The Council of the European Union (the Council) on May 17, 2021 agreed to prolong, for the second time, the sanctions framework concerning restrictive measures against cyber-attacks threatening the European Union (EU) or its Member States for another year, until May 18, 2022. The Council’s press release is available here.

Cyber sanctions are part of the EU cyber diplomacy toolbox and seek to prevent, discourage and respond to malicious cyber-attacks that have a significant impact on the EU. This framework was adopted in May 2019 under Council Decision (CFSP) 2019/797 and Council Regulation (EU) 2019/796, and is reviewed by the Council on a yearly basis. It allows the EU to sanction persons and entities deemed to be involved in major cyber-attacks threatening the EU or its Member States by imposing asset freezes or travel bans against those listed in the Council’s legal acts. The EU can also target those involved in attempted cyber-attacks with a potentially significant effect.

Since the framework came into effect, it has been used on two occasions. In July 2020, the Council of the EU imposed sanctions against Russian, Chinese and North Korean hackers involved in various cyber-attacks such as the so-called “Wannacry” and “NotPetya” attacks. In October 2020, a new set of sanctions was imposed against Russian hackers for participating in the cyber-attack that hit the German Parliament in 2015.

Further listings can be expected under the cyber-attack sanctions framework in view of the recent cyber-attacks against the EU, in particular against hospitals in a number of Member States.

The sanction lists are relevant for all organizations, across sectors, especially when confronted themselves with a ransom payment request. Indeed, even with inherent difficulties around attribution of attacks, payment to listed persons amount to a violation of sanctions regime. Financial institutions facilitating such payments or insurance companies providing cyber coverage that includes ransom payments are similarly on the hook. Previous coverage on the matter can be found here.