task force
    • Provision of fiscal schemes and incentives to encourage upgrade of information infrastructure with respect to cyber security
    • Requiring organizations to designate a CISO and allocate a security budget
    • Use of open standards for cyber security
    • Development of a dynamic legal framework to address cyber security challenges
    • Encouragement of wider use of PKI for government services
    • Establishment of Centers of Excellence, cyber security concept labs and e-Governance
    • Development of an infrastructure for evaluation and certification of ICT security products

Information Technology Act 2000

The Information Technology Act penalises (or, in the case of Sections 43 and 43A, provides civil compensation) under the following sections:

  • Section 43 Damage to computer, computer systems, etc.
  • Section 43A Compensation for failure to protect data
  • Section 66 Computer related offences
  • Section 66C Identity theft
  • Section 66D Cheating by personation by using computer resource
  • Section 72 Breach of confidentiality

Canada

Protecting Canadians from Online Crime Act

  • This enactment amends the Criminal Code to provide for
    • a new offence of non-consensual distribution of intimate images as well as complementary amendments to authorize the removal of such images from the Internet and the recovery of expenses incurred to obtain the removal of such images, the forfeiture of property used in the commission of the offence, a recognizance order to be issued to prevent the distribution of such images and the restriction of the use of a computer or the Internet by a convicted offender;
    • the power to make preservation demands and orders to compel the preservation of electronic evidence;
    • new production orders to compel the production of data relating to the transmission of communications and the location of transactions, individuals or things;
    • a warrant that will extend the current investigative power for data associated with telephones to transmission data relating to all means of telecommunications;
    • warrants that will enable the tracking of transactions, individuals and things and that are subject to legal thresholds appropriate to the interests at stake; and
    • a streamlined process of obtaining warrants and orders related to an authorization to intercept private communications by ensuring that those warrants and orders can be issued by a judge who issues the authorization and by specifying that all documents relating to a request for a related warrant or order are automatically subject to the same rules respecting confidentiality as the request for authorization.
  • It also amends the Competition Act to make applicable, for the purpose of enforcing certain provisions of that Act, the new provisions being added to the Criminal Code respecting demands and orders for the preservation of computer data and orders for the production of documents relating to the transmission of communications or financial data. It also modernizes the provisions of the Act relating to electronic evidence and provides for more effective enforcement in a technologically advanced environment.
  • Lastly, it amends the Mutual Legal Assistance in Criminal Matters Act to make some of the new investigative powers being added to the Criminal Code available to Canadian authorities executing incoming requests for assistance and to allow the Commissioner of Competition to execute search warrants under the Mutual Legal Assistance in Criminal Matters Act. (Government of Canada)

Anti-Spam Act

  • An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act. (Government of Canada)

Further Legislation

Korea

Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc.

The purpose of the Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. is to contribute to improving citizens’ lives and enhancing public welfare by facilitating utilization of information and communications networks, protecting personal information of people using information and communications services, and developing an environment in which people can utilize information and communications networks in a healthier and safer way:

  • The Act prohibits and punishes violations of information and communications networks
  • Creation of a pre-inspection system of information security, rating of information security management, inspection of security vulnerabilities, and technical support for information and communications service providers
  • Obligation to report security incidents, sharing information, basis for emergency response

Act on the Protection of Information and Communications Infrastructure

The purpose of the Act on the Protection of Information and Communications Infrastructure is to contribute to the stable operation of critical information and communications infrastructure by formulating and implementing measures to protect it against electronic intrusion:

  • Formation of the Committee for Protection of Information and Communications Infrastructure, which shall coordinate protection policies about critical information and communications infrastructure
  • Protection from electronic intrusions and establish and implement plans for protection of critical information and communications infrastructure
  • Analyze and evaluate vulnerabilities of infrastructure to establish protective measures and inform the Korea Internet & Security Agency (KISA) so that necessary measures can be taken to prevent the spread of such incident
  • Support information sharing
  • Punishment to illegal acts against information infrastructure

Singapore

Cybersecurity Act 2018

  • Affected industries: Energy, Water, Banking and Finance, Healthcare, Transport (which includes Land, Maritime, and Aviation), Infocomm, Media, Security and Emergency Services, and Government.
  • scope of the Cybersecurity Act 2018:
    • Strengthen the protection of Critical Information Infrastructure (CII) against cyber-attacks. CII are computer systems directly involved in the provision of essential services. The Act provides a framework for the designation of CII, and provides CII owners with clarity on their obligations to proactively protect the CII from cyber-attacks.
    • Authorize CSA to prevent and respond to cybersecurity threats and incidents. The Act empowers the Commissioner of Cybersecurity to investigate cybersecurity threats and incidents to determine their impact and prevent further harm or cybersecurity incidents from arising. The powers that may be exercised are calibrated according to the severity of the cybersecurity threat or incident and measures required for response.
    • Establish a framework for sharing cybersecurity information. The Act also facilitates information sharing, which is critical as timely information helps the government and owners of computer systems identify vulnerabilities and prevent cyber incidents more effectively. The Act provides a framework for CSA to request information, and for the protection and sharing of such information.
    • Establish a light-touch licensing framework for cybersecurity service providers. CSA adopts a light-touch approach to license only two types of service providers currently, namely penetration testing and managed security operations center (SOC) monitoring. (CSA Singapore)

Computer Misuse Act

The Computer Misuse Act penalises under the following sections:

  • Section 3 Unauthorised access to computer material (hacking, including access obtained by phishing)
  • Section 4 Access with intent to commit or facilitate commission of an offence
  • Section 5 Unauthorised modification of computer material (malware)
  • Section 6 Unauthorised use or interception of computer service
  • Section 7 Unauthorised obstruction of use of computer (DoS)
  • Section 8 Unauthorised disclosure of access code
  • Section 8A Supplying, etc., personal information obtained in contravention of certain provisions (trafficking in stolen personal data)
  • Section 8B Obtaining, etc., items for use in certain offences

South Africa

Cybercrimes and Cybersecurity Bill

  • scope of the Cybercrimes and Cybersecurity Bill (since enacted, without its cybersecurity chapters, as the Cybercrimes Act 19 of 2020):
    • to create offences and impose penalties which have a bearing on cybercrime
    • to criminalise the distribution of data messages which are harmful and to provide for interim protection orders
    • to further regulate jurisdiction in respect of cybercrimes
    • to further regulate the powers to investigate cybercrimes
    • to further regulate aspects relating to mutual assistance in respect of the investigation of cybercrime
    • to provide for the establishment of a 24/7 Point of Contact
    • to further provide for the proof of certain facts by affidavit
    • to impose obligations on electronic communications service providers and financial institutions to assist in the investigation of cybercrimes and to report cybercrimes
    • to provide for the establishment of structures to promote cybersecurity and capacity building
    • to regulate the identification and declaration of critical information infrastructures and measures to protect critical information infrastructures
    • to provide that the Executive may enter into agreements with foreign States to promote cybersecurity
    • to delete and amend provisions of certain laws and to provide for matters connected therewith.

(Ministry of Justice and Correctional Services)

Electronic Communications and Transactions Act (ECT)

The Electronic Communications and Transactions Act (ECT) provides for the facilitation and regulation of electronic communications and transactions; to provide for the development of a national e-strategy for the Republic; to promote universal access to electronic communications and transactions and the use of electronic transactions by SMMEs; to provide for human resource development in electronic transactions; to prevent abuse of information systems; to encourage the use of e-government services; and to provide for matters connected therewith. (ECT)

  • Chapter 13 of this Act penalizes under the following sections:
    • Section 86(1): Hacking (unauthorised access to or interception of data)
    • Section 86(2): Unauthorised interference with data
    • Section 86(3-4): Malware (devices and programs designed to overcome security measures, and their use)
    • Section 86(5): DoS
    • Section 87: Computer-related extortion, fraud and forgery
    • Section 88: Attempt, and aiding and abetting in the abovementioned acts

The Electronic Communications and Transactions Amendment Bill 2012

The Electronic Communications and Transactions Amendment Bill 2012 seeks to rewrite parts of the Electronic Communications and Transactions Act 25 of 2002. The amendment provides a right to remedy upon receipt of a take-down notice issued to Internet Service Providers and also contains provisions on the creation and aims of a Cyber Security Hub.

United Arab Emirates

Federal Decree-Law No. 5 of 2012 on Combating Cybercrimes

Israel

Computers Law

Chapter Two of the Computers Law 5755-1995 penalizes under the following sections:

  • Section 2 Disrupting or interfering with a computer or computer material
  • Section 3 False information or false output
  • Section 4 Unlawful penetration into computer material
  • Section 5 Penetration into computer material in order to commit another offense
  • Section 6 A computer virus

Penal Law 5737-1977

  • content of the Penal Law 5737-1977 (consolidated version of 2014):
    • Obtaining anything by deceit: If a person obtains a thing by deceit, then he is liable to three years imprisonment; if the offense is committed under aggravating circumstances, then he is liable to five years imprisonment.
    • Trickery: If a person obtains anything by trickery or by deliberately taking advantage of another person's error without deceit, then he is liable to two years imprisonment.

Government Resolution 2444 Promoting National Preparedness for Cyber Defense

  • This resolution established the National Cyber Defense Authority (NCDA)

Government Resolution 3611

  • This resolution reorganised national cybersecurity policy by establishing the National Cyber Bureau (NCB)
  • content:
    • To establish a National Cyber Bureau (hereafter: the Bureau) in the Prime Minister’s Office, as detailed in Addendum A.
    • To regulate responsibility for dealing with the cyber field, as detailed in Addendum B.
    • To advance defensive cyber capabilities in Israel and advance research and development in cyberspace and supercomputing, as detailed in Addendum A.
    • The budget to implement this Resolution will be determined by the Prime Minister in consultation with the Minister of Finance, and will be submitted to the government for approval within two months of this Resolution being passed.
    • Despite the aforementioned matters in this Resolution, and in order to remove any doubt, it is hereby clarified that this Resolution does not apply to special bodies. Special arrangements will apply to them, as agreed upon between them and the Bureau within 120 days of its establishment. (Prime Minister’s Office)

Cyber Security Draft Law

The Draft Law contains 3 parts:

  • First part: Establishment of the Israeli National Cyber Directorate (INCD) and describing its tasks: national defense against cyber threats, enhancing capability to handle cyber attacks, advising the government, etc.
  • Second part: Powers of the INCD. The INCD is allowed to collect and obtain information that supports detecting, handling or preventing cyber attacks. For this purpose the INCD will operate the national CERT.
  • Third part: Setting of a framework for the national regulation of cyber security to ensure the resilience and response of organizations

Iran

Computer Crimes Act

The Computer Crimes Act is divided into a substantive part (Section 1) and a procedural part (Section 2).

Section 1 penalizes in:

  • Chapter 1: Crimes against the confidentiality of data and computer and telecommunications systems
  • Chapter 2: Crimes against the integrity and validity of data and computer and telecommunications systems
  • Chapter 3: Computer-related theft and fraud

Section 2 contains procedural law and regulates in:

  • Chapter 2: Collecting digital evidence
  • Chapter 3: Admissibility of digital evidence

Turkey

Electronic Communication Law No. 5809 (ECL)

scope of the Electronic Communication Law No. 5809 (ECL):

  • Alongside the provision of electronic communications services and the construction and operation of the infrastructure and the associated network systems thereof; the manufacture, import, sale, construction and operation of all kinds of electronic communications equipment and systems, the planning and assignment of scarce resources including frequency, and the regulation, authorization, supervision and reconciliation activities relating to such issues are also subject to this Law.
  • This Law shall apply without prejudice to the provisions of Certain Laws regarding national security and public order and the provision of electronic communications services in case of extraordinary situations such as martial law, mobilization, war and natural disasters as well as the provisions of “Law On How Transportation and Communication Services Are To Be Carried Out In Extraordinary Situations” no. 697 dated 16/7/1965; “Law On The Organization And Duties Of The Ministry Of Transport” no. 3348 dated 9/4/1987, “Law On Provision of Universal Services and Amendments to Certain Laws” no. 5369 dated 16/6/2005, “Law on Amendments to Certain Laws” no. 5397 dated 3/7/2005 and “Law on the Regulation of Publications on Internet and Suppression of Crimes Committed by means of Such Publications” no. 5651 dated 4/5/2007.
  • Provisions of this Law, except for Article 36 and Article 39, shall not apply to electronic communications equipment, systems and networks of the Turkish Armed Forces, the General Command of Gendarmerie and the Coast Guard Command, nor to electronic communications equipment, systems and networks of the Ministry of Foreign Affairs, the Telecommunication Communication Presidency, the Undersecretariat of the National Intelligence Agency and the General Directorate of Security, limited to issues within their purview set out in their establishment laws, nor to equipment, systems and networks installed or to be installed by operators and paid for by the above-mentioned institutions. (Electronic Communications Law)

Penal Code No. 5237

The Turkish Penal Code penalizes under the following articles:

  • Article 243 - Illegal Access to a Computer Network System
  • Article 244 - Preventing the Functioning of a System and Deletion, Alteration or Corrupting of Data
  • Article 245/A - Prohibited devices and programs
  • Article 246 - Implementation of Security Measures on Legal Entities
  • Article 158/1-f - Computer and communications fraud
  • Article 142/2.e - Larceny committed by use of data processing systems
  • Article 245/3 - Counterfeiting.

Criminal Procedure Code No. 5271

  • Article 135 - Injunction for providing data or granting access to data
  • Article 134 - Search and seizure of computer data
  • Article 135 - Interception of communications
  • Article 140 - Surveillance with technical means.

Further Legislation:

  • Regulation on the Protection of Network and Data in the Electronic Communications Sector (the Network Regulation)
  • Regulation on the Information Security in Industrial Control Systems used in the Energy Sector (the Energy Regulation)

Mexico

Mexican Penal Code

The Código Penal Federal penalizes under the following articles:

  • Article 211 bis Hacking, phishing, electronic theft
  • Article 386 Computer fraud

Legal Acts tackling Cybersecurity issues:

Australia

Cybercrime Act

Content of the Australian Cybercrime Act 2001, which inserted the computer offences into Part 10.7 of the Commonwealth Criminal Code:

  • Offences defined:
    • Unauthorized access, modification or impairment with intent to commit a serious offence
    • Unauthorized modification of data to cause impairment
    • Unauthorized impairment of electronic communication
    • Possession or control of data with intent to commit a computer offence
    • Producing, supplying or obtaining data with intent to commit a computer offence
    • Unauthorized access to, or modification of, restricted data
    • Unauthorized impairment of data held on a computer disk etc.
  • The Australian Federal Police is the investigating authority for these offences; prosecution is by the Commonwealth Director of Public Prosecutions (Cybercrime Act)

Commonwealth Criminal Code Act

The Commonwealth Criminal Code Act penalizes under the following divisions of Part 10.7 (Computer offences):

  • Division 477: Serious computer offences
  • Division 478: Other computer offences (such as hacking, malware, electronic theft)

Criminal Code Act

The Criminal Code Act contains provisions on:

  • the theft of confidential electronic records
  • computer and electronic fraud
  • digital forgery

Crimes Act

Section 3LA of the Crimes Act ("Person with knowledge of a computer or a computer system to assist access etc.") allows a magistrate to order a person to provide the information or assistance that is reasonable and necessary to access, copy or convert data held on a computer or data storage device that has been seized or is the subject of a warrant.

Egypt

Law on Combating ICT Crimes

The Law on Combating ICT Crimes is divided into three parts comprising eight chapters, among them:

  • Chapter I: Offences Against the Integrity of Information Networks, Systems, and Technologies (including offences like online piracy, illegal access, data interference, computer sabotage, email account hacking, websites hacking, and offences against state-owned information systems)
  • Chapter II: Crimes Committed by Means of Information Systems and Technologies (including theft of information)
  • Chapter III: Crimes Related to Invasion of Privacy and Illegal Content
  • Chapter IV: Crimes Committed by Web Administrators
  • Chapter V: Criminal Liability of Service Providers
  • Chapter VII: Criminal Liability of Legal Persons

Electronic Signature Law

Besides general provisions and provisions on e-signatures, the Electronic Signature Law stresses the protection of information and communication technology and establishes the Information Technology Industry Development Agency (ITIDA).

The Agency aims at achieving the following objectives:

  • a) Encouraging and developing information and communications technology
  • b) Transferring and using advanced information technology
  • c) Increasing opportunities for exporting communications and information technology services and the products thereof
  • d) Participating in the development and improvement of entities operating in the ICT field
  • e) Directing, encouraging and developing investments in the ICT industry
  • f) Protecting the common interests of information technology activities
  • g) Supporting ICT research and studies and encouraging utilization thereof
  • h) Promoting and supporting small and medium enterprises (SMEs) in using and applying electronic transaction mechanisms (applications)
  • i) Regulating the activities of e-signature services and other activities in relation to e-transactions and the information technology industry

Philippines

Cybercrime Prevention Act of 2012

  • scope of the Cybercrime Prevention Act of 2012:
    • penalizes illegal acts done via the Internet that were not covered by earlier law
    • addresses crimes committed against and by means of computer systems

Electronic Commerce Act

Part V of the Electronic Commerce Act penalizes under the following sections:

  • Section 33 (a) Hacking
  • Section 33 (b) Piracy

Italy

Italian Penal Code

The Italian Penal Code penalizes different cyber crimes under the following articles:

  • Article 494: Fake identity (impersonation)
  • Article 615-ter: Unauthorized access to a computer or telecommunication system
  • Article 615-quater: Unauthorized possession and distribution of access codes to computer or telecommunication systems
  • Article 615-quinquies: Distribution of equipment, devices or computer programs aimed at damaging or interrupting an IT or telematic system
  • Articles 622-623: Disclosure of professional, commercial and scientific secrets
  • Article 635-bis: Damaging of information, data and computer programs (including DoS-type interference)
  • Article 640-ter: Computer fraud

Germany

Criminal Code

The German Criminal Code (Strafgesetzbuch, StGB) penalizes the following acts:

  • Section 202a Data espionage (hacking, electronic theft)
  • Section 202b Data interception (phishing)
  • Section 202c Acts preparatory to data espionage and interception (possession of hacking tools)
  • Section 202d Handling stolen data
  • Section 206 Violation of postal and telecommunications secrets
  • Section 263 Fraud
  • Section 303b Computer sabotage (DoS)

Gesetz über das Bundesamt für Sicherheit in der Informationstechnik (BSI-Gesetz, BSIG)

The BSIG describes the organisation and the duties of the Bundesamt für Sicherheit in der Informationstechnik (BSI, the German Federal Office for Information Security).

Its duties include:

  • Protection against threats to the security of the information technology systems of the federal government
  • Acting as the central reporting office for information security
  • Collection and analysis of information on security threats and on security measures against them
  • Development of criteria, processes and tools to assess the security of information technology systems
  • Assessment and evaluation of the security of information technology systems

Sections 8a to 8c of the BSIG define security requirements and reporting duties for operators of critical infrastructures and for digital service providers.

IT-Sicherheitsgesetz 2015 (Gesetz zur Erhöhung der Sicherheit informationstechnischer Systeme; Version 2.0 is currently in legislative process)

The IT Security Law amends the BSIG and focuses on the protection of critical infrastructures. It also amends the Telemediengesetz and the Telekommunikationsgesetz, among others. As a result, operators of critical infrastructures are subject to higher security standards and defined security measures and are obliged to report significant IT security incidents to the BSI.

Telemediengesetz

The Telemediengesetz (Telemedia Act) was amended by the IT-Sicherheitsgesetz and obliges providers of telemedia to implement technical and organisational measures to protect personal data as well as their information infrastructure (section 13).

Telekommunikationsgesetz

The Telekommunikationsgesetz (Telecommunications Act) was amended by the IT-Sicherheitsgesetz and obliges providers of telecommunications services to implement technical and organisational measures to protect personal data as well as their information infrastructure (section 109). The Bundesnetzagentur reviews these measures on a regular basis (at least every two years). For this purpose the Bundesnetzagentur published a catalogue of the corresponding requirements:

Katalog von Sicherheitsanforderungen für das Betreiben von Telekommunikations- und Datenverarbeitungssystemen sowie für die Verarbeitung personenbezogener Daten nach § 109 TKG (Catalogue of security requirements for operating telecommunications and data processing systems and for processing personal data under § 109 TKG)

IT-Grundschutz-Kataloge

The IT-Grundschutz-Kataloge are a collection of documents from the BSI that provide guidance for detecting weaknesses and preventing attacks in the information technology (IT) environment; since 2017 they have been succeeded by the IT-Grundschutz-Kompendium.

Gesetz zur Umsetzung der NIS-Richtlinie

Germany implemented the EU NIS Directive with the Gesetz zur Umsetzung der NIS-Richtlinie (Act implementing the NIS Directive).