EU ministers want to extend the Framework Decision on cybercrime
The Attorney General of the Council of the European Union wants to extend the Framework Decision on attacks against information systems, dating from the year 2005. The Framework Decision suggested penalties of at least between two and five years imprisonment for "illegal system or data interference". The present document suggests that the penalties be extended and that they should include the production and distribution of the tools that make such crimes possible. In a press release, the example is given of "malicious software designed to create 'botnets' or unrightfully obtained computer passwords". Also, illegal interception of computer data is to be declared a crime.
Depending on the extent of the crimes, such as the number of affected IT systems, penalties should again be for a maximum of two to five years. The maximum penalty will be for organised criminals or those causing "serious damage". The EU Council claims that these extensions are in response to the increasing threats in recent times and large-scale attacks against public facilities. On this basis, it is suggested that in addition to the current cooperation between the European authorities in combating cybercrime, the legal basis should be improved for collecting statistical data in this area. The proposals will now move to the EU Parliament.
The Framework Decision in 2005 provided the first EU-wide minimum standards of criminal law in the field of cybercrime. This criminalised acts such as the unauthorised intrusion into computer systems, spreading of viruses or attacks on online services such as denial of service attacks. Critics feared at the time, however, that even legitimate security testers could be criminalised.
The press release notes that "While the UK and Ireland participate in the adoption and application of this directive, Denmark would not be bound by it".