EU Parliament adopts stricter penalties for cyber-attacks
On Thursday, with 541 votes to 91 and 9 abstentions, the EU Parliament adopted the EU Commission's draft directive on attacks against information systems. For offences such as illegally accessing information systems (servers and other networked devices), unlawfully interfering with systems or the data on them, and intercepting non-public data transmissions without right, the directive requires member states to provide for maximum prison terms of at least two years, rising to at least five years in aggravated cases. These are floors on the maximum penalty national law must make available, not mandatory minimum sentences, and minor cases may be excluded. Intentionally producing, selling or otherwise making available tools (programs, passwords or access codes) primarily designed for committing such offences also becomes a criminal offence, provided the supplier intends them to be used for that purpose; general-purpose security tooling is not caught by this alone. The draft directive still has to be formally adopted by the Council of the European Union (the member states' ministers). After that, member states will have two years to transpose it into national law.
A maximum term of at least three years must be available where a botnet is used to establish remote control over "a significant number of computers" by infecting them with malicious software. Attacks against "critical infrastructure" such as power plants, transport networks and government networks must carry a maximum term of at least five years. The same applies if an attack is committed by a criminal organisation or if it causes serious damage.
EU member states must establish "national contact points" that are available around the clock and must respond to urgent assistance requests related to cyber-attacks within eight hours, indicating at least whether, how and by when the request will be answered. This measure aims to make cross-border police cooperation more effective. The directive also stipulates that companies can be held liable for offences committed for their benefit, for example when they hire a hacker to get access to a competitor's database. Liable companies could be excluded from entitlement to public benefits or aid. The directive does not impose criminal liability where the offences are committed "without criminal intent", for example when a penetration test or other intrusion into a company's or authority's information systems is carried out with that company's or authority's authorisation; all of the offences require that the act be done "without right", so an engagement with documented authorisation and scope falls outside them.