Document 32026R1078

Council Implementing Regulation (EU) 2026/1078 of 11 May 2026 implementing Regulation (EU) 2019/796 concerning restrictive measures against cyber-attacks threatening the Union or its Member States

ST/7283/2026/INIT

OJ L, 2026/1078, 12.5.2026, ELI: http://data.europa.eu/eli/reg_impl/2026/1078/oj (BG, ES, CS, DA, DE, ET, EL, EN, FR, GA, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)

Legal status of the document: In force

Official Journal of the European Union

EN, L series

2026/1078

12.5.2026

COUNCIL IMPLEMENTING REGULATION (EU) 2026/1078

of 11 May 2026

implementing Regulation (EU) 2019/796 concerning restrictive measures against cyber-attacks threatening the Union or its Member States

THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Council Regulation (EU) 2019/796 of 17 May 2019 concerning restrictive measures against cyber-attacks threatening the Union or its Member States (1), and in particular Article 13 thereof,

Having regard to the proposal from the High Representative of the Union for Foreign Affairs and Security Policy,

Whereas:

(1) On 17 May 2019, the Council adopted Regulation (EU) 2019/796.

(2) The Council has reviewed the list of natural and legal persons, entities and bodies in Annex I to Regulation (EU) 2019/796. On the basis of that review, the reasons for including four persons and one entity in the list of natural and legal persons, entities and bodies subject to restrictive measures should be updated.

(3) Annex I to Regulation (EU) 2019/796 should therefore be amended accordingly,

HAS ADOPTED THIS REGULATION:

Article 1

Annex I to Regulation (EU) 2019/796 is amended in accordance with the Annex to this Regulation.

Article 2

This Regulation shall enter into force on the day following that of its publication in the Official Journal of the European Union.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Brussels, 11 May 2026.

For the Council

The President

K. KALLAS


(1) OJ L 129 I, 17.5.2019, p. 1, ELI: http://data.europa.eu/eli/reg/2019/796/oj.


ANNEX

Annex I to Regulation (EU) 2019/796 is amended as follows:

(1) under the heading ‘A. Natural Persons’, entries 1, 2, 13 and 14 are replaced by the following corresponding entries:

Name | Identifying information | Reasons | Date of listing

‘1. GAO Qiang

Date of birth: 4 October 1983

Place of birth: Shandong Province, China

Address: Room 1102, Guanfu Mansion, 46 Xinkai Road, Hedong District, Tianjin, China

Nationality: Chinese

Gender: male

Gao Qiang is linked to the “APT10” (“Advanced Persistent Threat 10”) umbrella (a.k.a. “Red Apollo”, “CVNX”, “Stone Panda”, “MenuPass” and “Potassium”), and has been involved in “Operation Cloud Hopper”, a series of cyber-attacks with a significant effect originating from outside the Union and constituting an external threat to the Union or its Member States and of cyber-attacks with a significant effect against third States.

“Operation Cloud Hopper” has targeted information systems of multinational companies in six continents, including companies located in the Union, and gained unauthorised access to commercially sensitive data, resulting in significant economic loss.

Gao Qiang is associated with APT10 command and control infrastructure. Moreover, Huaying Haitai, a company used by APT10, and designated for providing support to and facilitating “Operation Cloud Hopper”, employed Gao Qiang. He is also associated with Zhang Shilong, who is linked to APT10 and who has also been employed by Huaying Haitai.

Date of listing: 30.7.2020

2. ZHANG Shilong

Date of birth: 10 September 1981

Place of birth: China

Address: Hedong, Yuyang Road No 121, Tianjin, China

Nationality: Chinese

Gender: male

Zhang Shilong is linked to the “APT10” (“Advanced Persistent Threat 10”) umbrella (a.k.a. “Red Apollo”, “CVNX”, “Stone Panda”, “MenuPass” and “Potassium”), and has been involved in “Operation Cloud Hopper”, a series of cyber-attacks with a significant effect originating from outside the Union and constituting an external threat to the Union or its Member States and of cyber-attacks with a significant effect against third States.

“Operation Cloud Hopper” has targeted information systems of multinational companies in six continents, including companies located in the Union, and gained unauthorised access to commercially sensitive data, resulting in significant economic loss.

Zhang Shilong is associated with APT10, including through the malware he developed and tested in connection with the cyber-attacks carried out by APT10.

Moreover, Huaying Haitai, a company used by APT10, and designated for providing support to and facilitating “Operation Cloud Hopper”, employed Zhang Shilong.

He is associated with Gao Qiang, who is linked to APT10 and who has also been employed by Huaying Haitai.

Date of listing: 30.7.2020

13. Mikhail Mikhailovich TSAREV

Михаил Михайлович ЦАРЕВ

Date of birth: 20.4.1989

Place of birth: Serpukhov, Russian Federation

Nationality: Russian

Address: Serpukhov

Gender: male

Mikhail Mikhailovich Tsarev took part in cyberattacks with a significant effect, which constitute an external threat to EU Member States.

Mikhail Mikhailovich Tsarev, also known by the online monikers “Mango”, “Alexander Grachev”, “Super Misha”, “Ivanov Mixail”, “Misha Krutysha”, and “Nikita Andreevich Tsarev” is a key-player in the deployment of the “Conti” and “Trickbot” malware programs and is involved in the Russia-based threat group “Wizard Spider”. Wizard Spider continues to evolve and intensify its operations.

The Conti and Trickbot malware programs were created and developed by Wizard Spider. Wizard Spider has conducted ransomware campaigns in a variety of sectors, including essential services such as health and banking.

The group has infected computers worldwide and their malware has been developed into a highly modular malware suite. Campaigns by Wizard Spider, using malware such as Conti, “Ryuk” TrickBot or Black Basta, are responsible for substantial economic damage in the European Union.

Mikhail Mikhailovich Tsarev is therefore involved in cyberattacks with a significant effect, which constitute an external threat to the Union or its Member States.

Date of listing: 24.6.2024

14. Maksim Sergeevich GALOCHKIN

Максим Сергеевич ГАЛОЧКИН

Date of birth: 19.5.1982

Place of birth: Abakan, Russian Federation

Nationality: Russian

Gender: male

Maksim Galochkin took part in cyberattacks with a significant effect, which constitute an external threat to EU Member States.

Maksim Galochkin is also known by the online monikers “Benalen”, “Bentley”, “Volhvb”, “volhvb”, “manuel”, “Max17” and “Crypt”. Galochkin is a key player in the deployment of the “Conti” and “Trickbot” malware programs and is involved in the Russia-based threat group “Wizard Spider”. He has led a group of testers, with responsibilities for the development, supervision, and implementation of tests for the TrickBot malware program, created and deployed by Wizard Spider. Wizard Spider continues to evolve and intensify its operations.

Wizard Spider has conducted ransomware campaigns in a variety of sectors, including essential services such as health and banking. The group has infected computers worldwide and their malware has been developed into a highly modular malware suite. Campaigns by Wizard Spider, using malware such as Conti, “Ryuk” TrickBot or Black Basta, are responsible for substantial economic damage in the European Union.

Maksim Galochkin is therefore involved in cyberattacks with a significant effect, which constitute an external threat to the Union or its Member States.

Date of listing: 24.6.2024’;

(2) under the heading ‘B. Legal persons, entities and bodies’, entry 1 is replaced by the following:

Name | Identifying information | Reasons | Date of listing

‘1. Tianjin Huaying Haitai Science and Technology Development Co. Ltd (Huaying Haitai)

a.k.a.: Haitai Technology Development Co. Ltd

Location: Tianjin, China

Huaying Haitai provided financial, technical or material support for and facilitated “Operation Cloud Hopper”, a series of cyber-attacks with a significant effect originating from outside the Union and constituting an external threat to the Union or its Member States and of cyber-attacks with a significant effect against third States.

“Operation Cloud Hopper” has targeted information systems of multinational companies in six continents, including companies located in the Union, and gained unauthorised access to commercially sensitive data, resulting in significant economic loss.

The actor publicly known as “APT10” (“Advanced Persistent Threat 10”) (a.k.a. “Red Apollo”, “CVNX”, “Stone Panda”, “MenuPass” and “Potassium”) carried out “Operation Cloud Hopper”.

Huaying Haitai can be linked to APT10. Moreover, Huaying Haitai employed Gao Qiang and Zhang Shilong, who are both designated in connection with “Operation Cloud Hopper”. Huaying Haitai is therefore also associated with Gao Qiang and Zhang Shilong.

Date of listing: 30.7.2020’.


ISSN 1977-0677 (electronic edition)
