EU Council sanctions three entities and two individuals for cyber-attacks against Member States
On 16 March 2026, the Council of the European Union adopted restrictive measures (sanctions) against three entities and two individuals held responsible for cyber-attacks conducted against EU Member States and their partners. The decision is grounded in the horizontal cyber sanctions regime established in May 2019 (Regulation (EU) 2019/796 and Decision (CFSP) 2019/797) and forms part of the broader cyber diplomacy toolbox the EU put in place in June 2017.
The two legal instruments adopted today — Decision (CFSP) 2026/588 and Implementing Regulation (EU) 2026/589 — have been published in the Official Journal of the European Union. With today’s additions, the cyber sanctions regime now applies to a total of 19 individuals and 7 entities.
The sanctioned entities
Integrity Technology Group, a China-based company, has, according to the Council, routinely provided products used to compromise and access devices in EU Member States, across Europe, and worldwide. Between 2022 and 2023, through its technical and material support, over 65,000 devices were hacked across six Member States. Integrity Tech had already been sanctioned by the United States and the United Kingdom — the UK having documented that the company controlled and operated a botnet comprising more than 260,000 compromised devices globally.
Anxun Information Technology (also known as i-Soon), also based in China, provided hacking services targeting the critical infrastructure and essential functions of Member States and third countries. The two Chinese individuals listed today are co-founders of the company and were found responsible for or involved in cyber-attacks affecting EU Member States. The US and the UK also sanctioned Anxun for targeting more than 80 government and private-sector IT systems worldwide.
Emennet Pasargad, an Iranian company formerly operating as Net Peygard Samavat Company, unlawfully accessed a French subscriber database and advertised its contents for sale on the dark web, compromised advertising billboards to spread disinformation during the 2024 Paris Olympic Games, and breached a Swedish SMS service affecting a significant number of EU citizens. US authorities had already documented the company’s track record in election interference operations and its links to the Islamic Revolutionary Guard Corps (IRGC).
The measures imposed
All listed parties are subject to a freeze of funds and economic resources. EU citizens and companies are prohibited from making funds, financial assets, or economic resources available to them. Natural persons are also subject to a travel ban that prevents them from entering or transiting through EU territory.
An assessment
The Council’s decision warrants attention for at least four reasons.
The first is structural: EU cyber sanctions operate on a dual legal track — the CFSP and EU regulatory regimes, each with its own implementing acts. This architecture is not merely formal: it reflects the distinction between the intergovernmental dimension of foreign policy and the Union’s own competences in areas such as the internal market and the movement of capital.
The second consideration concerns coordination with international partners. The EU and the UK had already sanctioned the same entities. That is not a secondary detail: it signals substantive alignment among Western democracies in responding to state-sponsored or state-adjacent cyber threats, even as transatlantic relations face friction on other fronts.
The third observation is legal and systemic. EU cyber sanctions also serve a function of attribution without formal state responsibility: they allow the Union to publicly attribute responsibility for malicious activity — even where that activity is traceable to para-state structures or private companies operating within a government’s orbit — without triggering the mechanisms of formal state responsibility under public international law. That is a legally sophisticated feature that distinguishes this instrument from classical diplomatic responses, and one that most commentators overlook.
The fourth dimension concerns international normative signalling. Sanctions are not merely a bilateral response tool: they contribute to building behavioural norms in cyberspace, supporting the ongoing processes at the United Nations — both the Group of Governmental Experts (GGE) and the Open-Ended Working Group (OEWG) — aimed at clarifying how existing international law applies to state conduct in the cyber domain. Every act of public attribution and sanctioning reinforces the principle that existing international norms extend to activities in cyberspace.
One question of effectiveness remains open, however. Restrictive measures are instruments of deterrence and political attribution of responsibility, not enforcement mechanisms. Their utility is best measured by the political signal they send and their contribution to building a shared international norm, rather than by their immediate preventive effect.
The progressive expansion of the EU cyber sanctions regime signals that digital security is assuming a structural dimension in the Union’s foreign policy, alongside and complementing internal regulatory instruments such as the NIS2 Directive, the Cyber Resilience Act, and the forthcoming Cyber Solidarity Act. The external and internal perimeters of European digital security are converging towards a single coherent governance framework.