The Council of the European Union has imposed new restrictive measures against three entities and two individuals for their alleged involvement in cyber-attacks targeting European institutions, member states and international partners. The sanctions form part of the bloc’s broader legal and policy framework designed to deter malicious cyber activities and protect critical digital infrastructure across Europe.
According to official statements released through open government sources, the measures were adopted under the EU’s horizontal cyber sanctions regime, a policy mechanism that enables the bloc to impose targeted sanctions against individuals or organisations responsible for cyber operations that threaten the security, economy, or democratic institutions of EU member states. With the latest action, the regime now applies to 19 individuals and seven entities.
Among those sanctioned is Integrity Technology Group, a China-based company accused of supplying technical tools and services used to compromise electronic devices across Europe. Authorities said that between 2022 and 2023, products linked to the company were used in cyber operations that compromised more than 65,000 devices across six EU member states. Officials stated that the activities involved technical and material support that enabled unauthorized access to digital systems, raising serious concerns about cross-border cyber security threats.
The Council also sanctioned Anxun Information Technology, another China-based company alleged to have provided hacking services targeting critical infrastructure and sensitive government functions in EU countries and partner states. Two Chinese nationals identified as co-founders of the company were also added to the sanctions list for their alleged role in organizing and directing cyber-attack operations affecting EU networks.
In addition, the Iranian company Emennet Pasargad was sanctioned for a series of cyber intrusions linked to data breaches and disinformation campaigns. According to EU authorities, the company unlawfully accessed a French telecommunications subscriber database and attempted to sell the data on the dark web. Investigators also linked the firm to cyber interference involving digital advertising billboards used to spread disinformation during the 2024 Paris Olympic Games. Authorities further alleged that the company compromised a Swedish SMS service, potentially affecting a large number of European citizens.
Under EU law, individuals and organisations listed under the cyber sanctions regime are subject to an asset freeze within the European Union. EU citizens and companies are also legally prohibited from providing them with funds, financial assets, or economic resources. Additionally, the sanctioned individuals face travel restrictions that bar them from entering or transiting through EU territory.
EU officials emphasized that the decision reflects the bloc’s determination to respond firmly to malicious cyber activities that threaten security and public trust in digital infrastructure. The sanctions also signal the EU’s intention to strengthen international cooperation on cyber governance and promote a secure digital environment.
The measures are part of the European Union’s broader cyber security strategy, which combines legal enforcement, regulatory frameworks and international partnerships to address growing cyber threats and safeguard critical systems across member states. The EU has repeatedly emphasized that coordinated global efforts are necessary to maintain an open, secure and stable cyberspace.