Europe to get stronger cybersecurity laws

Summary: The European Commission has proposed new cybersecurity regulations, in the context of the increasing criminal use of botnets and the emergence of large-scale attacks such as Stuxnet.

Europe is to strengthen its cybersecurity legislation in the context of increasingly powerful attacks, the European Commission said on Thursday.

New regulations are proposed that would see the perpetrators of cyberattacks and the producers of related and malicious software prosecuted, and criminal sanctions increased to a maximum two-year sentence. European countries would also be obliged to respond quickly to requests for help when cyberattacks are perpetrated, and new pan-European criminal offences will be created for the "illegal interception of information systems".

The European Network and Information Security Agency (Enisa), which has been operational for the last five years, will also be modernised and strengthened to help countries and private stakeholders prevent and combat cyberattacks. The proposals will have to be passed by the European Parliament and Council of Ministers if they are to come into effect.

"Making every European digital will only happen if citizens feel confident and safe online," digital agenda commissioner Neelie Kroes said in a statement. "Cyberthreats know no borders. A modernised European Network and Information Security Agency will bring new expertise and foster exchanges of best practice in Europe.

"Our EU institutions and governments must work ever [more] closely together, to help us understand the nature and scale of the new cyberthreats. We need Enisa's advice and support to help design efficient response mechanisms to protect our citizens and businesses online".

Home affairs commissioner Cecilia Malmström added that criminalising the creation and selling of malicious software and improving European police cooperation would help Europe "step up our efforts against cybercrime".

Enisa's new mandate will let the agency organise pan-European cybersecurity exercises, public-private network resilience partnerships, risk assessment and awareness campaigns. Enisa's funding will also be boosted, and its management board will get a "stronger supervisory role". Enisa's mandate is also to be extended by five years to 2017.

The new directive will also supersede a 2005 Council framework decision on cybercrime, because that previous regulation did not focus sufficiently on evolving threats — in particular, large-scale simultaneous attacks against information systems, such as Stuxnet, and the increasing criminal use of botnets. Stuxnet was recently used to attack Iran's nuclear power infrastructure, and a single botnet, Rustock, is estimated to be responsible for two-fifths of all the world's spam.

The previous legislation's penalisation of illegal access, illegal system interference and illegal data interference will be retained, and new offences will be added. These include the use of tools, such as botnets or "unrightfully obtained" computer passwords, for committing the offences. The "illegal interception of information systems" will also be made a criminal offence across Europe.

The Commission will gain a supervisory role over how EU member states implement the new legislation. All countries will also have to compile basic cybercrime statistics.


About

David Meyer is a freelance technology journalist. He fell into journalism when he realised his musical career wouldn't be paying many bills. His early journalistic career was spent in general news, working behind the scenes for BBC radio and on-air as a newsreader for independent stations. David's main focus is on communications, of both...
