The European fight against cybercriminals: ‘cyber sanctions’

The European Council recently added a group of hackers from Russia who are held responsible for the cyber-attack on the German Bundestag in 2015 to the so-called 'cyber sanction list'. The two individuals involved and the entity will be subject to restrictive measures.

The European Union's cyber sanctions regime is effective since 2019. The hacking attempt by a Russian military intelligence (GRU) team on the Organisation for the Prohibition of Chemical Weapons (OPCW) in The Hague, which was prevented by the Netherlands Defence Intelligence and Security Service on 13 April 2018, was one of the reasons why some EU countries, including the Netherlands, insisted on the possibility of so-called 'cyber sanctions'. The underlying aim is to increase the EU's resilience and ability to prevent, discourage, combat and respond to cyber threats and malicious cyber activities, so that European security and interests are protected.

The European legal framework for the regulation of cyber sanctions was adopted in May 2019. It forms the basis for issuing targeted restrictive measures in response to cyber-attacks. On 13 May 2019, all Member States of the European Union agreed to a European Sanctions List for Cybercriminals, after which the European Council adopted the Decision and the Regulation concerning restrictive measures against cyber-attacks threatening the Union or its Member States on 17 May 2019. The Council extended the framework for restrictive measures against cyber-attacks that threaten the EU or its Member States by 1 year, until 18 May 2021.

Under the sanctions regime, restrictive measures can include a ban on listed persons traveling to the EU, and an asset freeze. In addition, EU persons and entities are forbidden from making funds available to those listed. These sanctions seek to ensure a more secure EU cyberspace. Sanctions can be imposed on people regardless of where they live or what their nationality is, but only with the consent of all EU countries. A similar penal system already existed for people who are involved in an attack with chemical weapons, such as the one in Salisbury in early 2018.

With the recent addition of the Russian hacker group to this cyber sanction list, the total number of people sanctioned comes to twelve: eight individuals and four organizations. The recent extension of the framework for restrictive measures against cyber-attacks comes a few days after the declaration of the European Union, in which Member States condemn malicious cyber activities exploiting the coronavirus pandemic. It is a matter of time before more cybercriminals will be placed on the sanction list. With the European cyber-toolbox, the EU not only wants to restrain malicious actors in order to protect its interests and those of its member states, but also to continue its efforts to strengthen global cyber resilience.