Council Implementing Regulation (EU) 2020/1125 of 30 July 2020 implementing Regulation (EU) 2019/796 concerning restrictive measures against cyber-attacks threatening the Union or its Member States
Council Implementing Regulation (EU) 2020/1125of 30 July 2020implementing Regulation (EU) 2019/796 concerning restrictive measures against cyber-attacks threatening the Union or its Member StatesTHE COUNCIL OF THE EUROPEAN UNION,Having regard to the Treaty on the Functioning of the European Union,Having regard to Council Regulation (EU) 2019/796 of 17 May 2019 concerning restrictive measures against cyber-attacks threatening the Union or its Member StatesOJ L 129I, 17.5.2019, p. 1., and in particular Article 13(1) thereof,Having regard to the proposal from the High Representative of the Union for Foreign Affairs and Security Policy,Whereas:(1)On 17 May 2019 the Council adopted Regulation (EU) 2019/796.(2)Targeted restrictive measures against cyber-attacks with a significant effect which constitute an external threat to the Union or its Member States are among the measures included in the Union’s framework for a joint diplomatic response to malicious cyber-activities (the cyber diplomacy toolbox) and are a vital instrument to deter and respond to such activities. Restrictive measures can also be applied in response to cyber-attacks with a significant effect against third States or international organisations, where deemed necessary to achieve common foreign and security policy objectives set out in the relevant provisions of Article 21 of the Treaty on European Union.(3)On 16 April 2018 the Council adopted conclusions in which it firmly condemned the malicious use of information and communications technologies, including in the cyber-attacks publicly known as "WannaCry" and "NotPetya", which caused significant damage and economic loss in the Union and beyond. On 4 October 2018 the Presidents of the European Council and of the European Commission and the High Representative of the Union for Foreign Affairs and Security Policy (the "High Representative") expressed serious concerns in a joint statement about an attempted cyber-attack to undermine the integrity of the Organisation for the Prohibition of Chemical Weapons (OPCW) in the Netherlands, an aggressive act which demonstrated contempt for the solemn purpose of the OPCW. In a declaration made on behalf of the Union on 12 April 2019, the High Representative urged actors to stop undertaking malicious cyber-activities that aim to undermine the Union’s integrity, security and economic competiveness, including acts of cyber-enabled theft of intellectual property. Such cyber-enabled thefts include those carried out by the actor publicly known as "APT10" ("Advanced Persistent Threat 10").(4)In this context, and to prevent, discourage, deter and respond to continuing and increasing malicious behaviour in cyberspace, six natural persons and three entities or bodies should be included in the list of natural and legal persons, entities and bodies subject to restrictive measures set out in Annex I to Regulation (EU) 2019/796. Those persons and entities or bodies are responsible for, provided support for or were involved in, or facilitated cyber-attacks or attempted cyber-attacks, including the attempted cyber-attack against the OPCW and the cyber-attacks publicly known as "WannaCry" and "NotPetya", as well as "Operation Cloud Hopper".(5)Regulation (EU) 2019/796 should therefore be amended accordingly,HAS ADOPTED THIS REGULATION: