The EU has imposed its first set of sanctions under its cyber sanctions regime

 On 30 July 2020, the EU imposed sanctions against six individuals and three companies in Russia, China and North Korea for various cyber-attacks. These include the ‘WannaCry’ and ‘NotPetya’.

The sanctions, which include a travel ban and an asset freeze, are the first set of restrictive measures the EU has implemented under the legal framework adopted by the EU Council in May 2019 and recently renewed. The restrictive measures also forbid EU persons and entities from making funds available to the sanctioned individuals and entities.


During the last few years, the EU has stepped up its response to cyber threats and malicious cyber activities to ensure the protection of European security and interests. In June 2017, the EU established a Framework for a Joint EU Diplomatic Response to Malicious Cyber Activities (the “cyber diplomacy toolbox”) which gave the EU and its member states the power to impose restrictive measures (among other powers) if necessary in response to cyber-attacks, with the aim that these measures would act as a deterrent.

UK Government reaction

Notwithstanding Brexit, the UK has welcomed the decision of the EU to issues these sanctions. The UK Government stated that it played a leading part in the EU's efforts to establish the EU Cyber Sanctions regime, which will be mirrored after Brexit through the UK Cyber Sanctions regime, which the Foreign Secretary Dominic Raab has confirmed the UK ‘will continue to implement…after the end of the Transition Period’. The UK regime, which is already in force, will allow the government to impose similar restrictive measures against state and non-state actors who undertake malicious cyber activities.