New Technologies in International Law / Tymofeyeva, Crhák et al.

the act as such. [531] In fact, in many cases the perpetrators of cyber-attacks were linked to different governments, and the attacks were not carried out individually (StuxNet, WannaCry, NotPetya, the attempted attack against OPCW). [532] As to the issue of vagueness, the Regulation enables the adoption of cyber sanctions against “cyber-attacks with a significant effect” that could have “a potentially significant effect which constitutes an external threat to the Union or its member states.” [533] The term “significant” effect is open-ended and ensures much flexibility, albeit Article 2 lists several factors that shall be taken into account when assessing the significance of the attack. [534] The same applies to the term “external threat”. The latter term is specified in Article 1 (4) of the Regulation, though the list set out therein is not exhaustive. Such vagueness could be justified by the need to ensure a certain degree of flexibility for the Union to react promptly and more effectively in cyberspace, which is unpredictable and subject to permanent change. Moreover, the Council had taken heed of the decision-making of the Court of Justice, which has a relatively strong role in the context of restrictive measures. [535] The Council learned a lesson from past judicial practice, where it could not defend some of the restrictive measures it imposed. [536] On the other hand, the vagueness and imprecise nature of listing criteria creates the possibility for arbitrary decision-making, disregarding the principle of legal certainty.

The second point concerns evidentiary issues. The listing must not only be based on specific reasons, but it shall be supported by evidence. Moreover, to ensure the right to fair trial, the listed individuals must have access to this evidence. [537] This procedural

(Footnote continued from the previous page:) North Korean state-sponsored groups specializing in cyber operations. See: Annex, Council of European Union, Council Decision (CFSP) 2019/797 of 17 May 2019 concerning restrictive measures against cyber-attacks threatening the Union or its Member States.

[531] Miadzvetskaya Y, Wessel AR, ‘The Externalisation of the EU’s Cybersecurity Regime: The Cyber Diplomacy Toolbox’ (2022) 7 European Papers 413, p. 435.

[532] Miadzvetskaya Y, ‘Cyber sanctions: towards a European Union cyber intelligence service?’ (College of Europe Policy Brief, 2021). Currently, there are four entities and eight individuals that are on the cyber sanctions list. See, Council of the European Union, Cyber-attacks: Council extends sanctions regime until 18 May 2025, Press release, accessed 31 December 2023.

[533] Council of European Union, Council Regulation (CFSP) 2019/796 of 17 May 2019 concerning restrictive measures against cyber-attacks threatening the Union or its Member States, Article 1(1).

[534] “The factors determining whether a cyber-attack has a significant effect as referred to in Article 1(1) include any of the following: (a) the scope, scale, impact or severity of disruption caused, including to economic and societal activities, essential services, critical State functions, public order or public safety; (b) the number of natural or legal persons, entities or bodies affected; (c) the number of Member States concerned; (d) the amount of economic loss caused, such as through large-scale theft of funds, economic resources or intellectual property; (e) the economic benefit gained by the perpetrator, for himself or for others; (f) the amount or nature of data stolen or the scale of data breaches; or (g) the nature of commercially sensitive data accessed.”

[535] Chachko E, ‘Foreign Affairs in Court: Lessons from CJEU Targeted Sanctions Jurisprudence’ (2019) 44 Yale Journal of International Law 1, p. 2.

[536] Miadzvetskaya Y, ‘Cyber sanctions: towards a European Union cyber intelligence service?’ (College of Europe Policy Brief, 2021), p. 3.

[537] Gordon R, Smyth M and Cornell T, Sanctions Law (Hart, 2019), pp. 156–163.
