Home Knowledge Hopping on the Bandwagon: The Council of the European Union Imposes its First Sanctions for Cyber-attacks

Hopping on the Bandwagon: The Council of the European Union Imposes its First Sanctions for Cyber-attacks


On 30 July 2020, the Council of the European Union (Council) imposed the first ever sanctions under the Framework for a Joint EU Diplomatic Response to Malicious Cyber Activities (Cyber Diplomacy Toolbox) against six individuals and three entities.

Cyber Diplomacy Toolbox

The Council noted that, the Cyber Diplomacy Toolbox, which was established in June 2017, allows for targeted restrictive measures to be taken in response to cyber-attacks with a significant effect:

  • which constitute an external threat to the European Union (EU) or its member states; and/or
  • against third states or international organisations, where deemed necessary to achieve common foreign and security policy objectives set out in the relevant provisions of Article 21 of the Treaty on European Union.

The restrictive measures can be imposed on the persons or entities that are responsible for attempted or successful cyber-attacks, who provide financial, technical or material support for such attacks, or who are involved in other ways. Sanctions can also be imposed on associated persons and entities. These measures include travel bans, asset freezing and a prohibition on making funds available to specified persons and entities.

Council Decision and Sanctions Imposed

The Council found that the individuals and entities were responsible for, provided support for or were involved in, or facilitated various attempted and successful cyber-attacks, including the ‘WannaCry’, ‘NotPetya’ and ‘Operation Cloud Hopper’ attacks as well as the attempted attacks on the Organisation for the Prohibition of Chemical Weapons. These attacks caused significant damage and economic loss in the EU and beyond.

The sanctions imposed were a travel ban and asset freeze on the individuals and an asset freeze on the entities. There is also a prohibition on directly or indirectly making funds available to the listed individuals and entities.

The decision demonstrates the Council’s determination to protect the integrity, security, social-wellbeing and prosperity of our free and democratic societies, as well as the rules-based order and the solid functioning of its international organisations. The Council will continue to strengthen cooperation to advance international security and stability in cyberspace, increase global resilience and to raise awareness on cyber threats and malicious cyber activities. This decision demonstrates the Council’s commitment to protecting individuals and businesses in the EU.

INTERPOL, in its COVID-19 Cybercrime Analysis Report – August 2020, predict a further increase in cybercrime stemming from the vulnerabilities which relate to working from home, coronavirus themed scams and business email compromise schemes. INTERPOL expect a large spike in phishing activity when a COVID-19 vaccination becomes available.  We recommend that businesses should make their employees aware of these threats. To see our article on COVID-19: Protecting Your Business From Cybercriminals, click here.  

For expert assistance in relation to protecting your organisation and dealing with the legal implications of a cybersecurity or data breach please contact David Cullen, Leo Moore or your usual William Fry contact.


Contributed by Colin Russell.