Targeted restrictive measures

From International cyber law: interactive toolkit
Jump to navigation Jump to search

Definition[edit | edit source]

Targeted restrictive measures

The term “targeted restrictive measures” denotes sanctions taken by States outside of the framework of the United Nations, against individuals or companies which are being held responsible for conducting – or being otherwise involved in the conduct of – a cyber operation. Typically, restrictive measures take the form of travel bans or asset freezes for individuals and companies, but may also include other measures.[1]

Targeted restrictive measures are measures typically taken within the domestic legal framework of a State or a group of States and operate territorially within the jurisdiction of that State or group of States. By virtue of their internal sovereignty, States are in principle free to adopt any measures they consider necessary or appropriate with regard to persons engaged in cyber activities.[2]

To assess the legality of such restrictive measures taken within the domestic legal framework, it is necessary to inquire whether they violate any applicable international legal obligations of the acting State. This may be the case, for instance, if the targeted persons or entities enjoy jurisdictional immunities[3] or if the measures in question affect rights granted by an international agreement between the acting State and the State where such persons or entities are based (such as a bilateral trade agreement). In this case, the acting State would need to be able to invoke circumstances precluding the wrongfulness of such measures, in order for their imposition to be justified.[4] If no international legal obligations are breached, the restrictive measures are permissible under international law and may be qualified at most as acts of retorsion. Provided that these conditions are met, States may also impose such restrictive measures collectively.[5]

Appendixes[edit | edit source]

See also[edit | edit source]

Notes and references[edit | edit source]

  1. See e.g. Council Decision (CFSP) 2019/797 of 17 May 2019 concerning restrictive measures against cyber-attacks threatening the Union or its Member States, ST/7299/2019/INIT, OJ L 129I, 17.5.2019, p. 13–19, Art. 1.
  2. Tallinn Manual 2.0, commentary to rule 2, paras 1-2.
  3. See, e.g., Jurisdictional Immunities of the State (Germany v. Italy: Greece intervening) (Judgment) [2012] ICJ Rep. 99, para 136; but cf. Tom Ruys, ‘Non-UN Financial Sanctions against Central Banks and Heads of State: in breach of international immunity law?’ EJILTalk!, 12 May 2017 (arguing that State immunity is only recognized in judicial proceedings, not against administrative or executive actions).
  4. ILC Articles on State Responsibility, Art 22.
  5. See, eg, Jeff Kosseff, ‘Retorsion as a Response to Ongoing Cyber Operations’ in Taťána Jančárková et al (eds), 20/20 Vision: The Next Decade (CCD COE 2020) 17 (“Unlike countermeasures, international law does not restrict nations from collaborating on retorsion. For instance, if a state has repeatedly acted maliciously in cyberspace with targets in multiple states, all of those states could collectively engage in sanctions or release a joint public statement condemning the bad actor.”).

Bibliography and further reading[edit | edit source]