On 11 June 2019, the Cyber-Attacks (Asset-Freezing) Regulations 2019 (SI 2019/956) (the “U.K. Regulations”) come into force in the United Kingdom. The U.K. Regulations implement the domestic requirements of EU Regulation (2019/796), which sets out restrictive measures against cyber-attacks (i.e., malicious cyber activities) threatening the European Union or its Member States.
The U.K. Regulations apply to U.K. nationals or any body incorporated in the United Kingdom but also have extra-territorial effect for conduct (which includes acts and omissions) committed wholly or partly outside the U.K. by a U.K. national or body incorporated in the United Kingdom.
Interactions with funds or resources belonging to a “designated person” can trigger liability under the U.K. Regulations. The definition of a “designated person” is taken from EU Regulation (2019/796) and includes those who:
- (a) are responsible for cyber-attacks or attempted cyber-attacks;
- (b) provide financial, technical or material support for or are otherwise involved in cyber-attacks or attempted cyber-attacks, including by planning, preparing, participating in, directing, assisting or encouraging such attacks, or facilitating them whether by action or omission; or
- (c) are associated with the natural or legal persons, entities or bodies covered by points (a) and (b) of this paragraph.
The nature of the cyber-attack must be significant and originate or be carried out from outside the EU in order to fall within scope.
The U.K. Regulations prohibit:
- dealing with funds or economic resources owned, held or controlled by a designated person;
- making funds available to, or for the benefit of, a designated person; and
- making economic resources available (directly or indirectly) to a designated person.
Suspicion or having reasonable cause to suspect that any of the above will occur is enough to constitute an offence. Conviction of an offence under the U.K. Regulations can lead to a term of imprisonment or an unlimited fine.
It is possible to protect against liability by obtaining a licence from HM Treasury granting permission to deal with funds or resources linked with a designated person.
It is important to note that, as yet, no one is listed as a “designated person” under Annex 1 of EU Regulation (2019/796). This means that firms will need to monitor developments in this area to ensure they are not dealing with such persons. Firms should also review the situation following the U.K. leaving the EU as the U.K. may still seek to agree a position with the EU on this issue.