Cyber attacks on IT systems would become a criminal offense punishable by at least two years in prison throughout the EU under a draft law backed by the Civil Liberties Committee.
Possessing or distributing hacking software and tools would also be an offense, and companies would be liable for cyber attacks committed for their benefit.
The proposal, which would update existing EU legislation on cyber attacks, was approved by 50 votes in favor, 1 against and 3 abstentions.
"We are dealing here with serious criminal attacks, some of which are even conducted by criminal organisations. The financial damage caused for companies, private users and the public side amounts to several billions each year. No car manufacturer may send a car without a seatbelt into the streets. And if this happens, the company will be held liable for any damage. These rules must also apply in the virtual world," said rapporteur Monika Hohlmeier (EPP, DE).
The proposal would establish harmonized penal sanctions against perpetrators of cyber attacks against an information system - for instance a network, database or website. Illegal access, interference or interception of data should be treated as a criminal offense, MEPs say.
The maximum penalty to be imposed by Member States for these offenses would be at least two years' imprisonment, and at least five years where there are aggravating circumstances such as the use of a tool specifically designed for large-scale (e.g. "botnet") attacks, or attacks that cause considerable damage (e.g. by disrupting system service), financial costs or loss of financial data.
Using another person's electronic identity (e.g. by "spoofing" their IP address) to commit an attack, and causing prejudice to the rightful identity owner, would also be an aggravating circumstance - for which MEPs say Member States must set a maximum penalty of at least three years.
MEPs also propose tougher penalties if the attack is committed by a criminal organization and/or if it targets critical infrastructure such as the IT systems of power plants or transport networks.
However, no criminal sanctions should apply to "minor cases", i.e. when the damage caused by the offense is insignificant.
The proposal also targets tools used to commit offenses: the production or sale of devices such as computer programs designed for cyber-attacks, or which find a computer password by which an information system can be accessed, would constitute criminal offenses.