The Council of the European Union has imposed sanctions on three entities and two individuals over cyber operations targeting member states and EU partners, in a move that brings Brussels’ cyber sanctions regime into direct use against actors linked to China and Iran.
The Council of the European Union on Monday adopted fresh cyber sanctions against three entities and two individuals it said were responsible for malicious cyber activities against member states and EU partners, marking one of the bloc’s clearest recent uses of its cyber sanctions regime.
According to the Council, the measures cover Integrity Technology Group and Anxun Information Technology, both based in China, as well as the Iranian company Emennet Pasargad. Two Chinese nationals linked to Anxun were also listed. Those designated are subject to an asset freeze, while EU persons and companies are prohibited from making funds or economic resources available to them. The individuals also face travel bans within the Union.
In its statement, the Council said Integrity Technology Group had routinely provided products used to compromise and access devices in EU member states, across Europe and beyond. It said that, between 2022 and 2023, more than 65,000 devices were hacked across six member states through technical and material support linked to the company. The Council said Anxun Information Technology had provided hacking services aimed at critical infrastructure and critical functions in member states and third countries.
The Council’s account of Emennet Pasargad centred on operations in France and Sweden. It said the Iranian company unlawfully accessed a French subscriber database and advertised the data for sale on the dark web. It also said the company had compromised advertising billboards to spread disinformation during the 2024 Paris Olympic Games and had targeted a Swedish SMS service, affecting a large number of EU citizens. Reuters, citing the EU statement, reportedthat Emennet was seen as having compromised billboards during the Paris Olympics and that the sanctions package includes an asset freeze and travel bans.
The legal framework is not new, but the political use of it remains significant. The Council said the EU’s cyber diplomacy toolbox was established in 2017 and that the specific sanctions framework was created in May 2019 to allow targeted restrictive measures against cyberattacks that constitute an external threat to the Union or its member states. The Council’s sanctions-against-cyber-attacks page states that the regime is intended to deter and respond to serious malicious cyber activity, while the underlying 2019 regulation provides the legal basis for asset freezes and related restrictions.
With these additions, the Council said the EU’s horizontal cyber sanctions regime now applies to 19 individuals and seven entities. It framed the latest listings as part of a “strong and sustained response” to persistent malicious cyber activities targeting the EU, its member states and partners. That wording matters. Brussels has often preferred declarations, diplomatic démarches and technical coordination in cyber matters; sanctions indicate a decision to attach legal and financial costs to attribution.
The move also carries diplomatic weight because it names China-based companies and Chinese nationals at a time when the EU is already managing a difficult relationship with Beijing across trade, industrial policy, support for Russia and economic security. China’s foreign ministry opposed the sanctions and urged Brussels to correct what it called its “erroneous approach”.
For Brussels, the decision fits a wider pattern in which cyber security is no longer treated as a purely technical or law-enforcement matter. The Council listed the case under foreign affairs, cybersecurity, digital infrastructure and sanctions, underlining that cyber incidents are now being handled as instruments of external coercion and hybrid pressure. That aligns with the EU’s broader approach of linking cyber resilience, foreign policy and the protection of critical infrastructure.
What follows will depend less on the legal act itself than on whether the EU is willing to keep using the regime when politically sensitive actors are involved. Monday’s decision shows that, at least in selected cases, it is.
