New Technologies in International Law / Tymofeyeva, Crhák et al.

aspects of it. Accordingly, the article is divided into three parts. First, we outline the legal framework of EU cyber sanction, its nuances and specificities. Secondly, we shall focus on the question of immunity law that might come to the fore in the context EU cyber sanctions which entail the imposition of asset freezes on state officials or government agencies. Finally, the article will discuss several different aspect of digitalisation (including new technologies) and its effects on the field of sanctions. Our aim in this is to critically reflect on the perspicuous analysis put forward by Dana Burchardt, who recently discussed the question whether digitalization is changing international law structurally . 519 In particular, we shall focus on the possible consequences of digitalization on the field of sanctions law. 1. Outlining the EU Cyber-Sanctions Regime The cyber sanctions framework adopted by the European Union (hereinafter “EU”) represents a relatively recent foreign policy tool in the context of cyber security. It came into effect in 2019 in the form of a Council Decision (CFSP) 2019/797 and Council Regulation 2019/796 that sets out the conditions for imposing restrictive measures against cyber-attacks. Cyber sanctions fall under the rubric of horizontal sanctions (together with other horizontal restrictive measures in the context of terrorism, human rights, chemical weapons…) and are targeted in nature (so-called “smart sanctions”), as opposed to country-specific measures that are normally more comprehensive. 520 The objective of EU cyber sanctions is to “ respond to and deter cyber-attacks with a significant effect which constitute an external threat to the Union or its Member States .” 521 Hence, cyber sanctions are to be regarded as deterrence 522 measures, while by and large, restrictive measures also aim to change the behaviour of states (in this case, within the context of cyberspace). However, the EU does not characterise these measures as a “punishment” though there is a thin line between “responding to” some malicious cyber activity and punishment. Beyond this, there is an obvious signalling effect too, similarly as in the case of “traditional” sanctions. The paradox however is that there has been practically no direct attribution to any state from the EU as such which is potentially counterproductive and could limit the deterrent effect of cyber sanctions (it is well-known that different States were involved in many cyber-attacks). Moreover, when cyber sanctions were imposed by the EU, for instance in the WannaCry and NotPetya cases, it took two years from the official 519 See, Burchardt, D, ‘Does Digitalization Change International Law Structurally?’ (2023) 24 German Law Journal 438. 520 Lonardo L, EU Common Foreign and Security Policy after Lisbon between Law and Geopolitics (Springer, 2023), p. 74. 521 Council of European Union, Council Regulation (CFSP) 2019/796 of 17 May 2019 concerning restrictive measures against cyber-attacks threatening the Union or its Member States. 522 However, it must be admitted that the deterrence effect of cyber sanctions is not supported by empirical evidence. See, Sameer Patil, ‘Assessing the Efficacy of the West’s Autonomous Cyber-Sanctions Regime and Its Relevance for India: EU Cyber Direct’ ( Horizon ) accessed 31 December 2023.

123