On 20 May 2019, The Cyber-Attacks (Asset-Freezing) Regulations 2019 were made and published on legislation.gov.uk, together with an explanatory memorandum.

The Regulations provide a domestic framework for the implementation of Council Regulation 2019/796 concerning restrictive measures against cyber-attacks threatening the EU or its Member States. The Council Regulation came into force on 17 May 2019.

The measures implemented include the freezing of funds and economic resources of any persons and entities, listed in Annex I to the Council Regulation, and ensuring that funds and economic resources are not made available to them or for their benefit.

Key areas of the Regulations include:

  • Regulations 3 to 7 provide prohibitions against dealing with the funds or economic resources of a designated person, making funds or economic resources available, directly or indirectly, to a designated person and making funds or economic resources available for the benefit of a designated person;
  • Regulation 8 provides an exception to the prohibitions in Regulations 4 and 5 where a frozen account is credited for a permitted reason;
  • Regulation 9 provides a licensing procedure to enable funds and economic resources to be exempted from the prohibitions where this is permitted in the circumstances set out in the Council Regulation and creates offences for providing false information or documents or not complying with conditions included in a licence; and
  • Regulation 10 creates offences where the prohibitions in regulations 3 to 7 are contravened. Regulations 11 to 14 contain provisions about officers of a body corporate, penalties and proceedings.

The Regulations come into force on 11 June 2019.