The European Union on 13 July 2026 denounced Russia's malicious cyber ecosystem and imposed restrictive measures on nine individuals and four entities linked to a wide range of cyber operations targeting EU member states and international partners. In a statement by the High Representative, the EU specifically identified the 16th Centre of Russia's Federal Security Service (FSB) as controlling cyber threat groups including TURLA, which have conducted espionage, infiltration of governmental networks, and sabotage of critical infrastructure in countries such as France, Germany, Poland, Cyprus, the Netherlands, Austria, Slovakia, Romania, and Finland. The sanctions target GRU intelligence officers, cybercriminals, hacktivists, and private companies contributing to destabilisation efforts.
The statement marks a significant escalation in the EU's response to Russian cyber activities, with no prior coverage of this specific file in the last 180 days. The EU's action follows years of increasingly severe cyber incidents attributed to Russian state and non-state actors. The 16th Centre of the FSB has been active since at least 2010, conducting cyber espionage against French strategic governmental entities and targeting German governmental entities. More recently, in Poland, the centre carried out disruptive sabotage operations against critical infrastructure, including combined heating and power plants. The EU also highlighted the convergence between state actors and non-state groups such as cybercriminals and hacktivists, which have caused disruptions and financial losses to public services and critical infrastructure.
The EU coordinated closely with the United Kingdom in assessing the growing convergence between state and non-state actors, and pledged to strengthen cooperation with international partners, including NATO, in support of a global, free, open, stable, and secure cyberspace. The statement underscores the EU's determination to uphold accountability in cyberspace and calls on all states, including Russia, to adhere to the United Nations framework of responsible state behaviour.
The sanctions package targets nine individuals and four entities, including GRU intelligence officers, cybercriminals, self-proclaimed hacktivists, and private companies. This move imposes costs on those responsible for malicious cyber activities and aims to deter future attacks. The EU's action impacts several stakeholders: EU member states targeted by cyber operations will benefit from increased deterrence and accountability; the Russian entities and individuals sanctioned face asset freezes and travel bans; EU cybersecurity agencies and law enforcement will see enhanced cooperation with international partners; and businesses and critical infrastructure operators in the EU may face reduced cyber threats but also increased compliance requirements related to sanctions. The decision reflects a trade-off between security and diplomatic engagement, as the EU prioritises firm action against cyber aggression over maintaining dialogue with Russia on cybersecurity norms.