The Council of the European Union has agreed a common approach for its forthcoming anti-hacking regulations, which member states must adopt into their national law by 31 December 2003. The Council framework decision on attacks against information systems will require member states to make unauthorised access to computer systems a criminal offence.
Precise details of the framework and suggested penalties for offences have yet to be formally announced. However, the initial proposal of April 2002 called for a maximum penalty in serious cases of at least one year's imprisonment.
Security experts welcomed the council's interest in harmonising anti-hacking laws across Europe. "IT security is suffering from inconsistency both technically and legislatively at the moment," said Mark Lillycrop, chief executive of research firm Arcati. "Any attempts to provide a united European approach to combating cyber crime have to be applauded." He added that the forthcoming regulations should reduce the opportunities for hackers to exploit legal loopholes or seek refuge in countries with more liberal laws.
According to the council, the lack of harmony in member states' laws makes it difficult to tackle cross-border attacks, and could hamper investigations. The framework is intended to improve cooperation between police and judicial systems during investigations, and to establish penalties across Europe to stop attackers.
However, the framework will not necessarily lead to new UK laws, because existing legislation might already cover the requirements, said Joanne Brook, a solicitor at Sprecher Grier Halberstam. She added that as well as harmonising anti-hacking laws, the framework could encourage the harmonisation of information and systems for policing. "But there have to be checks and restraints to ensure that the law is not used to prevent free speech," Brook added.
The framework may be similar in its requirements to the Council of Europe Cybercrime Convention, another European initiative underway, designed to deal with computer attacks and enable cross-border investigations. "[But] that does not mean the EU activity [regarding the framework] is pointless, seeing as ratification of the Cybercrime Convention seems to be going very slowly," said Rupert Battcock, an IT lawyer at law firm Nabarro Nathanson.
Battcock said that harmonised penalties could help to deter attacks. He noted that Simon Vallor, creator of Gokar and other viruses, was sentenced to two years in prison by UK courts, while in the Netherlands the author of the Anna Kournikova worm was sentenced to 150 hours' community service - a relatively mild deterrent.
Have your say: reply to IT Week