EU nations give nod to tougher cybercrime jail terms

European countries have agreed to tougher penalties for cybercrimes, including new punishments for botnet creators, in an effort to clamp down on massive attacks.

The new rules are part of a European Commission proposal, adopted by the Council of the European Union on Friday, which now goes to the European Parliament for approval. It aims to update existing EU rules on cybercrime, introduced in 2005, which cover interference with data and systems, and illegal access.

One new measure is the introduction of penalties for people who develop and supply malware or other tools for creating botnets or stealing passwords. Additionally, the illegal interception of computer data will become a criminal offence.

If a botnet is used to commit crime online, or if the perpetrators spoof the identity of a business, these will be seen as aggravating factors that will carry more punishment.

"These new forms of aggravating circumstances are intended to address the emerging threats posed by large-scale cyberattacks, which are increasingly reported across Europe and have the potential to severely damage public interests," the Council said in a statement.

New minimum thresholds for maximum penalties were also introduced. General cybercrimes should carry a highest sentence of at least two years, while offences involving a large number of IT systems, such as the creation of a botnet, should carry a top penalty of at least three years. If the attacks have been made by an organised criminal group or have caused serious damage by affecting a critical IT system, the lowest maximum term of imprisonment is five years.

In addition, the scheme aims to strengthen European co-operation on cybercrime by including an obligation for member states' authorities to provide feedback within eight hours of urgent requests and to collect basic statistical data on cybercrimes.