The EU has just established a new legal framework for sanctions targeting malicious external cyber activities. Coming just days before the elections to the European Parliament on May 23 – 26, this is a novel sanctions regime with an intentionally broad reach. It is specifically designed to address cyber-attacks that undermine the bloc's integrity, security and economic competitiveness.
Cyber-attacks falling within the scope of the regime will be those which have "significant effect", taking into account factors that include the:
- Scope, scale, impact or severity of disruption caused, including to economic and societal activities;
- Amount of economic loss caused, including through damage to intellectual property;
- Amount or nature of data stolen; and
- Number of Member States or persons or entities affected. Importantly, this includes attacks on non-EU States and international organisations.
The cyber-attacks must represent an "external threat" to the EU and its members. This means that the attack must originate or be carried out from outside the EU, use infrastructure outside the EU, or be carried out or supported by persons or entities established or operating outside the EU.
Asset freezes will be imposed on responsible persons or entities, or on those that provide financial, technical or material support for the behaviour. The sanctions can apply to companies incorporated or registered under the law of a Member State, as well as to non-EU companies doing business in part in the EU. In addition, EU persons and entities (such as EU banks) will be forbidden from making funds available to those listed.
While no individual or entity has yet been listed (a process that would require unanimity from EU members), it is understood that the genesis of this regime is the result of substantial lobbying from the governments of the United Kingdom and the Netherlands. This follows intelligence that uncovered attacks targeting the Organisation for the Prohibition of Chemical Weapons, based in The Hague, after the attack in Salisbury last year.
This is the first framework in the world that seeks to use a sanctions regime to move against those responsible for actual or attempted cyber-attacks. It therefore remains to be seen how it will be applied in practice. For UK and EU-registered businesses, effective enforcement of this novel framework may prove invaluable in order to protect the integrity of their operations and intellectual property.