

UK adopts new EU-driven restrictive measures to deter and respond to external cyber-attacks through financial sanctions



On 17 May 2019, the European Council established a framework and implemented a new sanctions regime which now allows the EU to impose targeted sanctions to “deter and respond to cyber-attacks which constitute an external threat to the EU and its member states, including cyber-attacks against third States or international organisations” (Council Regulation (EU) 2019/796 (“the Regulation”)) (Press Release dated 17 May 2019).


The increasing frequency and impact of malicious cyber activities have concerned nations across the globe and the EU has taken a significant number of steps to seek to stem the tide. 

Those steps have largely taken the form of compelling businesses that are in the EU, or that target EU citizens, to have appropriate cyber security in place, through the General Data Protection Regulation (EU) 2016/679 (“GDPR”). The EU Directive on security of network and information systems (“NIS Directive”) also creates an obligation on Member States to have a requisite level of preparedness to deal with attacks on critical national infrastructure and to cooperate with each other in relation to the sharing of information.

Those previous steps have been intra-community measures, whereas the Regulation is focused on targeting the attackers themselves.


Under the Regulation, restrictive measures can be imposed on those “responsible for cyber-attacks or attempted cyber-attacks, who provide financial, technical or material support for such attacks or who are involved in other ways”.  Sanctions may also be imposed on persons or entities associated with those responsible.

Restrictive measures include a ban on persons travelling to the EU, and an asset freeze on persons and entities. In addition, EU persons and entities are forbidden from making funds available to those listed. 

The cyber-attacks must have significant impact (or attempted cyber-attacks must have potential significant impact), constitute an external threat to the EU or its Member States, and:

  • originate or be carried out from outside the EU;
  • use infrastructure outside the EU;
  • be carried out by persons or entities established or operating outside the EU; or
  • be carried out with the support of persons or entities operating outside the EU.

Definition of cyber-attacks

Cyber-attacks are defined as unauthorised acts that fall into the following categories:

  1. access to information systems;
  2. information system interference;
  3. data interference; or
  4. data interception,

where such actions are not authorised by the owner or by another right holder of the system or data, or are not permitted under the law of the Union or of the Member State concerned.

UK: National transposition

On 20 May 2019, the UK implemented the Regulation into domestic law through The Cyber-Attacks (Asset-Freezing) Regulations 2019 (“the UK Regulations”) along with an explanatory memorandum.

In a statement regarding the UK Regulation, the UK Foreign Secretary, Jeremy Hunt, stated that it was a "decisive action" to deter future cyber attacks.  He commented that, "For too long now, hostile actors have been threatening the EU's security through disrupting critical infrastructure, attempts to undermine democracy and stealing commercial secrets and money running to billions of Euros".

The UK Regulations will come into force on 11 June 2019 and include an asset freeze with respect to any persons and entities listed in Annex I of the Regulation whilst prohibiting the making available of any funds or economic resources to them.  No entities or individuals have been designated yet and so it is important to keep updated on additions that the EU will make shortly.

A breach of the UK Regulations is punishable by a maximum term of 12 months’ imprisonment and/or an unlimited fine.