The European Union is looking to get tough on cyber crimes. Technocrats representing the EU’s 28 governments will meet in Brussels on Friday to discuss expanding the bloc’s sanctions regime to punish companies, states and individuals involved in cyber crimes, adding to signs of increasing alarm about alleged Chinese and Russian activity targeting Western networks.

An internal memo circulated before the meeting of the EU’s working-group on cyber issues, and seen by Bloomberg, lists data breaches, intellectual property theft, attacks on IT infrastructure, and stealing of classified information among the offenses punishable with asset freezes and travel bans.

The discussion follows a decision by EU leaders to develop a so-called Cyber Diplomacy Toolbox, and amid ever more frequent warnings from Washington to its allies that they should think twice before using equipment from companies such as China’s Huawei Technologies Co.

Key Insights

The new regime “could target those involved in these types of cyber activity anywhere, regardless of their nationality and location,” with EU-wide sanctions, according to the internal EU memo dated Feb. 6.

The process will be part of the EU’s common foreign and security policy, meaning that unanimity would be required before any punitive action is triggered. The sanctions are intended as a response to actions with significant impact on European security, attributed to other individuals, or legal entities, such as companies. The punishable offenses include theft of funds, major data breaches, data interception, large-scale intellectual property theft, attacks on critical network infrastructure, theft of classified information, attacks on information systems used for elections, hacking of commercially sensitive data. The EU could apply the sanctions even as a response to attacks against allied countries, and not on European soil. After all, it is intended as a foreign policy tool. Punishable actions don’t need to cause significant harm. Even attempts that fail may be subject to retribution.

Proposed measures include travel bans and asset freezes for companies. Like U.S. sanctions, European measures could apply globally, even if a company doesn’t hold assets inside the EU. The freeze forbids the use of any resources available subject to EU law, including transactions with European banks and other institutions. Finally, the decision to apply the sanctions must be accompanied by evidence, defensible at the European Court of Justice, as those targeted may appeal the decision, according to the memo.

What’s Next

While the discussion is still taking place at a technical level, the development of such a sanctions regime has the explicit backing of EU leaders. A move to turn plans into actionable policy tools may not be too far away.

Topics Cyber Fraud Europe Russia China