First EU cyber sanctions go live


The EU ventured into new territory on 31 July 2020 by imposing its first ever cyber-sanctions under Council Regulation (EU) 2019/796 of 17 May 2019 ("EU-Cyber Sanctions Regulation"). The new sanctions regime is part of the comprehensive "cyber diplomacy toolbox" which the EU has been developing since 2017.

The original regulation imposed sanctions on persons and entities listed in an Annex, which, until now, had no content, meaning the regulation was essentially ineffective.

The EU and its Member States have long been concerned by the threat of cyber-attacks and the harm they may cause to public interests and infrastructure. As a result, six individuals and three entities who have been involved in successful or attempted cyber-attacks against the EU or its Member States have now been added to the Annex.

Sanctions target specific cyber-attacks

The EU has singled out several specific cyber-attacks attributed to Chinese, Russian and North Korean individuals or entities, who have been listed because of their alleged involvement in "Operation Cloud Hopper", "WannaCry", "NotPetya" and "Eternal Petya". Reference is also made to an attempted cyber-attack against the OPCW (Organisation for the Prohibition of Chemical Weapons) as well as cyber theft in the financial sector.

Financial sanctions

Individuals and entities listed in Annex I to the regulation are now subject to the usual so-called "financial sanctions" of the EU. These financial sanctions consist of two elements: (i) an "asset freeze" blocking bank accounts and other assets of the listed individuals and entities in the EU, and (ii) a prohibition on directly or indirectly making funds or economic resources available to the listed individuals and entities.

It is important to recall that the financial sanctions do not just apply to the persons and entities listed in the Annex, but also to entities which are owned or controlled by the listed persons or entities, even if such owned or controlled entities are not listed.

In a recently issued opinion, the EU Commission clarified that neither the prohibition on making funds available nor the asset freeze is limited to the persons and entities actually listed; both extend to entities owned or controlled by listed persons or entities.

New additions to the Annex are only the first step

Given the worldwide increase in cyber-attacks, we expect that going forward the EU will add further individuals and entities to the list, as announced in a press release stating that it will continue cooperation to "advance international security and stability in cyberspace", "increase global resilience" and "raise awareness on cyber threats and malicious cyber activities".

What should companies do now?

Companies should update their internal sanctions compliance system and ensure compliance with the export control rules. The consolidated list of persons, entities or bodies with which EU companies may no longer do business runs to almost 500 pages and is very extensive. There are also further EU sanctions against around 30 countries which restrict trading.

Non-compliance with sanctions may result in fines, but it may also carry the risk of prison sentences for individuals and managers. Export control compliance should therefore be a top priority in any compliance programme.

Kai Neuhaus and Moritz Pottek advise on EU sanctions and restrictive measures and other trade related compliance issues from our EU Law Office in Brussels.