On 30 July 2020, the EU designated the first individuals and entities under its 2019 sanctions framework targeting parties involved in cyber-attacks that undermine the EU’s integrity, security and economic competitiveness.
More than a year after the EU put in place a sanctions framework to designate parties involved in or facilitating planned or actual cyber-attacks that undermine the "EU's integrity, security and economic competitiveness, including increasing acts of cyber-enabled theft of intellectual property",1 the EU has designated nine persons.
Under this framework, which is country neutral, two Chinese and four Russian nationals have been designated, as well as the following entities:2
- Tianjin Hyaying Haitai Science and Technology Development Co. Ltd (China)
- Chosun Expo (North Korea); and
- Main Centre for Special Technologies (GTsST) of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GU/GRU)
These nine persons have been listed for their role in an attempted cyber-attack to undermine the Organisation for the Prohibition of Chemical Weapons (OPCW, based in the Netherlands), cyber-activities including cyber-enabled theft of intellectual property (including those carried out by APT10), as well as the cyber-attacks publicly known as “WannaCry”, “NotPetya” and “Operation Cloud Hopper”.
As of 30 July 2020, they are subject to the EU asset freeze, meaning that all funds and economic resources belonging to or controlled by them and falling under EU jurisdiction (e.g., held by EU banks) must be frozen. Furthermore, parties falling under EU jurisdiction cannot make funds or economic resources available directly or indirectly to or for the benefit of these parties. The designated individuals are also subject to a travel ban.
1 See our alert of 20 May 2019
2 See Council Decision (CFSP) 2020/1127
amending Council Decision (CFSP) 2019/797
concerning restrictive measures against cyber-attacks threatening the Union or its Member States and Council Implementing Regulation (EU) 2020/1125
implementing Council Regulation (EU) 2019/796
concerning restrictive measures against cyber-attacks threatening the Union or its Member States.