Council of the European Union, 30 July 2020
This past July, the Council of the European Union announced Council Decision (CFSP) 2020/1127 of 30 July 2020 amending Decision (CFSP) 2019/797 concerning restrictive measures against cyber-attacks threatening the Union or its Member States.
For the first time, the Council used the “options available in the EU’s cyber diplomacy toolbox to prevent, deter and respond to malicious cyber activities directed against the EU or its member states,” placing restrictive measures on six individuals and three entities responsible for or involved in various attacks, including an attempted attack against the Organisation for the Prohibition of Chemical Weapons as well as WannaCry, NotPetya, and Operation Cloud Hopper. The sanctions consist of “a travel ban and an asset freeze. In addition, EU persons and entities are forbidden from making funds available to those listed.”
In 2017, EU foreign affairs ministers endorsed the development of a European diplomatic framework, the Framework for a Joint EU Diplomatic Response to Malicious Cyber Activities, also known as the Cyber Diplomacy Toolbox. On 17 May 2019, the Council officially established the framework, which gives the EU the ability to deter and respond to cyber attacks that “constitute an external threat to the EU or its member states, including cyber-attacks against third States or international organisations where restricted measures are considered necessary to achieve the objectives of the Common Foreign and Security Policy (CFSP).”
The purpose of the toolbox is to “develop signalling and reactive capacities at an EU and member state level with the aim to influence the behaviour of potential aggressors, taking into account the necessity and proportionality of the response.”
The Toolbox confirms the EU’s recognition of the opportunities that cyberspace provides, while at the same time noting the growing need to protect the EU against cyber threats carried out by both state and non-state actors and the importance of keeping “cyberspace open, free, stable and secure where fundamental rights and the rule of law fully apply.”
Both attempted attacks with a potentially significant effect and those which are considered to have a significant effect are within the scope of sanctions, including those that:
- originate or are carried out from outside the EU;
- use infrastructure outside the EU;
- are carried out by persons or entities established or operating outside the EU; or
- are carried out with the support of persons or entities operating outside the EU.