These Regulations are made under the Sanctions and Anti-Money Laundering Act 2018 (c.13) to establish a sanctions regime for the purpose of furthering the prevention of certain cyber activity as defined in regulation 4(2) (“relevant cyber activity”). Following the UK's withdrawal from the European Union, these Regulations replace the EU sanctions regime implemented via EU Council Decision (CFSP) 2019/797 of 17 May 2019 concerning restrictive measures against cyber-attacks threatening the Union or its Member States and Council Regulation (EU) 2019/796 of 17 May 2019 concerning restrictive measures against cyber-attacks threatening the Union or its Member States.

The Regulations confer a power on the Secretary of State to designate persons who are, or have been, involved in relevant cyber activity. Designated persons may be excluded from the United Kingdom and may be made subject to financial sanctions, including having their funds and/or economic resources frozen. The Regulations provide for certain exceptions to this sanctions regime, in particular in relation to financial sanctions (for example to allow for frozen accounts to be credited with interest or other earnings) and also acts done for the purpose of national security or the prevention of serious crime. The Regulations also confer powers on the Treasury to issue licenses in respect of activities that would otherwise be prohibited under the financial sanctions imposed by these Regulations. Schedule 2 to these Regulations sets out the purposes for which the Treasury will issue such licences.

These Regulations make it a criminal offence to contravene, or circumvent, any of the prohibitions in these Regulations and prescribe the mode of trial and penalties that apply to such offences. The Regulations prescribe powers for the provision and sharing of information to enable the effective implementation and enforcement of the sanctions regime.

Council Regulation (EU) 2019/796 of 17 May 2019 concerning restrictive measures against cyber-attacks threatening the Union or its Member States is revoked by these Regulations. The Cyber-Attacks (Asset-Freezing) Regulations 2019 (S.I. 2019/956) are also revoked.

An Impact Assessment has not been produced for these Regulations, as the instrument is intended to ensure the existing sanctions regime remains in place following the United Kingdom's withdrawal from the European Union. An Impact Assessment was, however, produced for the Sanctions and Anti-Money Laundering Act 2018 and can be found at:

https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/653271/Sanctions_and_Anti-Money_Laundering_Bill_Impact_Assessment_18102017.pdf.