Malicious cyber-attacks: EU sanctions two individuals and one body over 2015 Bundestag hack

The Council today imposed restrictive measures on two individuals and one body that were responsible for or took part in the cyber-attack on the German Federal Parliament (Deutscher Bundestag) in April and May 2015. This cyber-attack targeted the parliament’s information system and affected its ability to operate for several days. A significant amount of data was stolen and the email accounts of several members of parliament, including that of Chancellor Angela Merkel, were affected.

Today’s sanctions consist of a travel ban and an asset freeze imposed on the individuals, and an asset freeze imposed on the body. In addition, EU persons and entities are forbidden from making funds available to those listed.

The Council’s decision means that a total of 8 persons and 4 entities and bodies have been targeted by restrictive measures in relation to cyber-attacks targeting the EU or its member states.

Sanctions are one of the options available in the Union’s framework for a joint diplomatic response to malicious cyber activities (the so-called cyber diplomacy toolbox), and are intended to preventdiscouragedeter and respond to continuing and increasing malicious behaviour in cyberspace.

The relevant legal acts, including the names of the individuals and the body concerned, have been published in the Official Journal.


The legal framework for restrictive measures imposed in response to cyber-attacks was put in place by the Council in May 2019 and first used in July 2020. The application of the sanctions regime is reviewed by the Council on a yearly basis, and was last extended until May 2021.

The EU remains committed to a global, open, stable, peaceful and secure cyberspace and therefore reiterates the need to strengthen international cooperation in order to uphold the rules‑based order in this area.