Council Regulation (EU) 2019/796 of 17 May 2019 concerning restrictive measures against cyber-attacks threatening the Union or its Member States

Article 1

1.

This Regulation applies to cyber-attacks with a significant effect, including attempted cyber-attacks with a potentially significant effect, which constitute an external threat to the Union or its Member States.

2.

Cyber-attacks constituting an external threat include those which:

  1. originate, or are carried out, from outside the Union;

  2. use infrastructure outside the Union;

  3. are carried out by any natural or legal person, entity or body established or operating outside the Union; or

  4. are carried out with the support, at the direction or under the control of any natural or legal person, entity or body operating outside the Union.

3.

For this purpose, cyber-attacks are actions involving any of the following:

  1. access to information systems;

  2. information system interference;

  3. data interference; or

  4. data interception,

where such actions are not duly authorised by the owner or by another right holder of the system or data or part of it, or are not permitted under the law of the Union or of the Member State concerned.

4.

Cyber-attacks constituting a threat to Member States include those affecting information systems relating to, inter alia:

  1. critical infrastructure, including submarine cables and objects launched into outer space, which is essential for the maintenance of vital functions of society, or the health, safety, security, and economic or social well-being of people;

  2. services necessary for the maintenance of essential social and/or economic activities, in particular in the sectors of: energy (electricity, oil and gas); transport (air, rail, water and road); banking; financial market infrastructures; health (healthcare providers, hospitals and private clinics); drinking water supply and distribution; digital infrastructure; and any other sector which is essential to the Member State concerned;

  3. critical State functions, in particular in the areas of defence, governance and the functioning of institutions, including for public elections or the voting process, the functioning of economic and civil infrastructure, internal security, and external relations, including through diplomatic missions;

  4. the storage or processing of classified information; or

  5. government emergency response teams.

5.

Cyber-attacks constituting a threat to the Union include those carried out against its institutions, bodies, offices and agencies, its delegations to third countries or to international organisations, its common security and defence policy (CSDP) operations and missions and its special representatives.

6.

Where deemed necessary to achieve common foreign and security policy (CFSP) objectives in the relevant provisions of Article 21 of the Treaty on European Union, restrictive measures under this Regulation may also be applied in response to cyber-attacks with a significant effect against third States or international organisations.

7.

For the purposes of this Regulation, the following definitions apply:

  1. ‘information systems’ means a device or group of interconnected or related devices, one or more of which, pursuant to a programme, automatically processes digital data, as well as digital data stored, processed, retrieved or transmitted by that device or group of devices for the purposes of its or their operation, use, protection and maintenance;

  2. ‘information system interference’ means hindering or interrupting the functioning of an information system by inputting digital data, by transmitting, damaging, deleting, deteriorating, altering or suppressing such data, or by rendering such data inaccessible;

  3. ‘data interference’ means deleting, damaging, deteriorating, altering or suppressing digital data on an information system, or rendering such data inaccessible; it also includes theft of data, funds, economic resources or intellectual property;

  4. ‘data interception’ means intercepting, by technical means, non-public transmissions of digital data to, from or within an information system, including electromagnetic emissions from an information system carrying such digital data.

8.

For the purposes of this Regulation, the following additional definitions apply:

  1. ‘claim’ means any claim, whether asserted by legal proceedings or not, made before or after the date of entry into force of this Regulation, under or in connection with a contract or transaction, and includes in particular:

    1. a claim for performance of any obligation arising under or in connection with a contract or transaction;

    2. a claim for extension or payment of a bond, financial guarantee or indemnity of whatever form;

    3. a claim for compensation in respect of a contract or transaction;

    4. a counterclaim;

    5. a claim for the recognition or enforcement, including by the procedure of exequatur, of a judgment, an arbitration award or an equivalent decision, wherever made or given;

  2. ‘contract or transaction’ means any transaction of whatever form and whatever the applicable law, whether comprising one or more contracts or similar obligations made between the same or different parties; for this purpose, ‘contract’ includes a bond, guarantee or indemnity, particularly a financial guarantee or financial indemnity, and credit, whether legally independent or not, as well as any related provision arising under, or in connection with, the transaction;

  3. ‘competent authorities’ refers to the competent authorities of the Member States as identified on the websites listed in Annex II;

  4. ‘economic resources’ means assets of every kind, whether tangible or intangible, movable or immovable, which are not funds, but may be used to obtain funds, goods or services;

  5. ‘freezing of economic resources’ means preventing the use of economic resources to obtain funds, goods or services in any way, including, but not limited to, by selling, hiring or mortgaging them;

  6. ‘freezing of funds’ means preventing any move, transfer, alteration, use of, access to, or dealing with funds in any way that would result in any change in their volume, amount, location, ownership, possession, character or destination or any other change that would enable the funds to be used, including portfolio management;

  7. ‘funds’ means financial assets and benefit of every kind, including, but not limited to:

    1. cash, cheques, claims on money, drafts, money orders and other payment instruments;

    2. deposits with financial institutions or other entities, balances on accounts, debts and debt obligations;

    3. publicly- and privately-traded securities and debt instruments, including stocks and shares, certificates representing securities, bonds, notes, warrants, debentures and derivatives contracts;

    4. interest, dividends or other income on or value accruing from or generated by assets;

    5. credit, right of set-off, guarantees, performance bonds or other financial commitments;

    6. letters of credit, bills of lading and bills of sale; and

    7. documents showing evidence of an interest in funds or financial resources;

  8. ‘territory of the Union’ means the territories of the Member States to which the Treaty is applicable, under the conditions laid down in the Treaty, including their airspace.

Article 2

The factors determining whether a cyber-attack has a significant effect as referred to in Article 1(1) include any of the following:

  1. the scope, scale, impact or severity of disruption caused, including to economic and societal activities, essential services, critical State functions, public order or public safety;

  2. the number of natural or legal persons, entities or bodies affected;

  3. the number of Member States concerned;

  4. the amount of economic loss caused, such as through large-scale theft of funds, economic resources or intellectual property;

  5. the economic benefit gained by the perpetrator, for himself or for others;

  6. the amount or nature of data stolen or the scale of data breaches; or

  7. the nature of commercially sensitive data accessed.

Article 3

1.

All funds and economic resources belonging to, owned, held or controlled by any natural or legal person, entity or body listed in Annex I shall be frozen.

2.

No funds or economic resources shall be made available, directly or indirectly, to or for the benefit of natural or legal persons, entities or bodies listed in Annex I.

3.

Annex I shall include, as identified by the Council in accordance with Article 5(1) of Decision (CFSP) 2019/797:

  1. natural or legal persons, entities or bodies who are responsible for cyber-attacks or attempted cyber-attacks;

  2. natural persons or legal persons, entities or bodies that provide financial, technical or material support for or are otherwise involved in cyber-attacks or attempted cyber-attacks, including by planning, preparing, participating in, directing, assisting or encouraging such attacks, or facilitating them whether by action or omission;

  3. natural or legal persons, entities or bodies associated with the natural or legal persons, entities or bodies covered by points (a) and (b) of this paragraph.

Article 4

1.

By way of derogation from Article 3, the competent authorities of the Member States may authorise the release of certain frozen funds or economic resources, or the making available of certain funds or economic resources, under such conditions as they deem appropriate, after having determined that the funds or economic resources concerned are:

  1. necessary to satisfy the basic needs of the natural or legal persons, entities or bodies listed in Annex I and dependent family members of such natural persons, including payments for foodstuffs, rent or mortgage, medicines and medical treatment, taxes, insurance premiums, and public utility charges;

  2. intended exclusively for the payment of reasonable professional fees or the reimbursement of incurred expenses associated with the provision of legal services;

  3. intended exclusively for the payment of fees or service charges for the routine holding or maintenance of frozen funds or economic resources;

  4. necessary for extraordinary expenses, provided that the relevant competent authority has notified the competent authorities of the other Member States and the Commission of the grounds on which it considers that a specific authorisation should be granted, at least two weeks prior to the authorisation; or

  5. to be paid into or from an account of a diplomatic or consular mission or an international organisation enjoying immunities in accordance with international law, insofar as such payments are intended to be used for official purposes of the diplomatic or consular mission or international organisation.

2.

The Member State concerned shall inform the other Member States and the Commission of any authorisation granted under paragraph 1 within two weeks of the authorisation.

Article 4a

1.

Article 3(1) and (2) shall not apply to the making available of funds or economic resources necessary to ensure the timely delivery of humanitarian assistance or to support other activities that support basic human needs where such assistance and other activities are carried out by:

  1. the United Nations (UN), including its programmes, funds and other entities and bodies, as well as its specialised agencies and related organisations;

  2. international organisations;

  3. humanitarian organisations having observer status with the UN General Assembly and members of those humanitarian organisations;

  4. bilaterally or multilaterally funded non-governmental organisations participating in the UN Humanitarian Response Plans, UN Refugee Response Plans, other UN appeals or humanitarian clusters coordinated by the UN Office for the Coordination of Humanitarian Affairs;

  5. organisations and agencies to which the Union has granted the Humanitarian Partnership Certificate or which are certified or recognised by a Member State in accordance with national procedures;

  6. Member States’ specialised agencies; or

  7. the employees, grantees, subsidiaries or implementing partners of the entities referred to in points (a) to (f) while and to the extent that they are acting in those capacities.

2.

Without prejudice to paragraph 1, and by way of derogation from Article 3(1) and (2), the competent authorities of the Member States may authorise the release of certain frozen funds or economic resources, or the making available of certain funds or economic resources, under such conditions as they deem appropriate, after having determined that the provision of such funds or economic resources is necessary to ensure the timely delivery of humanitarian assistance or to support other activities that support basic human needs.

3.

In the absence of a negative decision, a request for information or a notification for additional time from the relevant competent authority within five working days of the date of receipt of a request for authorisation under paragraph 2, that authorisation shall be considered granted.

4.

The Member State concerned shall inform the other Member States and the Commission of any authorisations granted under paragraphs 2 and 3 within four weeks of such authorisation.

Article 5

Article 6

Article 7

Article 8

Article 9

Article 10

Article 11

Article 12

Article 13

Article 14

Article 15

Article 16

Article 17

Article 18

Article 19

ANNEX I

ANNEX II