Cyber attacks

Sanctions regime

Overview

EU Sanctions

The EU adopted by Council Regulation (EU) 2019/796 and Council Decision (CFSP) 2019/797 in 2019 a new sanctions regime to deter and respond to malicious cyber activities on EU member states, third states and international organisations by non-state actors.

EU sanctions are imposed on natural or legal persons, entities or bodies:

  • who are responsible for cyber-attacks or attempted cyber-attacks;

 

  • that provide financial, technical or material support for or are otherwise involved in cyber-attacks or attempted cyber-attacks, including by planning, preparing, participating in, directing, assisting or encouraging such attacks, or facilitating them whether by action or omission;

 

  • associated with the natural or legal persons, entities or bodies covered by either of the above points.

UK Sanctions

The UK adopted The Cyber (Sanctions) (EU Exit) Regulations 2020 in 2021 to prevent cyber activity that undermines the integrity, prosperity or security of the UK, causes economic loss, undermines the effective functioning of international organisations or NGOs, or affects a significant number of persons in an indiscriminate manner.

UK sanctions are imposed on natural or legal persons, entities or bodies involved in:

  • the commission, planning or preparation of relevant cyber activity;

 

  • providing financial services, or making available funds or economic resources, that could contribute to relevant cyber activity;

 

  • providing technical assistance that could contribute to relevant cyber activity;

 

  • involved in the supply of goods or technology that could contribute to relevant cyber activity, or in providing financial services relating to such supply;

 

  • involved in any other action, policy, activity or conduct which promotes, enables or facilitates the commission of relevant cyber activity; and

 

  • involved in assisting the contravention or circumvention of any relevant provision.

The Secretary of State can also designate persons owned or controlled by, acting on behalf of, or associated with “involved persons”.

US Sanctions

Under EO 13757 and EO 13694, the US imposes sanctions on persons responsible for or complicit in, or to have engaged in, directly or indirectly, cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States that are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States.

Sanctions are also imposed on persons who are responsible for or complicit in, or have engaged in, the receipt or use for commercial or competitive advantage or private financial gain, or by a commercial entity, outside the United States of trade secrets misappropriated through cyber-enabled mean.

Current EU Sanctions

The EU adopted by Council Regulation (EU) 2019/796 and Council Decision (CFSP) 2019/797 in 2019 a new sanctions regime to deter and respond to malicious cyber activities on EU member states, third states and international organisations by non-state actors.

EU sanctions are imposed on natural or legal persons, entities or bodies:

  • who are responsible for cyber-attacks or attempted cyber-attacks;

 

  • that provide financial, technical or material support for or are otherwise involved in cyber-attacks or attempted cyber-attacks, including by planning, preparing, participating in, directing, assisting or encouraging such attacks, or facilitating them whether by action or omission;

 

  • associated with the natural or legal persons, entities or bodies covered by either of the above points.

Current UK Sanctions

The UK adopted The Cyber (Sanctions) (EU Exit) Regulations 2020 in 2021 to prevent cyber activity that undermines the integrity, prosperity or security of the UK, causes economic loss, undermines the effective functioning of international organisations or NGOs, or affects a significant number of persons in an indiscriminate manner.

UK sanctions are imposed on natural or legal persons, entities or bodies involved in:

  • the commission, planning or preparation of relevant cyber activity;

 

  • providing financial services, or making available funds or economic resources, that could contribute to relevant cyber activity;

 

  • providing technical assistance that could contribute to relevant cyber activity;

 

  • involved in the supply of goods or technology that could contribute to relevant cyber activity, or in providing financial services relating to such supply;

 

  • involved in any other action, policy, activity or conduct which promotes, enables or facilitates the commission of relevant cyber activity; and

 

  • involved in assisting the contravention or circumvention of any relevant provision.

The Secretary of State can also designate persons owned or controlled by, acting on behalf of, or associated with “involved persons”.

Current US Sanctions

Under EO 13757 and EO 13694, the US imposes sanctions on persons responsible for or complicit in, or to have engaged in, directly or indirectly, cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States that are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States.

Sanctions are also imposed on persons who are responsible for or complicit in, or have engaged in, the receipt or use for commercial or competitive advantage or private financial gain, or by a commercial entity, outside the United States of trade secrets misappropriated through cyber-enabled mean.

Footer