Second time EU imposes sanctions due to cyberattacks: Bundestag hack
For a second time, the EU has imposed restrictive measures through a CFSP Decision and Council Implementing Regulation – on two individuals and one body – for taking part in a cyberattack on the German Federal Parliament, the legal framework for doing so having been adopted in May 2019 (CFSP Decision 2019/797, Article 21 TEU) and extended until 18 May 2021. The first time the EU applied sanctions was in July this year, addressing cyberattacks relating to the Organisation for the Prohibition of Chemical Weapons and ‘WannaCry’, ‘NotPetya’ and ‘Operation Cloud Hopper’.
The Bundestag hack is said to have taken place in April and May 2015, targeting the parliament’s information system, affecting its ability to operate for several days, and leading to a significant amount of data being stolen – the email account of Chancellor Angela Merkel also being affected.
Sanctions on the two individuals and body include a travel ban and asset freeze, and EU persons and entities are forbidden from making funds available to them. They have been imposed through Council Implementing Regulation 2020/1536 and CFSP Decision 2020/1537.
Together with the first-ever measures imposed on this basis, eight persons and four entities and bodies are on the EU’s cyberattacks-sanctions list.
Read the published EU measures by clicking on the respective links above, and the Council’s press release here. Read a former Declaration about cyberattack-sanctions from the High Representative Josep Borrell, in which he describes cyber-attacks as undermining “international security and stability and the benefits provided by the Internet and the use of Information and Communication Technologies”.