That divergence is not the product of inconsistent drafting. It is the direct, structural consequence of minimum harmonization as a legislative technique: a floor invites variation above it by design. The variation carries a practical cost at the point where cybercrime prosecution crosses a national border: extradition typically turns on double criminality, the rule that conduct must be criminal on both sides of the request, and divergent statutory definitions can turn what looks like a shared European offense into a genuine jurisdictional gap.
Three developments are changing this picture through the second half of 2026: the NIS2 Directive's new personal liability exposure for corporate management, the e-Evidence Regulation's full application on 18 August 2026, and the Second Additional Protocol to the Budapest Convention, signed by 22 parties in 2022 but ratified by only three as of early 2026.
The Budapest Convention: The Treaty Beneath EU Cybercrime Law
The Council of Europe's Convention on Cybercrime, ETS No. 185, opened for signature in 2001 and entered into force in 2004. It was the world's first international treaty dedicated specifically to cybercrime, and it remains the widest in reach: 68 parties have signed on, a group that includes the United States and Japan alongside its European members. That last point corrects a common misconception worth stating directly. The Budapest Convention is not an EU instrument. It is a Council of Europe treaty open to states well beyond Europe's borders, and its authority does not depend on EU membership.
What the Convention actually does falls into three parts. First, it defines a common set of substantive offenses: illegal access, illegal interception, data interference, system interference, misuse of devices, and computer-related forgery and fraud. Second, it gives investigators shared procedural powers: expedited preservation of stored data, production orders directed at data holders, and search and seizure of stored computer data. Third, it builds an international cooperation framework around those powers, including a 24/7 network of national points of contact so that one party can reach another quickly when digital evidence needs to move fast.
EU member states are near-universally parties to the Budapest Convention, and this matters for everything that follows. Rather than draft a separate vocabulary of offenses from scratch, the EU's own legislation builds on the Convention's definitions. Directive 2013/40/EU, examined next, is the clearest example of that inheritance.
Directive 2013/40/EU: A Floor, Not a Ceiling
Directive 2013/40/EU, formally titled "on attacks against information systems," replaced the earlier Council Framework Decision 2005/222/JHA. It entered into force in September 2013, with a transposition deadline of 4 September 2015 for member states to write its requirements into national law.
The Directive requires member states to criminalize four categories of conduct: illegal access to information systems, illegal system interference, illegal data interference, and illegal interception. It also reflects two elements aimed squarely at how cybercrime actually operates in practice. First, it explicitly criminalizes tools designed to seize remote control of networks of computers, the botnet model that underlies much large-scale attack infrastructure. Second, it treats identity theft used to gain a third party's trust as an aggravating circumstance. Impersonation is often the mechanism that makes a subsequent attack work, and the Directive treats it accordingly.
Beyond substantive offenses, the Directive imposes operational obligations on member states themselves. Urgent cross-border requests for assistance must receive a response within 8 hours, and states must maintain periodic statistical reporting on cybercrime prevalence and convictions.
The single most important fact about Directive 2013/40/EU, for understanding everything that follows in this article, is that it is a minimum harmonization measure. It establishes a floor that every member state must meet, not a ceiling that all must match. That specific structural choice, not any drafting inconsistency between national parliaments, is the direct cause of the penalty divergence documented in the next section.
Same Floor, Different Ceilings: How Italy, Germany, France, and Spain Diverge
Each of the four has built a distinct statutory structure, and a different penalty architecture, on top of that shared Budapest Convention and Directive 2013/40/EU floor.
Italy criminalizes unauthorized system access under Article 615-ter of the Codice Penale, the Italian Penal Code. The base offense carries a sentence of up to 3 years, rising to 5 years where the offender uses violence, carries weapons, or holds public office, and up to 8 years where the targeted system serves public health or national security. The provision traces back to Law 547/1993, Italy's first cyber-specific criminal statute, and was substantially reinforced in 2024 by Legge 90/2024 (Law 90/2024), discussed in the next section.
Italy is also the only one of these four states to layer corporate criminal liability on top of individual liability for cybercrime. Since 2008, Italy's Decreto Legislativo 231/2001 (D.Lgs. 231/2001) has allowed direct criminal liability of a company itself when certain cybercrimes are committed by its personnel for the company's benefit. Article on how EU data-protection obligations intersect with criminal liability covers this corporate-liability question, along with the broader question of how privacy law and criminal exposure interact, in full.
Germany takes a more granular approach, splitting the same underlying conduct across several distinct provisions of the Strafgesetzbuch, the German Criminal Code, rather than folding it into one access offense. Section 202a (Ausspähen von Daten, or data espionage) punishes unauthorized access to specially secured data with up to 3 years or a fine. Section 303a (Datenveränderung, data alteration) carries up to 2 years or a fine. Section 303b addresses computer sabotage, and Section 263a covers computer fraud. Where Italy concentrates access-related conduct into a single offense with tiered aggravating factors, Germany separately codifies access, alteration, and sabotage as distinct crimes.
France built its framework earliest, through the 1988 Loi Godfrain, now codified as Articles 323-1 through 323-8 of the Code pénal, the French Criminal Code. Article 323-1 punishes fraudulent access to, or remaining within, an automated data-processing system (STAD), carrying 2 years and a fine of 30,000 euros, rising to 3 years and 45,000 euros where data is deleted, modified, or the system disrupted. Article 323-2, covering obstruction or falsification of a STAD's operation, carries 5 years and a fine of 75,000 euros. The nearly four-decade-old drafting has proven flexible enough to absorb newer conduct through periodic amendment, including a 2004 addition criminalizing the sale of attack tools.
Spain reformed comprehensively through Organic Law 1/2015, which explicitly implements both Directive 2013/40/EU and the Budapest Convention, ratified by Spain in 2010. Article 197 bis of the Código Penal, the Spanish Penal Code, punishes unauthorized access achieved by breaching security measures with 6 months to 2 years, and interception of non-public data transmissions with 3 months to 2 years or a fine, rising to 3 to 5 years where patrimonial damage occurs or secrets are revealed. Article 264 of the same code covers data damage at 6 months to 3 years, while Article 264 bis specifically targets DDoS-style obstruction of systems, with penalties reaching 3 to 8 years plus a fine of triple the damage where critical infrastructure is the target.
| Jurisdiction | Core Statute | Penalty Range | Corporate Liability |
|---|---|---|---|
| Italy | Art. 615-ter Codice Penale | Up to 3 years (base); up to 8 years (aggravated) | Yes, via D.Lgs. 231/2001 |
| Germany | StGB §§202a, 303a, 303b, 263a | Up to 2-3 years or a fine per provision | No equivalent entity-liability regime discussed here |
| France | Code pénal Art. 323-1 to 323-8 | 2-5 years plus fines up to EUR 75,000 | No equivalent entity-liability regime discussed here |
| Spain | Código Penal Art. 197 bis, 264, 264 bis | 3 months to 8 years depending on offense | No equivalent entity-liability regime discussed here |
Same treaty floor, different statutory shape, different penalty ceilings, and, among these four states, an added corporate-liability dimension found only in Italy.
Italy's 2024 Reckoning: Legge 90/2024 and the NIS2 Transposition
Legge 90/2024 toughened cybercrime penalties directly within the Codice Penale and added new aggravating circumstances, entering into force on 17 July 2024. It created a new offense of extortion committed via cybercrime, inserted as Article 629, paragraph 3, and extended preliminary-investigation deadlines for computer crimes targeting systems tied to military or public interest. The law also gave the Agenzia per la Cybersicurezza Nazionale (ACN), Italy's national cybersecurity authority, a formal coordinating role. It added mandatory immediate-transmission obligations for serious cybercrime reports that connect ACN, the national anti-mafia and anti-terrorism prosecutor, judicial police, and public prosecutors into a single reporting chain. Separately, the law expanded the D.Lgs. 231/2001 predicate-crime list specifically for cybercrime.
Decreto Legislativo 138/2024 (D.Lgs. 138/2024), in force since 16 October 2024, transposed NIS2 into Italian law. It expanded scope from the prior NIS regime to 18 sectors, 11 designated "highly critical" and 7 "critical," covering more than 80 categories of public and private entities, and confirmed ACN as the single point of contact and competent authority for the new regime. The sanctions structure is progressive. Simply failing to register by the 28 February 2025 deadline triggered fines of 0.1% of global turnover for entities classified as "essential" and 0.07% for those classified as "important." Substantive violations of the regime can reach 10,000,000 euros or 2% of global annual turnover, whichever figure is higher.
Together, the two statutes turn Italy into a working benchmark: a member state that moved on the criminal code and on cybersecurity regulation within the same calendar year. Other jurisdictions now have a concrete point of comparison for how fast a legislative response can move once the political will exists.
NIS2 and the New Personal Liability for Corporate Management
NIS2, Directive (EU) 2022/2555, reads, on its face, like a cybersecurity risk-management directive rather than a criminal-law instrument. That framing understates what its 2024-2026 national transpositions have actually done. Across the member states that have completed transposition, implementing laws attach personal liability to individuals within a covered entity's management body, and that exposure reaches well past formal board seats to anyone holding legal-representative authority or de facto control, including liability for gross negligence.
Transposition remains incomplete. As of May 2026, 22 of the 27 member states had transposed NIS2, while France, Ireland, Luxembourg, the Netherlands, and Spain remained in legislative procedure. Enforcement is a step further behind still: as of mid-2026, no national authority, not Germany's BSI, Belgium's CCB, France's ANSSI, Italy's ACN, or any of their counterparts, had published a finalized NIS2 administrative fine. That gap makes 2026 the year first enforcement is expected to actually begin, now that the supervisory structures behind the directive are operationally live.
For a legal audience, one seam is worth naming plainly rather than glossing over: how administrative penalty proceedings under NIS2 interact with criminal liability is not settled uniformly, and the answer differs by member state. NIS2 is not a purely administrative or technical compliance regime; its personal liability provisions carry criminal-law-adjacent weight for the individuals who run a covered entity, not only a fine on the entity itself.
Jurisdiction Without Borders: Double Criminality and Cross-Border Cooperation
Cybercrime strains the classical, territorial basis for criminal jurisdiction. The conduct, its effect, the victim, and the evidence can each sit in a different country, and cloud architecture means the underlying data is frequently distributed and replicated across multiple states, sometimes without the user's own knowledge of where. That mismatch produces real conflicts: parallel investigations, duplicated prosecutions, and contested extraditions.
Extradition between states typically requires double criminality: the underlying conduct must be a crime under the law of both the requesting state and the requested state. The clearest illustration remains the "Love Bug" case. The ILOVEYOU virus affected millions of users across roughly 20 countries, yet the identified author could not be extradited, because launching it was not a crime under Philippine law at the time.
That gap is precisely what the institutional cooperation layer exists to narrow. Eurojust, the European Union Agency for Criminal Justice Cooperation, and Europol, the European Union Agency for Law Enforcement Cooperation, operate as parallel but linked bodies, with Europol's work on cybercrime concentrated in EC3, its European Cybercrime Centre. The sharpest operational tool between them is the Joint Investigation Team (JIT): a formal cross-border agreement combining prosecutors, police, and judges from two or more states around a specific case, typically running 12 to 24 months.
The scale of Eurojust and Europol's cybercrime cooperation is measurable. In a single snapshot year, 2018, Eurojust supported 219 cybercrime investigations, including setting up 4 Joint Investigation Teams, holding 28 coordination meetings, and running 2 dedicated action days. More recent operational output includes Operation Endgame, an ongoing multi-country effort against the malware-dropper ecosystem behind tools such as IcedID, Pikabot, Smokeloader, Bumblebee, and Trickbot, which has disrupted 1,025 servers and seized 20 domains across a ten-country coalition.
A 2018-2019 joint report from Europol and Eurojust identified the diagnosis the e-Evidence Regulation and the Second Additional Protocol are designed to answer: the practical difficulty of lawfully obtaining electronic evidence quickly enough across borders, a bottleneck that traditional mutual legal assistance channels were too slow to solve.
What Changes in August 2026: The e-Evidence Regulation
Regulation (EU) 2023/1543, paired with Directive (EU) 2023/1544, whose transposition deadline fell on 18 February 2026, together let a judicial authority in one member state issue a European Production Order directly to a service provider located in, or simply offering services to, another member state. That order can reach subscriber data, IP-address data, traffic data, or content data, regardless of where the underlying data is actually stored, and every in-scope provider must designate an establishment or legal representative able to receive and execute such an order.
The framework enters full application across the EU, with the exception of Denmark, on 18 August 2026. Sanctions for non-compliant providers are capped at 2% of worldwide annual turnover. This is the direct legislative answer to the jurisdictional problem named in the previous section: data that sits in a cloud spanning multiple states no longer routes exclusively through the slower channels of that state's own authorities. How evidence obtained this way is actually admitted at trial, and what forensic and chain-of-custody standards apply once it arrives, is a distinct question this article does not take up; how that evidence holds up as admissible proof in court is covered in full elsewhere in this collection.
A parallel development sits at the treaty level rather than the EU level. The Second Additional Protocol to the Budapest Convention opened for signature on 12 May 2022, and 22 parties, including Italy and Spain, signed on day one. Signature has not translated quickly into ratification, however. As of early 2026, only three parties, Serbia, Japan, and Hungary, which ratified on 5 February 2026, had completed the process. A signature is a statement of intent; only ratification brings the Protocol into force for that state, and the gap between the two remains wide.
Frequently Asked Questions About EU Cybercrime Legislation
Is the Budapest Convention an EU law? No. It is a treaty administered by the Council of Europe, a separate international organization from the EU, and its 68 parties include non-European states such as the United States and Japan. EU legislation, including Directive 2013/40/EU, draws on the Convention's offense definitions but exists as a legally distinct body of law.
If every EU country implements Directive 2013/40/EU, why are the penalties different? Because the Directive sets a minimum standard rather than a fixed one. Once a state meets that baseline, it is free to legislate further, and Italy, Germany, France, and Spain have each taken that freedom in a different direction, producing four separate statutory structures over the same shared floor.
Does NIS2 expose individual executives, or only the company, to liability? National transpositions of NIS2 reach individuals, not just entities. Anyone holding management authority over a covered organization, including people with de facto control who never held a formal board title, can face personal liability, including for gross negligence.
Has the Second Additional Protocol to the Budapest Convention taken effect? Not broadly, no. A state's signature is a statement of intent, not a binding commitment; ratification is the step that actually brings the instrument into force for that state. More than twenty parties signed within the first day in 2022, but only three had completed ratification by early 2026.
Can an Italian company face criminal liability for a cybercrime committed by its own staff? Yes, and this is a genuine outlier among the four countries examined here. Since 2008, Italian law under D.Lgs. 231/2001 has allowed a company itself, not only the individual who acted, to face direct criminal liability when the conduct was carried out by its personnel for the company's benefit.
Why does EU-wide harmonization still leave cross-border cybercrime prosecution difficult? Harmonization sets shared minimum offenses, but extradition runs on a separate rule: double criminality, which requires the conduct to be a crime in both the country asking for extradition and the country being asked. The ILOVEYOU virus case remains the standard example, since its author could not be extradited when the underlying act was not a crime where he was located at the time.
Related Articles
This article set the legislative floor: a shared Council of Europe treaty, an EU minimum-harmonization directive built on top of it, and four national systems that took that shared baseline in four different directions. The remaining articles follow that floor into specific domains where it actually gets tested: how EU data-protection obligations intersect with criminal liability, how digital evidence gathered under instruments like the e-Evidence Regulation is actually admitted in court, how these same jurisdictional and liability questions apply to AI-enabled crime, and how criminal defamation law is adapting to conduct that plays out on social media.