Cyber-related sanctions alone do not typically disrupt cyber malicious activities, but they can “toxify” networks of malicious actors, according to new research.
A report, published on October 28 by the Royal United Services Institute (RUSI), builds from the first meeting of the RUSI Cyber Sanctions Taskforce in September.
This meeting saw current and former government officials from the UK, the US and the EU, as well as other EU officials, discuss the role of sanctions in countering cyber state threats.
The report concluded that sanctions form a growing part of government and intergovernmental cyber deterrence strategies.
However, RUSI noted that sanctions are insufficient alone to disrupt cyber-attacks or malicious cyber-espionage campaigns.
Despite this concern, the report noted that economic sanctions can alter adversary behavior, forcing underground networks to distance themselves from named actors, thus complicating their operations by making them less rewarding and more politically or economically costly.
Sanctions can also affect the decision-making of private sector intermediaries, such as exchanges or service providers, which may choose to withdraw support from sanctioned actors rather than risk exposure.
One participant in the Taskforce meeting described this impact as “toxifying” cyber malicious operations.
Additionally, the RUSI report determined that cyber sanctions are most effective when adopted as part of a cross-domain strategy that includes other leverages such as diplomatic, law enforcement and intelligence instruments to change the adversary’s behavior.
US, The Leader in Impactful Cyber Sanctions
The US is leading the way with the longest-lasting framework authorizing measures against individuals and entities engaged in significant malicious cyber activity.
This framework was established in 2015 through Executive Order 13694 and has since been used against a wide spectrum of targets, ranging from intelligence officers and military units to cybercriminal groups and their facilitators.
Additionally, the US cyber sanction approach was described as the most effective for two main reasons:
- US cyber attribution and related economic sanctions generally focus on naming individuals, who carry persistent identities and online networks, rather than solely groups or organizations, which can rebrand and reorganize
- US sanctions are generally paired with other key statecraft instruments, such as diplomatic moves, public technical advisories and criminal indictments
EU, A Diplomatic Powerhouse with Operational Challenges
The RUSI report noted that the EU’s dedicated cyber sanction regime was more recent – it was introduced in 2019 as part of the bloc’s cyber diplomacy toolbox – and more cautiously used than the US.
In principle, this framework could be powerful as it enables the enables the EU to freeze assets ban individuals from travelling when they are identified as responsible for cyber activities that threaten the foreign policy or security of the EU and its member states.
In practice, however, this framework has only been sparsely used since 2019, with only 17 individuals and four entities designated to date, including actors linked to Russian, Chinese and North Korean operations.
The first limitation the RUSI report highlighted is the requirement for unanimity among all 27 member states.
“While proposals for listings can be initiated either by member states or by the High Representative, every designation must secure unanimous agreement,” the report read.
Additionally, EU member states are often reluctant or unable to share sensitive intelligence widely, meaning that the listings that do go forward often only include the lowest common denominator with very little public justification.
Finally, the EU’s cyber sanctions regime has faced criticism for its unclear effectiveness, with limited evidence of major financial disruption due to insufficient monitoring, transparency or enforcement coordination.
Challenges stem from decentralized attribution by member states and sanctions often being shaped by political compromise rather than a unified strategic approach.
However, the RUSI report noted that EU member states previously reluctant to attribute cyber malicious campaigns, such as France and Czechia, recently started to do so.
“France issued its first public attribution of cyber-attacks to the Russian military intelligence service (GRU) in April 2025. Czechia attributed the malicious activities of cyber espionage actor APT31 to China in May 2025,” noted the report.
“These examples show how the public naming of malicious actors is becoming more widely accepted, opening the way for the greater use of sanctions as part of the toolbox for building resilience and signalling boundaries.”
UK, Coordinating Cyber Sanctions as a Core Strategy
The report noted that the UK introduced its own cyber sanction regime in 2020, after leaving the EU.
Since then, the country’s approach to cyber-related sanctions has been focused on coordination with other countries, especially the US, and with private sector partners.
“The UK has also sought to add weight to its designations by making them more detailed than the bare minimum required. Recent cases attributing activity to the GRU, for example, have included descriptions intended to help the private sector and international partners understand their context,” the report read.
However, UK-based participants in the Taskforce meeting said the country’s main challenge in the area was pairing sanctions with criminal indictments due to high evidentiary standards and low prospects of arresting foreign threat actors.
Unlike the US, the UK primarily uses sanctions for attribution, disruption and diplomatic signaling rather than as a direct law enforcement tool, the RUSI report noted.
RUSI: Cyber Sanction Policy Recommendations
Based on these conclusions, the RUSI report collected some recommendations underlined by the participants in the Taskforce meeting to enhance the impact of cyber-related sanctions on cyber malicious activities.
These include:
- Clarifying the strategic purpose of sanctions: governments should specify the explicit goals of sanctions to enable more precise targeting and a clearer assessment of the outcomes
- Integrating sanctions into cross-domain strategies: the most effective cases to date have been those in which cyber sanctions were paired with diplomatic statements, indictments, seizures or covert disruption
- Focusing on enablers, not just perpetrators: enhancing the targeting of cryptocurrency exchanges, technology suppliers and service providers can create wider disruption and shape the behavior of intermediaries
- Increasing transparency and data on impact: there is currently little consistent data on whether sanctions result in frozen assets, reduced operational activity or deterrence of specific behaviors
