On 17 May 2019, the EU adopted a new sanctions regime to deter and respond to cyber attacks through the possible imposition of various restrictive measures (i.e., asset-freezing measures and travel bans) against the perpetrators of such attacks.
The new sanctions regime is set out in Council Regulation 2019/796 and Council Decision 2019/797; its main features are summarised below.
The notion of cyber attacks
The new sanctions regime targets cyber attacks that constitute a threat to the EU or to the EU Member States.
First, cyber attacks comprise the following (unauthorised/unlawful) actions:
- access to information systems;
- information system interference; and/or
- data interference/interception.
Second, cyber attacks constitute a threat to the EU where, among others, they are carried out against its institutions, bodies, offices and agencies, its delegations to third countries or to international organisations, its common security and defence policy operations and missions, and its special representatives.
Third, cyber attacks constitute a threat to the EU Member States where, among others, they affect information systems that relate to:
- critical infrastructure essential for the maintenance of vital functions of society, or the health, safety, security, and economic or social well-being of people;
- services necessary for the maintenance of essential social and/or economic activities, including in the sectors of energy, transport, banking, financial market infrastructures, drinking water supply and distribution, and digital infrastructure;
- critical State functions, including in the areas of defence, governance and the functioning of institutions (e.g., public elections or the voting process), the functioning of economic and civil infrastructure, internal security, and external relations;
- the storage or processing of classified information; and/or
- government emergency response teams.
The potential EU restrictive measures
The new sanctions regime allows the EU to impose asset-freezing measures and travel bans against the perpetrators of cyber attacks.
First, asset-freezing measures consist in:
- the freezing of all funds and economic resources of the perpetrators of cyber attacks; and
- a prohibition to make funds and economic resources available to the perpetrators of cyber attacks (except in the framework of exceptional and pre-determined circumstances).
Second, travel bans consist in preventing the perpetrators of cyber attacks from entering into, or transiting through, the territories of the EU Member States (except in the framework of exceptional and pre-determined circumstances).
Third, the perpetrators of cyber attacks include:
- natural or legal persons, entities or bodies that are responsible for cyber attacks or attempted cyber attacks (as well as natural or legal persons, entities or bodies associated therewith);
- natural or legal persons, entities or bodies that provide financial, technical or material support for or are otherwise involved in cyber attacks or attempted cyber attacks, including by planning, preparing, participating in, directing, assisting or encouraging such attacks, or facilitating them whether by action or omission (as well as natural or legal persons, entities or bodies associated therewith).
The Council of the EU will be responsible for establishing the list of perpetrators of cyber attacks subject to asset-freezing measures and/or travel bans (the list will be annexed to Regulation 2019/796).
As in the case of the other EU sanctions regimes, the new sanctions regime is directly applicable in all EU Member States that are responsible for adopting and enforcing the penalties for breaches of the applicable asset-freezing measures and/or travel bans.
The UK has already adopted the necessary legislation to transpose the new sanctions regime into domestic law, which indicates that the UK intends to continue applying such regime after it leaves the EU.
Consequences for global businesses
The new sanctions regime adds a layer to the due diligence exercise that EU-based companies (and EU individuals in the EU and abroad) must routinely undertake in the framework of their global operations.
In addition to making sure that they are not entering into a transaction prohibited or restricted under existing EU economic sanctions regimes (targeting e.g., specific sectors, activities and/or persons), they will now also have to verify that their activities are fully compliant with the restrictions applicable to perpetrators of cyber attacks.
