European Union introduces new economic sanctions against cyber attacks


The regulatory framework

On 17 May 2019, the European Council issued Decision 2019/7299, “concerning restrictive measures against cyber-attacks threatening the Union or its Member States” (hereinafter “Decision”), which allows the European Union to impose targeted restrictive sanctions aimed at combating and discouraging cyber attacks where they pose a threat to the European Union or its Member States. These measures will also cover attacks against third States or international organizations, where these are deemed necessary to achieve common foreign and security policy objectives.

This is a provision that adds up to a wide range of other countermeasures that the European Union has put in place in recent years to implement the framework for the information security of the Member States that compose it, such as the NIS Directive and the Cybersecurity Act. This demonstrates an ever-increasing concern about the now disproportionate increase in malicious and particularly relevant conduct within cyberspace, aimed at undermining the integrity, security and economic competitiveness of the Union itself.

The adoption of the sanction mechanism has been promoted in particular by the Netherlands and the United Kingdom, already affected by the cyber attack against the Agency for the Prohibition of Chemical Weapons (Opac) last October and also affected by a growth of cyber attacks in recent months.


The Decision

As regards the substance of the provision, art. 1 of the Decision, in the first paragraph, states: ‘this Decision applies to cyber-attacks with a significant effect, including attempted cyber-attacks with a potentially significant effect, which constitute an external threat to the Union or its Member States’ and again, in the second paragraph, ‘Cyber-attacks constituting an external threat includes those which: (a) originate, or are carried out, from outside the Union; (b) use infrastructure outside the Union; (c) are carried out by any natural or legal person, entity or body established or operating outside the Union; or (d) are carried out with the support, at the direction or under the control of any natural or legal person, entity or body operating outside the Union”.

In the above mentioned article, the Council clarifies that the cyber attacks that will be affected by the new sanctions regime will be those characterized by “significant effects” and that come from, or are launched from, outside the European Union, utilize infrastructures outside the European Union, are carried out by persons or entities established or operating outside the European Union, or, are committed with the support of persons or entities operating outside the European Union.

In addition, it is specified how the sanctions will also affect “attempted” cyber attacks, which must in any case be qualified by a potentially significant effect.

It should be noted that Brussels does not provide a specific definition of ‘significant effects’ in this respect, which is fundamental to the characterization of the scope of application of the new sanction framework, with the exception of the statement contained in Article 3 of the measure in question, which is limited to providing a list of general features that may lead to this case. In this respect, the first paragraph states that ” the factors determining whether a cyber-attack has a significant effect as referred to in Article 1(1) includes any of the following: (a) the scope, scale, impact or severity of disruption caused, including to economic and societal activities, essential services, critical State functions, public order or public safety; (b) the number of natural or legal persons, entities or bodies affected; (c) the number of Member States concerned; (d) the amount of economic loss caused, such as as through large-scale theft of funds, economic resources or intellectual property; (e) the economic benefit gained by the perpetrator, for himself or for others; (f) the amount or nature of data stolen or the scale of data breaches; or (g) the nature of commercially sensitive data accessed”.

In fact, despite the aforementioned content of Article 3 of the Decision, it is not specified in the measure on what basis these elements will be assessed, both in qualitative and quantitative terms.


The sanctions

The decision is a binding act in all its elements, individual in scope, i.e. binding only on those to whom it is addressed.  When it imposes a pecuniary obligation on natural or legal persons, it constitutes for all intents and purposes an enforceable title within the meaning of Article 299 of the Treaty on the Functioning of the European Union.

This denotes the fact that, in order to implement the measure in question and to be able to offer adequate regulation for the protection of cyberspace, certain specifications relating to potential typing must be made. Nevertheless, it is considered fundamental that the European Union has decided to provide a regulatory framework to sanction not only individuals or organizations responsible for cyber attacks, but also those who finance them, assist them on a technological and technical level or are involved in various ways.

In this regard, going into the specifics of the sanctions, we can note that Articles 4 and 5 of the decision, in addition to indicating the extent of the sanction itself, provide a detailed list of the subjects affected by the latter, if they were in some way related to a case of cyber attack (even attempted).

In this regard, Article 4.1 of the Decision states: ‘Member States shall take the measures necessary to prevent the entry into, or transit through, their territories of: (a) natural persons who are responsible for cyber-attacks or attempted cyber-attacks; (b) natural persons who provide financial, technical or material support for or are otherwise involved in cyber-attacks or attempted cyber-attacks, including by planning, preparing, participating in, directing, assisting or encouraging such attacks, or facilitating them whether by action or omission; (c) natural persons associated with the persons covered by points (a) and (b)”.

It specifies that for actors, at various levels, of cyber attacks, there are real prohibitions of access and transit within a Member State, except for the cases of the following paragraphs. In particular, Article 4.2 of the Decision expresses the Council’s intention not to oblige a Member State to refuse access to its territory to its own nationals.

As far as the second sanction is concerned, art. 5.1 of the Decision states that ‘all funds and economic resources belonging to, owned, held or controlled by: (a) natural or legal persons, entities or bodies that are responsible for cyber-attacks or attempted cyber-attacks; (b) natural or legal persons, entities or bodies that provide financial, technical or material support for or are otherwise involved in cyber-attacks or attempted cyber-attacks, including by planning, preparing, participating in, directing, assisting or encouraging such attacks, or facilitating them whether by action or omission; (c) natural or legal persons, entities or bodies associated with the natural or legal persons, entities or bodies covered by points (a) and (b) – shall be frozen.

The Council therefore proposes a complete freeze on the assets of the persons concerned, irrespective of whether they are natural or legal persons or entities, and adds in the second paragraph that no funds or economic resources should be made available to them, either directly or indirectly.

In this sense, the European Union shows that it is increasingly aware of the fact that behind the proponents of cyber attacks there are real organizations, both private and potentially state-owned, which move important economic interests and therefore need to be continuously funded to ensure greater efficiency. To ensure a greater impact in the fight against the “antagonists” of cyberspace, the Union also considered it necessary to shift the focus to the economic sphere.


The possible implications

The framework that emerges is not dissimilar to that created by the United Nations Security Council to combat the financing of terrorist activities by entities linked to national States or parastatal agencies.

What is important to underline and that, moreover, fosters the parallelism with this normative framework, is the concrete possibility to reach an effective identification of the sources of financing, in the above mentioned case, and of attack, in the cases provided for by the Decision.

The attribution, whether related to money flows or cybersecurity attacks, is a challenging topic and subject of constant international debate.

There is no universally accepted definition for the concept of “attribution”, but it is comparable to a process for identifying the position of an attacker within a geographical area. The more sophisticated the attack and, consequently, the more nodes involved, the less it will be possible to identify with certainty the perpetrators of the attacks.

The Kadi 1 and Kadi 2 cases, the Al Dulimi case and, finally, the situation generated by the 1970 Resolution of the United Nations Security Council, have determined a situation of profound uncertainty with regard to the capacity to establish a correct attribution with regard to the financing of terrorist groups. Concluding the parallelism that has been made, therefore, it is easy to imagine how even more difficult it will be, for the European Union, to resolve the problem of attribution in the so-called fifth domain, that is, cyberspace.

Nevertheless, the European Union, through Article 9 of the Decision in question, which states that ” In order to maximise the impact of the measures set out in this Decision, the Union shall encourage third States to adopt restrictive measures similar to those provided for in this Decision”, seems to be fully aware of the difficulties, in terms of application, that the Decision may encounter.

In this sense, the European Union is once again demonstrating its growing maturity in protecting cyberspace, not only in the Old Continent, but also outside Europe, encouraging third countries to adopt restrictive measures similar to their own. This is not only with the aim of maximizing the impact of the latter, but also and above all, because in order to promote a common defense plan a global cooperation is necessary to protect a cyber space that offers more and more opportunities, and for this reason it becomes more and more dangerous.