On May 14 2020, the Council of the European Union (the "EU Council") announced its decision to extend the sanctions regime on persons involved in cyberattacks (or attempted cyberattacks) targeting the EU, a member state, a third state or an international organization (the "Sanctions Regime") for a year, i.e., until May 18, 2021.
The Sanctions Regime was adopted in May 2019 by the EU Council as one of the steps to strengthen EU cyber-resilience capabilities.1 Sanctions are typically asset freezes for those responsible for the attack and a prohibition of making funds available to these persons by EU persons or entities. These sanctions are subject to certain limited exceptions, which are common across other EU asset freeze regimes. Targeted individuals are additionally subject to travel bans, meaning that a member state must prevent these individuals from entering or transiting its territory.
With this extension, the EU is therefore keeping the ability to act against those engaged in, associated with, or providing financial, technical or material support for cyberattacks or attempted cyberattacks that have or would have a significant impact on and pose an external threat to the EU or its member states. Attacks that could trigger these sanctions would include those that (i) originated or were carried out from outside the EU; (ii) engaged the use of infrastructure outside the EU; and (iii) were conducted by or with the support of persons or entities established or operating outside the EU.
Although the Sanctions Regime has not yet been applied,2 its one-year-extension comes at a time when it might be needed more than ever. Indeed, cyberattacks and malicious cyber activities exploiting the COVID-19 outbreak are flourishing in Europe as well as globally, targeting, among many others, essential operators in the EU member states, including operators in the health care sector.
1 For our comments on the initial sanction regime, check out our previous Legal Update.