EU sanctions against Russia in IT consultancy
Detailed analysis and interpretation of EU sanctions in IT consultancy, which will come into full force on January 8, 2023.
On October 6, 2022, the Council adopted the eighth package of sanctions, which were enshrined in the COUNCIL REGULATION (EU) 2022/1904 of 6 October 2022 amending Regulation (EU) No 833/2014 concerning restrictive measures in view of Russia's actions destabilising the situation in Ukraine.
According to paragraph 2 of article 5n of the Council Regulation (EU) 2022/1904, it shall be prohibited to provide, directly or indirectly, architectural and engineering services, legal advisory services and IT consultancy services to: (a) the Government of Russia; or (b) legal persons, entities or bodies established in Russia.
‘IT consultancy services’ covers consultancy services related to the installation of computer hardware, including assistance services to the clients in the installation of computer hardware (i.e. physical equipment) and computer networks, and software implementation services, including all services involving consultancy services on, development of and implementation of software.
A detailed list of services covered by the concept of 'Consultancy services related to the installation of computer hardware' and 'Software implementation services' is contained in the MEMORANDUM on EU sanctions against Russia in IT consultancy prepared by Ukrainian Victims of War Foundation.
IT consultancy services include consulting and technical assistance services for software products in use, rewriting or changing existing programs or systems, maintaining up-to-date software documentation, assistance or advice on software updates and upgrades. However, the introduced bans do not apply to such types of IT consultancy services as supply of automatic software updates to previously purchased software.
Transition period and effective date
According to paragraph 4 of article 5n of the Council Regulation (EU) 2022/1904, imposed bans shall not apply to the provision of services that are strictly necessary for the termination by 8 January 2023 of contracts which are not compliant with this Article concluded before 7 October 2022, or of ancillary contracts necessary for the execution of such contracts.
Thus, IT consultancy services could be provided until 8 January 2023 under contracts, concluded before 7 October 2022, or of ancillary contracts necessary for the execution of such contracts. After January 8, the provision of IT services, even under existing contracts, is prohibited.
The provision of IT consultancy services is allowed:
for legal purposes (right to be heard, enforcement of awards etc.);
in case of public health emergencies and natural disasters;
to entities, established in Russia that are owned or controlled by entities from EU, EEA, Switzerland, USA, Japan, UK or South Korea;
for software updates for a certain list of dual-use goods and technology for non-military use and for a non-military end-user;
according to the decision of the competent authorities of the Member State.
Penalties for sanctions violations
Control over compliance with sanctions is entrusted to the authorized bodies of the EU Member States. The EU Member States determine the available penalty framework for the violation of the EU sanctions.
Moreover, the Council adopted a Decision to identify the violation of Union restrictive measures as an area of crime within the meaning of Article 83(1), second subparagraph, TFEU. Identifying a violation of EU sanctions as an EU crime is the first step. The next step involves the adoption of substantive secondary legislation, inter alia on the establishment of minimum rules concerning the definition of criminal offences and penalties for the violation of Union restrictive measures.
A more detailed analysis of IT consultancy sanctions can be found in the MEMORANDUM on EU sanctions against Russia in IT consultancy prepared by Ukrainian Victims of War Foundation.