Cyber-attacks against the EU and its member states: Council sanctions three entities and two individuals 14:10 The Council adopted restrictive measures against three entities[...]

The Council adopted today restrictive measures against three entities and two individuals responsible for cyber-attacks carried out against EU member states and EU partners.

The Council has listed Integrity Technology Group, a China-based company, that has routinely provided products used to compromise and access devices in EU members states, across Europe and worldwide. Between 2022 and 2023, through their technical and material support, more than 65,000 devices were hacked across six member states.

Similarly, Anxun Information Technology, a China-based company, has provided hacking services aimed at the critical infrastructure and critical functions of member states and third countries. The two Chinese individuals also listed today by the Council, are co-founders of the company and were responsible for and involved in cyber-attacks affecting EU member states.

Lastly, the Iranian company Emennet Pasargad has unlawfully gained access to a French subscriber database and advertised its contents for sale on the dark web. They also compromised advertising billboards to spread disinformation during the 2024 Paris Olympic Games. Additionally, the company compromised a Swedish SMS service, impacting a large number of EU citizens.

Those listed today under both regimes are subject to an asset freeze, and EU citizens and companies are forbidden from making funds, financial assets or economic resources available to them. Natural persons also face a travel ban that prohibits them from entering or transiting through EU territories.

With today's listings the EU horizontal cyber sanctions regime now applies to 19 individuals and 7 entities.

Today's decision confirms EU's and its member states' willingness to provide a strong and sustained response to persistent malicious cyber activities targeting the EU, its member states and partners. The EU and its member states will continue to cooperate with our international partners to promote an open, free, stable and secure cyberspace.

The relevant legal acts have been published in the Official Journal of the European Union.

Background

The Framework for a Joint EU Diplomatic Response to Malicious Cyber Activities (the "cyber diplomacy toolbox") was established in June 2017. It allows the EU and its member states to use all CFSP measures, including restrictive measures if necessary, to prevent, discourage, deter and respond to malicious cyber activities targeting the integrity and security of the EU and its member states.

In May 2019, the Council established a framework of sanctions allowing the EU to impose targeted restrictive measures to deter and respond to cyber-attacks which constitute an external threat to the EU or its member states.

• Council Decision (CFSP) 2026/588 of 16 March 2026 amending Decision (CFSP) 2019/797 concerning restrictive measures against cyber-attacks threatening the Union or its Member States
• Council Implementing Regulation (EU) 2026/589 of 16 March 2026 implementing Regulation (EU) 2019/796 concerning restrictive measures against cyber-attacks threatening the Union or its Member States
• Council Decision (CFSP) 2019/797 of 17 May 2019 concerning restrictive measures against cyber-attacks threatening the Union or its Member States (consolidated text dated 14 May 2025)
• EU cybersecurity: strategy and key policies (background information)