Cyber-Attacks (Asset-Freezing) Regulations 2019

May 21, 2019

The Cyber-Attacks (Asset-Freezing) Regulations 2019 SI 2019/956 have been made. They come into force on 11 June 2019 and take effect across the whole of the UK.

The Regulations provide for the enforcement of Council Regulation (EU) 2019/796 on restrictive measures against cyber-attacks threatening the EU or its member states. 

The Council Regulation was made on 17 May 2019. It establishes a framework to allow the EU to impose targeted restrictive measures to deter and respond to cyber-attacks which constitute an external threat to the EU or its member states, including cyber-attacks against third states or international organisations where restricted measures are considered necessary to achieve the objectives of the Common Foreign and Security Policy.  

Cyber-attacks falling within the scope of this new sanctions regime are those which have significant impact and which:

  • originate or are carried out from outside the EU or
  • use infrastructure outside the EU or
  • are carried out by persons or entities established or operating outside the EU or
  • are carried out with the support of person or entities operating outside the EU.

Attempted cyber-attacks with a potentially significant effect are also covered by this sanctions regime.

More specifically, for the first time, the framework allows the EU to impose sanctions on persons or entities that are responsible for cyber-attacks or attempted cyber-attacks, who provide financial, technical or material support for such attacks or who are involved in other ways. Sanctions may also be imposed on persons or entities associated with them.  

Restrictive measures include a ban on persons travelling to the EU, and an asset freeze on persons and entities. In addition, EU persons and entities are forbidden from making funds available to those listed.

The UK regulations are being put in place to comply with the Council Regulation.

The measures include the freezing of funds and economic resources of any persons and entities listed in Annex I to the Council Regulation and ensuring that funds and economic resources are not made available to them or for their benefit. 

Regulation 2 defines designated person as any person named in Annex I to the Council Regulation (as amended from time to time). 

Regulations 3 to 7 provide prohibitions against dealing with the funds or economic resources of a designated person, making funds or economic resources available, directly or indirectly, to a designated person and making funds or economic resources available for the benefit of a designated person. 

Regulation 8 provides an exception to the prohibitions in regulations 4 and 5 where a frozen account is credited for a permitted reason. 

Regulation 9 provides a licensing procedure to enable funds and economic resources to be exempted from the prohibitions where this is permitted in the circumstances set out in the Council Regulation and creates offences for providing false information or documents or not complying with conditions included in a licence. 

Regulation 10 creates offences where the prohibitions in regulations 3 to 7 are contravened.

Regulations 11 to 14 contain provisions about officers of a body corporate, penalties and proceedings.

The Schedule makes provision for information gathering and information disclosure and creates offences for failure to comply with a request for information. 

An explanatory memorandum has also been published.