EU adopts new sanctions framework targeting external cyber-attacks

Authors: Susannah Cogman, Daniel Hudson and Hannah Lau

On 17 May, the EU adopted legislation which will enable it to impose sanctions against persons and entities who engage in cyber-attacks against the EU and its member states. The sanctions will be designed “to deter and respond to cyber-attacks with a significant effect which constitute an external threat to the EU and its Member States”. The new regime underlines a clear commitment by the EU to continue to strengthen its capability to address its “[concern] at the rise of malicious behaviour in cyberspace”.

BACKGROUND

In recent years, the EU has taken a series of actions to tackle cyber threats. On 19 June 2017, the EU developed a framework for a joint response to malicious cyber threats (known as the “Cyber Diplomacy Toolbox”), and subsequent implementing guidelines envisaged sanctions as one of the tools available. The timing of the announcement of the new regime is also notable given its proximity to the EU Parliament elections which started on 23 May.

Reported concerns amongst officials from the EU and certain member states in the past have related to hacking incidents or threats linked to China, Russia and North Korea. However, the legislation explicitly states that the imposition of sanctions against a person or entity does not amount to attribution of responsibility to a third state, which is a political decision.

SCOPE OF THE SANCTIONS REGIME

The sanctions will target persons involved in cyber-attacks with a significant effect which constitute an external threat to the EU and/or its member states. The regime also covers attempted attacks with a potentially significant effect.

“External”

Cyber-attacks constituting an external threat include those which:

  1. originate, or are carried out, from outside the EU;
  2. use infrastructure outside the EU;
  3. are carried out by any person or entity established or operating outside the EU; or
  4. are carried out with the support, at the direction of or under the control of any person or entity operating outside the EU.

“Threat to member states or the EU”

Attacks which are a threat to member states are envisaged to be cyber-attacks targeting: (a) critical infrastructure; (b) social and economic services (such as in the energy, health and financial markets sector); (c) critical state functions (such as areas of defence and public elections); and (d) classified information.

Threats to the EU include cyber-attacks carried out against its various institutions and its common security and defence policy (“CFSP”). The legislation also reserves the right to apply sanctions in relation to cyber-attacks against third States and international organisations where deemed necessary to achieve CFSP objectives, giving it a potentially broad scope.

“Significant effect”

Whether an attack has a “significant effect” will depend on a range of factors including the scale of disruption, the number of persons or entities concerned, the loss caused, and the nature of the data stolen.

Who can be penalised

There is a broad scope for those who could be listed. The sanctions could target individuals or entities who:

  1. carry out (attempted) cyber-attacks;
  2. provide financial, technical or material support for such attacks including facilitating such attacks by action or omission; or
  3. are associated with those in 1 or 2 above.

The type of sanctions imposed

The sanctions available will include a ban on any listed persons from travelling to the EU and asset freezes. EU persons and entities will also be forbidden from making funds or economic resources available directly or indirectly to those listed.

PRACTICAL CONSIDERATIONS

The new regime emphasises the continuing willingness of the EU to use sanctions to address concerns, and is similar to recent EU sanctions aimed at targeting the use of chemical weapons. While no one has yet been listed under this framework, there is a continuing need for companies to ensure that they have thorough, up-to-date and ongoing screening to identify any listed persons they might directly or indirectly deal with.

It is noted that the UK government has said that in the event of a “no deal” Brexit, it will look to carry over all EU sanctions through regulations made under the Sanctions and Anti-Money Laundering Act 2018, in order to ensure a smooth transition. These UK regulations will come into force on 11 June 2019.

Susannah Cogman
Partner, London
+44 20 7466 2580
Daniel Hudson
Partner, London
+44 20 7466 2470
Hannah Lau
Associate, London
+44 20 7466 2314

Andrew Moir
Partner, London
+44 20 7466 2773
Elena Hogg
Associate, London
+44 20 7466 2590

The month ahead in financial services regulatory developments…

In this blog post, we round up forthcoming developments in the UK and at EU and international levels in financial services regulation for June 2019.

8-9 Jun
  • G20 ministerial meetings:
    • finance ministers and central bank governors (Fukuoka, Japan)
    • trade and digital economy (Tsukuba, Japan)
29 Jun
  • Deadline for responses to the European Securities and Markets Authority (ESMA) CP on ELTIF RTS

Corporate Crime Update – Winter 2019

Welcome to the Winter 2019 edition of our corporate crime update – our round-up of developments in relation to corruption, money laundering, fraud, sanctions and related matters. Our update now covers a number of jurisdictions.

For the full update on each jurisdiction, please click on the name of the jurisdiction below. Below we provide a brief overview of what is covered in each update.


Anti-money laundering regulatory round-up

Author: Susannah Cogman

Late 2018 and early 2019 saw a flurry of regulatory developments and proposals relating to anti-money laundering. We have reported on these in brief in our regular corporate crime updates, but for those who have been – for example – too immersed in Brexit to read the underlying documents in detail, we have taken this opportunity to bring together an overview of, and commentary on, a number of recent anti-money laundering/counter-terrorist financing (“AML/CTF”) developments. In particular, we discuss in this briefing:

  • the FCA’s report on data submitted in the first annual financial crime data return;
  • recent developments in the EU’s list of high risk third countries;
  • amendments to compliance requirements in respect of anonymous safety deposit boxes;
  • the FCA’s thematic review on money laundering risks in the e-money sector;
  • a Decision Notice issued by the FCA to a CEO for failings in his oversight of his bank’s AML systems and inadequate supervision of the MLRO to whom he had delegated relevant responsibilities;
  • proposals relating to money laundering supervision in the EU;
  • the FATF’s Mutual Evaluation Review of the UK;
  • FATF guidance on a risk-based approach to the securities sector;
  • other FATF developments of interest, in particular in relation to virtual assets;
  • reform of the UK Suspicious Activity Reporting regime;
  • a recent RUSI paper on the scale of money laundering in the UK;
  • AML-related amendments to the Financial Crime Guide (FC), following consultation GC 18/1; and
  • an overview of the current position regarding AML compliance post-Brexit, in the event of a no-deal exit.

Please click here to read our full briefing.


#MAR_bitesize

Managers' Transactions – Restrictions and Notification Requirements

As was the case under the previous market abuse regime, MAR imposes various obligations on persons discharging managerial responsibility (PDMRs) in listed companies in respect of their dealings in the securities of the company to which they are connected.

Notification requirement


Market abuse update – July 2016

The Market Abuse Regulation (MAR) and the Criminal Sanctions (Market Abuse) Directive came into application in Europe on 3 July 2016.  Various outstanding pieces of secondary legislation were published in the Official Journal shortly before then, and further material has emerged since 3 July. ESMA published final form guidelines in relation to delay in disclosure of inside information and market soundings and an updated MAR Q&A document on 13 July, and on 26 July, its final report on Draft Implementing Technical Standards on sanctions and measures under MAR. Further guidelines are expected later this year.

In our latest update, we discuss the implications of these developments, the secondary legislation under MAR and the changes made to the UK regulatory regime to accommodate it.  We also look at some recent enforcement actions in a range of different jurisdictions.


EU extends Russian sectoral sanctions

On 1 July, the Council of the EU announced that its sectoral sanctions against Russia (which were previously due to expire on 31 July 2016) will be extended for a further six months until 31 January 2017. This extension was effected by Council Decision (CFSP) 2016/1071 of 1 July 2016 (the "Decision"), amending Council Decision 2014/512/CFSP. The Decision came into force upon publication in the Official Journal on 2 July 2016. For further detail on the sectoral sanctions currently in force, please see our previous briefings here and here.
