European Union legislators have approved a draft law that would make cyber attacks on IT systems a criminal offense. The proposed law is an update to an existing one, and would also prohibit anyone from producing or selling the kinds of programs that can be used for these attacks. The proposal would establish harmonised penal sanctions against perpetrators of cyber attacks against an information system – for instance a network, database or website.
“We are dealing here with serious criminal attacks, some of which are even conducted by criminal organisations. The financial damage caused for companies, private users and the public side amounts to several billions each year,” said rapporteur Monika Hohlmeier (EPP, DE). “No car manufacturer may send a car without a seatbelt into the streets. And if this happens, the company will be held liable for any damage. These rules must also apply in the virtual world,” she added.
The maximum penalty to be imposed by Member States for these offences would be at least two years’ imprisonment, and at least five years where there are aggravating circumstances such as the use of a tool specifically designed for large-scale attacks, or attacks that cause considerable damage (e.g. by disrupting system service), financial costs or loss of financial data.