Following years of legislative debate, on 17 May 2019 the European Union (EU) adopted a legal framework setting out sanctions targeting persons and entities responsible for significant cyber-attacks aiming to undermine the integrity, security and economic competitiveness of the EU. The framework and the new sanctions regime are set out in Council Decision 2019/797 (the Decision) and Council Regulation (EU) 2019/796 (the Regulation). Support for the new regime has been declared by a number of third countries, namely Turkey, North Macedonia, Montenegro, Serbia, Albania, Bosnia and Herzegovina, Iceland, Norway, Moldova and Georgia, which joined the EU High Representative’s declaration of 12 April 2019 on respect for a rules-based order in cyberspace. It now remains to be seen how many of these countries will follow through and use the momentum to enact their own legislation targeting cyber-attacks.
How does the sanctions regime define a cyber-attack?
The Decision and Regulation define a cyber-attack as any action involving access to information systems, information systems interference, data interference or data interception that is not authorized by the owner or holder of the relevant rights of the system or the data, or which is illegal under the laws of the relevant Member State. To fall under the scope of the relevant legislative framework, a cyber-attack must (1) be an external threat to the interests of the EU or its Member States, and (2) have a potentially significant effect.
When are the EU’s or its Member States’ interests affected by an external threat?
The legal framework against cyber-attacks identifies three sets of external threats that could trigger an EU response, namely a threat to EU interests, a threat to Member State interests and a threat to certain third states or international organizations.
Pursuant to the EU sanctions framework, the EU’s interests are threatened if a cyber-attack is carried out against its institutions, bodies, offices and agencies, international delegations, security and defence operations and missions as well as special representatives.
Member State interests are threatened when cyber-attacks are committed against critical infrastructure, services that are necessary for maintaining essential social and/or economic activities, critical state functions, storage or processing of classified information or government emergency response teams. Furthermore, cyber-attacks against third states or international organizations can also be caught under the scope of the measures to the extent that is necessary to achieve the EU’s common foreign and security policy objectives.
To qualify as an external threat, the cyber-attack must either originate or be carried out from outside the EU, or by using non-Union infrastructure, or be carried out by persons or entities established or operating outside the EU, or carried out with the support or under the control of anyone outside the EU.
When does a cyber-attack have a potentially significant effect?
As noted earlier, the EU seeks to target cyber-attacks that have a potentially significant effect. The specific factors determining whether a cyber-attack has a potentially significant effect are:
- Scope, scale, impact or severity of the disruption caused, including to economic and social activities, essential services, critical state functions, public order or public safety;
- Number of natural or legal persons, entities or bodies affected;
- Number of Member States concerned;
- Amount of economic loss caused, such as through large-scale theft of funds, economic resources or intellectual property;
- Economic benefit gained by the perpetrator, for himself or for others;
- Amount or nature of data stolen or the scale of data breaches;
- Nature of commercially sensitive data accessed.
What sanctions can be imposed under the new anti-cyber-attacks measures?
The Decision and the Regulation allow the imposition of a travel ban and an asset freeze against persons deemed responsible for cyber-attacks, and enable a ban on making funds or economic resources available to those persons. It should be noted that these measures may not only be imposed against those deemed directly responsible for an actual or attempted cyber-attack. Persons and entities that provided support for or participated in the planning of the cyber-attack, as well as persons and entities associated with those responsible, can also be targeted.
The relevant list of targeted persons and entities is annexed to the Regulation and the Decision. At the moment, the list is still empty. The Council of the EU is authorized to list and delist persons and entities, acting unanimously upon a proposal by a Member State or the EU High Representative for Foreign Affairs and Security Policy. As with all other EU restrictive measures, the anti-cyber-attacks sanctions will also be enforced by the Member States.
We will continue to monitor further developments and keep you updated. Please do not hesitate to contact us in case of any questions.
- Council Decision (CFSP) 2019/797 of 17 May 2019 concerning restrictive measures against cyber-attacks threatening the Union or its Member States (OJ L 129, 17.05.2019, p. 13) and Council Regulation (EU) 2019/796 of 17 May 2019 concerning restrictive measures against cyber-attacks threatening the Union or its Member States (OJ L 129, 17.05.2019, p. 1).
- Critical infrastructure is that which is essential for the maintenance of vital functions of society, or the health, safety, security and economic or social well-being of people.
- In particular the energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution, digital infrastructure and “any other sector which is essential to the Member State concerned”.
- In particular, the areas of defence, governance and the functioning of institutions, including for public elections or the voting process, the functioning of economic and civil infrastructure, internal security and external relations.