On May 14, 2020, the Council of the European Union (the "EU Council") announced its decision to extend the sanctions regime on persons involved in cyberattacks (or attempted cyberattacks) targeting the EU, a member state, a third state or an international organization (the "Sanctions Regime") for a year, i.e., until May 18, 2021.

The Sanctions Regime was adopted in May 2019 by the EU Council as one of the steps to strengthen EU cyber-resilience capabilities.[1] Sanctions are typically asset freezes for those responsible for the attack and a prohibition on EU persons or entities making funds available to these persons. These sanctions are subject to certain limited exceptions, which are common across other EU asset freeze regimes. Targeted individuals are additionally subject to travel bans, meaning that a member state must prevent these individuals from entering or transiting its territory.

With this extension, the EU keeps the ability to act against those engaged in, associated with, or providing financial, technical or material support for cyberattacks or attempted cyberattacks that have or would have a significant impact on and pose an external threat to the EU or its member states. Attacks that could trigger these sanctions would include those that (i) originated or were carried out from outside the EU; (ii) used infrastructure outside the EU; and (iii) were conducted by or with the support of persons or entities established or operating outside the EU.

Although the Sanctions Regime has not yet been applied,[2] its one-year extension comes at a time when it might be needed more than ever. Indeed, cyberattacks and malicious cyber activities exploiting the COVID-19 outbreak are flourishing in Europe as well as globally, targeting, among many others, essential operators in the EU member states, including operators in the health care sector.


[1] For our comments on the initial sanction regime, check out our previous Legal Update.

[2] The first and only attempt publicly disclosed so far dates back to February 2020 and, according to publicly available information, considered targeting Russian and Chinese entities, although the actual incidents involved were not disclosed.

Originally published May 20, 2020


© Copyright 2020. The Mayer Brown Practices. All rights reserved.