EU cybersecurity / cyber sanctions

UK and EU Launch Their First Joint Cyber Sanctions Regime, Betting on Precision Over Broad Regulation

London and Brussels sanctioned 30+ Russian hackers and enablers after FSB Center 16 nearly blacked out 500,000 Poles.

UK-EU's First Joint Cyber Sanctions Package People of Internet Research · EU 24 UK designations Individuals and entities sanctione… 9 + 4 EU designations The EU sanctioned 9 individuals an… ~500,000 Poles risked losing power Population that could have lost el… ~2,100 UK Lumma Stealer victims UK victims of Lumma Stealer creden… peopleofinternet.com
UK-EU's First Joint Cyber Sanctions Pa… People of Internet Research · EU 24 UK designations 9 + 4 EU designations ~500,000 Poles risked losing power ~2,100 UK Lumma Stealer victims peopleofinternet.com

Key Takeaways

A First-of-Its-Kind Joint Package

On July 13, 2026, the United Kingdom and European Union announced their first-ever coordinated cyber sanctions package, formally attributing a near-catastrophic December 2025 attack on Poland's power grid to Center 16, the signals-intelligence arm of Russia's FSB. The UK designated 24 individuals and entities; the EU separately sanctioned 9 individuals and 4 entities under its dedicated cyber-attacks sanctions regime (Council Decision 2019/797) (Help Net Security). UK Foreign Secretary Yvette Cooper said the measures "strike at the core of the cybercriminal networks propping up the Russian state's aggression" (GOV.UK).

The attack itself came "very close" to blacking out roughly 500,000 people in the depths of winter, targeting more than 30 Polish wind and solar installations and a heat plant with data-wiping malware, before an attempted follow-on strike on Poland's National Centre for Nuclear Research in March 2026 (The Record). Poland's Ministry of Foreign Affairs called the package the first EU cybersanctions action "on such a broad scale" and said it "fully supports" the measures (Polish MFA).

Attribution Mattered as Much as the Sanctions

What's notable is not just the sanctions but the attribution fight that preceded them. Cybersecurity firms ESET and Dragos initially pinned the Poland intrusion on Sandworm, the GRU-linked group behind the 2015 and 2016 Ukraine grid attacks. CERT Polska disputed that, tracing the infrastructure to a cluster tied instead to the FSB's Center 16 — a re-attribution the UK and EU have now formally endorsed (The Record). That distinction matters for policy: FSB and GRU units operate under different chains of command and different legal mandates inside Russia, and getting attribution wrong risks misdirected diplomatic pressure. Publicly correcting the record, rather than quietly adjusting internal threat models, is a genuine transparency win.

The designee list itself is broader than a single grid attack would suggest. Alongside named FSB and GRU officers, the UK sanctioned operators of Lumma Stealer, a credential-theft tool linked to roughly 2,100 UK victims in the six months before the announcement, and ten people tied to Rybar, the pro-Kremlin outlet accused of disinformation around Ukraine and interference in Moldovan and Armenian elections (GOV.UK). Two Russian firms, AO AST and NPP Gamma, were named for allegedly supplying tools and infrastructure to Center 16's offensive operations. Bundling espionage, sabotage, criminal malware and information operations into one package reflects a real feature of the Russian ecosystem: state services increasingly lean on nominally private contractors and criminal proxies, blurring the line between statecraft and cybercrime.

The Case Regulators Would Make — and Why It's Reasonably Strong

The strongest argument for this package is that it does something regulation of Western tech companies cannot: it imposes cost directly on the people and entities responsible, without touching the platforms, networks or code they abuse. Sanctions here are individualized — travel bans and asset freezes on named officers and companies — rather than blanket rules on encryption, data flows or content that would burden law-abiding firms and users far more than they burden the FSB. Given that the underlying conduct is sabotage of critical infrastructure that could have cut power to half a million people mid-winter, a targeted, evidence-based response of this kind is proportionate, not performative.

Where the Skepticism Is Warranted

The honest caveat is that targeted sanctions on FSB officers who were never going to vacation in Nice or bank in Frankfurt have limited direct bite — this is signaling and coalition-building as much as coercion. But the mechanism itself is the right one to keep and expand: Council Decision 2019/797, in force since 2019, lets the EU sanction specific responsible parties rather than legislating against tools or platforms that have overwhelmingly legitimate uses (EUR-Lex). That is the model regulators reaching for AI, encryption or cross-border data rules should study: name and constrain the actual bad actor, don't restrict the general-purpose technology everyone else depends on. A designations regime that grows through precise, well-attributed listings — as this one now has, twice, in 2026 alone — is a far better long-run tool than reactive infrastructure mandates imposed on utilities and tech firms after every incident.

The test now is enforcement and expansion discipline: whether London and Brussels keep pace with the still-active Center 16 campaign rather than treating July 13 as a one-off headline, and whether future rounds stay this narrowly targeted rather than drifting toward broader restrictions on the security research and dual-use tools that legitimate defenders also rely on.

Sources & Citations

  1. GOV.UK — UK and EU strike Russian cyber networks with new sanctions
  2. Poland MFA — Statement on Russian malicious activities in cyberspace
  3. EUR-Lex — EU restrictive measures against cyber-attacks (Council Decision 2019/797)
  4. The Record — Russia blamed for Poland grid cyberattack in joint UK-EU sanctions package
  5. Help Net Security — EU and UK blacklist Russia's cyber operators