This post was written by Cynthia O’Donoghue.

In early July, the European Parliament adopted a new directive harmonising the criminal laws relating to cyberattacks (Directive). It will replace the current nonbinding agreement between EU countries from 2005 (Framework Decision 2005/222/JHA). The Directive aims to harmonise the approach to cybercrime by requiring all Member States to introduce maximum imprisonment sentences ranging from two to five years for various forms of cyberattack. “Cyber crime does not stop at borders, so it is vital to have a comprehensive and joint set of rules to prevent and fight it successfully,” said Monika Hohlmeier, a German lawmaker responsible for overseeing the Directive’s passage through the European Parliament.

The Directive would set a three-tier system of maximum prison sentences applicable to cybercrimes, and it will be at each Member State’s discretion to define which attacks would be classified as minor. In addition, perpetrators benefitting from their cybercrime would face penalties ranging from disbarment from public benefits to being closed down.

All infringements will need to carry at least a 2-year maximum prison sentence. The offences include illegal interference with IT systems or data, illegal access to information systems, illegal interception of data, and producing, selling or distributing tools designed for a cyberattack. The penalty for illegal interference with systems or data should be increased to a maximum 3-year sentence when the perpetrator used tools specifically designed for large-scale attacks or another person’s electronic identity. A maximum term of 5 years should apply to illegal interference with “critical” infrastructures (e.g. government information systems or energy networks), attacks which cause serious damage, attacks committed by criminal organisations, and attacks using “botnets” – establishing remote control over a significant number of computers by infecting them with malicious software.

The Directive also creates a system for effective exchange of information on cyberattacks. Member States will need to maintain an operational national point of contact which must be available on a 24/7 basis with a required response time for urgent reports of 8 hours.

The Directive was adopted in the European Parliament and will be considered by the EU Council at a forthcoming meeting. Once the Directive is fully approved and published, Member States will have two years to transpose its provisions into their national laws, except in relation to Denmark, which used its opt-out right for legislation affecting law enforcement.