The Council of the European Union established a framework that allows the EU, for the first time, to impose “restrictive measures” – sanctions – on individuals and entities who carry out cyber attacks against it from outside the bloc. It said the aim of the new framework was to to “deter and respond to cyber-attacks that constitute an external threat to the EU or its member states.” It will also apply to cyber attacks on third states or international organisations “where restrictive measures are considered necessary to achieve the objectives of the Common Foreign and Security Policy (CFSP),” the EU stated.

It said the new rules will apply to cyber attacks that:

  • Originate or are carried out from outside the EU
  • Use infrastructure outside the EU
  • Are carried out by persons or entities established or operating outside the EU
  • Are carried out with the support of person or entities operating outside the EU

The EU said it could also impose sanctions for “attempted cyber-attacks with a potentially significant effect”.

What sanctions could the EU impose?

The EU said its “restrictive measures” included banning people from travelling to the EU, and freezing assets of individuals and entities. Additionally, they would be barred from receiving funds from EU citizens and entities.

EU leaders agreed to begin work on a new sanctions framework for the perpetrators of cyber attacks last October, per Sputnik News. This came after the Netherlands had reported an alleged attempt to hack the WiFi system of the Organisation for the Prohibition of Chemical Weapons.