Key data
| Regulation | Council Decision (CFSP) 2026/588, of 16 March 2026 |
|---|---|
| Modified rule | Decision (CFSP) 2019/797 — EU cybersecurity sanctions regime |
| Publication | 16 March 2026 |
| Entry into force | 16 March 2026 |
| Affected parties | Companies, critical infrastructure and European public bodies exposed to cyberattacks |
| Category | European Regulation — Common Foreign and Security Policy (CFSP) |
| Applicable sanctions | Asset freezing and prohibition of entry into European territory |
| CELEX reference | 32026D0588 |
European companies with critical infrastructure or sensitive data have had stronger institutional support since 16 March 2026 against cyberattacks of state or state-affiliated origin. The Council Decision (CFSP) 2026/588 modifies the European sanctions regime on cybersecurity established in 2019, updating the list of natural and legal persons subject to restrictive measures for their involvement in significant cyberattacks against the EU or its Member States.
This decision is not entirely new: it modifies and expands the Decision (CFSP) 2019/797, the original sanctions framework that the EU launched several years ago to respond to high-impact cyber threats. What changes now is the update to the list of sanctioned actors, adapting it to the current threat landscape.
What does this regulation establish?
Decision (CFSP) 2026/588 operates within the framework of the EU's Common Foreign and Security Policy. Its function is to update the list of persons and entities against which restrictive measures are applied for having participated in significant cyberattacks directed against the European Union or its Member States.
The regime provides for two restrictive measures:
- Asset freezing: the assets and economic resources of persons and entities included in the list are blocked in European territory.
- Prohibition of entry: sanctioned natural persons cannot access the territory of EU Member States.
The following table summarizes the comparison between the original framework and the modification introduced in 2026:
| Aspect | Decision (CFSP) 2019/797 (original) | Decision (CFSP) 2026/588 (modification) |
|---|---|---|
| Purpose | Establishment of the cybersecurity sanctions regime | Update of the list of sanctioned persons and entities |
| Sanctions | Asset freezing and prohibition of entry into the EU | The same restrictive measures are maintained |
| List of sanctioned parties | Initial list of actors involved in cyberattacks | Expanded list with new persons responsible for significant cyberattacks |
| Entry into force | 2019 | 16 March 2026 |
Economic and operational impact
For European companies, this decision has an impact that is mainly indirect but relevant in strategic and operational terms:
- Greater deterrence against malicious actors: expanding the list of sanctioned parties strengthens the deterrent effect of the European framework, which can reduce the frequency or intensity of attacks of state or state-affiliated origin against European targets.
- Stronger institutional support: organizations that are victims of cyberattacks have a more robust legal framework that can facilitate claims, investigations and cooperation with European authorities.
- No new direct compliance obligations: this decision does not impose administrative burdens or direct costs on European companies. It is not an internal compliance rule, but a foreign policy tool.
- Signal of regulatory escalation: the update to the list in 2026 indicates that the EU maintains active surveillance and response to cyber threats, which can influence decisions on cybersecurity investment.
Who does it affect?
This regulation is directly or indirectly relevant to the following profiles:
- Companies with critical infrastructure: energy, telecommunications, transport, water, health and finance are the sectors historically most exposed to cyberattacks of state origin.
- Public bodies and administrations: they are frequent targets of malicious actors seeking political impact or access to sensitive data.
- Companies with sensitive data: organizations that manage large volumes of personal, industrial or strategic data.
- Cybersecurity managers (CISOs and security teams): must be aware of the evolution of the European regulatory framework to align their defense strategies with the regulatory context.
- CFOs and executives: the evolution of the European sanctions framework is a relevant indicator for sizing cybersecurity investments and risk management.
- Legal and compliance advisors: must incorporate this framework into regulatory risk analyses for their clients.
Practical example
A Spanish energy sector company operating electrical distribution infrastructure has suffered in recent years intrusion attempts attributed to actors linked to third countries. With the update to the sanctions regime through Decision (CFSP) 2026/588, those responsible for those attacks—if identified and included in the list of sanctioned parties—are subject to asset freezing in Europe and prohibition of entry into the EU.
For this company, the practical impact is twofold: on one hand, the European framework acts as an additional deterrent element against future attacks. On the other, in the event of an incident, the company can rely on this framework to collaborate with European authorities in identifying and sanctioning those responsible, thereby strengthening its position in claims or compensation processes.
This decision imposes no new compliance obligations on the company, but it should review whether its cybersecurity strategy is aligned with the level of threat that the European framework itself recognizes as significant.
What should companies do now?
- Review exposure to the risk of state-origin cyberattacks: identify whether the company operates in sectors or with data that makes it a potential target for malicious actors of state or state-affiliated origin.
- Update cybersecurity risk analysis: incorporate the evolution of the European sanctions framework as an indicator of the level of threat institutionally recognized, which can justify additional investments in protection.
- Establish or strengthen incident response protocols: in the event of suffering a significant cyberattack, have clear procedures to notify competent authorities and collaborate with European response mechanisms.
- Monitor the evolution of the sanctions list: although it does not impose direct obligations, knowing which actors are sanctioned can be relevant for assessing risks in international operations or relationships with third parties.
- Consult with advisors specialized in cybersecurity and regulatory compliance: for organizations with critical infrastructure, it is recommended to periodically review the European regulatory framework on cybersecurity, which also includes the NIS2 Directive and other complementary regulations.
Frequently asked questions
What sanctions does Decision (CFSP) 2026/588 provide for cyberattacks?
The Decision establishes asset freezing and prohibition of entry into European territory for natural and legal persons involved in significant cyberattacks against the EU or its Member States.
Since when is the expansion of the EU's cyberattack sanctions regime in force?
Decision (CFSP) 2026/588 entered into force on the day of its publication: 16 March 2026.
Which companies should pay more attention to this European cybersecurity regulation?
Organizations with critical infrastructure or sensitive data should be most attentive, as they are the usual targets of malicious actors.