1. This Decision applies to cyber-attacks with a significant effect, including attempted cyber-attacks with a potentially significant effect, which constitute an external threat to the Union or its Member States.
2. Cyber-attacks constituting an external threat include those which:
(a)
originate, or are carried out, from outside the Union;
(b)
use infrastructure outside the Union;
(c)
are carried out by any natural or legal person, entity or body established or operating outside the Union; or
(d)
are carried out with the support, at the direction or under the control of any natural or legal person, entity or body operating outside the Union.
3. For this purpose, cyber-attacks are actions involving any of the following:
(a)
access to information systems;
(b)
information system interference;
(c)
data interference; or
(d)
data interception,
where such actions are not duly authorised by the owner or by another right holder of the system or data or part of it, or are not permitted under the law of the Union or of the Member State concerned.
4. Cyber-attacks constituting a threat to Member States include those affecting information systems relating to, inter alia:
(a)
critical infrastructure, including submarine cables and objects launched into outer space, which is essential for the maintenance of vital functions of society, or the health, safety, security, and economic or social well-being of people;
(b)
services necessary for the maintenance of essential social and/or economic activities, in particular in the sectors of: energy (electricity, oil and gas); transport (air, rail, water and road); banking; financial market infrastructures; health (healthcare providers, hospitals and private clinics); drinking water supply and distribution; digital infrastructure; and any other sector which is essential to the Member State concerned;
(c)
critical State functions, in particular in the areas of defence, governance and the functioning of institutions, including for public elections or the voting process, the functioning of economic and civil infrastructure, internal security, and external relations, including through diplomatic missions;
(d)
the storage or processing of classified information; or
(e)
government emergency response teams.
5. Cyber-attacks constituting a threat to the Union include those carried out against its institutions, bodies, offices and agencies, its delegations to third countries or to international organisations, its common security and defence policy (CSDP) operations and missions and its special representatives.
6. Where deemed necessary to achieve CFSP objectives in the relevant provisions of Article 21 of the Treaty on European Union, restrictive measures under this Decision may also be applied in response to cyber-attacks with a significant effect against third States or international organisations.