EU Parliament Approves Stricter Penalties for Cyber Attacks

Botnet attacks will carry a five-year jail term under the new rules, which EU member states are expected to adopt shortly

Cyber criminals could face tougher penalties across the European Union under new rules adopted by the European Parliament, which include the creation of a specific offence of using botnets.

The draft directive adopted by the parliament on Thursday defines specific criminal offences for cybercrime and sets specific sanctions for each. It also requires E.U. countries to assist fellow member states and respond to urgent requests for help within eight hours in the event of a cyber attack.

The text has already been informally agreed with member states, and that agreement is expected to be formalized shortly. The member states will then have two years to implement it in national law.

Under the draft law, using botnets to establish remote control over a significant number of computers by infecting them with malicious software carries a penalty of at least three years' imprisonment.

Meanwhile, criminals responsible for cyber attacks against "critical infrastructure", such as power plants, transport networks and government networks, would face at least five years in jail. The same would apply if an attack is committed by a criminal organisation or if it causes serious damage.

"Attacks against information systems pose a growing challenge to businesses, governments and citizens alike. Such attacks can cause serious damage and undermine users' confidence in the safety and reliability of the Internet," said Home Affairs Commissioner, Cecilia Malmström, welcoming the news.

Companies or organizations would also be liable for offences committed for their benefit, for example hiring a hacker to get access to a competitor's database.

The directive, which updates rules that have been in place since 2005, also requires member states to allow judges the possibility to sentence criminals to two years in jail for the crimes of illegally accessing or interfering with information systems, illegally interfering with data, illegally intercepting communications or intentionally producing and selling tools used to commit these offences.

Minor cases are excluded, but it is up to each country to determine what constitutes a "minor" case.

However, technology blogger Glyn Moody expressed concern about possible mission-creep. "I predict laws will be abused by E.U. governments to attack coders and geeks," he said on Twitter.

The directive will apply across all E.U. member states with the exception of Denmark, which decided to opt out.

Follow Jennifer on Twitter at @BrusselsGeek or email tips and comments to jennifer_baker@idg.com.

This story, "EU Parliament Approves Stricter Penalties for Cyber Attacks," was originally published by IDG News Service.