Key data
| Regulation | Commission Implementing Regulation (EU) 2026/1714 of the Council, of 13 July 2026 |
|---|---|
| Legal basis | Regulation (EU) 2019/796 on restrictive measures against cyberattacks |
| Publication | 13 July 2026 |
| Entry into force | 13 July 2026 (immediate application) |
| Affected parties | Companies and citizens with financial or commercial ties to the sanctioned parties |
| Sanctions applied | Freezing of financial assets and prohibition on travel to the EU |
| Category | European Regulation — direct application in all Member States |
| CELEX reference | 32026R1714 |
If your company operates with international counterparties—suppliers, customers, financial partners, intermediaries—and any of them appears on the updated list by Commission Implementing Regulation (EU) 2026/1714, you are at risk of non-compliance from the day of its publication: 13 July 2026.
This regulation does not create a new regime: it updates the list of natural and legal persons subject to restrictive measures under Regulation (EU) 2019/796, which established the European sanctioning framework against cyberattacks threatening the EU or its Member States. What changes now is who is on that list.
What does this regulation establish?
Commission Implementing Regulation (EU) 2026/1714 updates the official list of persons and entities subject to restrictive measures due to their involvement in cyberattacks against the European Union or its Member States. The concrete measures applied to the sanctioned parties are two:
- Freezing of financial assets: all funds and economic resources of the sanctioned parties are blocked.
- Prohibition of entry and transit through the territory of the European Union.
For companies and European citizens, the regulation establishes a clear obligation: it is prohibited to make funds or resources available to the sanctioned parties, whether directly or indirectly. This includes payments, transfers, access to financial services, supply of goods, or any other form of economic support.
As an Implementing Regulation, its application is direct and immediate in all Member States without the need for any national transposition law. It entered into force on the same day as its publication.
Economic and operational impact
The impact for companies is not abstract: operating with a sanctioned counterparty can have very concrete economic and legal consequences.
- Criminal or administrative sanctions according to the legislation of each Member State. In Spain, non-compliance with EU restrictive measures may constitute a crime against the international community.
- Blocking of ongoing operations: any payment, transfer, or delivery of goods to a sanctioned party is automatically prohibited from the date of publication of the updated list.
- Reputational risk: financial entities and auditors conduct compliance controls on their clients. Operating with sanctioned parties can trigger alerts in your own banking relationships.
- Operational cost of verification: companies with international activity must incorporate counterparty screening processes against sanctions lists, which involves time, tools, or specialized services.
The risk is not limited to companies operating in technology or cybersecurity sectors. Any company—importers, exporters, with international suppliers or investments in third countries—may unknowingly have a commercial relationship with a sanctioned party.
Who does it affect?
- Companies with international supply chains that include suppliers or intermediaries outside the EU.
- Financial and payment entities that process international transfers.
- Technology and cybersecurity companies with clients or partners in high-risk markets.
- Importers and exporters with counterparties in countries with the presence of sanctioned actors.
- Investment funds and asset managers with positions in companies or vehicles that may be linked to sanctioned parties.
- Advisors, consultancies, and law firms that provide services to international entities.
- European citizens with personal economic relationships with the sanctioned parties.
Practical example
A Spanish software company contracts a cloud infrastructure service provider based in a third country. On 13 July 2026, Regulation (EU) 2026/1714 updates the list of sanctioned parties and includes that service provider company due to its involvement in a cyberattack against European critical infrastructure.
From that same day, the Spanish company is prohibited from making any payment or transferring resources to that provider. If it does—even to settle invoices prior to the sanction—it incurs a breach of the Regulation. The consequences depend on applicable Spanish legislation, but may include serious administrative sanctions or even criminal liability.
The key point is that the Spanish company receives no individual notification: it is its responsibility to consult and monitor the official list of sanctioned parties published in the Official Journal of the EU.
What should companies do now?
- Consult the updated official list of sanctioned parties in the Official Journal of the EU to verify whether any of your current counterparties appear on it. The list is public and free.
- Review all active international commercial and financial relationships: suppliers, customers, partners, intermediaries, and any entity to which funds or resources are transferred.
- Immediately suspend any operation with counterparties identified as sanctioned, including pending payments, delivery of goods, or provision of services.
- Implement a periodic screening process of counterparties against EU sanctions lists. Lists are updated without prior notice: a counterparty that is not sanctioned today may be tomorrow.
- Document the verifications performed to demonstrate due diligence in case of inspection or investigation.
- Consult with legal advisors specialized in international compliance if you have doubts about ongoing operations or if you detect any potentially affected counterparty.
Non-compliance with the restrictive measures established in Regulation (EU) 2019/796 and its implementing regulations may result in criminal or administrative sanctions according to the legislation of each Member State. In Spain, regulations on foreign trade control and applicable criminal provisions may be triggered in case of such breaches.
Frequently asked questions
Where can I consult the updated list of EU-sanctioned parties for cyberattacks?
The official list is published in the Official Journal of the European Union, in the text of Commission Implementing Regulation (EU) 2026/1714 (CELEX:32026R1714). It can also be consulted through the EU Financial Sanctions tool (EU Sanctions Map), available on the European Commission portal. The list is updated through new implementing regulations without prior notice.
What happens if my company has made payments to a counterparty that has just been sanctioned?
If the payments were made before the date of publication of the regulation that includes that counterparty on the list (in this case, 13 July 2026), in principle there is no breach. However, any operation after that date is prohibited. If you have doubts about ongoing operations or pending payments, you must suspend them and consult with legal advisors specialized in international compliance.
When did Regulation (EU) 2026/1714 enter into force and is there an adaptation period?
Commission Implementing Regulation (EU) 2026/1714 entered into force on the same day as its publication: 13 July 2026. There is no adaptation period or vacatio legis. As an EU Implementing Regulation, its application is direct and immediate in all Member States without the need for national transposition.
What specific sanctions does the EU apply to those responsible for cyberattacks?
Regulation (EU) 2026/1714 applies two types of restrictive measures: (1) freezing of financial assets of the persons and entities included on the list, and (2) prohibition on traveling or transiting through EU territory. Additionally, European citizens and companies are prohibited from making funds or resources available to the sanctioned parties.
What are the consequences for a Spanish company operating with a sanctioned party?
Non-compliance may result in criminal or administrative sanctions according to applicable Spanish legislation. In Spain, breaches of EU restrictive measures may be classified as crimes against the international community or serious violations of foreign trade control regulations. Additionally, the financial entities with which your company operates may block operations if they detect links to sanctioned parties.
Official source
Consult complete regulation in official source
Disclaimer: This article is for informational purposes only and does not constitute legal advice. For specific decisions, consult a qualified professional. Source: https://eur-lex.europa.eu/./legal-content/AUTO/?uri=CELEX:32026R1714