
João Pedro Sousa (master’s student in European Union Law at the School of Law of the University of Minho)
I.
The digital transformation has reconfigured the foundations of modern society, multiplying channels of communication, accelerating economic innovation, and redefining the exercise of citizenship. However, the same technological developments that sustain progress have also created new vulnerabilities, giving rise to a new domain of criminality: cybercrime. Within the European Union (EU), the protection of the digital sphere has thus become a constitutional concern, lying at the intersection of security policy, protection of fundamental rights, and market regulation.[1][2]
The concept of digital citizenship within the EU captures the recognition and protection of citizens’ rights and obligations in cyberspace, including privacy, freedom of speech and safe access to digital technologies.[3] Cybercrime threatens these rights, ranging from data breaches to large-scale attacks on critical infrastructure, undermining citizens’ confidence in the Union’s capacity to ensure safety and accountability online.[4] In this context, the 2024 Report on the State of Cybersecurity in the Union by the EU Agency for Cybersecurity (ENISA)[5][6][7] exposes a worrying rise in cyber incidents,[8] particularly ransomware, phishing, and artificial-intelligence-related crimes, accentuating the urgent need for coordinated legislative and operational responses at the Union level.[9]
Over the past decade, the EU has progressively built a comprehensive normative framework to address these challenges. Directives such as 2013/40/EU on attacks against information systems,[10] 2016/1148/EU (NIS Directive)[11] and its successor 2022/2555/EU (NIS2 Directive),[12] together with the Cybersecurity Act (Regulation (EU) 2019/881)[13] and the Cyber Resilience Act (Regulation (EU) 2024/2847),[14] reflect a deliberate movement toward a common European framework for digital security. Together, they seek to enhance the resilience of networks, foster mutual assistance among Member States, and embed a culture of responsibility across both public and private operators.
Nevertheless, despite this normative evolution, the fragmentation of sanctioning regimes continues to undermine the Union’s deterrent capacity. Divergences in how Member States classify and penalise cyber offences allow perpetrators to exploit regulatory asymmetries and operate from jurisdictions with weaker enforcement. As ENISA warns, this “jurisdictional shopping” weakens judicial cooperation and erodes the credibility of EU cybersecurity governance. Harmonisation of sanctions therefore emerges as a prerequisite for effective protection of fundamental rights and the integrity of digital citizenship itself.[15]
Against this background, the present article explores the intersection between the harmonisation of sanctions and the protection of digital citizenship in the EU. It examines how the EU’s evolving sanctioning framework seeks to balance the dual imperatives of security and fundamental rights, with particular attention to the current state of sanction harmonisation and its implications for the coherence of EU criminal law. The objective is not only to contribute to the ongoing debate on cybersecurity governance but also to clarify the legal pathways through which the Union can strengthen its digital resilience and promote a more robust, trustworthy, and equitable cyberspace for all its citizens.[16][17]
II.
The European Union’s competence to legislate in the field of cybersecurity and cybercrime arises from the intersection of internal and external legal bases within the Treaties. Internally, Articles 82 to 86 TFEU confer on the Union the power to establish minimum rules on the definition of criminal offences and sanctions in areas of serious cross-border crime. This competence, grounded in the objective of creating an Area of Freedom, Security and Justice (AFSJ), has progressively encompassed cybercrime, recognised as a phenomenon whose transnational nature defies traditional jurisdictional boundaries. Article 83(1) TFEU in particular provides the constitutional anchor for such approximation of criminal law, authorising the Union to harmonise offences of “particularly serious” cross-border relevance.
At the institutional level, this dual objective is reflected in the overlap between two distinct policy domains: the Area of Freedom, Security and Justice (AFSJ) and the Common Foreign and Security Policy (CFSP). The former, under Articles 82-86 TFEU, empowers the Union to adopt directives establishing minimum rules on the definition of criminal offences and sanctions in areas of particularly serious crime with a cross-border dimension. Cybercrime, recognised since the early 2010s as one such area, was addressed through Directive 2013/40/EU on attacks against information systems, which replaced the earlier Framework Decision 2005/222/JHA. This directive laid the foundation for approximation of substantive criminal law, obliging Member States to criminalise illegal access, system interference, and data interference, while ensuring effective, proportionate, and dissuasive penalties.[18]
Complementing that framework, Directive 2016/1148/EU, the NIS Directive, and its successor, Directive (EU) 2022/2555 (NIS2), pursued the parallel objective of strengthening network and information-system security across sectors critical to the internal market. The NIS2 Directive introduced enhanced supervision and stricter enforcement mechanisms, including harmonised administrative sanctions for non-compliance, thereby narrowing disparities between national approaches to cybersecurity governance.[19] Regulation (EU) 2019/881 (Cybersecurity Act)[20] added an internal-market dimension by establishing a European cybersecurity certification framework and conferring a permanent mandate on ENISA. More recently, the proposal culminating in the Cyber Resilience Act extended these preventive mechanisms to hardware and software products, ensuring that cybersecurity considerations are embedded throughout the life cycle of digital devices.
Although these instruments target different aspects (criminal, regulatory, and technical), they collectively express a legislative continuum aiming at the “cyber-resilience” of the Union. Nevertheless, the persistent fragmentation of national enforcement models exposes a structural limitation of EU law. Under Article 4(3) TEU, the principle of sincere cooperation obliges Member States to take all appropriate measures to ensure the fulfilment of Union objectives and to refrain from actions that could jeopardise them. However, in practice, national discretion in transposing and enforcing EU cybersecurity directives often results in heterogeneous sanctioning regimes. This divergence undermines legal certainty and the equal protection of digital citizenship across the Union, particularly where cross-border crimes occur simultaneously in multiple jurisdictions.
The Union’s external dimension reinforces and complicates this internal framework. Under Articles 21 and 29 TEU, and Article 215 TFEU, the Council may adopt restrictive measures against individuals or entities responsible for cyberattacks threatening the Union or its Member States. Council Decision (CFSP) 2019/797 established the so-called EU Cyber Diplomacy Toolbox, enabling the adoption of targeted sanctions, such as asset freezes and travel bans, against perpetrators of malicious cyber activities. Although anchored in the CFSP, this mechanism interacts closely with the Union’s internal cybersecurity agenda, exemplifying the increasingly porous boundary between external action and internal security.[21]
This duality of competence demands strong institutional coordination. Agencies such as ENISA, Europol (through the European Cybercrime Centre), and Eurojust facilitate operational cooperation and information-sharing among Member States,[22][23] while the European Public Prosecutor’s Office (EPPO) adds a prosecutorial layer in cases affecting the Union’s financial interests.[24] The resulting multi-level governance model embodies a gradual communitarisation of cybersecurity policy: once confined to national security, it now constitutes a European public good. The effective protection of digital citizenship therefore depends on the Union’s ability to align its internal criminal-law harmonisation with its external sanctions regime under the CFSP, ensuring both deterrence of cyber-offences and fidelity to the values enshrined in Article 2 TEU.[25]
III.
The development of a coherent sanctioning regime represents the Union’s most ambitious step toward integrating criminal enforcement into its digital security architecture.[26] This evolution illustrates the Union’s effort to transform its patchwork of sanctioning practices into a genuinely coherent system, ensuring that deterrence and accountability operate seamlessly across both internal and external policy domains. The primary aim of harmonising sanctions is therefore twofold: to ensure the effectiveness of Union external action and to safeguard the integrity of the internal legal order by preventing circumvention through jurisdictional inconsistencies.
Directive (EU) 2024/1226[27] builds upon Council Decision (EU) 2022/2332, which recognised the violation of Union restrictive measures as an “EU crime” under Article 83(1) TFEU.[28] By establishing a common baseline for the definition of offences and penalties,[29] the Directive aims to eliminate enforcement disparities and strengthen legal predictability across the Union. It represents the first comprehensive effort to align the punitive dimension of the Union’s external restrictive measures with its internal criminal law competence, thereby transforming sanction enforcement into a coherent and genuinely European system.
Rather than replicating national models, the Directive articulates a shared baseline of deterrence. It obliges Member States to criminalise conduct, such as the provision of funds or resources to designated persons or entities, failure to freeze assets, or circumvention of travel bans or arms embargoes.[30] It also introduces corporate liability, ensuring that legal persons can be held accountable when offences are committed for their benefit.[31] Crucially, the Directive lays down proportionate yet severe penalties, such as imprisonment of up to five years for natural persons and fines up to five per cent of global turnover for legal entities, thereby establishing, for the first time, a common floor for deterrence and reinforcing the principle of equality before the law.[32]
The Directive’s constitutional significance extends beyond its substantive provisions. It operationalises the principle of sincere cooperation under Article 4(3) TEU, compelling Member States to align investigative, prosecutorial, and judicial practices in the field of sanctions enforcement. Nevertheless, the transposition presents challenges. National legal traditions differ regarding the boundaries between administrative and criminal liability and the proportionality of sanctions. The Directive’s requirement of “effective, proportionate, and dissuasive” penalties leaves considerable discretion to Member States, risking renewed divergence at the transposition stage. Furthermore, enforcement capacity remains uneven: not all national authorities possess the investigative or prosecutorial expertise necessary to trace complex sanctions-evasion schemes, especially those involving digital assets or cyber-enabled transactions.[33]
The interaction between this internal harmonisation and the Union’s external cyber-sanctions regime further illustrates the emerging integrated model of European deterrence. Through its link with the CFSP’s Cyber Diplomacy Toolbox,[34] the Directive consolidates the EU’s deterrent capacity by aligning the criminalisation of sanction violations with the external restrictive measures’ regime. This convergence strengthens the Union’s strategic credibility and ensures consistency between the internal and external dimensions of EU law.
While the Toolbox’s restrictive measures primarily serve foreign-policy objectives, they also contribute to a gradual convergence of sanctioning practices between internal criminal law and external action.[35] The framework promotes consistency by linking the imposition of CFSP measures with their domestic enforcement through criminal penalties, as required by Directive 2024/1226. In this respect, the cyber-sanctions regime complements the NIS2 Directive, which harmonises cybersecurity obligations for critical and digital infrastructure operators. Whereas NIS2 focuses on preventive resilience and administrative enforcement, the Toolbox ensures that deliberate, malicious conduct faces uniform punitive consequences.[36] Together, they form the dual pillars of the EU’s cyber-governance model: one preventive and regulatory, the other repressive and sanction-based.[37]
Finally, the evolving technological landscape, marked by the proliferation of artificial-intelligence-driven cybercrime, deep-fake manipulation, and ransomware-as-a-service, demands a sanctioning framework capable of adaptation.[38] The Directive’s static definitions may soon prove insufficient to capture novel forms of circumvention, such as the use of decentralised finance or anonymising technologies. Therefore, periodic review clauses and closer coordination with ENISA, Europol’s EC3, and the Commission’s Sanctions Envoy will be essential to maintain coherence and responsiveness. In sum, while Directive (EU) 2024/1226 and the Cyber Diplomacy Toolbox together represent a major step towards harmonisation, the Union’s deterrent capacity ultimately depends on the depth of national implementation and the political will to enforce sanctions uniformly.[39]
IV.
The consolidation of the EU’s sanctioning regime brings a decisive advantage for the coherence and credibility of Union law. By ensuring that restrictive measures, cybersecurity obligations and criminal enforcement operate within a single normative logic, the Union transforms previously fragmented instruments into a consistent legal architecture. This structural coherence strengthens deterrence, enhances mutual trust among Member States, and guarantees that sanctions have uniform legal and economic effects across jurisdictions.
Coherence in sanctioning policy also generates systemic benefits as it closes enforcement gaps, prevents jurisdictional arbitrage, and reinforces the Union’s strategic autonomy. Harmonisation enables more predictable application of law, facilitating judicial cooperation and the recognition of sanctions decisions across borders. In practical terms, it provides both public authorities and private operators with clarity on compliance obligations and legal consequences.
From the standpoint of fundamental rights, harmonisation must uphold the principles of legality, proportionality, equality and procedural fairness. In a digital environment shaped by automation and data-driven decision-making, respect for transparency, proportionality, and the presumption of innocence is indispensable to preserve citizens’ trust in both digital technologies and the Union’s legal order. In this sense, coherent sanctioning not only deters violations but also legitimises enforcement by linking effectiveness with accountability.[40]
Institutionally, greater coherence among agencies and national authorities ensures uniform interpretation and implementation without requiring new Treaty competences. Coordinated enforcement networks, supported by ENISA, Europol, Eurojust and the EPPO, translate the principle of mutual trust into operational practice, making the system more predictable and reliable.
A coherent sanctioning framework also reinforces the legal equality of Union citizenship, guaranteeing equivalent protection of rights in cyberspace and ensuring that violations are addressed with the same severity and procedural guarantees across the EU. By eliminating divergences, harmonisation strengthens citizens’ confidence in the impartiality and fairness of European governance.
Ultimately, coherence in sanctioning represents more than an institutional improvement: it embodies the Union’s constitutional commitment to legality, equality and trust. A unified and rights-compliant sanctions regime ensures both the effectiveness of EU action and the integrity of the rule of law, affirming the Union as a legal community where digital citizenship is protected through consistency, accountability and fairness.
[1] Commission and High Representative of the Union for Foreign Affairs and Security Policy, Joint Communication to the European Parliament and the Council on The EU’s Cybersecurity Strategy for the Digital Decade, JOIN(2020) 18 final, December 16, 2020.
[2] Recital 3 of Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act), OJ L 151, June 7, 2019, 15–69.
[3] European Parliament and the Council of the European Union, European Declaration on Digital Rights and Principles for the Digital Decade, 2023/C 23/01, PUB/2023/89, OJ C 23, 23 January 2023, 1–7.
[4] The EU’s Cybersecurity Strategy for the Digital Decade.
[5] Henrique Santos, “Agência da União Europeia para a Cibersegurança (ENISA),” in Instituições, Órgãos e Organismos da União Europeia, ed. Joana Covelo de Abreu and Liliana Reis (Coimbra: Almedina, 2020), 329-336.
[6] European Union Agency for Cybersecurity (ENISA), 2024 Report on the State of Cybersecurity in the Union, December 3, 2024. Accessed December 20, 2024, https://www.enisa.europa.eu/publications/2024-report-on-the-state-of-the-cybersecurity-in-the-union.
[7] This is the first report on the matter from ENISA, as foreseen by Article 18 of the Directive (EU) 2022/2555, which states that “ENISA shall adopt, in cooperation with the Commission and the Cooperation Group, a biennial report on the state of cybersecurity in the Union and shall submit and present that report to the European Parliament.”
[8] Article 2(1) of Regulation (EU) 2019/881 defines cybersecurity as “the activities necessary to protect network and information systems, the users of such systems, and other persons affected by cyber threats.” Incident is defined in Article 6(6) of Directive (EU) 2022/2555 as “an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems.”
[9] For further details, Lisseth Katherine Chuquitucto Cotrina et al., “Cyber Crimes: A Systematic Review of Evolution, Trends, and Research Approaches,” Journal of Educational and Social Research 14, no. 5 (September 2024): 96-112, https://doi.org/10.36941/jesr-2024-0124.
[10] Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on attacks against information systems and replacing Council Framework Decision 2005/222/JHA, OJ L 218, August 8, 2013, 8–14. This directive criminalises actions such as illegal access and system interference, and serves as the foundation for this effort.
[11] Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union, OJ L 194, July 19, 2016, 1–30. This directive was enacted to establish cybersecurity capabilities across the Union. This directive aims to reduce threats to network and information systems used to provide essential services in key sectors. Ensuring the continuity of these services during incidents enhances the Union’s security and the effective functioning of its economy and society.
[12] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive), OJ L 333, December 27, 2022, 80–152. This directive introduced measures to ensure a higher level of cybersecurity in the Member States. It addresses contemporary challenges and encourages increased cooperation among national authorities.
[13] Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act), OJ L 151, June 7, 2019, 15–69, https://eur-lex.europa.eu/eli/reg/2019/881/oj/eng.
[14] Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act), OJ L, 2024/2847, November 20, 2024, ELI: http://data.europa.eu/eli/reg/2024/2847/oj.
[15] ENISA, 2024 Report on the State of Cybersecurity in the Union.
[16] Cyber Resilience Act, Recitals 1 and 24.
[17] The EU’s Cybersecurity Strategy for the Digital Decade, 4.
[18] Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on attacks against information systems and replacing Council Framework Decision 2005/222/JHA, OJ L 218, August 8, 2013, 8–14. This directive criminalises actions such as illegal access and system interference, and serves as the foundation for this effort.
[19] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive), OJ L 333, December 27, 2022, 80–152.
[20] Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act), OJ L 151, June 7, 2019, 15–69, https://eur-lex.europa.eu/eli/reg/2019/881/oj/eng.
[21] Council Decision (CFSP) 2019/797 of 17 May 2019 concerning restrictive measures against cyber-attacks threatening the Union or its Member States, ST/7299/2019/INIT, OJ L 129I, May 17, 2019, 13–19.
[22] For more information see The European Union CSIRTs network. Accessed October 15, 2025, https://csirtsnetwork.eu.
[23] European Cybercrime Centre – EC3, combating crime in a digital age. Accessed October 15, 2025, https://www.europol.europa.eu/about-europol/european-cybercrime-centre-ec3.
[24] European Public Prosecutor’s Office. Accessed October 15, 2025, https://www.eppo.europa.eu/en.
[25] The EU’s Cybersecurity Strategy for the Digital Decade.
[26] Isabel Camisão and Francisco Pereira Coutinho, “Capítulo XIX: Ação Externa,” in Direito da União Europeia: Elementos de Direito e Políticas da União, ed. Alessandra Silveira, Mariana Canotilho, and Pedro Madeira Froufe (Coimbra: Almedina, 2016), 1187-1235.
[27] Directive (EU) 2024/1226 of the European Parliament and of the Council of 24 April 2024 on the definition of criminal offences and penalties for the violation of Union restrictive measures and amending Directive (EU) 2018/1673, PE/95/2023/REV/1, OJ L, 2024/1226, April 29, 2024, ELI: http://data.europa.eu/eli/dir/2024/1226/oj.
[28] Council of the European Union, Press Release, “Council and Parliament reach political agreement to criminalise violation of EU sanctions”, December 12, 2023. Accessed January 8, 2025, https://www.consilium.europa.eu/en/press/press-releases/2023/12/12/council-and-parliament-reach-political-agreement-to-criminalise-violation-of-eu-sanctions/.
[29] Directive (EU) 2024/1226, Article 1.
[30] Directive (EU) 2024/1226, Article 3.
[31] Directive (EU) 2024/1226, Article 7.
[32] Directive (EU) 2024/1226, Articles 5-7.
[33] ENISA, 2024 Report on the State of Cybersecurity in the Union.
[34] Council Decision (CFSP) 2019/797 of 17 May 2019 concerning restrictive measures against cyber-attacks threatening the Union or its Member States, ST/7299/2019/INIT, OJ L 129I, May 17, 2019, 13–19.
[35] Article 4(1) stipulates that “Member States shall take the measures necessary to prevent the entry into, or transit through, their territories”; Article 5(1) specifies that “[a]ll funds and economic resources belonging to, owned, held or controlled by (…) shall be frozen.”
[36] Council Decision (CFSP) 2019/797, Article 9.
[37] Council Decision (CFSP) 2019/797, Recitals 2, 3 and 8.
[38] ENISA, 2024 Report on the State of Cybersecurity in the Union.
[39] For further details, see Council of the European Union, Cybersecurity: how the EU tackles cyber threats. Accessed January 8, 2024, https://www.consilium.europa.eu/en/policies/cybersecurity/.
[40] The EU’s Cybersecurity Strategy for the Digital Decade.
Picture credits: by Pixabay on pexels.com.
Author: UNIO-EU Law Journal (Source: https://officialblogofunio.com/2025/11/11/harmonisation-of-sanctions-and-the-protection-of-digital-citizenship-in-the-european-union/)