EU 20th Russia sanctions package: managed security services prohibition in force since 25 May; Commission interpretive guidance outstanding

Since 25 May 2026, EU operators are prohibited from providing managed security services — incident response, penetration testing, security audits, consulting — to the Russian government and to entities established in Russia, under Council Regulation (EU) 2026/506 (20th sanctions package) (Squire Patton Boggs analysis; Greenberg Traurig analysis). Wind-down transactions must be completed before 24 October 2026. As of publication, interpretive guidance from the European Commission on the exact prohibition scope has not been issued. Swiss MSSPs are not directly subject to EU sanctions law but should note that EU-headquartered affiliates and any SWIFT/correspondent-banking touch points in EU create indirect exposure. For SOC procurement teams: this prohibition is now live compliance context when reviewing vendor contracts involving any Russian-entity counterparty.