From the first linked article:
Cyber attacks on IT systems would become a criminal offence punishable by at least two years in prison throughout the EU under a draft law backed by the Civil Liberties Committee on Tuesday.
The maximum penalty to be imposed by Member States for these offences would be at least two years' imprisonment, and at least five years where there are aggravating circumstances such as the use of a tool specifically designed to for large-scale (e.g. "botnet") attacks, or attacks cause considerable damage (e.g. by disrupting system service), financial costs or loss of financial data.
At first glance these two paragraphs do appear to be contradicting each other - but it isn't clear which of these paragraphs is an EU press release and which is the journalist's interpretation. The article (and as a result the slashdot summary) may be misinterpreting the press release.
"maximum" may be a misprint here, or, the EU may, as usual, be trying to obfuscate the intent of their legislation.