The European Union extended until May 18, 2027 the sanctions against people and entities linked to cyber attacks considered threats to the bloc, according to a decision announced by the European Council on May 11, 2026. In addition, Brussels extended until May 2028 the legal framework that allows this regime of restrictive measures to be applied.
The European Council noted that The decision responds to increase in digital threats directed against governmentscritical infrastructures, international institutions and the cryptocurrency ecosystem. The EU considers it necessary to maintain permanent tools to deter attacks and strengthen its response capacity against cyber operations attributed to foreign actors.
The current sanctions They reach 19 individuals and 7 entities accused of participating in computer attacks with significant impact against the EU, its Member States, third countries or international organizations. A notable case from the past is that of WannaCry, a massive ransomeware that managed to take over $140,000 worth of bitcoin. The measures include freezing of crypto assets, travel bans and restrictions on European citizens or companies from delivering funds or economic resources to those sanctioned.
The regime is part of the so-called “cyber diplomacy toolbox” (cyber diplomacy toolbox), created in 2017 as a framework for diplomatic response to malicious activities in cyberspace, as reported by CriptoNoticias. Two years later, in 2019, the EU formally established the sanctions mechanism to respond to cyber attacks considered external threats.
Brussels maintains that these measures seek to defend the “rules-based international order” and increase the political and economic cost for those who participate in espionage, sabotage or digital destabilization operations. Designations will be reviewed every 12 months.
The tightening of these policies generates debate. Some specialists they question the actual capacity to attribute cyberattacks with absolute certaintydue to the use of intermediaries, private networks and covert operations that make it difficult to identify those directly responsible.
Added to this is the concern of technological and business sectors that warn that new regulations could end up affecting digital platformsinfrastructure providers and private companies operating within the European digital ecosystem.
The decision reflects how cybersecurity has gone from being a technical issue to becoming a central component of Europe’s foreign and economic security policy. In a scenario marked by geopolitical conflicts, digital espionage and attacks on strategic infrastructures, the EU seeks to consolidate a more aggressive defense and deterrence strategy. At the same time, The advancement of these measures anticipates a stricter regulatory environment for technology companies and actors in the digital economy that operate within the European bloc.