In recent years, the EU has intensified its efforts to build up capacity to prevent, impede and respond to cyber attacks and other malicious cyber activities.
The measures include:
- the creation of a cyber diplomacy toolbox in June 2017, which allows the EU and its member states to use all EU policies and instruments and restrictive measures to ensure an open, safe and stable cyberspace;
- the EU Cyber Security Act in April 2019 establishing an EU cyber security certification framework and creating the EU Agency for Cyber Security (ENISA); and
- the May 2019 adoption of a specific cyber security sanctions regime, enabling the EU to impose restrictive measures to deter and respond to cyber attacks.
These measures are currently being put to the test. Since the beginning of the COVID-19 pandemic, the EU and its member states have been facing a significant increase in cyber attacks and other malicious cyber activities directed against key operators in member states and their international partners. The activities include phishing and malware distribution campaigns, scanning activities and distributed denial-of-service attacks.
In light of the recent rise in cyber attacks and noting that some of them are aimed at critical infrastructure, such as healthcare, the EU Council has now extended its cyber sanctions programme, for one year, until May 2021.
The EU cyber sanctions target malicious cyber activities by third-country actors or using third-country infrastructure that pose an external threat to the EU and/or its member states. Such cyber attacks could be directed against information systems relating to – among other things – critical infrastructure, defence, public elections or the retention of classified information.
Cyber sanctions can now be imposed against persons/entities who are:
- responsible for cyber attacks or attempted cyber attacks;
- providing financial, technical or material assistance for such attacks or attempted attacks; or
- otherwise involved, including through planning, directing, assisting, encouraging or facilitating such activities by any acts or omissions.
Sanctions can also be imposed in response to attacks against third countries or international organisations (and are not limited to attacks against the EU or its member states).
Like many other EU sanctions programmes, the cyber sanctions allow for the imposition of asset freezes and travel bans on persons/entities covered by the sanctions framework and also include a prohibition on making funds or other economic resources available to such persons/entities.
Some third countries, such as Albania, Bosnia and Herzegovina, Georgia, Iceland, Montenegro, North Macedonia, Norway, Serbia and Ukraine, have aligned themselves with the EU cyber sanctions regime. The UK transposed these EU sanctions into national law in 2019.
While the EU has not yet put any individuals or entities on its cyber sanctions list, given the recent wave of attacks, it seems likely that we will soon see the first cyber sanctions designations.
Such cyber sanctions are expected to become more and more relevant in the context of sanctions compliance management systems and transactions-related due diligence exercises.