Recent developments across a number of otherwise unconnected legislatures and jurisdictions have confirmed the increasing global acceptance of cyber sanctions introduced by the EU in 2019.
Firstly, on the 19 June 2020, the High Representative of the EU issued a declaration confirming the alignment of the following third countries with the EU’s cyber-sanctions regime:
- EU Candidate Countries: Turkey, North Macedonia, Montenegro and Albania
- EU potential Candidate Country: Bosnia and Herzegovina
- EFTA Countries: Iceland and Norway (though not neutral Switzerland)
- EU Associates: Ukraine and Georgia
The press release on the declaration can be found here.
Secondly, in March 2020 the UK extended the Union’s cyber sanctions regime to its Overseas Territories (UKOTs) covering the following key financial centres such as Bermuda, the Cayman Islands, the British Virgin Islands.
Our recent blog post on relevant UKOT developments is here.
Thirdly, the UK in its explanatory memorandum to the Cyber (Sanctions) (EU Exit) Regulations 2020 has indicated that post-Brexit, ie from 2021 onwards, material elements of the Union’s regime will continue, save for the ability for the UK to make “autonomous” amendments as necessary.
More about EU cyber-sanctions
The legal framework establishing the cyber sanctions regime is contained in Council Regulation (EU) 2019/796 and Council Decision (EU) 2019/797, both enacted on 17 May 2019. The regime seeks to counter and deter cyber-attacks which constitute an external threat to the EU or its member states, including cyber-attacks against third States or international organisations.
As with most EU sanctions regimes, a series of restrictive measures can be imposed by the Council on perceived bad actors. Measures include: travel bans to (and in) the EU; an asset freeze on listed persons and entities; and a prohibition on EU persons and entities making funds available to those listed.
The call for the EU to introduce an autonomous cyber-sanctions regime has a long and interesting history but was largely triggered following an attempted cyber-attack in October 2018 on the Organisation for the Prohibition of Chemical Weapons (OPCW). The OPCW is based in the Hague and was responsible for investigating chemical weapons attacks during the Syrian civil war and those on Sergei Skripal and his daughter in Salisbury (UK). Following the incident, the Netherlands accused Russia of the attempt and expelled four Russian GRU agents in response.
Renewal of the regime
Finally, the EU itself has once again validated the regime by extending its application for another year with the passing of Decision (CFSP) 2020/651 of 14 May 2020. The regime will come up for review in mid-2021 adopted in May 2020 to renew one more year its cyber sanctions regime, imposing targeted sanctions on people and entities taking action to prevent cyber-attacks that are a threat to the European Union member states, international organisations or third countries.