
New EU Framework to Target Malicious Cyber-Attacks from Outside the Union

By Stefan Tsakanakis, Evan Abrams, Simon Hirsbrunner & Guy Soussan
May 29, 2019

On 17 May 2019, the Council of the EU established a framework against external cyber-attacks which constitute an external threat to the EU or its Member States. The new rules, which reportedly follow a diplomatic push by the UK and the Netherlands, provide for a strong legal instrument to deter and respond to cyber-attacks against the EU or its Member States. The new framework enables the EU for the first time to impose sanctions against persons, entities and bodies because of cyber-attacks. While no names have been added to the sanctions list yet, the new mechanism is expected to allow the EU to move quickly in the future. However, the new framework does not help companies that are under attack. Victims of cyber-attacks are on their own when it comes to fighting off a cyber-attack.

Sanctions under the new framework are country neutral. In other words, they do not target specific third countries but specific malicious actors. Member States are free to make their own determinations with respect to the attribution of responsibility for cyber-attacks to third countries but such determinations have no impact on the EU sanctions.

The new rules cover cyber-attacks that have either been carried out or attempted, have a significant impact and

  • originate or are carried out from outside the EU;
  • use infrastructure outside the EU;
  • are carried out by persons, entities or bodies established or operating outside the EU; or
  • are carried out with the support of persons, entities or bodies operating outside the EU.

The framework allows the EU to deter and respond to cyber-attacks that constitute an external threat to Member States or the EU. Cyber-attacks may be considered a threat to Member States if they affect information systems relating to critical infrastructure, services necessary for the maintenance of essential social and/or economic activities, critical State functions, the storage or processing of classified information, or government emergency response teams. Cyber-attacks constituting a threat to the EU include those carried out against its institutions, bodies, offices and agencies, its delegations to third countries or to international organizations, its common security and defense policy (CSDP) operations and missions and its special representatives. Perhaps one of the most striking features of the new framework concerns cyber-attacks directed against third countries or international organizations. Under certain circumstances, the EU may intervene in support of such countries or organizations and apply sanctions in response to such cyber-attacks.

The new regime allows the EU for the first time to impose sanctions on persons, entities or bodies that are responsible for cyber-attacks or attempted cyber-attacks, who provide financial, technical or material support for such attacks or who are involved in other ways. Persons, entities or bodies associated with them may also be sanctioned.

Restrictive measures include travel bans. Member States shall take the measures necessary to prevent the entry into or transit through their territories of sanctioned persons. Furthermore, the new rules provide for an asset freeze on funds and economic resources of sanctioned persons, entities or bodies. Persons or organizations falling under EU jurisdiction are forbidden from making funds or economic resources available to or for the benefit of those listed.

It is important to note that the decision-making process leaves room for discretion in the sanctioning of cyber-attackers. The Council establishes and amends the sanctions lists only by a unanimous decision of EU Member States upon a proposal from any Member State or from the High Representative for Foreign Affairs and Security Policy. Thus, the outcome of the decision-making process will be pre-conditioned by the ability of the Member States to align their geopolitical interests. Persons, entities or bodies from third countries perceived as strategic allies may be less likely to be sanctioned than those from isolated rogue states.

The EU hopes to utilize the new framework as a benchmark for similar anti-cyber-attack measures by other jurisdictions worldwide. In order to maximize the impact of the restrictive measures, the EU will encourage third countries to adopt similar sanctions.

Similar regimes already exist in a number of jurisdictions, including in the United States where an executive order issued in 2015 (and amended in 2016) authorizes the imposition of blocking sanctions (i.e. asset freezing) against persons engaged in certain cyber-attacks. This includes certain activity aimed at harming, or having the effect of harming, US national security, foreign policy goals, or the US economy or financial system, as well as specific acts related to the stealing of “trade secrets.”

While the above US order covers certain cyber-attacks related to “interfering with or undermining election processes or institutions,” given the heightened concern in the United States regarding foreign election interference, the Trump Administration has recently issued an additional executive order authorizing blocking sanctions for a wide variety of election interference-related conduct, including certain cyber-based activities.

While worded differently, both the EU and US regimes are quite broad in nature and therefore are likely to cover most of the same conduct in their respective jurisdictions.

Evan Abrams

Evan Abrams counsels multinational corporations, financial institutions, and individuals on various international regulatory and compliance matters. He assists foreign and domestic companies in navigating national security reviews by the Committee on Foreign Investment in the United States (CFIUS). He has represented companies in industries including semiconductors, metals, and digital security. Evan’s anti-money laundering (AML) practice focuses on helping financial institutions comply with federal and state AML rules, particularly money transmitters and entities involved in creating, exchanging, or dealing in cryptocurrencies and tokens. Evan counsels clients in a variety of export controls and sanctions matters related to the Export Administration Regulations (EAR), International Traffic in Arms Regulations (ITAR), and various sanctions programs under US and international law. In addition, Evan routinely assists clients on anti-corruption investigations and enforcement actions.

Simon Hirsbrunner

Simon Hirsbrunner is a dual-qualified Swiss and German lawyer. His practice involves EU and Swiss regulatory compliance, including advice on economic sanctions against third countries such as Iran, Libya, Syria and Russia. He has particular experience in advising banks on EU and Swiss financial sanctions. Simon is also well-known for his trade policy advice on Swiss-EU relations and he has particular industry expertise in financial services, energy and aviation. He takes a particular interest in the trade policy consequences of Brexit and has published various papers on this topic. Prior to joining Steptoe, Simon occupied various positions in public administration, including the Swiss Federal Office of Justice, the European Commission and the European Free Trade Association – EFTA, bringing more than two decades of experience in EU affairs.

Guy Soussan

Guy Soussan advises clients on various aspects of EU and French export control regulations, including controls and licensing regimes for both military and commercial products and technologies. His export practice covers compliance development and implementation, internal investigations, and enforcement matters, including voluntary disclosures. He also provides advice and assistance with EU economic sanctions targeting specific countries such as Iran, Libya, Syria, and most recently, Ukraine and Russia. His experience covers a wide range of industries, including manufacturing, energy, telecommunications, banking and insurance, petroleum and petro-chemicals, aerospace, and defense. He has conducted internal compliance audits, provided assistance on company compliance programs, and counseled clients on the application of the rules to specific transactions.

  • Posted in:
    Corporate & Commercial, International
  • Blog:
    International Compliance Blog
  • Organization:
    Steptoe & Johnson LLP
