
Cyber-attacks: Council extends sanctions and legal framework
European Council
The Council today decided to prolong the restrictive measures (sanctions) against cyber-attacks threatening the EU and its member states for a further year, until 18 May 2026. The legal framework (sanctions regime) for these measures is extended for three years until 18 May 2028. This framework allows the EU to impose targeted restrictive measures on persons or entities involved in cyber-attacks which cause a significant impact, and constitute an external threat to the EU or its member states. Restrictive measures can also be imposed in response to cyber-attacks against third states or international organisations, where such measures are considered necessary to achieve the objectives of the Common Foreign and Security Policy (CFSP).