Shearman & Sterling LLP | FinReg | EU Council Regulation to Combat Cyber-Attacks Published
Financial Regulatory Developments Focus
  • EU Council Regulation to Combat Cyber-Attacks Published

    The EU Council Regulation concerning restrictive measures against cyber-attacks threatening the European Union or its Member States came into force on May 17, 2019 and will apply directly across the EU from May 18, 2019.

    For the purposes of the Regulation, cyber-attacks include unpermitted access to, or interference with, information systems and interference with, or interception of, data. The Regulation applies only to cyber-attacks with a significant effect that constitute a threat to the Union or Member States. This includes attacks that affect critical infrastructure, services necessary for the maintenance of essential social and/or economic activities, including banking and financial market infrastructures, State functions and government emergency response teams, as well as attacks carried out on EU institutions, bodies and agencies. The cyber-attacks must have originated, or been carried out, from outside the EU, used infrastructure based outside the EU or been supported or directed by a non-EU individual or entity. The Regulation applies within the territory of the EU, on board any aircraft or vessel under a Member State's jurisdiction, to any natural person who is a Member State national (whether situated inside or outside the EU), to any legal entity incorporated under the law of a Member State and to any legal entity in respect of any business done in whole or in part within the EU.

    The Regulation establishes a series of measures designed to deter and respond to such cyber-attacks. These measures include:
    • the freezing of assets held by persons or entities that may, from time to time, be specified under the Regulation;
    • the mandatory provision of information by those subject to the Regulation to competent authorities within Member States, which would assist compliance with the Regulation; and
    • a general prohibition on any entity or individual participating in any activities designed to circumvent the asset-freezing provisions.

    The Council of the European Union has the power to specify which individuals or entities will be listed under the Regulation as being subject to asset-freezing controls. Those so listed will be notified by the European Council and will have the opportunity to present observations on the decision, which will be reviewed by the Council. The list of specified targets will be reviewed regularly, and at least every 12 months.

    The penalties applicable for breach of the Regulation will be specified by Member States in relation to their respective jurisdictions. Competent authorities of Member States are also given powers to release frozen funds in certain circumstances, for instance where the relevant funds are necessary to pay for key items (e.g. the basic needs of a natural person and their dependants, reasonable professional fees, service charges for the routine holding of frozen funds). Other situations in which Member States may release funds include where they will be used to satisfy a claim that is the subject of an arbitral decision rendered prior to the date the relevant party was listed under the Regulation, or the payment will not otherwise be made for the benefit of a listed individual or entity. Financial or credit institutions that receive funds transferred by third parties are able to credit frozen accounts, provided those assets are also frozen and the Member State competent authority is informed about the transaction without delay.

    View the EU Cyber-Attacks Regulations 2019.
