Cyber-attacks: EU Council is now able to impose sanctions

 

On 17 May, the EU Council established a framework which allows the EU to impose targeted restrictive measures to deter and respond to cyber-attacks which constitute an external threat to the EU or its Member States.

 

Such threats may include cyber-attacks against third states or international organisations where restricted measures are considered necessary to achieve the objectives of the Common Foreign and Security Policy.

 

Cyber-attacks falling within the scope of this new sanctions regime are those which have a significant impact and which:

 

- originate or are carried out from outside the EU, or

- use infrastructure outside the EU, or

- are carried out by persons or entities established or operating outside the EU, or

- are carried out with the support of persons or entities operating outside the EU.

 

Attempted cyber-attacks with a potentially significant effect are also covered by this sanctions regime.

 

Sanctions may also be imposed on persons or entities associated with them.  

 

Restrictive measures include a ban on persons travelling to the EU, and an asset freeze on persons and entities. In addition, EU persons and entities are forbidden from making funds available to those listed.