The Directive on attacks against information systems builds on rules that have been in force since 2005 (Council Framework Decision 2005/222/JHA). While retaining a number of current provisions, it introduces new offences, such as the use of tools to commit large-scale attacks, new aggravating circumstances and higher criminal sanctions that are necessary to fight more effectively large scale attacks against information systems.