On 17 May 2019, the EU adopted a brand new sanctions regime to deter and respond to cyber-attacks. This follows the adoption, in June 2018, by the European Council of conclusions outlining the necessity to strengthen the EU's ability to address cyber threats originating from outside the EU.
By Olivier Coulon | Loyens & Loeff, May 22, 2019
The new regime applies to cyber-attacks and attempted cyber-attacks having a significant or potentially significant effect and constituting a threat to the EU or its Member States. The cyber-attacks, which must have a nexus with non-EU territory to fall within the scope of the sanctions, are defined as actions involving (i) access to information systems; (ii) information system interference; (iii) data interference; or (iv) data interception.
Although the notion of a threat to the EU or its Member States is not defined, a non-exhaustive list of critical information systems is put forward, ranging from energy, transport or health infrastructures to critical State functions such as the defence sector or the organisation of elections, and the EU institutions.
The regime provides for well-known types of sanctions, i.e. the travel ban, the asset freeze and the prohibition on EU persons and entities making funds and economic resources available to those listed.
Interestingly, the rules provide for the ability to sanction not only persons and entities responsible for, or providing financial, technical or material support for, the cyber-attacks, but also any person or entity “otherwise involved in cyber-attacks […] by planning, preparing, participating in, directing, assisting or encouraging such attacks, or facilitating them whether by action or omission”. It is also possible to sanction “natural or legal persons, entities or bodies associated with [listed entities and individuals]”. This scope of application – ostensibly the broadest of all EU sanctions regimes – therefore seems to target not only positive actions, but also passive involvement by omission and simple association with a targeted person or entity.
One wonders whether such a broad scope of application – also covering omission and simple association – can withstand the test of primary EU law, notably the EU Charter of Fundamental Rights. There seems little doubt that this new regime has the potential to draw a lot of attention and comments.