An EU first: sanctions, cyber-attacks and a global approach to prevention

01 September 2020

At the end of July, the EU announced it was imposing its first ever sanctions against cyber-attacks. The sanctions, including a travel ban and an asset freeze, were put in place against the six individuals and three entities responsible for or involved in cyber-attacks such as WannaCry, NotPetya, Operation Cloud Hopper and the attempted attack against the Organisation for the Prohibition of Chemical Weapons (OPCW).

Part of the Framework for a Joint EU Diplomatic Response to Malicious Cyber Activities (also known as the “cyber diplomacy toolbox”) adopted by the European Council in May 2019, sanctions form part of the targeted restrictive measures used to deter and respond to cyber-attacks within the EU.

So far so straightforward, you might think. But with the threat of cyber-attacks and cyber-crime more generally on the rise, this is a significant step for the EU – pointing towards a new and effective global approach to keeping personal data safe from harm.

Two sides of the same coin

The European Council on Foreign Relations recently observed that Covid-19 has revealed the critical importance of technology for economic and health resilience, making Europe’s digital transformation and sovereignty a question of existential importance. Rising US-China tensions are an additional incentive for Europe to develop and protect its digital economy.

This requires a stable and secure cultural environment in which the digital economy can thrive, and sufficient policing to ensure that data within that economy remains safe. The GDPR (introduced in 2018) provides the necessary framework to ensure stability and security, while these sanctions are evidence of a robust approach to policing those intent on malicious wrongdoing.

A deterrent fit for the crime

The GDPR is, without a doubt, a handy piece of regulation which helps keep corporates and other organisations on the straight and narrow when it comes to safeguarding the personal data they hold and process. But this is no accident: from the outset, there have been draconian fines in place for those who do not abide by its rules – and this is a very obvious deterrent.

What happens, though, if the data breach or threat comes from outside an organisation – from a rogue element? The organisation facing a threat could be doing everything right, but personal data is still at risk. In this scenario, just as when the criminal activity takes place within an organisation, there needs to be a suitably effective punishment that not only deals with the level of harm that has been caused but also acts as a deterrent for other would-be cyber-criminals.

Within Europe, law enforcement agencies including Interpol can help track down those responsible for such attacks, and punishment can be meted out through the usual legal channels. But if the wrongdoer is somewhere outside the EU, those laws do not apply.

Taking it global

The use of sanctions might seem unusual in this instance – after all, it is nation-states or large corporate entities who are usually on the receiving end of them. But by adopting and applying the sanctions regime to cyber-criminals, the EU is recognising not just the importance of keeping people’s data safe and the implications of wrongdoing concerning that data, but the global nature of these crimes.

As the newest global criminal masterminds on the block, cyber-criminals typically trample over borders without a second thought. So if normal jurisdictional rules don’t apply, what happens if you take away some of the freedoms that keep the wheels of that cyber-crime turning?

Practical punishment

Individuals facing sanctions can typically expect a block on their bank accounts as well as any other assets in the custody of banks. Access via a third party on their behalf is also not permitted – unless under a specific licence. And loans and other forms of credit can be subject to an immediate up-front payment.

It doesn’t stop there though: trusts set up for the benefit of their children by a person under sanctions will also face the same restrictions, even if these arrangements precede the sanctions. In fact, all financial institutions operating within EU jurisdictions will not accept any instructions or provide services to a sanctioned individual.

This includes bank accounts for daily living, which are only allowed if there is a special licence in place. But in most jurisdictions, getting a licence requires legal representation - which is hard to acquire once sanctions are in place, not least because banks don’t allow law firms to access the accounts of a sanctioned person in order to receive fees.

All companies and other assets owned (or controlled) by a sanctioned person face the same restrictions, and many banks choose to end their relationship with sanctioned individuals even after restrictions have been removed, considering the risk to be simply too high.

In addition to the financial impact, sanctioned individuals can also expect to see their ability to travel freely curtailed, so that they cannot move to another country where life might be more convenient.

Even just one element of this example – removing access to a bank account for daily living expenses – makes it almost impossible for individuals to live, let alone work, in a way that would be considered normal. Combine all of these elements, and it is highly unlikely that the cyber-criminals in question will be able to continue their nefarious activities. Finally, there is a punishment that is proportionate to the crime in question.

The gold standard (or stick)

For the EU, there is much at stake here, reputationally as well as practically. The GDPR provides the so-called gold standard of data protection, and the vast fines companies face for non-compliance are, in essence, a giant stick with which to ensure they do the right thing. It’s perhaps not surprising, then, that the EU also wants to maintain a similarly high standard of protection when it comes to cyber-crime.

Imposing sanctions might seem like a draconian measure, but as anything else is jurisdictionally limited, it’s one of the only effective global tools still at the EU’s disposal. Unfortunately for those on the receiving end of them, sanctions are, in comparison with the GDPR and its system of fines, an equally effective way of going after people who have exploited or manipulated information for criminal gain, and this is unlikely to be the last we’ll see of them in this context.

About the Author

Magnus Boyd
Magnus protects individual and corporate reputations by helping clients to manage unwanted media attention. He also advises on information security and helps clients manage the risks to reputation that arise in the event of data loss.

© 2020 Schillings International LLP. SCHILLINGS is a trading name of Schillings International LLP and Schillings International (USA) LLP.