Sanctions against cyber attacks

Description of the sanctions

The sanctions consist of travel restrictions and freezing of the assets of individuals, entities or bodies. Likewise, no funds may be made available to individuals or entities who are on lists of individuals against whom sanctions are targeted.

The sanctions regime is horizontal. Sanctions can thus be imposed against those who meet the criteria for inclusion on the list, regardless of their nationality or where they are located.

Travel restrictions

There is a ban on the entry into – and transit through – EU Member States for individuals and entities responsible for cyber attacks or attempted cyber attacks. The same restrictions apply to individuals who provide financial, technical or material support to – or are otherwise involved in – cyber attacks or attempted cyber attacks. This includes planning, preparing, participating in, directing, assisting, encouraging or facilitating such attacks, either through actions or neglect. The restrictions also apply to those associated with individuals, entities or bodies covered herein.

Competent authorities in each Member State may, in exceptional cases, grant entry and transit, for example to fulfil certain obligations under international law, on the basis of urgent humanitarian grounds, or to enable participation in international meetings and conferences.

Freezing of assets and prohibition on making funds available

All assets that are owned, held or controlled by individuals, entities or bodies that are directly responsible for cyber attacks or attempted cyber attacks must be frozen. Assets of individuals, entities or bodies that provide financial, technical or material support to – or are otherwise involved in – cyber attacks or attempted cyber attacks must also be frozen. This includes planning, preparing, participating in, directing, assisting, encouraging or facilitating such attacks, either through actions or neglect. This also applies to those associated with these individuals, entities or bodies. It is also prohibited to directly or indirectly make funds available to these individuals.

Competent authorities in each Member State may, in exceptional cases, grant the unfreezing of certain frozen assets or decide to make funds available.

Relevant EU documents

The restrictive measures were imposed through Council Decision (CFSP) 2019/797 of 17 May 2019 and Council Regulation (EU) 2019/796 of the same date.

Please refer to the EU sanctions map and EUR-Lex for updated information about applicable legal instruments.

Competent Swedish authorities

The Government has appointed the Swedish Social Insurance Agency, the Swedish Financial Supervisory Authority and the National Board of Trade as the competent authorities for the examination of various issues related to the restrictive measures concerning cyber attacks.

The Swedish Social Insurance Agency grants exemptions from the freezing of assets, but not for routine administration (see the Swedish Financial Supervisory Authority).

The Swedish Financial Supervisory Authority receives information about frozen accounts and grants exemptions from the freezing of assets for routine administration.

The National Board of Trade approves permits for exemption from the freezing of assets of non-natural persons (legal persons, entities and bodies), but not for routine administration (see the Swedish Financial Supervisory Authority).

Background to the sanctions

On 19 June 2017, the European Council adopted conclusions on a framework for a common diplomatic response to harmful IT activities (called the Cyber Diplomacy Toolbox), in which the Council expressed concern over the increasing ability and will of state and non-state actors to attempt to achieve their objectives by engaging in harmful IT activities. The Council confirmed the growing need to protect the privacy and security of the European Union, the Member States and their citizens against cyber threats and harmful IT activities. The purpose of the framework was – through foreign policy instruments – to prevent, avert and manage harmful acts in cyberspace, as a component of the Common Foreign and Security Policy.

On 28 June 2018, the European Council adopted conclusions in which the need to strengthen the capacity to manage cyber security threats from countries outside the EU was emphasised. The Council urged the institutions and Member States to implement the measures referred to in the Joint Communication by the Commission and the High Representative of the Union for Foreign Affairs and Security Policy, to increase resilience and strengthen the capacity to respond to hybrid threats, including the practical application of the Cyber Diplomacy Toolbox.

On 18 October, the European Council adopted conclusions urging continued efforts for capacity to respond to and deter cyber attacks through EU restrictive measures, with reference to the Council conclusions of 19 June 2017.

In light of this, the Council of the European Union adopted Decision (CFSP) 2019/797 on 17 May 2019. In the Decision (CFSP) 2019/797, a framework for targeted restrictive measures is established, to deter and respond to cyber attacks with a significant effect that constitute an external threat to the EU and its Member States.

If it is considered necessary to achieve the CFSP objectives in the relevant provisions in Article 21 of the Treaty on European Union, restrictive measures may – according to this Decision – also be applied as a response to cyber attacks with a significant effect on third countries or international organisations.