
EU Sanctions for Cyberattacks 2026: What Companies and Banks Must Do

Equipo Editorial CambiosLegales
08 Apr 2026

Key data

Regulation: Council Implementing Regulation (EU) 2026/589 of 16 March 2026
Base regulation: Regulation (EU) 2019/796, the sanctioning framework against cyberattacks
Publication: 16 March 2026
Entry into force: 16 March 2026 (immediate effect)
Affected parties: Companies with international activity, financial entities and technology providers in the EU
Category: European Regulation
Applied measures: Asset freezing, prohibition on making funds available to designated parties, travel restrictions

European companies have a new compliance obligation as of 16 March 2026: Council Implementing Regulation (EU) 2026/589 updates the list of persons and entities sanctioned under Regulation (EU) 2019/796, the European sanctions instrument against cyberattacks that threaten the EU or its Member States.

This is not a technical cybersecurity regulation. It is an economic sanctions regulation: if your company operates with any of the listed subjects, you are in breach of European law, with immediate legal consequences.

What does this regulation establish?

Implementing Regulation 2026/589 updates the list of natural and legal persons subject to restrictive measures under Regulation (EU) 2019/796. This base regulation is the specific European sanctioning framework for cyberattacks and has been in force since 2019.

Three restrictive measures apply to subjects included on the list:

  • Asset freezing: the funds and economic resources of designated parties are blocked.
  • Prohibition on making funds available: no company or person in the EU can transfer, pay or provide economic resources to those listed.
  • Travel restrictions: applicable to natural persons included on the list.

The update of the list through this implementing regulation is the usual mechanism of the EU Council to add new cyberattack perpetrators as they are identified. Each update takes effect immediately upon publication.

Measure | Applies to | Effect for European companies
Asset freezing | Natural and legal persons listed | Prohibited from managing or releasing assets of designated parties
Prohibition on making funds available | Natural and legal persons listed | Prohibited from making payments, transfers or contracts with those listed
Travel restrictions | Natural persons listed | Does not apply directly to companies, but affects meetings or relations with those persons

Economic and operational impact

The direct impact is not a fixed regulatory cost: it is a legal liability risk. Companies that do not update their counterparty verification processes are exposed to administrative and criminal sanctions according to the legislation of each Member State where they operate.

The operational impact is concentrated in three areas:

  • Counterparty screening: companies must incorporate the updated list into their customer, supplier and partner verification tools. This is especially critical for financial entities, which already have compliance obligations regarding international sanctions.
  • Review of active contracts and commercial relationships: any ongoing relationship with a subject that has been added to the list must be terminated immediately.
  • Update of compliance programs: compliance departments must incorporate this regulation into their due diligence and periodic review procedures.

For technology providers with clients or partners outside the EU, the risk is greater, as hostile state and non-state actors identified on the list may be present in international technology supply chains.

Who does it affect?

  • Financial entities: banks, insurance companies, fund managers and any entity subject to financial regulation in the EU. They have the greatest exposure and, in many cases, already have screening systems that must be updated.
  • Technology service providers: software companies, cloud infrastructure, cybersecurity, telecommunications and any IT provider with international clients or partners.
  • Companies with international activity: any company that operates outside the EU, imports, exports or maintains commercial relationships with third countries, especially in areas of high geopolitical risk.
  • Compliance and legal departments: responsible for keeping compliance programs updated regarding international sanctions.
  • CFOs and financial directors: responsible for authorizing payments and transfers that could be prohibited if the counterparty appears on the list.

Practical example

A Spanish software company with clients in Eastern Europe maintains a license agreement with a foreign technology company. On 16 March 2026, Regulation 2026/589 enters into force, adding that foreign company to the list of sanctioned parties for its involvement in cyberattacks against European infrastructure.

From that same day, the Spanish company is prohibited from:

  • Collecting or paying any amount to that company.
  • Renewing or executing the license agreement.
  • Making available any economic or technological resources.

If the compliance department has not updated its counterparty screening with the new list and processes a payment that month, the company incurs legal liability in Spain, regardless of whether the breach was unintentional. The verification obligation is continuous, not one-time.


What should companies do now?

  1. Immediately update counterparty screening: incorporate the list from Regulation 2026/589 into customer, supplier and partner verification tools. Entry into force was 16 March 2026, with no transition period.
  2. Review active commercial relationships: identify whether any current customer, supplier or partner appears on the updated list. If so, terminate the relationship and block any pending transactions.
  3. Update the compliance program: include Regulation (EU) 2019/796 and its updates in due diligence and periodic review procedures for international sanctions.
  4. Train compliance and finance teams: those responsible for authorizing payments must understand the obligation to verify before any transaction with international counterparties.
  5. Establish a continuous update process: the list of sanctioned parties is updated periodically through new implementing regulations. The screening process must be continuous, not an annual review.
  6. Consult with a legal advisor specialized in international sanctions: especially for companies with high international exposure or complex technology supply chains, where the risk of unintentional non-compliance is greater.

Frequently asked questions

Which companies must review their counterparties due to the new EU cyberattack sanctions?

Companies with international activity, financial entities and technology service providers in the EU are the main obligated parties. They must verify that they do not maintain commercial relationships or transactions with subjects included on the list updated by Council Implementing Regulation (EU) 2026/589.

What specific sanctions does the EU apply to those responsible for cyberattacks?

Regulation (EU) 2019/796, applied through Implementing Regulation 2026/589, establishes three main restrictive measures: asset freezing, prohibition on making funds available to designated parties, and travel restrictions for natural persons.
