cyber-security 21 May 2020

European Council extends cyber sanctions regime for one year

The European Council (‘EC’) has extended its restrictive measures framework against cyber attacks until 18 May of next year. This means the EU will retain its ability to impose targeted restrictive measures on any person or entity involved in cyber attacks that cause a significant impact and constitute an external threat to the EU or its Member States.

‘Restrictive measures can also be imposed in response to cyber attacks against third states or international organisations where such measures are considered necessary to achieve the objectives of the Common Foreign and Security Policy (‘CFSP’),’ the Council said.

‘The underlying purpose remains that of deterring and responding to cyber activities directed against the EU or its member states. Restrictive measures include a ban on persons travelling to the EU, and an asset freeze on persons and entities. In addition, EU persons and entities are forbidden from making funds available to those listed,’ it added.

The decision comes just a few days after a declaration by the European Union and its Member States on malicious cyber activities that exploit the coronavirus pandemic. That declaration noted the EU’s determination to prevent, discourage, deter and respond to malicious cyber activities, including as a part of its wider response to the Covid-19 crisis.

In June 2017, the EU established the Framework for a Joint EU Diplomatic Response to Malicious Cyber Activities, allowing the EU and its Member States to use all CFSP measures, including necessary restrictive measures ‘to prevent, discourage, deter and respond to malicious cyber activities targeting the integrity and security of the EU and its member states.’

In April last year, the Council adopted the Cybersecurity Act, which introduced a system of EU-wide certification schemes and the EU Agency for Cyber Security to take over from the existing European Union Agency for Network and Information Security.