The draft directive adopted by the parliament on Thursday defines specific criminal offences for cyber-crime and sets specific sanctions for each. It also requires EU countries to assist fellow member states and respond to urgent requests for help within eight hours in the event of a cyber-attack.
The text has already been informally agreed with member states, and that agreement is expected to be formalised shortly. The member states will the have two years to implement it in national law.
Under the draft law, using botnets to establishing remote control over a significant number of computers by infecting them with malicious software carries a penalty of at least three years’ imprisonment.
Meanwhile criminals responsible for cyber-attacks against “critical infrastructure”, such as power plants, transport networks and government network would face at least five years in jail. The same would apply if an attack is committed by a criminal organisation or if it causes serious damage.
“Attacks against information systems pose a growing challenge to businesses, governments and citizens alike. Such attacks can cause serious damage and undermine users’ confidence in the safety and reliability of the Internet,” said Home Affairs Commissioner, Cecilia Malmström, welcoming the news.
Companies or organisations would also be liable for offences committed for their benefit, for example hiring a hacker to get access to a competitor’s database.
The directive, which updates rules that have been in place since 2005, also requires member states to allow judges the possibility to sentence criminals to two years in jail for the crimes of illegally accessing or interfering with information systems, illegally interfering with data, illegally intercepting communications or intentionally producing and selling tools used to commit these offences.
Minor cases are excluded, but it is up to each country to determine what constitutes a “minor” case.
However technology blogger Glynn Moody expressed concern about possible mission-creep. “I predict laws will be abused by EU governments to attack coders and geeks,” he said on Twitter.
The directive will apply across all EU member states with the exception of Denmark, which decided to opt out.