Cyber-Attacks (Asset-Freezing) Regulations 2019


Key Theme(s) EU Regulations; Cyber-Attacks; Assets; and Freezing Injunctions.

Whilst the UK persists in its membership of the EU, it is still required to implement any EU Council Regulations into domestic law. On 11 June 2019, the Cyber-Attacks (Asset-Freezing) Regulations 2019 (the Regulations) seek to comply with Council Regulation (EU) 2019/796 which provides measures to allow member states to respond to and deter cyber-attacks with a particular focus on cyber-attacks which originate outside of the EU or with support from someone outside of the EU.

The Regulations apply to "designated persons" which are defined as:

  • those responsible for successful or attempted cyber-attacks;
  • those providing financial, technical or material support in successful or attempted cyber-attacks; and
  • anybody associated with points a) and b).

The consequence of such Regulations is wide ranging and both the EU and the UK are taking a clear stance in relation to the future of cyber-attacks in the region. In a globalised world, cyber-attacks may occur in any remit and therefore having regulations that cover whole sectors allows wide spread protection and deterrence. The particular focus on external threats to the EU may give a nod to a turbulent political landscape, however, nonetheless, it will be interesting to monitor how these Regulations are applied in practice on a case by case basis.

Points to Note

Main Restrictive measures:

  • bans on persons travelling to the EU;
  • freezing of funds and economic resources; and
  • prohibition from making funds available to designated persons; and

Overview of Regulations:

  • Regulation 2 – interpretation;
  • Regulations 3 to 7 – prohibits any dealing with or making available any funds or economic resources for the benefit a designated person;
  • Regulation 8 – exceptions to prohibited activities (e.g. providing funds in relation to any interest accumulated, payments due under contract, and/or court orders);
  • Regulation 9 – the Treasury is able to grant a licence authorising certain acts. Creates offences for false information; false documents; or non-compliance with a licence;
  • Regulation 10 - offences for contravention of regulations 3 to 7;
  • Regulations 11 to 14 – penalties, proceedings and consent; and

Schedule - information gathering and disclosure. Creates offences for failure to comply with a request for information and compliance with reporting obligations.


PDPL – Bahrain's data protection regime


GDPR and employment – where are we now?


Trowers & Hamlins named in The Times Best Law Firms 2020 list


Trowers & Hamlins expands international dispute resolution practice


Trowers & Hamlins partner crowned Litigator of the Year


Paving the way for data breach group actions