The European Union on Friday adopted powers to punish those outside the bloc who launch cyber-attacks that cripple hospitals and banks, sway elections and steal company secrets or funds.
EU ministers meeting in Brussels said the 28-nation group would now, for the first time, be able to impose asset freezes and travel bans on individuals, firms and state bodies implicated in such attacks.
“The Council (of EU countries) established a framework which allows the EU to impose targeted restrictive measures to deter and respond to cyber-attacks,” it said in a statement.
It added that sanctions will be considered if a cyber-attack is determined to have had a “significant impact” on its target.
The goal is to bolster the security of EU institutions, firms and individuals against what Britain called an increase in the “scale and severity” of cyber-attacks globally.
“This is decisive action to deter future cyber-attacks,” British Foreign Secretary Jeremy Hunt said after Britain and its EU partners drafted the measures.
“For too long now, hostile actors have been threatening the EU’s security through disrupting critical infrastructure, attempts to undermine democracy and stealing commercial secrets and money running to billions of euros,” Hunt said.
“Our message to governments, regimes and criminal gangs prepared to carry out cyber-attacks is clear,” Britain’s top diplomat added.
“Together, the international community will take all necessary steps to uphold the rule of law and the rules based international system which keeps our societies safe.”
The British government has pledged to continue close cooperation with the EU after it leaves the bloc in line with the 2016 referendum.
‘Big step forward’
Under the sanctions regime, diplomats said, the 28 EU countries would have to vote unanimously to impose sanctions after meeting a legal threshold of significant impact.
For example, countries would look at the scope and severity of disruption to economic and other activities, essential services, critical state functions, public order or public safety, diplomats said.
They would examine the number of people and EU countries affected and determine how much money, intellectual property and data have been stolen.
EU diplomats told reporters it could also cover the hacking of European elections by a third party or country. Elections for a new European Parliament take place May 23-26.
In line with US intelligence assessments, EU officials highlight in particular the threat of disinformation and election hacking from Russia.
EU countries would also study how much the perpetrator has gained through such action.
A Dutch diplomat told reporters that the powers amount to a “big step forward” toward building a more secure cyberspace.
European leaders in October had called for a regime to impose sanctions against cyber-attacks.
US and European police said Thursday they have smashed a huge international cybercrime network that used Russian malware to steal 100 million dollars from tens of thousands of victims worldwide.
EU diplomats said the bloc will now start drawing up a blacklist for potential sanctions in cyber-attack cases.
A number of powerful people close to Russian President Vladimir Putin appear on a blacklist of 164 Russians and Ukrainians that was established after Moscow’s annexation of the Crimean peninsula in 2014.
Those blacklisted are under travel bans and asset freezes just like those that would be imposed on those implicated in cyber-attacks.