Key data
| Regulation | Council Decision (CFSP) 2026/1079, of 11 May 2026 |
|---|---|
| Modified regulation | Council Decision (CFSP) 2019/797 on restrictive measures against cyberattacks |
| Publication | 12 May 2026 |
| Entry into force | 11 May 2026 |
| Affected parties | Technology companies, financial entities and all economic operators in the EU |
| Category | European Regulation |
| Applicable measures | Asset freezing and prohibition of entry into the EU |
| Sanctions regime for non-compliance | Criminal or administrative sanctions according to the legislation of each Member State |

Operating with a sanctioned counterparty can become a serious legal problem overnight. Decision (CFSP) 2026/1079, published on 12 May 2026 and in force since 11 May, modifies the European sanctions regime established in 2019 to respond to cyberattacks that threaten the EU or its Member States.
The original framework, Decision (CFSP) 2019/797, already established restrictive measures against natural and legal persons linked to significant cyberattacks. This modification may expand the list of sanctioned subjects, update designation criteria or strengthen enforcement mechanisms. The obligation to comply rests with all economic operators in the EU, without exception.
What does this regulation establish?
Decision (CFSP) 2026/1079 modifies the EU's sanctions regime on significant cyberattacks. The restrictive measures that the EU can impose are of two types:
- Asset freezing of natural and legal persons designated as responsible for or complicit in significant cyberattacks against the EU or its Member States.
- Prohibition of entry into EU territory for natural persons included on the list of designated persons.
This decision modifies Decision (CFSP) 2019/797, which established the original sanctions framework for cyberattacks. The 2026 modification may involve:
- Expansion of the list of sanctioned natural and legal persons.
- Update of the criteria that determine who can be designated.
- Strengthening of enforcement and control mechanisms.
Compliance with these measures is mandatory for all economic operators in the EU. Non-compliance is sanctioned with criminal or administrative measures, the specific severity of which depends on the legislation of each Member State.
Economic and operational impact
The direct impact of this regulation is not a fee or fixed cost: it is the risk of operating with a sanctioned entity without knowing it. The operational and economic consequences are concrete:
- Blocking of operations: any transaction with a designated entity is automatically prohibited. This can paralyze technology projects, service contracts or relationships with cybersecurity providers.
- Criminal or administrative sanctions: non-compliance is not a minor infraction. Each Member State determines the severity of sanctions, which may include significant fines or criminal liability for executives.
- Reputational risk: being identified as an operator that has failed to comply with EU sanctions has consequences that go beyond the fine, affecting public procurement, banking relationships and contracts with major clients.
- Compliance cost: companies must implement or strengthen counterparty verification processes (screening) against updated sanctions lists, which involves investment in specialized tools or services.
Who does it affect?
The obligation to comply is universal for EU operators, but the risk is especially high for:
- Technology companies that work with suppliers, partners or international clients in the field of software, hardware, telecommunications or cybersecurity.
- Financial entities (banks, insurance companies, fund managers) that must apply sanctions controls in their onboarding and transaction processes.
- Cybersecurity companies that provide services to clients or work with subcontractors that could be on designated lists.
- Any economic operator in the EU with international business relationships, especially with counterparties in high-risk cyber jurisdictions.
- Legal advisors and compliance officers responsible for their organizations' regulatory compliance programs.
Practical example
A Spanish cybersecurity company hires a provider of vulnerability analysis software that is based outside the EU. Following the entry into force of Decision (CFSP) 2026/1079, that provider is added to the list of designated persons due to its alleged involvement in significant cyberattacks against European infrastructure.
From that moment on, the Spanish company is prohibited from making any payment to that provider and must suspend the contract immediately. If it continues to operate with it without verifying the updated lists, it incurs non-compliance with EU sanctions, with the criminal or administrative consequences established by Spanish law.
This scenario illustrates why periodic screening of counterparties is not a formality, but an obligation with real consequences. It is not enough to verify at the beginning of the business relationship: the lists of designated persons are updated, and the responsibility to stay up to date rests with the operator.
What should companies do now?
- Review the inventory of counterparties: identify all suppliers, clients and business partners operating in technology or cybersecurity sectors, especially outside the EU.
- Verify counterparties against the list of designated persons: consult the official EU sanctions list on the European Commission sanctions portal and in the Official Journal of the EU to verify that no counterparty is listed as designated.
- Implement a periodic screening process: verification is not a one-time procedure. Lists are updated with each new Council decision. Establish periodic reviews or contract automated monitoring tools.
- Update contracts: include sanctions compliance clauses that allow suspension or termination of contracts if a counterparty is designated, without penalty to the company.
- Train the compliance and procurement team: ensure that people managing relationships with suppliers and clients understand the obligations arising from this sanctions regime and know how to act when an alert occurs.
- Consult with specialized legal advice: if there is uncertainty about the status of any counterparty or about specific obligations in Spain, consult a qualified professional before the problem materializes.
Frequently asked questions
What sanctions can the EU impose for cyberattacks in 2026?
Decision (CFSP) 2026/1079 establishes two types of restrictive measures: asset freezing and prohibition of entry into EU territory for natural and legal persons designated as responsible for significant cyberattacks.
Which companies does this sanctions regulation for cyberattacks apply to?
It affects all economic operators in the EU, with particular impact on technology companies, financial entities and any operator that has business relationships with counterparties that may appear on the lists of designated persons.
What happens if a company fails to comply with EU sanctions for cyberattacks?
Non-compliance entails criminal or administrative sanctions according to the legislation of each Member State. The regulation is mandatory for all economic operators in the EU, with no exceptions based on size or sector.
How often are the EU sanctions lists for cyberattacks updated?
The lists of designated persons are updated whenever the EU Council adopts new decisions on cyberattacks. There is no fixed schedule, so companies must monitor official sources regularly or use automated tools to track changes.
Is there a grace period to comply with this regulation?
No. Decision (CFSP) 2026/1079 entered into force on 11 May 2026. Compliance is mandatory from that date. Any transaction with a designated entity after that date is prohibited.
What should a company do if it discovers it has been operating with a sanctioned counterparty?
Immediately suspend all operations with that counterparty, freeze any assets or payments, and consult with legal counsel and compliance specialists. Depending on the circumstances and the legislation of the Member State, it may be necessary to report the situation to the relevant authorities.
Official source
Disclaimer: This article is for informational purposes only and does not constitute legal advice. The information is based on the text of Decision (CFSP) 2026/1079 and related EU regulations. For specific guidance on your company's obligations or situation, consult with a qualified legal professional or compliance advisor. The author and publisher are not responsible for any consequences arising from the use or misuse of this information. Regulations may be subject to interpretation by national courts and EU institutions, and this content does not replace official legal counsel.