On 17 May, the EU Council established a framework which allows the EU to impose targeted restrictive measures to deter and respond to cyber-attacks which constitute an external threat to the EU or its Member States.
Such threats may include cyber-attacks against third states or international organisations where restricted measures are considered necessary to achieve the objectives of the Common Foreign and Security Policy.
Cyber-attacks falling within the scope of this new sanctions regime are those which have a significant impact and which:
- originate or are carried out from outside the EU, or
- use infrastructure outside the EU, or
- are carried out by persons or entities established or operating outside the EU, or
- are carried out with the support of persons or entities operating outside the EU.
Attempted cyber-attacks with a potentially significant effect are also covered by this sanctions regime.
Sanctions may also be imposed on persons or entities associated with them.
Restrictive measures include a ban on persons travelling to the EU, and an asset freeze on persons and entities. In addition, EU persons and entities are forbidden from making funds available to those listed.
Find out more