Civil Liberties Committee backed the draft law which proposes to punish by at least two years in prison the cyber attacks on IT systems. In addition, possession or distributing hacking software and tools would be an offences, as well as illegal access, interference or interception of data. However, no criminal sanctions should apply to "minor cases", i.e. when the damage caused by the offence is insignificant.

MEPs at the Civil Liberties Committee in the European Parliament adopted the proposal which sets that cyber attacks on IT systems would become a criminal offence. In particular, the proposal if adopted, would establish harmonised penal sanctions against perpetrators of cyber attacks against an information system - for instance a network, database or website. The proposal sets up that the production or sale of devices such as computer programs designed for cyber-attacks, or which find a computer password by which an information system can be accessed, would constitute criminal offences. The European Commission unveiled two measures to ensure that Europe can defend itself from attacks against its key information (IT) systems in October 2010.

The Civil Liberties Committee agreed that the maximum penalty to be imposed by Member States for these offences would be at least two years' imprisonment, and at least five years where there are aggravating circumstances such as the use of a tool specifically designed to for large-scale (e.g. "botnet") attacks, or attacks cause considerable damage (e.g. by disrupting system service), financial costs or loss of financial data. Using another person's electronic identity (e.g. by "spoofing" their IP address), to commit an attack, and causing prejudice to the rightful identity owner would also be an aggravating circumstance.

The proposal, which was presented in form of the Directive, includes that legal persons would be liable for offences committed for their benefit (e.g. a company would be liable for hiring a hacker to get access to a competitor's database), whether deliberately or through a lack of supervision. They would also face penalties such as exclusion for entitlement to public benefits or judicial winding-up. On the other hand, in order to resist cross-border cyber-attacks, Member States need to ensure that their networks of national contact points are available round the clock, and can respond to urgent requests within a maximum of eight hours.