Cyber criminals will face tougher penalties in the EU, under new rules adopted by Parliament on Thursday. The draft directive, already informally agreed with member states, also aims to facilitate prevention and to boost police and judicial cooperation in this field. In the event of a cyber attack, EU countries will have to respond to urgent requests for help within eight hours.
The draft directive requires EU countries to set their maximum terms of imprisonment at not less than two years for the crimes of illegally accessing or interfering with information systems, illegally interfering with data, illegally intercepting communications or intentionally producing and selling tools used to commit these offences. "Minor" cases are excluded, but it is up to each country to determine what constitutes a "minor" case.
The text sets up a penalty of at least three years' imprisonment for using "botnets", i.e. establishing remote control over a significant number of computers by infecting them with malicious software.
Attacks on critical infrastructure
Attacks against "critical infrastructure", such as power plants, transport networks and government networks, can lead to a five-year prison sentence. The same applies if an attack is committed by a criminal organisation or if it causes serious damage.
Eight-hour deadline for urgent requests
Member states will be required to respond quickly to urgent requests for help in the event of cyber attacks, so as to render police cooperation more effective. They will have to make better use of the existing 24/7 network of contact points to respond to urgent requests within eight hours.
Liability of legal persons
Legal persons, such as firms, would be liable for offences committed for their benefit (e.g. for hiring a hacker to get access to a competitor's database). Penalties could include exclusion from entitlement to public benefits or closure of establishments.
The text, adopted by 541 votes to 91, with 9 abstentions, is expected to be formally adopted by the Council very shortly. The new directive builds on rules that have been in force since 2005. Once adopted, member states will have two years to transpose it into national law.
Note to UK, Irish and Danish editors:
The UK and Ireland have decided to apply this directive but Denmark will not be bound by it.