What’s this all about?
Since 2019 the Council of the European Union has had legislation in place enabling it to impose so-called restrictive measures (“sanctions”) in order to respond to or deter cyber-attacks that threaten the EU or its (27) Member States. These measures can be deployed against individuals, entities, international organisations or countries. The EU recently used this power for the first time, imposing sanctions on individuals and entities in response to a number of cyber-attacks.
Which cyber-attacks does this concern?
The cyber-attacks in question, which occurred in recent years, were as follows:
- The cyber-attack known as “Operation Cloud Hopper”, initiated in China, which targeted the information systems of multinational companies in the EU (and elsewhere throughout the world) gaining unauthorised access to commercially sensitive data resulting in significant economic loss;
- An attempted cyber-attack to undermine the integrity of the Organisation for the Prohibition of Chemical Weapons in Holland to gain unauthorised access to the organisation’s Wi-Fi network, initiated in Russia;
- The cyber-attack known as “WannaCry”, initiated in North Korea, which disrupted information systems (globally) by targeting information systems with ransomware and blocking access to data, affecting information systems of EU companies including information systems relating to services necessary for the maintenance of essential services and economic activities within Member States (such as the Polish Financial Supervision Authority); and,
- The cyber-attack known as “NotPetya”, initiated in Russia, which rendered data inaccessible in a number of companies in the EU (and elsewhere globally) by targeting computers with ransomware and blocking access to data, resulting among other things in significant economic loss (the attack on a Ukrainian power grid resulted in parts of it being switched off during winter).
What are the sanctions and who were they imposed on?
The sanctions consist of travel bans, asset freezes and prohibitions on making funds and economic resources available to the sanctioned individuals and entities. These sanctions have been imposed on six named individuals (two Chinese nationals and four Russian individuals) and three named entities (one Chinese, one North Korean and one Russian).
What are the takeaways?
Although it has taken some time to come about, the EU has now shown that it is prepared to take action when significant cyber-attacks occur, no doubt setting a trend for similar action when other such cyber-attacks occur in future.
Cordery’s GDPR Navigator includes resources to help deal with data protection compliance, including data breaches. GDPR Navigator includes:
- Detailed guidance on the security aspects of GDPR in paper and on film;
- A template data breach log;
- A template data breach plan; and,
- A template data breach reporting form.
For information about our Breach Navigator tool please see here: https://www.corderycompliance.com/solutions/breach-navigator/
We report about data protection issues here: http://www.corderycompliance.com/category/data-protection-privacy/.
For more about GDPR please also see our GDPR FAQs which can be found here: http://www.corderycompliance.com/eu-data-protection-regulation-faqs-3/ and our Data Protection Glossary which can be found here: http://www.corderycompliance.com/?s=glossary.
The EU decision imposing the sanctions can be found here: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2020.246.01.0012.01.ENG&toc=OJ:L:2020:246:TOC and the EU legislation empowering it to impose sanctions can be found here: https://eur-lex.europa.eu/legal-content/GA/TXT/?uri=CELEX:32019D0797.
For more information please contact André Bywater or Jonathan Armstrong who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH | André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1784 | Office: +44 (0)207 075 1785
Jonathan.armstrong@corderycompliance.com | Andre.bywater@corderycompliance.com