Cyber sanctions: time to act

The Internet plays a vital role in our lives, which is why we need to protect ourselves against cyber-attacks. Today, the EU imposed its first-ever cyber sanctions, to defend its citizens and companies from cyber threats.


Not many inventions have changed the lives of people as much as the Internet. It removes geographical barriers, connects billions of people with multiple devices and allows for communication and commerce at a global scale. People all over the world benefit from it. If I compare the opportunities that the Internet offers to me today with those I had when I was 20 years old, the gap is staggering.

However, the open, accessible and interconnected Internet that brings freedom, enhances our well-being and spurs economic growth, is being misused. States and non-state actors alike have realised that cyberspace and the Internet in particular are powerful tools to pursue malicious activities, including fraud, extortion, data theft or money-laundering. Many will remember cyber-attacks like WannaCry and NotPetya, which affected computers worldwide. Or they have heard about the problem of cyber-enabled theft of commercially sensitive data of companies. The Internet has also become an arena for ideological battles, the spread of disinformation and the theft of intellectual property, with some states increasingly using it to curtail liberties and advance their geopolitical goals.

So cyber threats are on the rise and in permanent evolution. A cyber-attack can leave a country crippled within seconds, causing electricity blackouts or navigational disruptions for international air and maritime transport. We see governments and political systems being destabilised through cyber-attacks and electoral interference. Its effects can be significant and irreversible, harming millions of people and putting the security and stability of our societies are at risk. This unfortunately is today's reality. And we have even seen this happening during the Coronavirus pandemic, with attacks against hospitals and data centres, putting peoples’ lives as risk.

As EU we prioritise international cooperation and dialogue to tackle these malicious activities. In particular, we believe that respect for international law and the continued work in the United Nations on norms of responsible state behaviour is essential to maintaining international security and stability in cyberspace. However, some actors seem to undermine this important work and the achievements of the international community to date. This is unacceptable. We have repeatedly signalled our concerns and condemned these malicious cyber activities, warning those that undertake these activities, both publicly and privately.

Since 2017, the EU has put in place a comprehensive cyber diplomacy toolbox to prevent, deter and respond to malicious behaviour in cyberspace. One of its tools is the EU autonomous cyber-sanctions regime, adopted in 2019, which makes it possible to apply restrictive measures to persons and entities involved in significant cyber-attacks threatening the EU or its member states, regardless of nationality or the location of the perpetrator. Listings are also possible for attempted cyber-attacks, as well as for cyber-attacks against third states or international organisations. The restrictive measures are a travel ban and/or asset freeze. Moreover, EU persons and entities are forbidden from making funds available to those listed.

Today, for the first time, we have decided to make use of this sanctions regime by imposing travel bans and assets freezes against six individuals as well as assets freezes against three entities or bodies. They were involved in significant cyber-attacks, or attempted cyber-attacks against the EU and its member states.  These individuals and entities have been involved in cyber-attacks against companies located in the EU, such as those known as WannaCry, NotPetya, Operation Cloud Hopper or the attempted cyber-attack against the Organisation for the Prohibition of Chemical Weapons (OPCW).

Today, for the first time, we have decided to make use of this sanctions regime by imposing travel bans and assets freezes against six individuals as well as assets freezes against three entities or bodies.

These targeted measures will ensure that those individuals and entities are held accountable for their actions. They send a strong message to the world that we will not tolerate such cyber-attacks: we have the tools to protect ourselves and the determination to use them.

We will of course continue to push for international cooperation to build a global, open, stable, peaceful and secure cyberspace, including by reducing the ability of potential perpetrators to misuse cyberspace. For decades, the EU has invested significantly in increasing global cyber resilience and tackle cybercrime through our capacity building programmes - and we will continue to do so. Advancing international security and stability will remain our priority so that everyone can reap the benefits that the Internet and the use of technologies provide.

Everyone has a responsibility and we call on all actors to step up efforts to prevent cyber-attacks from happening. With today’s decision, the EU has shown it is ready to do its part and the wider efforts continue.   


HR/VP box
HR/VP Josep Borrell cartoon

“A Window on the World” – by HR/VP Josep Borrell

Blog by Josep Borrell on his activities and European foreign policy. You can also find here interviews, op-eds, selected speeches and videos.