Cyber sanctions regime
The Cyber (Sanctions) (EU Exit) Regulations 2020 came fully into force on 31 December 2020. They put in place sanctions measures aimed at furthering the prevention of cyber activity which:
- undermines, or is intended to undermine, the integrity, prosperity or security of the United Kingdom or a country other than the United Kingdom
- directly or indirectly causes, or is intended to cause, economic loss to, or prejudice to the commercial interests of, those affected by the activity
- undermines, or is intended to undermine, the independence or effective functioning of an international organisation, or a non-governmental organisation or forum whose mandate or purposes relate to the governance of international sport or the internet
- otherwise affects a significant number of persons in an indiscriminate manner
You should also review the Sanctions (EU Exit) (Miscellaneous Amendments) (No. 4) Regulations 2020 to find out about any amendments made to the Regulations.
These regulations have replaced, with substantially the same effect, relevant existing EU legislation and related UK regulations.
Those persons who are designated under this regime are included on the UK sanctions list.
The Cyber (Sanctions) (EU Exit) Regulations 2020
These Regulations are made under the Sanctions and Anti-Money Laundering Act 2018 (c.13) to establish a sanctions regime for the purpose of furthering the prevention of certain cyber activity as defined in regulation 4(2) (“relevant cyber activity”). Following the UK’s withdrawal from the European Union, these Regulations replace the EU sanctions regime implemented via EU Council Decision (CFSP) 2019/797 of 17 May 2019 concerning restrictive measures against cyber-attacks threatening the Union or its Member States and Council Regulation (EU) 2019/796 of 17 May 2019 concerning restrictive measures against cyber-attacks threatening the Union or its Member States.
The Regulations confer a power on the Secretary of State to designate persons who are, or have been, involved in relevant cyber activity. Designated persons may be excluded from the United Kingdom and may be made subject to financial sanctions, including having their funds and/or economic resources frozen. The Regulations provide for certain exceptions to this sanctions regime, in particular in relation to financial sanctions (for example to allow for frozen accounts to be credited with interest or other earnings) and also acts done for the purpose of national security or the prevention of serious crime. The Regulations also confer powers on the Treasury to issue licences in respect of activities that would otherwise be prohibited under the financial sanctions imposed by these Regulations. Schedule 2 to these Regulations sets out the purposes for which the Treasury will issue such licences.
These Regulations make it a criminal offence to contravene, or circumvent, any of the prohibitions in these Regulations and prescribe the mode of trial and penalties that apply to such offences. The Regulations prescribe powers for the provision and sharing of information to enable the effective implementation and enforcement of the sanctions regime.
Council Regulation (EU) 2019/796 of 17 May 2019 concerning restrictive measures against cyber-attacks threatening the Union or its Member States is revoked by these Regulations. The Cyber-Attacks (Asset-Freezing) Regulations 2019 (S.I. 2019/956) are also revoked.
Memorandum to the Regulation
2020 No. 597
1. Introduction
1.1 This explanatory memorandum has been prepared by the Foreign and Commonwealth
Office and is laid before Parliament by Command of Her Majesty.
1.2 This memorandum contains information for the Joint Committee on Statutory
Instruments.
2. Purpose of the instrument
2.1 These Regulations are intended to ensure that the UK can operate an effective cyber
sanctions regime after the end of the Transition Period. When these Regulations come
into force they will replace, with a similar effect, the EU sanctions regime relating to
cyber security that is currently in force under EU legislation and related UK regulations.
The EU sanctions regime is aimed at deterring and responding to cyber-attacks or
attempted cyber-attacks with a significant or potentially significant effect which
constitute an external threat to the European Union or its Member States; it also covers
similar cyber-attacks in respect of third States or international organisations.
3. Matters of special interest to Parliament
Matters of special interest to the Joint Committee on Statutory Instruments
3.1 The instrument is being laid before Parliament under section 55(3) of the Sanctions and
Anti-Money Laundering Act 2018 (“the Sanctions Act”) and is subject to the made
affirmative procedure. It does not come into force until a date or dates to be appointed
in separate regulations made under section 56 of the Sanctions Act (see regulation 1(2)).
Section 56 of the Sanctions Act enables special provision to be made for the
commencement of sanctions regulations where such provision is appropriate in
consequence of, or otherwise in connection with, the withdrawal of the UK from the
EU. Section 56(5) of the Sanctions Act provides that the instrument must be approved
by resolution of both Houses within 60 days of the Regulations coming into force for it
to continue to have effect.
Matters relevant to Standing Orders Nos. 83P and 83T of the Standing Orders of the House of Commons relating to Public Business (English Votes for English Laws)
3.2 The territorial application of this instrument includes Scotland and Northern Ireland.
4. Extent and Territorial Application
4.1 The territorial extent of this instrument is the whole of the UK.
4.2 Subject to paragraph 4.3, the territorial application of this instrument is the UK.
4.3 This instrument also applies to conduct by UK persons outside the UK.
5. European Convention on Human Rights
5.1 The Minister of State for South Asia and the Commonwealth at the Foreign and
Commonwealth Office, Lord Ahmad of Wimbledon, has made the following statement
regarding Human Rights:
“In my view the provisions of the Cyber (Sanctions) (EU Exit) Regulations 2020 are
compatible with the Convention rights.”
6. Legislative Context
6.1 When the UK was a member of the European Union, the UK’s implementation of UN
and other multilateral sanctions relied largely on the European Communities Act 1972.
Each sanctions regime generally consisted of an EU Council Decision, a corresponding
directly applicable EU Council Regulation, and related UK regulations made under
section 2(2) of the European Communities Act 1972 and other domestic legislation.
The European Union (Withdrawal) Act 2018 repealed the European Communities Act
1972. However, during the Transition Period, EU sanctions continue to apply in the
UK in accordance with the Withdrawal Agreement: section 1A of the European Union
(Withdrawal) Act 2018 (c.16) saves the effect of the European Communities Act 1972
for the purposes of the Withdrawal Agreement. There are currently around 35 sanctions
regimes that take effect in the UK. These include country-specific and thematic
sanctions regimes, including in relation to Russia, DPRK and counter-terrorism.
6.2 The European Union (Withdrawal) Act 2018 provides for some EU sanctions law to
form part of domestic law at the end of the Transition Period. However, that Act does
not provide powers to substantially amend that retained EU law and it does not provide
powers to lift sanctions or impose new sanctions. In addition, that Act does not retain
the effect of certain sanctions (travel bans) which are in force by virtue of EU Council
Decisions (rather than under EU Regulations). The Sanctions Act was introduced to
address these issues by providing the UK with the legal framework necessary to allow
the UK to implement sanctions autonomously.
6.3 Section 1 of the Sanctions Act enables sanctions regulations to be made for the purposes
of compliance with United Nations obligations and other international obligations, as
well as for a number of other purposes which include: furthering the prevention of
terrorism; national security; promoting international peace and security; promoting
compliance with international human rights law and respect for human rights; or
furthering foreign policy objectives.
6.4 The EU cyber sanctions regime, imposed for the purpose of preventing and responding
to cyber-attacks, currently has effect in the UK through both EU instruments and related
UK regulations. Using the power contained in section 54(2) of the Sanctions Act, the
following will be revoked and replaced by these Regulations: Council Regulation (EU)
2019/796 of 17 May 2019 concerning restrictive measures against cyber-attacks
threatening the Union or its Member States; and the Cyber-Attacks (Asset-Freezing)
Regulations 2019 (S.I. 2019/956).
7. Policy background
What is being done and why?
7.1 Pursuing these purposes will help address the ongoing and increased threat in
cyberspace. Cyber-attacks know no international boundaries and have grown in terms
of intensity, complexity and severity. Malicious actors in cyberspace are active and
able to successfully execute operations on countries affecting critical national
infrastructure, democratic institutions, businesses and the media. These actors are
demonstrating an increased risk appetite, be it for economic, strategic, regional or
financial gain. Over the last few years there has been a rise in the scale and impact of
operations, with co-ordinated campaigns, as opposed to single incidents, that potentially
allowed wide-ranging access to thousands of victims in countries globally and caused
significant financial and material damage. The purpose of the sanctions regime is to
deter those who are, or are considering, conducting or directing relevant cyber activity that
undermines, or is intended to undermine, the integrity, prosperity or security of the
United Kingdom or a country other than the United Kingdom; international
organisations; and non-governmental organisations whose purposes relate to the
governance of international sport or the Internet. It will do this by imposing a
meaningful cost and signalling at a political level that malicious cyber activity has
consequences. This will help change the behaviour of those responsible for malicious
cyber activity.
7.2 The EU introduced a cyber sanctions regime in May 2019. These Regulations are
intended to deliver similar policy effects to that existing EU sanctions framework.
7.3 Bringing this sanctions regime into UK law using the powers in the Sanctions Act will
enable the existing sanctions framework to continue to operate effectively after the UK
leaves the EU, as well as enabling HMG to make designations or amend or lift the
framework autonomously.
7.4 This instrument is accompanied by two statutory reports that are required to be
published under the Sanctions Act.
7.5 Firstly, and in accordance with section 2(4) of the Sanctions Act, a report has been
produced to explain why the Minister considers that the carrying out of the stated
purpose of this instrument would meet one or more of the discretionary purposes set
out in the Sanctions Act; why there are good reasons to pursue that purpose; and why
the Minister considers that the imposition of sanctions is a reasonable course of action
for that purpose.
7.6 Secondly, and in accordance with section 18 of the Sanctions Act, a report has been
produced that identifies the offences contained in this instrument; explains why there
are good reasons for those offences; and explains why there are good reasons for the
prescribed penalties in relation to those offences. Offences include, for example,
breaching or circumventing the substantive financial sanctions measures or providing
false information for the purpose of obtaining a Treasury licence.
7.7 Part 2 of this instrument deals with the designation of persons (including individuals,
entities and organisations) under the sanctions regime. It lists the criteria against which
the Secretary of State may make a decision to designate a person as being subject to a
travel ban or asset freeze (“designated persons”). The names of any designated persons
will be held on a separate administrative list on GOV.UK to enable immediate
publication following a decision to make or amend a designation. This limits the
opportunity for designated persons to remove assets from the UK.
7.8 Part 3 of the instrument sets out financial sanctions measures that can be imposed on
designated persons. Financial sanctions include freezing a designated person’s funds
and economic resources (non-monetary assets, such as property or vehicles) and
ensuring that funds and economic resources are not made available to or for the benefit
of a designated person, either directly or indirectly.
7.9 Part 4 of the instrument sets out the effect of immigration measures made under this
instrument. A designation for the purpose of regulation 17 (immigration) of the
instrument means that section 8B of the Immigration Act 1971 then applies to the
person: a designated person is banned from travelling to or via the UK and any
permission to stay in the UK that they may have is cancelled. In certain circumstances,
the Secretary of State may direct, on an individual basis, that the travel ban does not
apply, for example for the purposes of attending UN meetings.
7.10 Part 5 of the instrument makes provision in respect of exceptions and licences that may
apply or be available, as the case may be, in respect of prohibitions and requirements
under this regime. For example, and in relation to Treasury licences, a designated
person can apply for a licence allowing funds to be released in order to pay for essential
goods or services such as food. It states that the Treasury may issue licences to permit
activity prohibited by Part 3 (Finance) where it is appropriate for a purpose set out in
Schedule 2 of the instrument. Guidance will provide further detail about licensing.
8. European Union (Withdrawal) Act/Withdrawal of the United Kingdom from the European Union
8.1 This instrument is not being made under the European Union (Withdrawal) Act but it
relates to the withdrawal of the UK from the EU. This is because this instrument
replaces, with similar effect, the existing EU cyber sanctions regime.
9. Consolidation
9.1 This instrument does not consolidate previous instruments.
10. Consultation outcome
10.1 HMG ran a public consultation on the Sanctions Act which was open for nine weeks.
Over 30,000 individuals and companies received a copy of the White Paper, and 34
individuals provided written responses. Government officials held a number of
roundtables with key sectors, including financial services, trade bodies, the legal
profession, NGOs and industry professionals and regulators. The main areas of concern
raised in consultation responses were around the legal threshold for sanctions
designations, the rights of designated persons to challenge their designations, and
licensing procedures. All of these concerns were taken into account in the drafting of
the Act.
10.2 There is neither a requirement in the Act for public consultation on instruments made
under the Act, nor is there any other legal obligation to consult in respect of this
instrument. HMG will continue engagement with stakeholders on the implementation
of UK sanctions.
11. Guidance
11.1 In accordance with section 43 of the Act, guidance will be published in relation to the
prohibitions and requirements under these Regulations. This guidance will be available
on gov.uk before these Regulations come into force.
12. Impact
12.1 As this instrument maintains with similar effect the existing sanctions framework that
is already applicable to UK business, charities and voluntary bodies through EU law,
we assess that there is no new substantial impact. Businesses and charities will need to
ensure that they are referring to and complying with the relevant UK law once EU law
ceases to apply at the end of the Transition Period.
12.2 There is no significant impact on the public sector.
12.3 An Impact Assessment has not been produced for these Regulations, as the instrument
is intended to ensure the existing sanctions framework remains in place following EU
exit. This instrument is intended to deliver a similar policy effect as the existing EU
sanctions framework. An Impact Assessment was, however, produced for the primary
legislation and can be found at
https://publications.parliament.uk/pa/bills/lbill/2017-2019/0069/sanctions-and-anti-money-laundering-IA.pdf.
That assessment concluded
that the introduction of the Act, and statutory instruments under it to transfer existing
regimes into UK law, would overall reduce uncertainty for business and would not
result in significant costs or impact, apart from some familiarisation costs for businesses
associated with adapting to the new legislative framework.
13. Regulating small business
13.1 These Regulations apply to activities that are undertaken by small businesses.
13.2 These Regulations are intended to continue with similar effect the regulatory
requirements under the existing EU sanctions regime. The Foreign and Commonwealth
Office does not believe it is possible to exempt smaller businesses from the
requirements to comply with these Regulations as this could provide a route for the
circumvention or evasion of sanctions.
14. Monitoring & review
14.1 The Sanctions Act requires regular reviews of these Regulations. Under section 30 of
the Act, the Secretary of State must consider whether or not these Regulations are still
appropriate for their stated purpose and lay an annual report before Parliament,
confirming either that is the case or explaining what action has or will be taken in
consequence of that review. As such, the Minister does not consider that a review
clause in these Regulations is appropriate.
15. Contact
15.1 Oliver Case at the Foreign and Commonwealth Office telephone: 020 7008 0951 or
email: Sanctions.SIs@fco.gov.uk can be contacted with any queries regarding the
instrument.
15.2 Lisa Maguire, Deputy Director at the Foreign and Commonwealth Office, can confirm
that this Explanatory Memorandum meets the required standard.
15.3 Lord Ahmad of Wimbledon, Minister of State at the Foreign and Commonwealth
Office, can confirm that this Explanatory Memorandum meets the required standard.
Cyber sanctions: guidance
Published 3 November 2020
As required by section 43 of the Sanctions and Anti-Money Laundering Act 2018 (‘the Sanctions Act’), the Secretary of State for Foreign, Commonwealth and Development Affairs has provided this guidance to assist in the implementation of, and compliance with, the Cyber (Sanctions) (EU Exit) Regulations 2020 (the ‘Regulations’), as amended from time to time.
As required by the Sanctions Act, this document contains guidance on the prohibitions and requirements imposed by the Regulations. It additionally provides guidance on best practice for complying with the prohibitions and requirements; the enforcement of them; and circumstances where they do not apply.
This document is intended to be read alongside more detailed sanctions guidance published by departments including the Home Office and HM Treasury, through the Office of Financial Sanctions Implementation (OFSI). This document contains links to those key sources of sanctions guidance, which will be regularly maintained and updated on GOV.UK. It is designed to give an overview of the prohibitions and requirements in the Regulations and, where appropriate, direct readers to further detailed guidance. This document is current on the date of publication.
1. Prohibitions and requirements imposed by the Cyber (Sanctions) (EU Exit) Regulations 2020
The Regulations impose financial and immigration sanctions for the purpose of furthering the prevention of relevant cyber activity.
In order to achieve the stated purpose, the Regulations impose a number of prohibitions and requirements. In order to enforce these, the Regulations establish penalties and offences, which are set out in detail in the corresponding report under section 18 of the Sanctions Act in relation to criminal offences.
The prohibitions and requirements imposed by the Regulations apply within the territory of the United Kingdom (UK) (including Northern Ireland) and in relation to the conduct of all UK persons wherever they are in the world. UK persons includes British nationals, as well as all bodies incorporated or constituted under the law of any part of the UK. Accordingly, the prohibitions and requirements imposed by the Regulations apply to all companies established in any part of the UK, and they also apply to branches of UK companies operating overseas.
It is prohibited to intentionally participate in any activities if you know that the object or effect of them is directly or indirectly to circumvent the prohibitions imposed by the Regulations or to enable or facilitate the contravention of those prohibitions.
If you are unclear about any aspect of the Regulations, in particular about whether action you are considering taking could contravene the Regulations, you are advised to seek independent legal advice.
Prohibitions and requirements for the financial and immigration sanctions contained in the Regulations are set out below.
1.1 Designation of persons
The Regulations provide that the Secretary of State may designate persons for the purposes of financial and/or immigration sanctions if they are, or have been, involved in relevant cyber activity (as defined in regulation 4).
The UK Sanctions List lists the people designated under the Regulations, and details of the sanctions in respect of which they have been designated.
1.2 Financial sanctions
Asset freeze and making available provisions
The Regulations impose financial sanctions through a targeted asset freeze on designated persons and prohibitions on making funds or economic resources available. This involves the freezing of funds and economic resources (non-monetary assets, such as property or vehicles) of designated persons and ensuring that funds and economic resources are not made available to or for the benefit of designated persons, either directly or indirectly.
More information on financial sanctions can be found in the OFSI guidance.
OFSI is the authority responsible for implementing the UK’s financial sanctions on behalf of HM Treasury. OFSI helps to ensure that financial sanctions are properly understood, implemented and enforced in the UK. Further information on how OFSI implements financial sanctions can be found on the OFSI pages of GOV.UK.
1.3 Immigration sanctions
The effect of the Regulations is to impose a travel ban on persons who are designated by the Secretary of State for the purposes of being made subject to immigration sanctions under the Sanctions Act. Such persons are excluded persons for the purposes of section 8B of the Immigration Act 1971.
Designated individuals will be refused leave to enter or remain in the UK. Any applications they make for a visa to travel to the UK, including for transit purposes, will be refused. Any foreign national who is subject to a travel ban under the Regulations, and who is currently in the UK, will have their permission to stay in the UK cancelled and steps will be taken to remove them from the UK.
Further information on how the Home Office deals with those who are subject to a travel ban can be found on the Home Office pages of GOV.UK.
1.4 Information and record keeping
For the purpose of the financial sanctions contained in the Regulations, Part 6 of the Regulations places obligations on relevant firms (the definition of which is set out in the Regulations) to report information to HM Treasury about known or suspected designated persons or about persons who may have committed an offence under specified provisions of the Regulations.
It also grants powers to HM Treasury to request information from, amongst others, a designated person, including powers to request the production of documents. It also establishes offences for failing to comply with these requests (including for providing false information).
2. How will these sanctions measures be enforced?
The Regulations make it a criminal offence to contravene the financial sanctions, as well as to enable or facilitate a contravention of, or to circumvent, any of the prohibitions in the Regulations. They also prescribe the mode of trial and penalties that apply to such offences.
In addition to the below, further details on offences and penalties can be found in the corresponding report under section 18 of the Sanctions Act.
2.1 Financial sanctions
Breaches of financial sanctions are a serious criminal offence. Any breach of the main financial prohibitions in the Regulations is an offence that is triable either way and carries a maximum sentence on indictment of 7 years’ imprisonment or a fine (or both).
Offences under regulations 23(6) or 27(1) (information offences in connection with financial sanctions under the Regulations) are summary offences only and carry a maximum sentence of 6 months’ imprisonment or a fine (which in Scotland or Northern Ireland may not exceed level 5 on the standard scale) or both.
OFSI is responsible for monitoring compliance with financial sanctions and for assessing suspected breaches. It also has the power to impose monetary penalties for breaches of financial sanctions and to refer cases to law enforcement agencies for investigation and potential prosecution.
OFSI works with other parts of government, supervisory bodies and regulators to consider all cases reported to it, sharing relevant information accordingly.
3. Are there circumstances when I can get an authorisation or licence for a sanctioned activity?
Licensing and exception provisions are contained in Part 5 of the Regulations.
3.1 Exceptions
The Regulations set out exceptions to some of the sanctions prohibitions which apply within certain defined circumstances. An exception applies automatically, and does not require you to obtain a licence issued in accordance with the Regulations.
The Regulations establish exceptions relating to financial sanctions including for the crediting of a frozen account by a relevant institution (any such interest or other earnings will be frozen in accordance with the relevant legislation underpinning the asset freeze). An exception also exists from the prohibition on making funds available to a designated person, when funds are transferred to a frozen account in discharge (or partial discharge) of an obligation which arose before the recipient became a designated person.
The Regulations also include an exception in relation to any prohibition or requirement imposed by the Regulations for actions which a responsible officer has determined to be in the interests of national security, or the prevention or detection of serious crime in the UK or elsewhere.
3.2 Licensing for financial sanctions
Where a person is designated for the purposes of the financial sanctions (asset freeze measures and making available provisions) contained in the Regulations, the designated person or a representative (on their behalf) may apply for a licence from OFSI to use their funds or economic resources (non-monetary assets, such as property or vehicles). Schedule 2 to the Regulations sets out the purposes pursuant to which, or for which activities, OFSI may grant an individual licence. In summary these are:
- basic needs
- reasonable professional fees for or reasonable expenses associated with the provision of legal services
- reasonable fees or service charges for the routine holding or maintenance of frozen funds or economic resources
- extraordinary expenses
- pre-existing judicial decisions etc
- diplomatic missions etc
- extraordinary situations
- prior obligations
Further information on exceptions and licensing grounds can be found in OFSI’s guidance.
Information on licence applications and the relevant form can be found on OFSI’s GOV.UK licensing webpage.
3.3 Directions in respect of immigration sanctions
If you are subject to immigration sanctions, the Home Office may direct, on a case-by-case basis, that the sanction does not apply in particular circumstances, such as for travel to, or through, the UK for a UN-sponsored meeting. You can check how to apply for a UK visa, and find further information about travelling to the UK, on GOV.UK.
SOURCE: GOV.UK