The Regulations are intended to ensure that the UK can operate an effective cyber sanctions regime after the end of the transition period. When the Regulations come into force they will replace, with a similar effect, the EU sanctions regime relating to cyber security that is currently in force. The current EU sanctions regime is aimed at deterring and responding to cyber attacks or attempted cyber attacks that constitute an external threat to the EU or its Member States. It also covers similar cyber attacks in respect of third States or international organisations.
The Regulations do not come into force until a date or dates to be appointed in separate regulations made under s 56 of the Sanctions Anti-Money Laundering Act 2018, which allows for the commencement of sanctions regulations where appropriate due to the withdrawal of the UK from the EU. The Regulations apply to the whole of the UK.
The Regulations will revoke and replace Council Regulation (EU) 2019/796 of 17 May 2019 concerning restrictive measures against cyber attacks threatening the Union or its Member States, and the Cyber-Attacks (Asset-Freezing) Regulations 2019.
The purpose of the sanctions regime is to deter those who are, or considering, conducting or directing relevant cyber activity that undermines, or is intended to undermine, the integrity, prosperity or security of: the UK or a country other than the UK; international organisations; and non-governmental organisations whose purposes relate to the governance of international sport or the internet. According to the Explanatory Memorandum, it will do this by imposing a meaningful cost, and signalling at a political level that malicious cyber activity has consequences. This will help change the behaviour of those responsible for malicious cyber activity.
The new Regulations are intended to deliver similar policy effects to the existing EU sanctions framework and will enable it to continue to operate effectively after the UK leaves the EU. The Regulations will also allow the Government to make designations or amend or lift the framework autonomously.
Part 2 of the Regulations gives the Secretary of State powers to designate persons (including individuals, entities and organisations), whom the Secretary of State has reasonable grounds to suspect are or have been involved in relevant cyber activity, as being subject to a travel ban (i.e. excluded from the UK) or asset freeze.
Part 3 sets out the financial sanctions that can be imposed on designated persons. They include freezing a designated person’s funds and economic resources (non-monetary assets, such as property or vehicles) and ensuring that funds and economic resources are not made available to or for the benefit of a designated person, either directly or indirectly.
Guidance in relation to the prohibitions and requirements under the Regulations will be published before the Regulations come into force. To access the legislations, click here.