The EU has adopted a new sanctions regime to tackle cyber attacks, which adds a layer to the due diligence exercise that companies must routinely undertake in the framework of their global operations.
On 17 May 2019, the EU adopted a new sanctions regime to deter and respond to cyber attacks through the possible imposition of various restrictive measures (i.e., asset-freezing measures and travel bans) against the perpetrators of such attacks.
The new sanctions regime is set out in Council Regulation 2019/796 and Council Decision 2019/797; its main features are summarised below.
The new sanctions regime targets cyber attacks that constitute a threat to the EU or to the EU Member States.
First, cyber attacks comprise the following (unauthorised/unlawful) actions:
Second, cyber attacks constitute a threat to the EU where, among others, they are carried out against its institutions, bodies, offices and agencies, its delegations to third countries or to international organisations, its common security and defence policy operations and missions, and its special representatives.
Third, cyber attacks constitute a threat to the EU Member States where, among others, they affect information systems that relate to:
The new sanctions regime allows the EU to impose asset-freezing measures and travel bans against the perpetrators of cyber attacks.
First, asset-freezing measures consist in:
Second, travel bans consist in preventing the perpetrators of cyber attacks from entering into, or transiting through, the territories of the EU Member States (except in the framework of exceptional and pre-determined circumstances).
Third, the perpetrators of cyber attacks include:
The Council of the EU will be responsible for establishing the list of perpetrators of cyber attacks subject to asset-freezing measures and/or travel bans (the list will be annexed to Regulation 2019/796).
As in the case of the other EU sanctions regimes, the new sanctions regime is directly applicable in all EU Member States, which are responsible for adopting and enforcing the penalties for breaches of the applicable asset-freezing measures and/or travel bans.
The UK has already adopted the necessary legislation to transpose the new sanctions regime into domestic law, which indicates that the UK intends to continue applying such regime after it leaves the EU.
The new sanctions regime adds a layer to the due diligence exercise that EU-based companies (and EU individuals in the EU and abroad) must routinely undertake in the framework of their global operations.
In addition to making sure that they are not entering into a transaction prohibited or restricted under existing EU economic sanctions regimes (targeting e.g., specific sectors, activities and/or persons), they will now also have to verify that their activities are fully compliant with the restrictions applicable to perpetrators of cyber attacks.