New Technologies in International Law / Tymofeyeva, Crhák et al.

condemnation. 523 It should be emphasized that cyber sanctions are only one of the tools with which the EU responds to malicious cyber-attacks, with the knowledge that these measures might not be sufficient and effective. According to Article 1 (2) (c) of the Regulation, a wide range of subjects can be targeted with cyber sanctions (in essence, any kind of subject). 524 Among other things, the Regulation permits the imposition of cyber sanctions even in cases of cyber-attacks against third states and international organizations. 525 The restrictive measures that can be imposed include travel bans, asset freezes and the prohibition to make funds and economic resources available to subjects accused of cyber-attacks. 526 Horizontal sanctions, in particular cyber sanctions, gives the Council a relatively wide leeway due to the indeterminate formulations used in the relevant Regulation. 527 Cyber sanctions might be imposed not only against ‘classical’ cyber-attacks, but arguably in cases of economic espionage or other theft in the cybersphere. 528 Moreover, the adoption procedure of cyber sanctions is more flexible since it is not required to enact a new legal framework each time the listing is to be updated, thereby avoiding the tedious procedure connected with the country-specific restrictive measures. In addition, in the case of horizontal sanctions, attribution questions do not have to be dealt with (at least not directly), since “ targeted restrictive measures should be differentiated from the attribution of responsibility for cyber-attacks to a third state. The application of targeted restrictive measures does not amount to such attribution, which is a sovereign political decision .“ 529 It was most likely an intention to avoid questions regarding attribution in light of state responsibility norms under international law (ARSIWA) which is a highly contentious issue, especially in the cyberspace context. Nevertheless, we agree with the claim of Yuliya Miadzvetskaya and Ramses Wessel that imposing restrictive measures on individuals is often an indirect attribution to states (since the sanctions subjects are in some cases government officials 530 ) even if the EU does not formally recognizes 523 Bendiek A and Schulze M, ‘Attribution: A Major Challenge for EU Cyber Sanctions’ ( Stiftung Wissenschaft und Politik (SWP) ) accessed 31 December 2023, p. 26. 524 “ Cyber-attacks constituting an external threat include those which: (c) are carried out by any natural or legal person, entity or body established or operating outside the Union; or (d) are carried out with the support, at the direction or under the control of any natural or legal person, entity or body operating outside the Union. ” 525 Council of European Union, Council Regulation (CFSP) 2019/796 of 17 May 2019 concerning restrictive measures against cyber-attacks threatening the Union or its Member States, Article 1(6). 526 Ibid., Art. 3. 527 See infra. 528 Bogdanova I and Vásquez Callo-Müller M, ‘Unilateral Cyber Sanctions: Between Questioned Legality and Normative Value’ (2021) 54 Vanderbilt J. Transnat’l L. 4, p. 931. There have been several incidents of economic espionage carried out also against EU states (however, it is more discussed in the US context). See, Cristani F, ‘Economic Cyber-Espionage in the Visegrád Four Countries: A Hungarian Perspective’ (2021) 17 Politics in Central Europe 697; Market D-G for I and PwC, ‘The Scale and Impact of Industrial Espionage and Theft of Trade Secrets through Cyber’ ( Publications Office of the EU , 2018) accessed 31 December 2023. 529 Council of European Union, Council Decision (CFSP) 2019/797 of 17 May 2019 concerning restrictive measures against cyber-attacks threatening the Union or its Member State. 530 Examples are four Russians of the GU/GRU, including the Head of the Main Directorate; Chinese and

124