Overview
EU Sanctions
The EU adopted by Council Regulation (EU) 2019/796 and Council Decision (CFSP) 2019/797 in 2019 a new sanctions regime to deter and respond to malicious cyber activities on EU member states, third states and international organisations by non-state actors.
EU sanctions are imposed on natural or legal persons, entities or bodies:
- who are responsible for cyber-attacks or attempted cyber-attacks;
- that provide financial, technical or material support for or are otherwise involved in cyber-attacks or attempted cyber-attacks, including by planning, preparing, participating in, directing, assisting or encouraging such attacks, or facilitating them whether by action or omission;
- associated with the natural or legal persons, entities or bodies covered by either of the above points.
UK Sanctions
The UK adopted The Cyber (Sanctions) (EU Exit) Regulations 2020 in 2021 to prevent cyber activity that undermines the integrity, prosperity or security of the UK, causes economic loss, undermines the effective functioning of international organisations or NGOs, or affects a significant number of persons in an indiscriminate manner.
UK sanctions are imposed on natural or legal persons, entities or bodies involved in:
- the commission, planning or preparation of relevant cyber activity;
- providing financial services, or making available funds or economic resources, that could contribute to relevant cyber activity;
- providing technical assistance that could contribute to relevant cyber activity;
- involved in the supply of goods or technology that could contribute to relevant cyber activity, or in providing financial services relating to such supply;
- involved in any other action, policy, activity or conduct which promotes, enables or facilitates the commission of relevant cyber activity; and
- involved in assisting the contravention or circumvention of any relevant provision.
The Secretary of State can also designate persons owned or controlled by, acting on behalf of, or associated with “involved persons”.
US Sanctions
Under EO 13757 and EO 13694, the US imposes sanctions on persons responsible for or complicit in, or to have engaged in, directly or indirectly, cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States that are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States.
Sanctions are also imposed on persons who are responsible for or complicit in, or have engaged in, the receipt or use for commercial or competitive advantage or private financial gain, or by a commercial entity, outside the United States of trade secrets misappropriated through cyber-enabled mean.
Current EU Sanctions
The EU adopted by Council Regulation (EU) 2019/796 and Council Decision (CFSP) 2019/797 in 2019 a new sanctions regime to deter and respond to malicious cyber activities on EU member states, third states and international organisations by non-state actors.
EU sanctions are imposed on natural or legal persons, entities or bodies:
- who are responsible for cyber-attacks or attempted cyber-attacks;
- that provide financial, technical or material support for or are otherwise involved in cyber-attacks or attempted cyber-attacks, including by planning, preparing, participating in, directing, assisting or encouraging such attacks, or facilitating them whether by action or omission;
- associated with the natural or legal persons, entities or bodies covered by either of the above points.
Current UK Sanctions
The UK adopted The Cyber (Sanctions) (EU Exit) Regulations 2020 in 2021 to prevent cyber activity that undermines the integrity, prosperity or security of the UK, causes economic loss, undermines the effective functioning of international organisations or NGOs, or affects a significant number of persons in an indiscriminate manner.
UK sanctions are imposed on natural or legal persons, entities or bodies involved in:
- the commission, planning or preparation of relevant cyber activity;
- providing financial services, or making available funds or economic resources, that could contribute to relevant cyber activity;
- providing technical assistance that could contribute to relevant cyber activity;
- involved in the supply of goods or technology that could contribute to relevant cyber activity, or in providing financial services relating to such supply;
- involved in any other action, policy, activity or conduct which promotes, enables or facilitates the commission of relevant cyber activity; and
- involved in assisting the contravention or circumvention of any relevant provision.
The Secretary of State can also designate persons owned or controlled by, acting on behalf of, or associated with “involved persons”.
Current US Sanctions
Under EO 13757 and EO 13694, the US imposes sanctions on persons responsible for or complicit in, or to have engaged in, directly or indirectly, cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States that are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States.
Sanctions are also imposed on persons who are responsible for or complicit in, or have engaged in, the receipt or use for commercial or competitive advantage or private financial gain, or by a commercial entity, outside the United States of trade secrets misappropriated through cyber-enabled mean.
- Legislation
31 CFR Part 578 – Cyber-Related Sanctions Regulations
EO 13757 – Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities (December 28, 2016)
EO 13694 – Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities (April 1, 2015)
- Sanctions List
Search “CYBER2” Program on the OFAC SDN List
- Guidance
Sanctions Compliance Guidance for the Virtual Currency Industry (October 15, 2021)
Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (Updated September 21, 2021)
North Korea Cyber Threat Advisory (April 15, 2020)
- US General Licences
Cyber General License 1C – Authorizing Certain Transactions with the Federal Security Service (April 27, 2023)
- Judgments
-
Loon v. Dep’t of Treasury 1:23-CV-312-RP
-