On Friday 17 May, the EU Council adopted a legal framework to impose sanctions on those responsible for cyber attacks that threaten the EU or its Member States, including attacks against non-member countries or international organisations (see EUROPE 12253/20).
This legal framework —currently without content—makes it possible to impose measures on persons or entities responsible for cyber attacks or attempted cyber attacks, for providing financial, technical or material support for such attacks, or who are otherwise involved in them. Sanctions may also be imposed on persons or entities linked to them.
According to the decision of the EU Council, cyber attacks are unauthorised actions involving access to information systems, attacks on the integrity of an information system, attacks on data integrity, or the interception of data. They pose a threat to Member States, in particular when they attack critical infrastructure, services that are necessary to maintain critical social and/or economic activities, critical functions of Member States, the storage or processing of classified information, or emergency response teams put in place by public authorities. Cyber attacks that threaten the EU include those directed against its institutions, bodies, offices and agencies, delegations to non-member States or international organisations, operations and missions organised under the Common Security and Defence Policy (CSDP) and its Special Representatives.
To fall under the scope of this regime, cyber attacks must have had a “significant impact” and must have originated or been carried out outside of the EU, or have made use of non-Member State infrastructure. Restrictive measures also cover attacks carried out by persons or entities established or operating outside of the EU, or those carried out with the support of persons or entities acting outside of the European Union.
Attempts to carry out a cyber attack may also be punished if they have “significant potential effects”, according to the EU Council.
Restrictive measures include a visa ban and freezing of assets. EU citizens and entities are also prohibited from making funds available to listed natural persons or entities.
This decision to impose sanctions on those responsible for cyber attacks follows on from the European Council's request of October 2018 to adopt such a regime involving restrictive measures (see EUROPE 12120/5). Last April, the EU also asked non-Member States to take action against cyber attacks (see EUROPE 12236/14).
Back in June 2017, the EU Council had already adopted a “cyberdiplomacy toolbox”, a framework for a common EU diplomatic response to cyber-malicious acts that mentioned the possibility of sanctions (see EUROPE 11811/27). (Original version in French by Camille-Cerise Gessant)