The EU has introduced new powers to impose travel bans and freeze assets of individuals and entities that carry out cyber-attacks which constitute an external threat to the EU or its Member States.
From the alleged plot by Russian agents to hack the Organisation for the Prevention of Chemical Weapons last year, to the cyber-attack on the German Parliament in early 2019 and, most recently, a UN report claiming that North Korea has used cyberspace to launch attacks to steal funds from financial institutions of up to USD 2 billion, cyber-attacks aimed at undermining the security and economy of the EU are firmly in the EU’s sights.
This has now culminated in the adoption of Regulation 2019/796 on 17 May 2019. The Regulation introduces the power to impose sanctions which are intended to deter and respond to cyber-attacks that originate outside of the EU (those which originate within the EU are out of scope).
Which cyber-attacks fall within the scope of the new Regulation?
In order to attract sanctions, a cyber-attack must have, or potentially have, “a significant impact”. This will be determined by reference to the following factors:
- the scope, scale, impact or severity of the disruption;
- the number of people affected;
- the number of Member States concerned;
- the economic impact of the attack, particularly if it involves large scale theft of funds, economic resources or intellectual property;
- the economic benefit for the perpetrator;
- the scale of any data breaches; and/or
- the nature of any commercially sensitive data which is accessed.
Cyber-attacks are defined as actions involving unauthorised or illegal access to, or interference with/interception of, information systems or data.
The Council of the EU gives, as examples, attacks which affect information systems relating to:
- critical infrastructure, such as submarine cables and satellites;
- services related to the maintenance of energy, transport, banking and financial market, health, water supply or digital infrastructure sectors;
- state functions, such as defence, institutional governance (public elections and voting etc.), internal security, and international relations; or
- the storage or processing of classified information.
What is the scope of sanctions that can be imposed?
Cyber sanctions will target the individuals responsible for cyber-attacks and those who provide them with financial, technical or material support, along with their associates. Sanctions can also apply to companies incorporated or registered under the law of an EU Member State, or to other non-EU companies in respect of business done in whole or in part in the EU.
Enforcement involves unilateral measures to prevent the entry into and transit through Member States of targeted individuals and the freezing of all funds and economic resources of those targeted by the sanctions. The EU will also encourage third states to adopt similar restrictive measures.
The sanctions are country neutral and do not mention any specific third country. So far, no individuals or entities have been listed for sanction by the EU, and the Council will require unanimous approval to designate individuals or entities. It will be interesting to see how they are implemented, particularly against individuals who may be acting as proxies for third states. For example, in relation to the North Korean allegations mentioned above, the EU would not be able to list North Korea as a subject of cyber sanctions, but would instead need to identify the individuals or entities behind the attacks. This may be an extremely difficult task.
It is worth noting, though, that an EU Member State will not be obliged to refuse to allow its own nationals to enter its territory.
How will this affect companies operating in the EU?
Whilst there is no express restriction on dealing with sanctioned entities, the Regulation prohibits parties under EU jurisdiction from making funds or economic resources available to those listed as subject to sanctions. This may affect the performance of contracts, and should certainly be on the radar of compliance officers as the cyber sanction regime develops.
Whilst companies targeted by cyber-attacks will welcome the Regulation in principle, it will take some time before the efficacy and impact can be ascertained. In particular, it will be interesting to understand what extra resource, if any, the EU will dedicate to fighting cyber-crime.
The signs are positive. On 18 March 2019, the European Policy Centre published its paper “Responding to cyber-attacks: Prospects for the EU Cyber Diplomacy Toolbox“. That paper concluded that closer cooperation with the private sector should be pursued. Recommendations included strengthening cyber capabilities and improving detection. The EPC also advised that “To improve their defence mechanisms, EU member states should also increase their investment in cyber offensive capabilities”.
For the moment, however, the burden remains on companies to ensure that they are protected from cyber-attacks – with hefty potential fines under the Data Protection Act 2018, GDPR and / or NIS Regulations for those companies that have not taken adequate appropriate technical and organisational measures to protect themselves.