As the last legislative body of the European Union, the Council of the European Union (EU) has now also approved the draft directive on attacks against information systems, which could already pass the Parliament in Strasbourg in early June. Germany, for example, has had a thematically similar “hacker law” since 2007.
In future, unauthorized intrusion into computer systems and the proliferation of so-called “hacker tools” are to be subject to EU-wide penalties of at least two and up to five years. According to the newly adopted Directive, illegal access to computer systems or unauthorized interception of non-public data transfers will carry maximum penalties of at least two years, and in severe cases of at least five years, in prison.
Anyone who manufactures, sells or spreads such “hacker tools” in the EU member states will be punished. The operation of “botnets” is then punishable with a penalty of at least three years in prison. The penalty is increased to at least five years if critical infrastructure such as nuclear power plants, energy companies, transport networks or public networks comes under attack through these acts and/or the operation of such “botnets”.
The Swedish EU Home Affairs Commissioner, Cecilia Malmström, has welcomed the definitive adoption of the rules by the EU Council. In her view, the new rules will on the one hand improve the defence preparedness of the European Union (EU) against cyber-attacks and on the other hand strengthen citizens’ trust in the internet. The EU-wide exchange of information about such incidents will also be increased, according to Cecilia Malmström.
The policy now adopted, which was approved despite fierce criticism, has to be implemented in national law by the EU member states within the next two years.
The criticism is on the one hand directed against the Directive as such, because it does not alter the lax attitude to security in businesses and governments. On the other hand, the critics say that companies have to be held liable in the event of a cyber-attack against them if their security measures were inadequate.
Another criticism is that hackers who inform companies about vulnerabilities and security holes in their systems are to be criminalized. Well-meaning security researchers and hackers often have to exploit a security hole they previously found in a company’s systems themselves, because nothing happened after they informed the company about the vulnerability and the security hole is, for example, still open months later.
Such hacks will probably decrease in the European Union (EU) in future, which would lead to less security rather than more. In addition, these security holes and vulnerabilities would then often end up in dark channels and cause even more damage.