The European Union on Friday adopted powers to punish those outside the bloc who launch cyber attacks that cripple hospitals and banks, sway elections and steal company secrets or funds.
EU ministers meeting in Brussels said the 28-nation group would now, for the first time, be able to impose asset freezes and travel bans on individuals, firms and state bodies implicated in such attacks.
“The Council (of EU countries) established a framework which allows the EU to impose targeted restrictive measures to deter and respond to cyber attacks,” the Council said in a statement.
It said sanctions will be considered if a cyber attack is determined to have had a “significant impact” on its target.
The goal is to bolster the security of EU institutions, firms, and individuals against what one diplomat called an increase in the “scale and severity” of cyber attacks globally.
Under the legislation, diplomats said, the 28 EU countries would have to vote unanimously to impose sanctions after meeting a legal threshold of significant impact.
For example, countries would look at the scope and severity of disruption to economic and other activities, essential services, critical state functions, public order or public safety, diplomats said.
They would examine the number of people and EU countries affected and determine how much money, intellectual property and data is stolen.
EU diplomats told reporters it could also cover the hacking of European elections by a third party or country, amid fears that Russia is working to undermine democracy in its western rivals.
Countries would also study how much the perpetrator has gained through such action.
A Dutch diplomat told reporters that the powers amount to a “big step forward” toward building a more secure cyberspace.
“We have seen an increase in the scale and severity of cyber attacks globally,” an EU diplomat said. “Hostile actors have been threatening EU security.”
The new regime “sends a clear message that the EU is willing and able to impose consequences on irresponsible behavior in cyberspace,” he said.
In line with US intelligence assessments, EU officials highlight in particular the threat of disinformation and election hacking from Russia.
European leaders in October had called for a law to impose sanctions against cyber attacks.