CyberSec Update#22 – New Rules on Cybercrime Tools
Amendment to the Criminal Code: targeting the tools of cybercriminals
The governmental draft bill amending the Criminal Code (Sejm Paper No. 2398, draft UC128) seeks to close existing gaps in the legal framework for combating cybercrime. The objective of the proposed amendments is to more effectively “disarm” perpetrators of attacks against information systems – almost in the literal sense of the term.
Why was the amendment necessary?
The primary aim of the legislative changes is to eliminate deficiencies in the transposition of Article 7 of Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on attacks against information systems.
The existing Polish regulations were deemed insufficient with regard to the criminalisation of the production, acquisition and dissemination of tools (such as computer programs, passwords or access codes) intended to be used to commit specific cyber offences.
In particular, the provisions relating to the acts referred to in Article 3 of the Directive (illegal access to information systems) and Article 6 of the Directive (illegal interception of data) had not been fully implemented. As a consequence, the European Commission initiated infringement proceedings against Poland (INFR(2021)2053) pursuant to Article 258 of the Treaty on the Functioning of the European Union (TFEU).
The purpose and significance of Directive 2013/40/EU
Directive 2013/40/EU aims to approximate the criminal law regulations of the Member States in the field of attacks against information systems and to improve cooperation between law enforcement authorities across the European Union. The EU legislator emphasises that IT systems constitute the foundation of modern society, while the scale and complexity of threats continue to increase.
The Directive highlights, inter alia, threats related to botnets and attacks against critical infrastructure, pointing to the need to establish coherent minimum standards for the definition of criminal offences and sanctions.
The essence of the amendment: expanding the catalogue of prohibited tools
The key change concerns Article 269b § 1 of the Criminal Code, which criminalises the production, acquisition, sale and dissemination of tools used to commit cyber offences. Until now, this provision referred exclusively to Article 267 § 3 of the Criminal Code, covering surveillance and eavesdropping devices.
The proposed amendment extends this reference to the full scope of Article 267 (§§ 1–3) of the Criminal Code, significantly broadening the catalogue of prohibited tools, software and access data.
Unauthorised access to information (Article 267 § 1 of the Criminal Code)
Following the amendment, the dissemination of tools enabling the breaking or bypassing of specific IT or electronic safeguards for the purpose of obtaining unauthorised access to information will also be subject to criminal liability.
Unauthorised access to an information system (Article 267 § 2 of the Criminal Code)
Criminalisation will also extend to tools, passwords and access codes that enable unauthorised access to all or part of an information system.
Clarifying these provisions is of fundamental importance in the context of combating preparatory acts related to ransomware attacks and preventing the creation of botnets – networks of malware‑infected systems remaining under the remote control of cybercriminals.
Safe legal framework for lawful IT activities
The proposed amendment does not alter the foundations of criminal liability for cyber offences, but strengthens the ability to prosecute them effectively. From the perspective of the cybersecurity sector, it is crucial that the introduced changes do not in any way infringe or limit the exclusion of criminal liability provided for in Article 269b § 1a of the Criminal Code.
This specific statutory exemption remains in force, ensuring that actions undertaken solely for the purpose of securing an information system or developing methods of its protection – including the lawful activities of penetration testers and security researchers – continue not to constitute a criminal offence.
Entry into force
The draft bill received a positive opinion from the Justice and Human Rights Committee. In accordance with the assumptions of the legislator, the amendment is to enter into force 14 days after its publication.





