Council Implementing Regulation (EU) 2024/1778 of 24 June 2024 implementing Regulation (EU) 2019/796 concerning restrictive measures against cyberattacks threatening the Union or its Member States

Type: Implementing Regulation
Publication: 2024-06-24
State: In force
Department: Council of the European Union
Source: EUR-Lex

THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Council Regulation (EU) 2019/796 of 17 May 2019 concerning restrictive measures against cyberattacks threatening the Union or its Member States (1), and in particular Article 13(1) thereof,

Having regard to the proposal from the High Representative of the Union for Foreign Affairs and Security Policy,

Whereas:

(1) On 17 May 2019, the Council adopted Regulation (EU) 2019/796.

(2) Targeted restrictive measures against cyberattacks with a significant effect, which constitute an external threat to the Union or its Member States, are one of the measures included in the Union’s framework for a joint diplomatic response to malicious cyber activities (the Cyber Diplomacy Toolbox), and are a vital instrument to prevent, deter, discourage and respond to such activities.

(3) Malicious cyber activities against critical infrastructure or essential services, including through the use of ransomware and wipers, the targeting of supply chains and cyber-espionage, including intellectual property theft activities, are increasing in number, frequency and sophistication. With their disruptive and destructive effects, these activities pose a systemic threat to the Union’s security, economy, democracy, and to society at large.

(4) The use of cyber operations that have enabled and accompanied Russia’s unprovoked and unjustified war of aggression against Ukraine affects global stability and security, represents an important risk of escalation, and adds to the already significant increase of malicious cyber activities outside the context of armed conflict over recent years. The growing cybersecurity risks and an overall complex cyber threat landscape, with a clear risk of rapid spillover of cyber incidents from one Member State to others and from third countries to the Union, further call for restrictive measures under Regulation (EU) 2019/796.

(5) As part of the sustained, tailored and coordinated Union action against persistent cyber threat actors, six natural persons should be included in the list of natural and legal persons, entities and bodies subject to restrictive measures set out in Annex I to Regulation (EU) 2019/796. Those persons are responsible for, or were involved in, cyberattacks with a significant effect, which constitute an external threat to the Union or its Member States.

(6) Annex I to Regulation (EU) 2019/796 should therefore be amended accordingly,

HAS ADOPTED THIS REGULATION:

Article 1

Annex I to Regulation (EU) 2019/796 is amended as set out in the Annex to this Regulation.

Article 2

This Regulation shall enter into force on the date of its publication in the Official Journal of the European Union.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Luxembourg, 24 June 2024.

For the Council
The President
J. BORRELL FONTELLES

(1) OJ L 129 I, 17.5.2019, p. 1.
