The European Commission said on Thursday that it will strengthen Europe's cybersecurity legislation in response to increasingly powerful attacks.
The proposed rules would see both the perpetrators of cyberattacks and the producers and sellers of the malicious software used in them prosecuted, with criminal sanctions raised so that the maximum penalty is at least two years' imprisonment. European countries would also be obliged to respond quickly to requests for help when cyberattacks are perpetrated, and a new pan-European criminal offence will be created for the "illegal interception of information systems".
The European Network and Information Security Agency (Enisa), which has been operational for the last five years, will also be modernised and strengthened to help countries and private stakeholders prevent and combat cyberattacks. The proposals will have to be passed by the European Parliament and Council of Ministers if they are to come into effect.
"Making every European digital will only happen if citizens feel confident and safe online," digital agenda commissioner Neelie Kroes said in a statement. "Cyberthreats know no borders. A modernised European Network and Information Security Agency will bring new expertise and foster exchanges of best practice in Europe.
"Our EU institutions and governments must work ever [more] closely together, to help us understand the nature and scale of the new cyberthreats. We need Enisa's advice and support to help design efficient response mechanisms to protect our citizens and businesses online."
Home affairs commissioner Cecilia Malmström added that criminalising the creation and selling of malicious software and improving European police cooperation would help Europe "step up our efforts against cybercrime".
Enisa's new mandate will let the agency organise pan-European cybersecurity exercises, public-private partnerships on network resilience, risk assessments and awareness campaigns. Enisa's funding will also be boosted, and its management board will get a "stronger supervisory role". The agency's mandate is also to be extended by five years, to 2017.
The new directive will also supersede a 2005 Council framework decision on attacks against information systems, because that earlier instrument did not focus sufficiently on evolving threats: in particular, large-scale attacks against information systems, exemplified by Stuxnet, and the increasing criminal use of botnets. Stuxnet was recently used to attack Iran's nuclear programme, and a single botnet, Rustock, is estimated to be responsible for two-fifths of all the world's spam.
The existing offences of illegal access, illegal system interference and illegal data interference will be retained, and new ones will be added. These include the use of tools, such as botnets or "unrightfully obtained" computer passwords, to commit those offences. The "illegal interception of information systems" will also become a criminal offence across Europe.
The Commission will gain a supervisory role over how EU member states implement the new legislation, and all member states will have to compile basic cybercrime statistics.