Understanding The New EU Cyber-Attack Asset-Freezing Regulations

On 11th June 2019, the Cyber-Attacks (Asset-Freezing) Regulations 2019 came into force in the UK, making provision for the enforcement of Council Regulation (EU) (2019/796) and bringing in a raft of deterrence measures relating to cyber attacks threatening the EU or its Member States.   

We covered these in brief on the day in our article ‘HM Treasury Given Powers To Freeze Assets Of Cyber Criminals And Supporters’; in this article we will reflect on just why this is so important and what it may mean for the UK and the EU.

What led to the new regulations?

The EU has long been concerned with the lack of strong sanctions available to deter and punish against cyber-attacks.  Specifically, they were (and still are) deeply concerned by the increasing capacity and determination of state and non-state actors to undertake malicious cyber activities; as was demonstrated last year when the WannaCry hack crippled organisations including the NHS.

As a result of the EU’s increasing concern about their lack of ability to respond in a unified way to a cyber attack, back in 2017, they implemented what they called the ‘cyber diplomacy toolbox’, a framework for a joint EU diplomatic response to a cyber crime, one component of which eventually led to the drafting and introduction of the new asset-freezing regulations.  Also, in the toolbox are mechanisms designed to prevent conflict, mitigate cyber threats, and to forge greater stability in international relations.  In the words of the European Council, “the framework is expected to encourage cooperation, facilitate mitigation of immediate and long-term threats, and influence the behaviour of potential aggressors in the long term.”

Following the introduction of the toolbox, in April 2018, the EU Council further expressed the importance of a “global, open, free, stable and secure cyberspace”, and raised concerns about the activity of malicious state and non-state actors.

The new regulations mirror the US cyber attack sanctions programme initiated by President Barack Obama, aimed at tackling cyber-enabled crimes originating from outside of the country, trade secrets appropriated through cyber means, and materially assisting cyber crime.

Why are the EU asset freezing regulations so important for cyber security?

What makes these regulations so significant is their breadth of scope.  The EU asset freezing regulations cover any external cyber threat to the EU or its member states whether:

  • Originating outside the EU
  • Carried out outside the EU
  • Using infrastructure outside the EU
  • Carried out by any natural or legal person, entity or body established or operating outside the EU; or
  • Carried out with the support, at the direction or under the control of any natural or legal person, entity or body operating outside the Union.

The regulations also specify that breaches may involve access to information systems, information system interference, data interference, or data interception.  Furthermore, the regulations focus on threats to information systems used for critical infrastructure, services necessary for the maintenance of essential social and/or economic activities, critical State functions, the storage or processing of classified information, Government emergency response teams.

Therefore, these new EU regulations now provide the legal instruments necessary to tackle the widest possible scope of cyber threat (far more than was previously available) involving any person or legal entity seeking to commit (or in involved with) an act of cyber crime which has a significant effect on a member state.  As such, the law is now able to issue travel bans and freezing orders on a much wider group of individuals involved in cyber crime perpetrated externally on a member state.  In other words, the law now matches the sobering and cold cyber reality faced by EU countries.

How will the significance of a cyber attack be assessed?

Article 2 of the 2019 EU regulations states that any actual or attempted cyber-attack which has a ‘significant effect’ (or could potentially have if successful), will be assessed in terms of:

  • The amount and scale of the disruption.
  • The number of persons affected.
  • The number of Member States concerned.
  • The extent of economic loss or economic gain to the perpetrator.
  • The extent of any data breaches.
  • The loss of commercially sensitive data.

Crucially these regulations don’t simply focus on the actual damage caused, but also on the possible damage which could have been caused had the attack been successful.  Not only does this cast the net of cyber criminals much further, it will also increase the number of attempted prosecutions given that many serious attacks are thwarted by organisations and Governments across the EU.

Final words

The new asset-freezing regulations mark a considerable step forward in active deterrence and ability to take action against those who are seeking to inflict cyber damage to our businesses, public institutions, infrastructure, and citizens.  It would seem that the EU is now trying to make up for lost time in relation to cyber breaches which have already occurred; such as the recently apparent leak of diplomatic cables and the compromise of the EU’s mission in Moscow.  Initiatives to defend against and prevent such malicious attacks cannot come soon enough.