On 17 May 2019, the Council of the EU established a framework against external cyber-attacks which constitute an external threat to the EU or its Member States. The new rules, which reportedly follow a diplomatic push by the UK and the Netherlands, provide for a strong legal instrument to deter and respond to cyber-attacks against the EU or its Member States. The new framework enables the EU for the first time to impose sanctions against persons, entities and bodies because of cyber-attacks. While no names have been added to the sanctions list yet, the new mechanism is expected to allow the EU to move quickly in the future. However, the new framework does not help companies that are under attack. Victims of cyber-attacks are on their own when it comes to fighting off an attack.

Sanctions under the new framework are country neutral. In other words, they do not target specific third countries but specific malicious actors. Member States are free to make their own determinations with respect to the attribution of responsibility for cyber-attacks to third countries but such determinations have no impact on the EU sanctions.

The new rules cover cyber-attacks that have either been carried out or attempted, have a significant impact, and:

  • originate or are carried out from outside the EU;
  • use infrastructure outside the EU;
  • are carried out by persons, entities or bodies established or operating outside the EU; or
  • are carried out with the support of persons, entities or bodies operating outside the EU.

The framework allows the EU to deter and respond to cyber-attacks that constitute an external threat to Member States or the EU. Cyber-attacks may be considered a threat to Member States if they affect information systems relating to critical infrastructure, services necessary for the maintenance of essential social and/or economic activities, critical State functions, the storage or processing of classified information, or government emergency response teams. Cyber-attacks constituting a threat to the EU include those carried out against its institutions, bodies, offices and agencies, its delegations to third countries or to international organizations, its common security and defense policy (CSDP) operations and missions and its special representatives. Perhaps one of the most striking features of the new framework concerns cyber-attacks directed against third countries or international organizations. Under certain circumstances, the EU may intervene in support of such countries or organizations and apply sanctions in response to such cyber-attacks.

The new regime allows the EU for the first time to impose sanctions on persons, entities or bodies that are responsible for cyber-attacks or attempted cyber-attacks, that provide financial, technical or material support for such attacks, or that are involved in other ways. Persons, entities or bodies associated with them may also be sanctioned.

Restrictive measures include travel bans. Member States shall take the measures necessary to prevent the entry into or transit through their territories of sanctioned persons. Furthermore, the new rules provide for an asset freeze on funds and economic resources of sanctioned persons, entities or bodies. Persons or organizations falling under EU jurisdiction are forbidden from making funds or economic resources available to or for the benefit of those listed.

It is important to note that the decision-making process leaves room for discretion in the sanctioning of cyber-attackers. The Council establishes and amends the sanctions lists only by a unanimous decision of EU Member States upon a proposal from any Member State or from the High Representative for Foreign Affairs and Security Policy. Thus, the outcome of the decision-making process will be pre-conditioned by the ability of the Member States to align their geopolitical interests. Persons, entities or bodies from third countries perceived as strategic allies may be less likely to be sanctioned than those from isolated rogue states.

The EU hopes to utilize the new framework as a benchmark for similar anti-cyber-attack measures by other jurisdictions worldwide. In order to maximize the impact of the restrictive measures, the EU will encourage third countries to adopt similar sanctions.

Similar regimes already exist in a number of jurisdictions, including in the United States where an executive order issued in 2015 (and amended in 2016) authorizes the imposition of blocking sanctions (i.e. asset freezing) against persons engaged in certain cyber-attacks. This includes certain activity aimed at harming, or having the effect of harming, US national security, foreign policy goals, or the US economy or financial system, as well as specific acts related to the stealing of “trade secrets.”

While the above US order covers certain cyber-attacks related to “interfering with or undermining election processes or institutions,” given the heightened concern in the United States regarding foreign election interference, the Trump Administration has recently issued an additional executive order authorizing blocking sanctions for a wide variety of election interference-related conduct, including certain cyber-based activities.

While worded differently, both the EU and US regimes are quite broad in nature and therefore are likely to cover most of the same conduct in their respective jurisdictions.