EU Sanctions 2026 against cyberattacks: what companies must verify

Equipo Editorial CambiosLegales
12 May 2026

Key data

Regulation: Council Implementing Regulation (EU) 2026/1078, of 11 May 2026
Reference: CELEX:32026R1078
Publication: 12 May 2026
Entry into force: 11 May 2026
Base regulation: Regulation (EU) 2019/796
Affected parties: Companies and individuals with financial or commercial links to sanctioned actors
Category: European Regulation
Applied measures: Freezing of financial assets and prohibition of entry to EU territory

Any European company operating with international counterparties has a new compliance obligation as of 11 May 2026: to verify that its commercial and financial partners do not appear on the updated list of parties sanctioned by the Council Implementing Regulation (EU) 2026/1078. Failing to do so is not a theoretical risk: non-compliance can result in criminal and administrative consequences.

This regulation applies the sanctioning framework of Regulation (EU) 2019/796, which the EU uses to respond to cyberattacks that threaten the Union or its Member States. The novelty of this implementing regulation is the update of the list of natural and legal persons subject to restrictive measures.

What does this regulation establish?

Council Implementing Regulation (EU) 2026/1078 updates the list of individuals and entities sanctioned under the EU's cyber sanctions regime. Two measures apply to those included on the list:

  • Freezing of financial assets: the funds and economic resources of sanctioned parties are blocked.
  • Travel prohibition: sanctioned parties cannot enter or transit through the territory of the European Union.

However, the obligation does not rest solely on the sanctioned parties. European companies and citizens are prohibited from making funds or resources available to any person or entity on the list, directly or indirectly.

This makes counterparty verification an active obligation for any company with international activity, especially in sectors with greater exposure to risk actors.

Measure | Applied to | Obligation for European companies
Asset freezing | Individuals and entities on the sanctions list | Prohibited from transferring funds or resources to sanctioned parties
Prohibition of entry to the EU | Sanctioned natural persons | Do not facilitate or collaborate with their presence in EU territory

Economic and operational impact

The direct impact for most companies is not a fixed fine: it is the risk of incurring administrative or criminal sanctions for operating, unknowingly, with a counterparty included on the list. The severity of those sanctions depends on the legislation of each Member State.

The real operational cost translates into the need to implement or strengthen counterparty screening processes: verifying before any financial or commercial operation that the other party does not appear on any EU sanctions list, including this update.

For companies in the financial and technology sectors, this process should already be integrated into their compliance systems. For industrial or commercial companies with activity in risk markets, it may require a review of their internal procedures.

Reputational risk is also relevant: being identified as a counterparty to an actor sanctioned for cyberattacks can have consequences that go beyond legal sanctions.

Who does it affect?

The regulation directly affects:

  • Financial sector: banks, asset managers, insurers and any entity that carries out transfers or manages assets with international counterparties.
  • Technology sector: software companies, cybersecurity, digital infrastructure and cloud service providers with clients or partners outside the EU.
  • Companies with international commercial activity: any company that buys, sells or collaborates with entities in markets where sanctioned actors operate.
  • Advisors and consulting firms: firms that manage commercial or financial relationships on behalf of third parties must verify that their clients do not operate with sanctioned parties.
  • CFOs and financial directors: those responsible for approving international payments and transfers, who must ensure compliance before executing any operation.

Practical example

A Spanish technology company hires the services of a software development firm based outside the EU. Before formalizing the contract and making the first payment, the compliance department must verify that the firm and its beneficial owners do not appear on the sanctions list of Regulation (EU) 2026/1078.

If the verification is not carried out and the counterparty is included on the list, the Spanish company will have made funds available to a sanctioned party. This constitutes a breach of Regulation (EU) 2019/796 and can result in administrative or criminal sanctions according to applicable Spanish legislation, regardless of whether the company knew of the counterparty's status.

Verification must also be repeated for existing commercial relationships: a partner who was not sanctioned yesterday may be today following a list update like the one introduced by this regulation.

What should companies do now?

  1. Review the updated list of sanctioned parties: access the full text of Council Implementing Regulation (EU) 2026/1078 on EUR-Lex and check if any current counterparty appears on the list.
  2. Verify all active international counterparties: not just new relationships, but also existing partners, suppliers and clients with activity outside the EU.
  3. Update screening processes: if there is no formal sanctions verification procedure, implement one. If one exists, ensure it includes EU lists and is updated with each new implementing regulation.
  4. Train the procurement, finance and compliance teams: people who approve international payments and contracts must know this obligation and the verification procedure.
  5. Document verifications performed: in case of inspection or investigation, the company must be able to prove that it carried out the necessary checks before each operation.
  6. Consult with specialized legal advisors: if there is uncertainty about any counterparty or about the scope of obligations, seek advice before executing the operation.

Frequently asked questions

What happens if my company has a commercial relationship with someone on the list of parties sanctioned for cyberattacks?

Your company is in breach of Regulation (EU) 2019/796. It is prohibited to make funds or resources available to sanctioned parties. Non-compliance can result in administrative and criminal sanctions according to the legislation of each Member State.

When does the new EU list of parties sanctioned for cyberattacks come into force?

Council Implementing Regulation (EU) 2026/1078 came into force on 11 May 2026, one day before its official publication on 12 May 2026.

What specific measures do the sanctions under Regulation (EU) 2026/1078 entail?

The sanctions include two measures: freezing of financial assets of sanctioned parties and prohibition of travel to the territory of the European Union. Additionally, European companies and citizens are prohibited from making funds or resources available to those individuals or entities.

Which sectors should review the list of parties sanctioned for cyberattacks most urgently?

The financial sector, the technology sector and any company with commercial or financial activity in markets where sanctioned actors operate are the most exposed. They must verify that their counterparties do not appear on the updated list.

Where can I consult the official list of sanctioned parties?

The official list is available in the full text of Council Implementing Regulation (EU) 2026/1078, published in the Official Journal of the European Union and accessible through EUR-Lex.

Disclaimer: This article provides general information about Council Implementing Regulation (EU) 2026/1078 and is not legal advice. The interpretation and application of this regulation may vary depending on the specific circumstances of each company and the legislation of each Member State. Companies should consult with specialized legal advisors to ensure proper compliance with their obligations under this regulation and related EU sanctions frameworks. The information contained herein is current as of the publication date and may be subject to updates or amendments. Neither the author nor the publisher assumes responsibility for the use of this information or for any consequences arising from its application.


