European Union establishes a sanction regime for cyber-attacks

On 17 May 2019, the Council of the European Union adopted Council Decision (CFSP) 2019/797 and Council Regulation (EU) 2019/796 concerning restrictive measures against cyber attacks threatening the Union or its Member States. The new legislation evolved from the conclusions on a framework for a joint diplomatic response to malicious cyber activities (the Cyber Diplomacy Toolbox), which was adopted by the Council on 19 June 2017, and set a framework of measures against possible aggressors. Based on the Toolbox and its principles, the Council Decision and Regulation of May 2019 forms an important step forward to face emerging security threats in cyberspace at the EU level.


The legislation was promoted particularly by the United Kingdom and the Netherlands, which both suffered major cyber attacks in the months prior to adopting the Decision. In the UK case, the UK intelligence services gathered and presented evidence of a coordinated hacking campaign conducted by the Chinese state-linked group Advanced Persistent Threat 10 (APT 10). Even though the Member States considered a joint diplomatic response against the hacking group, they only managed to adopt a Council Declaration where the APT 10 was not directly mentioned. However, just one month later, the Council adopted legislation that enabled the EU to impose restrictive measures (an expression that the EU uses to refer to its sanctions) against aggressors in cyberspace.

In general, the EU sanctions should be imposed only on the basis of a legislative framework that foresees the adoption of sanctions in a specific area. Until May 2019, the EU could impose sanctions only on persons and entities involved either in terrorism [1] [2] or in the proliferation of chemical weapons [3] [4]. Therefore, it is crucial to have legislation that specifically tackles cyberspace-related threats and enables the Council to act when these occur.

Sanction regime

For the purpose of imposing the sanctions, a cyber attack means an action that includes: (a) access to information systems; (b) information system interference; (c) data interference; or (d) data interception. Sanctions can be imposed to respond not only to completed actions, but also to actions attempted. To be subject to sanctions, a cyber attack must fulfil two criteria: (a) the attack has a significant effect; and (b) the attack constitutes an external threat to the Union or its Member States.

To consider whether a cyber attack has a significant effect, a series of indicators are to be considered: (a) the scope, scale, impact or severity of disruption caused; (b) the number of natural or legal persons, entities or bodies affected; (c) the number of Member States concerned; (d) the amount of economic loss caused; (e) the economic benefit gained by the perpetrator, for themself or for others; (f) the amount or nature of data stolen or the scale of data breaches; and (g) the nature of commercially sensitive data accessed.

The second condition of constituting an external threat is fulfilled when an attack (a) originates, or is carried out, from outside the Union; (b) uses infrastructure outside the Union; (c) is carried out by any natural or legal person, entity or body established or operating outside the Union; or (d) is carried out with the support, at the direction or under the control of any natural or legal person, entity or body operating outside the Union. Other persons, entities and bodies – those with an origin and operating in the EU – remain subject to national jurisdiction. This is an important difference from the regime of the EU anti-terrorist sanctions which can also be imposed on EU citizens or entities such as ETA, the IRA and their members.

Sanctions can be taken not only against subjects directly responsible for cyber attacks, but against all subjects that provide financial, technical or material support or are otherwise involved in a cyber attack and all subjects associated with those involved. This substantially broadens the ratione personae of the application of the sanctions, which is of great importance because criminal networks in cyberspace can be very complex.

The cyber attacks can be directed either at the EU (its institutions, bodies or offices, its delegations to third countries or to international organisations, its common security and defence policy operations and missions or its special representatives) or at a Member State (its critical infrastructure, services necessary for the maintenance of essential social and/or economic activities, critical State functions, the storage or processing of classified information, and government emergency response teams). Where it is necessary to achieve an EU common security and defence policy objective, sanctions can also be imposed as a response to cyber attacks with a significant effect against third States or international organisations.

Finally, the sanctions that the EU can impose are twofold. The first is a prevention of the entry of the sanctioned into, or transit through, territories of EU Member States. The second is a funds and economic resources freeze: no funds or economic resources shall be made available directly or indirectly to or for the benefit of the listed.

Attributing the responsibility and targeting the sanctions

The sanctions can be directed only against natural or legal persons, other entities or bodies different from a State (i.e. non-State actors). Therefore, it is important to stress that State actors remain out of the scope of the sanction regime. The EU refrains from attributing cyber attacks to third States, stating that this would be a sovereign political decision that every Member State has to consider itself on a case-by-case basis.

Focusing exclusively on individually listed non-State actors, the sanctions are targeted or ‘smart’ in their nature, i.e. intended to harm a precisely defined subject which represents a threat, not to affect a whole State and its population. This minimises the impact on human rights and compels non-State actors to refrain from executing cyber attacks.

Listing process

Listing and delisting the aggressors is within the exclusive competence of the Council. This means, inter alia, that the listing process has a clear political nature because of the Council’s composition. To make the listing process political in nature also makes the attribution of responsibility for a cyber attack political. The nature of the attribution is not merely political, though. Each listing decision has to be supported by an introduction of grounds for listing.

The Council’s decision will be taken unanimously upon a proposal from a Member State or the High Representative of the Union for Foreign Affairs and Security Policy. The unanimity of the decision of a political body of the EU should ensure that the Member States will comply with their obligations and will implement the sanctions without further objections.

Upon their objection, listed subjects can be excepted from the list, as has occurred regularly after the imposition of anti-terrorist sanctions. The Council has an obligation to communicate its decisions referred to listing and delisting to the subjects concerned, including the grounds for listing. The listed subjects can present observations and when they do, the Council must review the decisions on the basis of this information. Once the decision is taken, the subjects may also request a judicial examination of their case. Claims of violations of the right to respect for private and family life, the right to property, the right to effective judicial protection or the right to a fair trial have followed many anti-terrorist sanctions and are also to be expected in the case of new cyber sanctions.

Member States have an obligation to designate competent authorities and implement the imposed sanctions. They can also moderate the sanctions imposed by the Council. First, they may grant exemptions from the travel ban when such an exemption is justified. However, the granting of an exemption can be blocked by the Council. This block cannot be realised when a Member State decides to unfreeze certain assets, which is the second moderation available to Member States.

Effectiveness of the sanctions

The sanctions are a product of the framework for a joint diplomatic response of the EU set in the Cyber Diplomacy Toolbox. Freezing of assets and travel ban sanctions fall within restrictive measures, which means sanctions with which the EU responds to malicious activities that have already occurred. The sanctions’ purpose is not only to react but also to deter those considering any kind of participation in a cyber attack against the EU or its Members in the long term. To underline the importance of the sanctions, it should be stressed that the travel ban and especially the freezing of assets are among the most powerful responses that the EU as a whole is able to impose. Moreover, the EU has an ambition to encourage third States to impose sanctions similar to those imposed by the Council.

What next?

The regime is in place. The sanctions are available, yet none have been imposed so far. One of the key questions is on whom the EU is going to impose its sanctions. There is a model that the EU could follow: the US sanction regime, which is very similar to that of the EU. The US has already imposed sanctions against many non-State actors. A wide range of entities and individuals has appeared on the US list, including the Russian Main Intelligence Directorate (GRU) and its senior officers, the Federal Security Service (FSB) and private Iranian-based companies. For the US, it is easier to list someone because there is no need to reach unanimity in a political decision across various States. The EU has, however, showed its willingness to tackle those responsible for cyber attacks in the EU jurisdiction by adopting a tool that allows the EU to react; now it is up to the Council to use this tool.

Author: Adam Botek, National Cyber and Information Security Agency of the Czech Republic

This publication does not necessarily reflect the policy or the opinion of the NATO Cooperative Cyber Defence Centre of Excellence (the Centre) or NATO. The Centre may not be held responsible for any loss or harm arising from the use of information contained in this publication and is not responsible for the content of the external sources, including external websites referenced in this publication.