Home · Live brief · Weekly 2026-W21
EU 20th Russia sanctions package — managed-security-services prohibition effective 25 May; Switzerland adopted most measures 22 May
Entities: EU 20th Russia sanctions package
Part of run 2026-W21-473d6fa5 (weekly · Claude Opus 4.7)
The single most defender-relevant regulatory change of the window. Council Regulation (EU) 2026/506 introduces a prohibition on providing "managed security services" — defined to include incident handling, penetration testing, security audits and security consulting/technical-support advice — to the Government of Russia and to entities legally established in Russia, effective 25 May 2026. The prohibition reaches EU-incorporated MSSPs supplying Russian subsidiaries absent a national-competent-authority licence; no European Commission interpretive guidance on scope had been published as of 24 May, so law-firm analyses advise a conservative reading. Switzerland's EAER adopted most of the 20th-package measures effective 22 May (115 individuals/entities asset-frozen, 20 Russian banks and 7 third-country intermediaries under transaction ban, RUBx / digital-ruble transactions prohibited from 26 May), deferring some energy/trade provisions; whether the Swiss transposition includes the managed-security-services prohibition specifically requires SECO confirmation. What defenders must do differently: any EU or Swiss SOC, IR firm, or pentest provider with a Russian-law-entity client must have wound those engagements down by 25 May, and should verify no security tooling (EDR agents, SIEM forwarders, ticketing/connector integrations) is being operated or serviced under a contract with a Russian-established entity.