Last week, the European Parliament committee on Civil Liberties, Justice and Home Affairs approved a draft for a directive whose objective is to "approximate rules on criminal law in the Member States in the area of attacks against information systems, and improve cooperation between judicial and other competent authorities."
The proposal is scheduled to be voted on by the European Parliament in July, and if the draft gets approved, the directive will become a concrete proposal on the basis of which member states will be urged to model their laws regarding attacks against information systems.
Individuals who are found guilty of illegally accessing or interfering with information systems, illegally interfering with data, illegally intercepting communications or intentionally producing and selling tools used to commit these offenses should be sentenced to no less than two years in prison, states the document.
The maximum term of imprisonment for attacks against "critical infrastructure" should be at least five years (this also applies if an attack is committed by a criminal organization or if it causes serious damage), and convicted botnet creators and herders should spend at least three years in prison.
The directive also says that member states will be obligated to respond within eight hours to urgent requests for help from other member states in the event of cyber attacks, and that firms should be penalized for actions such as hiring hackers to disrupt the competition. In these cases, the firms could end up with no public benefits or could even get shut down by the government.
Finally, the directive would also make a distinction between attackers who commit offenses with criminal intent and those who act without it (for testing or protection of information systems), in order to ensure whistleblower protection.