Sanctions Profile: Cyber-Attacks

At a glance

The EU adopted a new sanctions regime in May 2019 to deter and respond to malicious cyber activities on EU member states, third states and international organisations.

Subscribe for full access


UK post Brexit cyber sanctions regs published

The UK has published The Cyber (Sanctions) (EU Exit) Regulations 2020, which will come into force on “exit day” (currently 11pm on 31 December 2020). These regulations revoke The Cyber-Attacks (Asset-Freezing) Regulations 2019 (which currently implement the EU regime which targets those responsible for cyber-attacks on member states, third states or international organisations). “Relevant cyber-activity” that could be sanctionable under …


Third countries align with EU cyber sanctions

On 15 May 2020, the Council adopted Decision (CFSP) 2020/651 to renew for 1 year its cyber sanctions regime, which imposes targeted sanctions on people/entities to deter and respond to cyber-attacks constituting a threat to the EU member states, international organisations or third states. Turkey, Montenegro, Albania, Bosnia and Herzegovina, Iceland, Norway, Ukraine and Georgia have aligned themselves with this decision. Press …


Germany to seek EU sanctions on Russia for cyber-attack

The German Foreign Ministry has announced that it will ask the EU to invoke its cyber sanctions regime to impose sanctions (asset freezes and travel bans) on Russian people and/or entities responsible for the 2015 cyber-attack which targeted the German Parliament. The attack is believed to have been launched to gather intelligence data. Russian national Dmitri Badin, for whom the …

RussiaRussia Cyber-AttacksCyber-Attacks

EU Council renews cyber sanctions regime for 1 year

The EU Council has renewed its cyber-attack sanctions regime for 1 year until 18 May 2021. Under the regime, the EU can impose targeted sanctions (asset freezes and travel bans) on people or entities involved in cyber-attacks which cause a “significant impact” and constitute an “external threat” to EU member states, third states, or international organisations. The EU has not …


US continues malicious cyber activity sanctions for 1 year

In April 2015, the US adopted Executive Order 13694 (as amended), which declared a national emergency in respect of those engaging in “significant malicious cyber-enabled activities” originating from, or directed by, persons located outside of the US. The E.O. imposed asset freezing measures and travel restrictions. The US has renewed these sanctions for 1 year by continuing the national emergency …


Current Sanctions


Parent Regulation

Council Regulation (EU) 2019/796

Amended by:

Council Implementing Regulation (EU) 2020/1124

Parent Regulation

Council Decision (CFSP) 2019/797

Amended by:

Council Decision (CFSP) 2020/651

Council Decision (CFSP) 2020/1127

The Cyber-Attacks (Asset Freezing) Regulations 2019 (SI 2019/956)