Access to European Union law
<a href="https://eur-lex.europa.eu/content/help/eurlex-content/experimental-features.html" target="_blank">More about the experimental features corner</a>
Choose the experimental features you want to try
EUR-Lex
Access to European Union law

This document is an excerpt from the EUR-Lex website

You are here
Use quotation marks to search for an "exact phrase". Append an asterisk (*) to a search term to find variations of it (transp*, 32019R*). Use a question mark (?) instead of a single character in your search term to find variations of it (ca?e finds case, cane, care).
Search tips
Need more search options? Use the Advanced search

Summaries of EU Legislation

EU restrictive measures against cyber-attacks

SUMMARY OF:

Decision (CFSP) 2019/797 — restrictive measures against cyber-attacks threatening the EU or its Member States

Regulation (EU) 2019/796 — restrictive measures against cyber-attacks threatening the EU or its Member States

WHAT ARE THE AIMS OF THE DECISION AND THE REGULATION?

Decision (CFSP) 2019/797 and Regulation (EU) 2019/796 introduce a framework which allows the European Union (EU) to impose sanctions to deter and respond to cyber-attacks1 constituting an external threat to the EU or to EU Member States. These cyber-attacks include those against third countries or international organisations where action is considered necessary to achieve the EU’s common foreign and security policy objectives.

KEY POINTS

Sanctions for listed persons and entities

  • This framework allows the EU to impose sanctions on persons or entities responsible for cyber-attacks or attempted cyber-attacks, who provide financial, technical or material support for such attacks or who are involved in other ways. Sanctions may also be imposed on persons or entities associated with them. Restrictive measures include bans on persons travelling to the EU, and asset freezing.
  • Persons subject to such sanctions will be listed in Annex I of Decision (CFSP) 2019/797, as identified by the Council of the European Union; all funds and economic resources belonging to, owned, held or controlled by any natural or legal person, entity or body listed in Annex I will be frozen.
  • Member States are responsible for setting out rules on penalties for infringements.

Cyber-attacks

The cyber-attacks falling within the scope of this new sanctions regime are those which have significant impact and which:

  • originate or are carried out from outside the EU; or
  • use infrastructure outside the EU; or
  • are carried out by persons or entities established or operating outside the EU; or
  • are carried out with the support of person or entities operating outside the EU.

Cyber-attacks which are a threat to Member States include those affecting information systems relating to:

  • critical infrastructure essential to the vital functions of society, or citizens’ health, safety, security, and economic or social well-being;
  • services necessary for essential social and economic activities, in particular energy, transport, banking; finance, healthcare, drinking water, digital infrastructure;
  • critical state functions, in particular defence, the governance and functioning of institutions, public elections, economic and civil infrastructure, internal security, and external relations, including diplomatic missions;
  • the storage or processing of classified information; or
  • government emergency response teams.

FROM WHEN DO THE DECISION AND THE REGULATION APPLY?

They have applied since .

BACKGROUND

A joint communication issued in June 2018 pointed out that activities by State and non-state actors such as cyber-attacks disrupting the economy and public services, through targeted disinformation campaigns, to hostile military actions continue to pose a serious and acute threat to the EU and to Member States. It identified areas where action should be intensified to further deepen and strengthen the EU contribution to addressing these threats, and called upon Member States and the European Commission to ensure swift follow-up.

In October 2018, in the wake of the cyber-attacks on the Organisation for the Prohibition of Chemical Weapons, the European Council adopted conclusions calling for measures to be drawn up to further strengthen the EU’s deterrence, resilience and response to hybrid, cyber as well as chemical, biological, radiological and nuclear threats. The Council was called upon to devise a sanctions regime specific to cyber-attacks.

For further information, see:

KEY TERMS

  1. Cyber-attacks: unauthorised actions involving access to and interference with information systems, data interference or data interception.

MAIN DOCUMENTS

Council Decision (CFSP) 2019/797 of concerning restrictive measures against cyber-attacks threatening the Union or its Member States (OJ L 129I, , pp. 13–19).

Successive amendments to Decision (CFSP) 2019/797 have been incorporated in the original text. This consolidated version is of documentary value only.

Council Regulation (EU) 2019/796 of concerning restrictive measures against cyber-attacks threatening the Union or its Member States (OJ L 129I, , pp. 1–12).

See consolidated version.

last update

Top