The draft directive requires EU countries to set their maximum terms of imprisonment at not less than two years for the crimes of illegally accessing or interfering with information systems, illegally interfering with data, illegally intercepting communications or intentionally producing and selling tools used to commit these offences. "Minor" cases are excluded, but it is up to each country to determine what constitutes a "minor" case.





"Botnets"





The text sets up a penalty of at least three years' imprisonment for using "botnets", i.e. establishing remote control over a significant number of computers by infecting them with malicious software.





Attacks on critical infrastructure





Attacks against "critical infrastructure", such as power plants, transport networks and government networks, can lead to a five-year prison sentence. The same applies if an attack is committed by a criminal organisation or if it causes serious damage.





Eight-hour deadline for urgent requests





Member states will be required to respond quickly to urgent requests for help in the event of cyber attacks, so as to render police cooperation more effective. They will have to make better use of the existing 24/7 network of contact points to respond to urgent requests within eight hours.





Liability of legal persons





Legal persons, such as firms, would be liable for offences committed for their benefit (e.g. for hiring a hacker to get access to a competitor's database). Penalties could include exclusion from entitlement to public benefits or closure of establishments.





Next steps





The text, adopted by 541 votes to 91, with 9 abstentions, is expected to be formally adopted by the Council very shortly. The new directive builds on rules that have been in force since 2005. Once adopted, member states will have two years to transpose it into national law.





Note to UK, Irish and Danish editors:





The UK and Ireland have decided to apply this directive but Denmark will not be bound by it.





Procedure:Co-decision (Ordinary Legislative Procedure), 1st reading agreement

#cybercrime