In the early 2000, cybersecurity breaches were classified as “Internet crimes” and therefore managed through the tools of the criminal justice system. The Budapest Convention on Cybercrime forged new incriminating provisions and new procedural guidelines, updating the categories of criminal law and criminal procedure for the digital age. This style, unfortunately, has proved to be insufficient. To face the growing number of threats, the EU has shifted towards a much more preemptive, administrative-law-based approach to cybersecurity, with a view to protect critical infrastructure and industries from disruptive attacks. The criminal layer, however, has not been replaced: the relevant, international instruments are still there, and they have been recently extended to cover more ground. The essay will examine the new wave of legislation on cybercrime such as the United Nations Cybercrime Treaty, trying to identify the interactions and the frictions between two different contrast strategies to abusive cyber operations.
