I crimini cibernetici nell'ordinamento giuridico nazionale e internazionale

Aspetti generali ed evoluzione normativa

1. Introduction

Since the beginning of the pandemic, there has been a rapid increase in cybercrime. In fact, INTERPOL has reported that in recent months, many criminals have exploited the vulnerability of computer systems and networks - increasingly used by companies and public bodies as a result of restrictive measures imposed by States to deal with the spread of Covid-19 - in order to steal data, make a profit or cause damage. According to data reported by Check Point Software (CPS), an Israeli company specialized in cyber security, the number of cyber attacks reported every day at a global level has in fact increased from 200 in the pre-pandemic period to over 5,000. These attacks targeted public administrations, public and private companies, as well as individual citizens. The disproportionate increase in these crimes has brought public attention back to the measures taken to combat these offences. What do national and international law provide for in this regard? In this contribution we will first of all try to give a definition of cybercrime, the notion of which is still hazy. Then we will analyse the relevant provisions, both at national and international level. Particular attention will be paid to instruments adopted by the Council of Europe and national legislation

2. From the technological to the criminal revolution

The technological revolution that in the eighties and nineties led to the spread of personal computers and the Internet also opened a new frontier for organized crime. The digital revolution was accompanied by a 'criminal revolution': by its very nature, cyberspace soon proved to be a fertile ground for new expressions of organized crime. Today, it is enough to have a computer with internet access to be able to make big money at low cost. The cybernetic space then guarantees anonymity to those who use it: the criminals, in fact, are almost never identifiable and cannot be precisely located. These characteristics have led to a prolification of crimes in the net, which becomes more and more accentuated as the interdependence between man and informatics instruments grows. [1]

3. The definition of "cybercrimes"

To date, there is no globally shared definition of 'cybercrime', since this concept includes a series of very different types of illegal conduct, the only common denominator of which is the use of computer devices. In general terms, however, it can be said that 'cybercrimes' are hostile acts that exploit the cyber dimension to commit crimes. [2] This definition is to be understood in its broadest sense: it includes both crimes in which the conduct or the material object of the offence is related to a computer or telematic system (the so-called computer as a tool), and crimes committed by exploiting or affecting computer systems (the so-called computer as a target). The range of crimes is also particularly broad: in fact, it refers both to crimes committed entirely by computer, such as hacker attacks, and to traditionally non-computer crimes, such as terrorism, which can be implemented or facilitated by means of computer or telematic technologies. [3]
Among the most common computer crimes are damage to data, programs and computer systems, computer fraud, unauthorized access, possession and dissemination of access codes, falsification of computer documents, unlawful interference in communications and the issuance of computer devices or programs designed to interrupt or damage an informed or computer system.

4. The provisions adopted by the Council of Europe on cybercrime

In 1989, the Council of Europe adopted Recommendation No. R (89)-9 on the suppression of cybercrime, the first key European regulatory reference for cybercrime. [4] In it, reference is made to a first cataloguing of cybernetic crimes, divided into two lists: one indicating the conduct that the States are invited to prosecute (the so-called minimum list); the other, indicating the conduct to be indicted only in a possible way (the so-called optional list).
The Recommendation had a strong impact on those Council of Europe Member States that had not yet developed their own criminal legislation on cybercrime. [5] However, it is only with the Convention on Cybercrime (or 'Budapest Convention') that there is real progress in promoting a common criminal policy on cybercrimes.
The Convention, adopted by the Council of Europe on 23 November 2001 and entered into force on 1 July 2004, is the first multilateral instrument on cybercrime. [6] To date, it is one of the most relevant legal acts in this field: it was the first step towards institutionalizing a universal classification of cybercrime at the legal level.
The offences are outlined in four macro-categories:

1. Offences against the confidentiality, integrity and availability of data and information systems (Articles 2-6);
2. Computer crimes (articles 7-8);
3. Crimes related to content (art. 9);
4. Crimes against intellectual property and related rights (art. 10).

Each signatory State is required to criminalise the offences mentioned herein at national level, to harmonise its internal legal systems and to coordinate with other countries in order to prevent and combat such offences. To date, 65 States have joined the Convention, 21 of which are not members of the Council of Europe. [7]

5. Cybercrimes in the Italian legal system

Although the first draft laws on the criminal regulation of computer-related offences were presented to Parliament as early as the early 1980s [8], the first Italian legislation on computer-related crime was Law No. 547 of 1993 ('Modifications and additions to the provisions of the Criminal Code and the Code of Criminal Procedure on computer-related crime'), adopted by the Italian Parliament in implementation of the above mentioned Recommendation. [9] In particular, Law No. 547/93 introduced into the Italian legal system some new cases [10] and modified other pre-existing cases. [11] The offences governed by our legislation can be divided into four macro-categories:

1. Computer fraud (art. 640 ter of the Criminal Code);
2. Unauthorized access to a computer and telematic system (art. 615 ter of the Penal Code);
3. The unauthorized possession and dissemination of access codes to computer and telematic systems (art. 615 quater of the Criminal Code);
4. The diffusion of equipment, devices or computer programs aimed at damaging or interrupting a computer or telematic system (art. 615 quinquies of the Penal Code).

In 2008, the Italian regulation of computer crimes was again amended with the approval of Law No. 48/2008, which ratified the Budapest Convention. [12] Significant changes were thus introduced to the Criminal Code and the Code of Criminal Procedure, with stricter penalties for computer crimes, new rules to combat child pornography on the Internet, penalties for companies, the possibility for law enforcement agencies to ask the provider to freeze computerized data for six months and greater protection for the processing of personal data.

6. The limits of the regulations in force

Technological development and the evolution of the Internet have brought many benefits to society; at the same time, however, they have also provided fertile ground for new criminal behaviour. For this reason, it has proved necessary to take new measures to combat cybercrime. In this respect, the instruments adopted by the Council of Europe (and in particular the Budapest Convention) have been essential for the consolidation of a common criminal policy on cybercrime. Nevertheless, the continuous development of cybercrime and information technology makes it difficult to draw up legal legislation covering the whole phenomenology of cybercrime in a comprehensive and unchanging way over time. Technological development should in fact be matched by a constant updating of regulatory instruments on the subject, but this is often not the case: although the Budapest Convention was adopted 19 years ago, it still remains the reference legal text for the fight against cybercrime. The current legislation on cybercrime is therefore very rigid and difficult to change in a timely manner - especially when the enactment of new regulations takes place in the face of a long and complex process, as in the Italian case. On the other hand, it would be desirable to have more activity at a national and even more international level to constantly update the regulations adopted on cybercrime in order to ensure greater protection against cyber threats. This is even more evident in the face of the current sudden increase in cybercrime caused by the Covid-19 emergency.

7. Sources

[1] Piero Lorusso, L'insicurezza dell'era digitale. Tra cybercrimes e nuove frontiere dell'investigazione, Milano, Franco Angeli, 2011, pagina 15.

[2] House of Representatives (XVIII Legislatura), Dominio cibernetico, nuove tecnologie e politiche di sicurezza e difesa cyber, Documentation and research, No. 83, 24 settembre 2019, pagina 19.

[3] Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, Cambridge University Press, 2017, Regola 13, paragrafo 2.

[4] Council of Europe, Recommendation No. R (89) 9, 13 September 1989.

[5] Italy was among the last member Countries of the Council of Europe to transpose the Recommendation No. R (89) - 9 in its own system. See, in this regard, paragraph 4 of this contribution.

[6] Council of Europe, Convention on Cybercrime, 23 November 2001.

[7] For more details on the ratification of the Cybercrime Convention, see the following link:

[8] See, in this regard, the following draft laws: ddl n. 1210 of 27 January 1984; ddl n. 1602 of 2 October 1987; ddl n. 1602 of 2 October 1987; ddl n. 4367 of 21 November 1989; ddl n. 5076 of 18 September 1990; ddl n.182 of 23 April 1992; and ddl 1526 of 1 September 1992.

[9] To consult the text of Law No. 547 of 1993, see the following link:

[10] See, in particular: art. 491-bis; art. 615-ter (Unauthorised access to a computer or telematic system); art. 615-quater (Unauthorised possession and dissemination of access codes to a computer or telematic system); art. 615-quinquies (Dissemination of programs aimed at damaging or interrupting a computer system); art. 617-quater (Interception, obstruction or unlawful interruption of computer or telematic communications); art. 617-quinquies (Installation of equipment designed to intercept, prevent or interrupt computer or telematic communications); art. 617-sexies (Falsification, alteration or suppression of the content of computer or telematic communications); art. 623-bis (Revelation of telematic communications); art. 635-bis (Damage to computer or telematic systems); and art. 640-ter (Computer fraud).

[11] See, in particular: art. 392 (Arbitrary exercise of one's own reasons by computer damage); art. 420 (Attack on electronic systems of public utility); art. 616 (Violation of telematic correspondence); and art. 621 (Disclosure of the contents of secret documents on computer supports).

[12] To consult the text of Law No.48/2008, see the following link:

Translated by Noemi Monaco

Share the post

  • L'Autore

    Marta Stroppa

    Marta Stroppa si laurea in Scienze Internazionali e Istituzioni Europee presso l’Università degli Studi di Milano nel 2016, per poi proseguire i suoi studi con una laurea magistrale in Relazioni Internazionali presso la medesima università e un Master of Laws in International and European Law presso l’Università di Tilburg, nei Paesi Bassi. Si specializza in diritti umani, diritto umanitario e diritto internazionale penale.

    Durante i suoi studi, ha partecipato a diversi progetti di ricerca, alcuni co-finanziati dall’Unione Europea, collaborando con numerosi esperti nella tutela dei diritti umani. Nel dicembre 2017, si avvicina per la prima volta al mondo del no-profit, svolgendo un tirocinio presso la Redazione e l’Ufficio Stampa della Onlus Gariwo – La foresta dei Giusti. Nel gennaio 2019, parte per gli Stati Uniti, dove lavora nell’ufficio legale della Rappresentanza Permanente d’Italia alle Nazioni Unite a New York.

    All'interno di Mondo Internazionale, è Consulente Legale e Project Manager di Legalytics.


Sections International Organizations and Institutions International Security Cybersecurity Society Law


Legalytics cybercrime crimini cibernetici Legge diritto penale Convenzione di Budapest

You might be interested in


Labels and expectations

Alessandro Solazzi
Log in to your Mondo Internazionale account
Forgot Password? Get it back here