Council extends cyber sanctions regime until 18 May 2021

The Council today adopted a decision extending for one more year, until 18 May 2021, the restrictive measures framework against cyber-attacks which threaten the EU or its member states.

The European Union will therefore keep its ability to impose targeted restrictive measures on persons or entities involved in cyber-attacks which cause a significant impact, and constitute an external threat to the EU or its member states. Restrictive measures can also be imposed in response to cyber-attacks against third states or international organisations where such measures are considered necessary to achieve the objectives of the Common Foreign and Security Policy (CFSP).

The underlying purpose remains that of deterring and responding to cyber activities directed against the EU or its member states. Restrictive measures include a ban on persons travelling to the EU, and an asset freeze on persons and entities. In addition, EU persons and entities are forbidden from making funds available to those listed.

The decision comes just a few days after a declaration of the European Union and its member states on malicious cyber activities which exploit the coronavirus pandemic that noted the EU’s determination to prevent, discourage, deter and respond to malicious cyber activities, including as a part of its wider response to the COVID-19 crisis.


Over recent years, the EU has scaled-up its resilience and ability to prevent, discourage, deter and respond to cyber threats and malicious cyber activities in order to safeguard European security and interests.

In June 2017, the EU has stepped up its response by establishing a Framework for a Joint EU Diplomatic Response to Malicious Cyber Activities (the “Cyber Diplomacy Toolbox“). The framework allows the EU and its member states to use all CFSP measures, including restrictive measures if necessary, to prevent, discourage, deter and respond to malicious cyber activities targeting the integrity and security of the EU and its member states.

More recently, in April 2019, the Council adopted a regulation called the ‘Cybersecurity Act’, which introduces a system of EU-wide certification schemes and an EU Agency for Cyber Security to take over from the existing European Union Agency for Network and Information Security.

The legal framework establishing the cyber sanctions regime was adopted in May 2019, creating the basis on which the EU can impose targeted restrictive measures to respond to cyber-attacks.

The EU remains committed to a global, open, stable, peaceful and secure cyberspace and therefore re-iterates the need to strengthen international cooperation in order to promote the rules-based order in this area.