The Council of the European Union (the “EU Council”) today adopted a framework that would allow the European Union to impose targeted restrictive measures on persons or entities that are responsible for cyberattacks or attempted cyberattacks against the EU, a member state or even a third state or an international organisation. The framework targets cyberattacks of significant impact originated or carried out from outside the EU, using infrastructure outside the EU, by persons or entities established or operating outside the EU, or with the support of persons or entities operating outside the EU.
Available measures range from a travel ban to an asset freeze. They would be directed at those responsible for the attack—who provided financial, technical or material support for the attack or were otherwise involved. The framework will also have correlative effects for other EU persons or entities, which will be forbidden from making funds available to those individuals or entities subject to sanctions.