European Union legislators have approved a draft law that would make cyber attacks on IT systems a criminal offense, punishable by at least two years in prison. The proposed law is an update to an existing one, and would also prohibit anyone from producing or selling the kinds of programs that can be used for these attacks — essentially making it impossible for a company to make software that could be used to test its own security, since it could also be used to attack others. While the penalty for these offenses would start at two years, in cases involving "aggravating circumstances" (i.e., a large-scale attack that causes plenty of financial damage), the sentence would be at least five years. The EU voted overwhelmingly in favor of the law, with 50 votes for and just one against, and a final decision is expected to be made over the summer.