
Germany and the 'Fancy Bear': Are the first EU cybersanctions imminent?

22.06.2020

In the spring of 2015, a sensational hack targeted the IT system of the Bundestag (the German parliament). Unit 26165 of the Russian military intelligence service GRU, also known as the Fancy Bear, was apparently behind the attack. Germany now wants to take action in the form of ‘cybersanctions’ at EU level.

New cybersanctions regime

On 29 April 2020, Germany’s Federal Foreign Office issued an arrest warrant to the Russian ambassador Netchaev for the Russian national Dmitry Badin, who is suspected of being behind the 2015 attack. But that was not all: undersecretary of state Miguel Berger of the Foreign Office announced that Germany wanted to promote the use of the EU cybersanctions regime. In this context, Germany is looking closely at Council Regulation (EU) 2019/796 of 17 May 2019 concerning restrictive measures against cyber-attacks threatening the EU or its Member States.

It is true that sanctions on that basis would be a novelty. However, Article 3 of the aforementioned Cyber-Attacks Regulation makes use of two instruments which are well known from sanctions laws and embargoes in general: the ban on the provision of funds on the one hand and asset freezing on the other. Sanctioned persons, who in Germany's view should include, for example, GRU boss Igor Kostyukov, should therefore not be provided with funds or other economic resources. Money or other resources held or controlled should be rendered inaccessible. Individual exceptions remain possible under the Cyber-Attacks Regulation. It is not yet foreseeable whether, to what extent or when the cybersanctions could enter into force.

Mandatory sanction list screening; compliance management strongly recommended

The German initiative may, first and foremost, be seen as another reason why companies should have IT-based, automated sanctions list screening (unless this would be disproportionate) in order to check both new and existing customers on a daily basis. With regard to existing compliance management systems, it could be advisable to examine whether the application requirements of certain compliance measures have an overly strong country connection, for example in the context of examinations of the business partners' shareholders. Cybersanctions are not the only sanctions with a borderless effect, in that they break with the traditional limitation to clearly defined embargo countries. The same applies to the increasingly common sanctions similar to "Magnitsky sanctions" in connection with human rights violations. Last but not least, a general trend of recent years continues, namely that compliance with foreign trade laws places ever higher demands on companies. If companies have not yet established a genuine compliance management system, today would be a better time to do so than tomorrow.
