European Union: Council of the European Union adopted restrictive measures against entities to address cyber-attacks

On 16 March 2026, the Council of the European Union adopted restrictive measures against three entities to address cyber-attacks threatening the Union or its Member States (Implementing Regulation 2026/589). The implementing regulation lists the China-based Integrity Technology Group for providing products allegedly used to compromise more than 65’000 devices between 2022 and 2023. It also lists the China-based company Anxun Information Technology and its two co-founders in connection with hacking services targeting critical infrastructure. In addition, the Iranian company Emennet Pasargad is listed in relation to activities including unlawful access to a French subscriber database, disruption of Swedish SMS services, and the dissemination of disinformation through advertising billboards during the 2024 Paris Olympic Games. The listed parties are subject to an asset freeze, and EU citizens and companies are prohibited from making funds or economic resources available to them. The measures form part of the EU’s cyber sanctions regime, addressing malicious cyber activities and limiting the financial resources available to listed parties. Following these additions, the regime currently applies to seven entities. The Regulation entered into force on the date of its publication.