Contributors

  • Aki Corsoni-Husain, Partner, Cyprus
  • George Apostolou, Partner, Cyprus
  • Chiara Deceglie, Partner, Luxembourg
  • Massimiliano della Zonca, Senior Associate, Luxembourg
  • Philip Graham, Partner, British Virgin Islands
  • Ayana Hull, Counsel, British Virgin Islands
  • Katerina Katsiami, Associate, Cyprus
  • Petros Kiteos, Associate, Cyprus
  • Andrew Knight, Partner, Luxembourg
  • Evi Koutsioumpa, Senior Associate, Luxembourg
  • Joshua Mangeot, Counsel, British Virgin Islands
  • Mirza Manraj, Counsel, Hong Kong
  • Elina Mantrali, Associate, Cyprus
  • Vanessa Molloy, Partner, Luxembourg
  • Andrea Moundi Savvides, Associate, Cyprus
  • Marina Stavrou, Associate, Cyprus
  • Matt Taber, Partner, Cayman Islands
  • Carolynn Vivian, Senior Associate, Cayman Islands

EU cyber-sanctions become a benchmark for the region (and beyond)

Recent developments across a number of otherwise unconnected legislatures and jurisdictions have confirmed the increasing global acceptance of cyber sanctions introduced by the EU in 2019.

Firstly, on 19 June 2020, the High Representative of the EU issued a declaration confirming the alignment of the following third countries with the EU’s cyber-sanctions regime:

  • EU Candidate Countries: Turkey, North Macedonia, Montenegro and Albania
  • EU potential Candidate Country: Bosnia and Herzegovina
  • EFTA Countries: Iceland and Norway (though not neutral Switzerland)
  • EU Associates: Ukraine and Georgia

The press release on the declaration can be found here.

Secondly, in March 2020 the UK extended the Union’s cyber sanctions regime to its Overseas Territories (UKOTs), covering key financial centres such as Bermuda, the Cayman Islands and the British Virgin Islands.

Our recent blog post on relevant UKOT developments is here.

Thirdly, the UK, in its explanatory memorandum to the Cyber (Sanctions) (EU Exit) Regulations 2020, has indicated that post-Brexit, i.e. from 2021 onwards, material elements of the Union’s regime will continue, save for the ability for the UK to make “autonomous” amendments as necessary.

More about EU cyber-sanctions

The legal framework establishing the cyber sanctions regime is contained in Council Regulation (EU) 2019/796 and Council Decision (EU) 2019/797, both enacted on 17 May 2019. The regime seeks to counter and deter cyber-attacks which constitute an external threat to the EU or its member states, including cyber-attacks against third States or international organisations. 

As with most EU sanctions regimes, a series of restrictive measures can be imposed by the Council on perceived bad actors. Measures include: travel bans to (and in) the EU; an asset freeze on listed persons and entities; and a prohibition on EU persons and entities making funds available to those listed.

The call for the EU to introduce an autonomous cyber-sanctions regime has a long and interesting history but was largely triggered following an attempted cyber-attack in October 2018 on the Organisation for the Prohibition of Chemical Weapons (OPCW). The OPCW is based in The Hague and was responsible for investigating chemical weapons attacks during the Syrian civil war and those on Sergei Skripal and his daughter in Salisbury (UK). Following the incident, the Netherlands accused Russia of the attempt and expelled four Russian GRU agents in response.

Renewal of the regime

Finally, the EU itself has once again validated the regime by extending its application for another year with the passing of Decision (CFSP) 2020/651 of 14 May 2020. The decision, adopted in May 2020, renews for one more year the cyber sanctions regime, which imposes targeted sanctions on people and entities in order to prevent cyber-attacks that are a threat to European Union member states, international organisations or third countries. The regime will come up for review in mid-2021.