EU Council adopts restrictive measures against cyber-attack threats, aligned by eight countries
On 16 March 2026, the Council of the European Union formally adopted Decision (CFSP) 2026/588, instituting restrictive measures against persons and entities involved in cyber-attacks that threaten the European Union or its member states. The decision specifically identified and added two individual persons and three entities to the annex list of sanctioned natural and legal persons subject to these restrictive measures under the existing CFSP framework established by Decision (CFSP) 2019/797.
The Council's action underscores the continued efforts by the EU to deter and respond to cyber threats by applying targeted sanctions. Following the adoption of this decision, eight non-EU countries, Albania, Bosnia and Herzegovina, Iceland, Moldova, Montenegro, North Macedonia, Norway, and Ukraine, have aligned their national policies with the EU decision to ensure uniform implementation of these restrictive measures.
This alignment demonstrates international cooperation beyond EU borders in countering cyber threats. The commitments of these countries to enforce the restrictive measures in their jurisdictions were officially noted and welcomed by the European Union.
The decision and alignment reflect an ongoing EU strategy to fortify cyber resilience and apply coordinated diplomatic and economic pressure on identified cyber threat actors.
