On 16 May 2022, the Council of the EU (the Council) decided for the third time to prolong its restrictive measures against cyber-attackers threatening the EU, its Member states or its allies. The measures are set to remain in place for a further three years until May 18, 2025. The Council’s press release on this is available here.

As mentioned in our previous post on the topic, the EU set up a cyber diplomacy toolbox (Toolbox) that enables the EU and its Member states to trigger measures from the Common Foreign and Security Policy (CFSP). The CFSP is the foreign policy framework of the EU, whereby Member states agree common positions on defense diplomacy and common positions on how to respond to security threats. This enables the Council to impose restrictive measures in order to prevent, discourage, deter and respond to malicious cyber activities that target the integrity and security of the EU and its member states. If necessary, the CFSP and the toolbox permit the Council to impose sanctions on those responsible for cyber-attacks from third counties or international organizations.

Sanctions were first imposed in July 2020, following an attempted cyber-attack against the Organisation for the Prohibition of Chemical Weapons (OPCW) by those publicly known as ‘WannaCry’, ‘NotPetya’, and ‘Operation Cloud Hopper’. Later that year, in October 2020, sanctions were imposed on two individuals and one entity for a cyber-attack against the German Federal Parliament in 2015. Those responsible were suspected to be working for Russian military intelligence. To date, eight individuals and four entities are subject to the Council’s sanctions regime that includes asset freezes, travel bans and bans on EU persons making funds available to them. This list will be re-assessed on May 18, 2023.

The purpose of this new extension is to send out a strong signal to hackers; cyberattacks are not tolerated.