On 17 May 2019, the Council adopted Council Regulation (EU) 2019/796 (the “Regulation”), which establishes a framework for the EU to impose sanctions in relation to cyber-attacks which constitute an external threat to the EU or its Member States. Cyber-attacks against third states or international organisations also fall within the ambit of the framework where necessary to achieve the objectives of the EU’s Common Foreign and Security Policy. The UK and the Netherlands played a key part in pushing through the cyber sanctions framework, following suspected cyber attacks in 2018 by Russia’s military intelligence service, GRU, and the ongoing threat of external interference in the European elections. It is no coincidence that the Regulation catches within its scope threats to the information systems relating to the “governance and the functioning of institutions, including for public elections or the voting process“.
The Regulation is not specific to any particular country, but is intended to catch all external cyber threats. To date, no persons or entities have been listed in the Annex, the amendment of which requires a unanimous decision of the Council following a proposal by a Member State or the High Representative of the Union for Foreign Affairs and Security Policy. Member States are themselves responsible for designating competent authorities, establishing penalties and implementing them.
- Scope of framework
The scope of the framework includes actual and attempted cyber-attacks which:
- have or could potentially have a “significant effect”; and
- originate or are carried out from outside the EU; or
- use infrastructure outside the EU; or
- are carried out by persons or entities established or operating outside the EU; or
- are carried out with the support of person or entities operating outside the EU.
Whether a cyber attack has a “significant effect” will be determined by reference to its scope and severity, number of people and Member States affected, the economic loss caused, the economic benefit gained by the perpetrator and the amount and nature of the data accessed or stolen.
- Persons / entities which may be sanctioned
The EU may impose sanctions on persons or entities which:
- are responsible for cyber-attacks or attempted cyber-attacks;
- provide financial, technical or material support for cyber attacks caught by the framework; or
- are associated with the natural or legal person, or bodies involved.
- Substance of sanctions
Sanctions under this framework can take the form of:
- travel bans; and
- asset freezes.