EU introduces sanctions in relation to cyberattacks

On 30 July 2020, the European Council announced that asset freezing sanctions were to be imposed on six Chinese and Russian individuals and three entities (based in China, Russia and North Korea) responsible for, or involved in, various cyberattacks, including the attempted cyberattack against the Organisation for the Prohibition of Chemical Weapons and those publicly known as “WannaCry”, “NotPetya” and “Operation Cloud Hopper”.

The new EU sanctions entered into force on 30 July with the publication in the Official Journal of Council Implementing Regulation (EU) 2020/1125, which amends Council Regulation (EU) 2019/796 (the “Regulation”), the legislation which introduced the EU’s cyber sanctions in 2019. These designations are the first to be made under the Regulation.

The asset freezing measures imposed by the Regulation operate in the same way as other EU asset freezes. Therefore EU persons are:

1. required to freeze all funds and economic resources belonging to, owned, held or controlled by the newly designated persons; and
2. prohibited from making funds or economic resources available, directly or indirectly, to or for the benefit of, the newly designated persons.

By way of background, the Regulation was introduced in 2019 to provide for the imposition of sanctions on natural or legal persons, entities or bodies:

1. who are responsible for cyberattacks or attempted cyberattacks;
2. that provide financial, technical or material support for, or are otherwise involved in, such attacks, including by planning, participating in, directing, assisting or encouraging such attacks, or facilitating them (whether by action or omission); and
3. associated with persons covered by (a) or (b) above.

The Regulation applies to cyberattacks with a “significant effect”, which constitute an “external threat” to the EU or its Member States and sets out various detail on the types of attacks which fall within this definition. These include, among others:

1. cyberattacks carried out against the EU’s institutions, other bodies and special representatives; and
2. cyberattacks affecting Member State information systems relating to critical infrastructure, essential services, and critical state functions including defence and governance (including the voting process).

The UK’s Office of Financial Sanctions Implementation (OFSI) published a notice on 31 July, confirming that the nine designated persons mentioned above have been added to the UK’s consolidated list of asset freeze targets. (As readers will recall, during the Brexit transitional period, the UK will continue to implement and apply EU sanctions as normal.)

The UK has already introduced the Cyber (Sanctions) (EU Exit) Regulations 2020 which will come into force at the end of the Brexit transition period, replacing the EU regime set out in the Regulation, and which will allow the UK to designate individuals and entities involved in cyber-activity such as accessing or interfering with information systems or data where such activity:

1. undermines (or is intended to undermine) the integrity, prosperity or security of the UK or another country;
2. directly or indirectly causes (or is intended to cause) economic loss to, or prejudice to the commercial interests of, those affected by the activity;
3. undermines (or is intended to undermine) the independence or effective functioning of (i) an international organisation; or (ii) a non-governmental organisation or forum whose mandate or purposes relate to the governance of international sport or the internet; or
4. otherwise affects a significant number of persons in an indiscriminate manner.

It remains to be seen whether the UK will take the opportunity to introduce its own unilateral cyber designations on the above grounds after Brexit. In welcoming the introduction of the EU measures, the Foreign & Commonwealth Office (FCO) noted that “the UK was at the forefront of efforts to establish the EU Cyber Sanctions regime and will continue to implement this regime at the end of the Transition Period, through our own autonomous UK Cyber Sanctions regime”. HSF will continue to publish updates on changes to the UK’s autonomous sanctions.