Cyberspace is not an ungoverned space. Existing international law and accepted norms of
responsible behaviour provide clear guidance
on what is and what is not permissible in cyberspace. And yet, states increasingly rely on
cyber operations to achieve their political objectives and strategic goals: whether through
industrial cyber-espionage to give competitive
advantage to domestic companies, sophisticated operations to steal military secrets, or blatant attacks targeting the critical infrastructure
of other states.
This widespread sense of impunity has driven the European Union and its member states
to support regional and global efforts to ensure that the perpetrators of the attacks face
the consequences and that their victims are
adequately protected and compensated. The
so-called Cyber Diplomacy Toolbox adopted by
the EU in 2017 provided a significant boost to the
Union’s goal of becoming a ‘forward-looking
cyber player’. In addition to a number of diplomatic and operational measures, the toolbox
proposed the use of sanctions as one of the instruments at the Union’s disposal.
This Chaillot Paper – which uses space exploration as a metaphor to demystify some
of the concepts and challenges linked to
cyber-related policymaking – focuses on the
EU’s cyber sanctions regime as established by
Council Decision 2019/797 and Council Regulation 2019/796. The EU’s autonomous cyber
sanctions regime – encompassing measures
such as travel bans and asset freezes – represents a significant achievement on the EU’s
path to promote a free, open and secure cyberspace and defend the rules-based international
order. However, the growing complexity of cyber threats and the proliferation of malicious
actors intent on undermining the EU’s global
standing, as well as its economic power and
political foundations, suggest that it is not yet
the time for self-congratulation.
Taking account of the lessons derived from
other sanctions regimes adopted by the EU in
the past, this Chaillot Paper addresses a number
of key issues relevant for ensuring the maximum effectiveness of the EU’s cyber sanctions regime:
1. Clarity about the logic behind the use of cyber sanctions;
2. Potential impact of the sanctions on the
EU’s overall bilateral relations, and their interplay with other foreign and security policy instruments;
3. Objectives that specific listings aim
to achieve;
4. Adequate timing and longevity of the listings;
5. Understanding of the target;
6. Sufficient capabilities and resources;
7. Mechanisms for coordination and information sharing;
8. Cooperation and coordination with international partners;
9. Engagement with the private sector;
10. Clear strategic communication.
In tackling these questions, the contributors to
this publication provide insights into a number of complicated issues of a political and
legal nature, including the challenges of attribution, state responsibility in cyberspace, the
principle of due diligence or the potential impact of cyber sanctions on the physical world.
The analysis concludes with a set of proposals
aimed at stimulating the discussion about the
implementation of the EU cyber sanctions regime – and which will hopefully lead to concrete actions.