According to a press release of 15 May 2019 the European Council has agreed on extention of the sanctions regime to cyber-attacks. Just like in the existing sanctions, measures include asset freezing and travelling bans.
The press release:
Cyber-attacks: Council is now able to impose sanctions
The EU and its member states are getting ready to be more resistant and to respond to cyber-attacks.
On 17 May 2019, the Council established a framework which allows the EU to impose targeted restrictive measures to deter and respond to cyber-attacks which constitute an external threat to the EU or its member states, including cyber-attacks against third States or international organisations where restricted measures are considered necessary to achieve the objectives of the Common Foreign and Security Policy (CFSP).
Cyber-attacks falling within the scope of this new sanctions regime are those which have significant impact and which:
• originate or are carried out from outside the EU or
• use infrastructure outside the EU or
• are carried out by persons or entities established or operating outside the EU or
• are carried out with the support of person or entities operating outside the EU.
Attempted cyber-attacks with a potentially significant effect are also covered by this sanctions regime.
More specifically, this framework allows the EU for the first time to impose sanctions on persons or entities that are responsible for cyber-attacks or attempted cyber-attacks, who provide financial, technical or material support for such attacks or who are involved in other ways. Sanctions may also be imposed on persons or entities associated with them.
Restrictive measures include a ban on persons travelling to the EU, and an asset freeze on persons and entities. In addition, EU persons and entities are forbidden from making funds available to those listed.
The EU recognises that cyberspace offers significant opportunities, but also presents continuously evolving challenges. It is concerned at the rise of malicious behaviour in cyberspace that aims at undermining the EU’s integrity, security and economic competitiveness, with the eventual risk of conflict.
On 19 June 2017 the Council adopted a framework, the cyber diplomacy toolbox, which helps improve cooperation, prevent conflict, mitigate potential cyber threats as well as deter and influence the behaviour of potential aggressors. This was in response to growing concern at the increased ability and willingness of state and non-state actors to undertake malicious cyber activities.
On 16 April 2018, the Council adopted conclusions on malicious cyber activities which underlined the importance of a global, open, free, stable and secure cyberspace, and expressed concern about the activity of malicious actors.
On 28 June 2018 and 18 October 2018 the European Council called for work on the capacity to respond to and deter cyber-attacks to be taken forward.
On 12 April 2019, the High Representative issued a declaration on behalf of the EU stressing the need to respect the rules-based order in cyberspace, urging actors to stop undertaking malicious cyber activities including the theft of intellectual property, and calling on all partners to strengthen international cooperation to promote security and stability in cyberspace.
The EU remains committed to keeping cyberspace open, stable and secure and reiterates its attachment to the settlement of international disputes in cyberspace by peaceful means. In this context, all of the EU’s diplomatic efforts should aim as a matter of priority to promote security and stability in cyberspace through increased international cooperation, and reduce the risk of misperception, escalation and conflict that may stem from Information and Communications Technologies (ICT) incidents.
- Council Decision concerning restrictive measures against cyber-attacks threatening the Union or its member states (pdf)
- Declaration by the High Representative on behalf of the EU on respect for the rules-based order in cyberspace, 12 April 2019
- European Council conclusions, 18 October 2018
- Response to malicious cyber activities: Council adopts conclusions, 16 April 2018
- Cyber-attacks: EU ready to respond with a range of measures, including sanctions, 19 June 2017
Read also the discussion paper of 18 March 2019, “Responding to cyberattacks” (pdf).