The Cyber (Sanctions) (EU Exit) Regulations 2020
| Year | 2020 |
2020 No. 597
Exiting The European Union
Sanctions
The Cyber (Sanctions) (EU Exit) Regulations 2020
Made 15th June 2020
Laid before Parliament 17th June 2020
Coming into force in accordance with regulation 1(2)
The Secretary of State1, in exercise of the powers conferred by sections 1(1)(c) and (3)(b), 3(1)(a) and (d)(i), 4, 9(2)(a), 10(2)(a) and (c), (3) and (4), 11(2) to (9), 15(2)(a) and (b), (3), (4)(b), (5) and (6), 16, 17(2) to (5) and (8), 21(1), 54(1) and (2), 56 and 62(4) and (5) of the Sanctions and Anti-Money Laundering Act 20182, and having decided, upon consideration of the matters set out in sections 2(2) and 56(1) of that Act, that it is appropriate to do so, makes the following Regulations:
PART 1
General
Citation and commencement
1.—(1) These Regulations may be cited as the Cyber (Sanctions) (EU Exit) Regulations 2020.
(2) These Regulations come into force in accordance with regulations made by the Secretary of State under section 56 of the Act.
Interpretation
2. In these Regulations—
“the Act” means the Sanctions and Anti-Money Laundering Act 2018;
“arrangement” includes any agreement, understanding, scheme, transaction or series of transactions, whether or not legally enforceable (but see paragraph 12 of Schedule 1 for the meaning of that term in that Schedule);
“conduct” includes acts and omissions;
“document” includes information recorded in any form and, in relation to information recorded otherwise than in legible form, references to its production include producing a copy of the information in legible form;
“the EU Cyber Regulation” means Council Regulation (EU) 2019/796 of 17 May 2019 concerning restrictive measures against cyber-attacks threatening the Union or its Member States3, as it has effect in EU law;
“relevant cyber activity” has the meaning given by regulation 4(2);
“technical assistance” means the provision of technical support or any other technical service;
“Treasury licence” means a licence under regulation 20(1);
“United Kingdom person” has the same meaning as in section 21 of the Act.
Application of prohibitions and requirements outside the United Kingdom
3.—(1) A United Kingdom person may contravene a relevant prohibition by conduct wholly or partly outside the United Kingdom.
(2) Any person may contravene a relevant prohibition by conduct in the territorial sea.
(3) For the purposes of this regulation, a “relevant prohibition” means any prohibition imposed by—
(a)
(a) regulation 9(2) (confidential information),
(b)
(b) Part 3 (Finance), or
(c)
(c) a condition of a Treasury licence.
(4) A United Kingdom person may comply, or fail to comply, with a relevant requirement by conduct wholly or partly outside the United Kingdom.
(5) Any person may comply, or fail to comply, with a relevant requirement by conduct in the territorial sea.
(6) In this regulation a “relevant requirement” means any requirement imposed—
(a)
(a) by or under Part 6 (Information and records), or by reason of a request made under a power conferred by that Part, or
(b)
(b) by a condition of a Treasury licence.
(7) Nothing in this regulation is to be taken to prevent a relevant prohibition or a relevant requirement from applying to conduct (by any person) in the United Kingdom.
Purpose
4.—(1) The purpose of the regulations contained in this instrument that are made under section 1 of the Act is to further the prevention of relevant cyber activity.
(2) For the purpose of paragraph (1), “relevant cyber activity” means an activity falling within paragraph (3) which—
(a)
(a) undermines, or is intended to undermine, the integrity, prosperity or security of the United Kingdom or a country4other than the United Kingdom,
(b)
(b) directly or indirectly causes, or is intended to cause, economic loss to, or prejudice to the commercial interests of, those affected by the activity,
(c)
(c) undermines, or is intended to undermine, the independence or effective functioning of—
(i) an international organisation, or
(ii) a non-governmental organisation or forum whose mandate or purposes relate to the governance of international sport or the Internet, or
(d)
(d) otherwise affects a significant number of persons in an indiscriminate manner.
(3) The following activity falls within this paragraph—
(a)
(a) accessing, or attempting to access, an information system,
(b)
(b) carrying out, or attempting to carry out, information system interference, or
(c)
(c) carrying out, or attempting to carry out, data interference,
except where—
(i) the owner or other right holder of the information system or part of it has consented to such action,
(ii) there is a lawful defence to such action, or
(iii) such action is otherwise permitted under the law of the United Kingdom.
(4) For the purpose of paragraphs (2) and (3)—
“data interference”, in relation to digital data on an information system, means—
(a) deleting, damaging, deteriorating, altering or suppressing that data,
(b) rendering that data inaccessible, or
(c) stealing that data or otherwise stealing funds, economic resources or intellectual property related to such data;
“information system” includes—
(a) a device or group of interconnected or related devices, one or more of which, pursuant to a programme, automatically processes digital data;
(b) digital data stored, processed, retrieved or transmitted by such a device or group of devices for the purposes of its or their operation, use, protection or maintenance;
“information system interference” means hindering or interrupting the functioning of an information system by—
(a) inputting digital data,
(b) transmitting, damaging, deleting, deteriorating, altering or suppressing such data, or
(c) rendering such data inaccessible;
“integrity”, in respect of a country (whether the United Kingdom or a country other than the United Kingdom), includes—
(a) the exercise of governmental functions of that country;
(b) the exercise of parliamentary functions in that country;
(c) the functioning of bodies, organisations or institutions involved in public elections or the voting process;
(d) the operation of the criminal or civil justice system in that country;
(e) the provision of essential services to the population, including banking, education, energy, healthcare, sewerage, transport or water;
(f) the operation of critical national infrastructure;
“international organisation” means an organisation and its subordinate bodies governed by international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries;
“prosperity”, in respect of a country (whether the United Kingdom or a country other than the United Kingdom), includes the effective functioning of the economy, or part of it, of that country.
PART 2
Designation of persons
Power to designate persons
5.—(1) The Secretary of State may designate persons5by name for the purposes of any of the following—
(a)
(a) regulations 11 to 15 (asset-freeze etc.);
(b)
(b) regulation 17 (immigration).
(2) The Secretary of State may designate different persons for the purposes of different provisions mentioned in paragraph (1).
Designation criteria
6.—(1) The Secretary of State may not designate a person under regulation 5 unless the Secretary of State—
(a)
(a) has reasonable grounds to suspect that that person is an involved person, and
(b)
(b) considers that the designation of that person is appropriate, having regard to—
(i) the purpose stated in regulation 4, and
(ii) the likely significant effects of the designation on that person (as they appear to the Secretary of State to be on the basis of the information that the Secretary of State has).
(2) In this regulation an “involved person” means a person who—
(a)
(a) is or has been involved in relevant cyber activity,
(b)
(b) is owned or controlled directly or indirectly (within the meaning of regulation 7) by a person who is or has been so involved,
(c)
(c) is acting on behalf of or at the direction of a person who is or has been so involved, or
(d)
(d) is a member of, or associated with, a person who is or has been so involved.
(3) Any reference in this regulation to being involved in relevant cyber activity includes being so involved in whatever way and wherever any actions constituting the involvement take place, and in particular includes—
(a)
(a) being responsible for, engaging in, providing support for, or promoting the commission, planning or preparation of relevant cyber activity;
(b)
(b) providing financial services, or making available funds or economic resources, that could contribute to relevant cyber activity;
(c)
(c) providing technical assistance that could contribute to relevant cyber activity;
(d)
(d) being involved in the supply of goods or technology that could contribute to relevant cyber activity, or in providing financial services relating to such supply;
(e)
(e) being involved in any other action, policy, activity or conduct which promotes, enables or facilitates the commission of relevant cyber activity;
(f)
(f) being involved in assisting the contravention or circumvention of any relevant provision.
(4) In this regulation—
“relevant provision” means—
(a) any provision of Part 3 (Finance);
(b) any provision of the law of a country other than the United Kingdom made for purposes corresponding to a purpose of any provision of Part 3 (Finance).
(5) Nothing in any sub-paragraph of paragraph (3) is to be taken to limit the meaning of any of the other sub-paragraphs of that paragraph.
Meaning of “owned or controlled directly or indirectly”
7.—(1) A person who is not an individual (“C”) is “owned or controlled directly or indirectly” by another person (“P”) if either of the following two conditions is...
To continue reading
Request your trial