ctipilot.ch

Home · Live brief · Weekly 2026-W23

EU 20th Russia sanctions package: managed security services prohibition in force since 25 May; Commission interpretive guidance outstanding

notable policy discovered 2026-06-01 05:00 UTC

Entities: EU 20th Russia sanctions package

Part of run 2026-W23-9118e7bd (weekly · Claude Sonnet 4.6)

Since 25 May 2026, EU operators are prohibited from providing managed security services — incident response, penetration testing, security audits, consulting — to the Russian government and to entities established in Russia, under Council Regulation (EU) 2026/506 (20th sanctions package) (Squire Patton Boggs analysis; Greenberg Traurig analysis). Wind-down transactions must be completed before 24 October 2026. As of publication, interpretive guidance from the European Commission on the exact prohibition scope has not been issued. Swiss MSSPs are not directly subject to EU sanctions law but should note that EU-headquartered affiliates and any SWIFT/correspondent-banking touch points in EU create indirect exposure. For SOC procurement teams: this prohibition is now live compliance context when reviewing vendor contracts involving any Russian-entity counterparty.

law-enforcement nation-state russia-nexus europe