Back to EUR-Lex homepage

EUR-Lex Access to European Union law

Back to EUR-Lex homepage

This document is an excerpt from the EUR-Lex website

Use quotation marks to search for an "exact phrase". Append an asterisk (*) to a search term to find variations of it (transp*, 32019R*). Use a question mark (?) instead of a single character in your search term to find variations of it (ca?e finds case, cane, care).
Search tips
Need more search options? Use the Advanced search
You are here

Document 32019R0796

EU restrictive measures against cyber-attacks

Date of last review:
18/05/2022
Initial creation date:
27/03/2020
Author:
Publications Office of the European Union
Responsible entity(ies):
Council of the European Union

EU restrictive measures against cyber-attacks

 

SUMMARY OF:

Decision (CFSP) 2019/797 — restrictive measures against cyber-attacks threatening the EU or its Member States

Regulation (EU) 2019/796 — restrictive measures against cyber-attacks threatening the EU or its Member States

WHAT ARE THE AIMS OF THE DECISION AND THE REGULATION?

They introduce a framework which allows the EU to impose sanctions to deter and respond to cyber-attacks* constituting an external threat to the EU or to EU countries. These cyber-attacks include those against non-EU countries or international organisations where action is considered necessary to achieve the EU’s common foreign and security policy objectives.

KEY POINTS

Sanctions for listed persons and entities

  • This framework allows the EU to impose sanctions on persons or entities responsible for cyber-attacks or attempted cyber-attacks, who provide financial, technical or material support for such attacks or who are involved in other ways. Sanctions may also be imposed on persons or entities associated with them. Restrictive measures include bans on persons travelling to the EU, and asset freezing.
  • Persons subject to such sanctions will be listed in Annex I of Decision CFSP 2019/797, as identified by the Council; all funds and economic resources belonging to, owned, held or controlled by any natural or legal person, entity or body listed in Annex I will be frozen.
  • EU countries are responsible for setting out rules on penalties for infringements.

Cyber-attacks

The cyber-attacks falling within the scope of this new sanctions regime are those which have significant impact and which:

  • originate or are carried out from outside the EU; or
  • use infrastructure outside the EU; or
  • are carried out by persons or entities established or operating outside the EU; or
  • are carried out with the support of person or entities operating outside the EU.

Cyber-attacks which are a threat to EU countries include those affecting information systems relating to:

  • critical infrastructure essential to the vital functions of society, or citizens’ health, safety, security, and economic or social well-being;
  • services necessary for essential social and economic activities, in particular energy, transport, banking; finance, healthcare, drinking water, digital infrastructure;
  • critical state functions, in particular defence, the governance and functioning of institutions, public elections, economic and civil infrastructure, internal security, and external relations, including diplomatic missions;
  • the storage or processing of classified information; or
  • government emergency response teams.

FROM WHEN DO THE DECISION AND THE REGULATION APPLY?

They have applied since 18 May 2019.

BACKGROUND

A joint communication issued in June 2018 pointed out that activities by State and non-state actors such as cyber-attacks disrupting the economy and public services, through targeted disinformation campaigns, to hostile military actions continue to pose a serious and acute threat to the EU and to EU countries. It identified areas where action should be intensified to further deepen and strengthen the EU contribution to addressing these threats, and called upon EU countries and the Commission to ensure swift follow-up.

In October 2018, in the wake of the cyber attacks on the Organisation for the Prohibition of Chemical Weapons, the European Council adopted conclusions calling for measures to be drawn up to further strengthen the EU’s deterrence, resilience and response to hybrid, cyber as well as chemical, biological, radiological and nuclear threats. The Council was called upon to devise a sanctions regime specific to cyber-attacks.

See also:

KEY TERMS

Cyber-attacks: unauthorised actions involving access to and interference with information systems, data interference or data interception.

MAIN DOCUMENTS

Council Decision (CFSP) 2019/797 of 17 May 2019 concerning restrictive measures against cyber-attacks threatening the Union or its Member States (OJ L 129I, 17.5.2019, pp. 13-19)

Successive amendments to Decision (CFSP) 2019/797 have been incorporated in the original text. This consolidated version is of documentary value only.

Council Regulation (EU) 2019/796 of 17 May 2019 concerning restrictive measures against cyber-attacks threatening the Union or its Member States (OJ L 129I, 17.5.2019, pp. 1-12)

Successive amendments to Regulation (EU) No 2019/796 have been incorporated in the original text. This consolidated version is of documentary value only.

RELATED DOCUMENTS

Joint communication to the European Parliament, the European Council and the Council — Increasing resilience and bolstering capabilities to address hybrid threats (JOIN(2018) 16 final, 13.6.2018)

last update 18.05.2022

Top