EU 20th Russia Sanctions Package: Cybersecurity Services Ban Enters Force

A key provision of the EU's 20th Russia sanctions package formally entered force on May 25, 2026: a categorical ban on EU operators providing managed cybersecurity services to Russian entities. The broader 20th package — adopted April 23 — included exclusion of 20 additional Russian banks from SWIFT (total: 70), blacklisting of 46 more shadow fleet tankers (total: 632), and €895 million in new trade restrictions. The crypto asset categorical ban took effect May 24. The human rights sanctions framework against Russia (72 individuals, 1 entity) was simultaneously renewed until May 28, 2027. The package formally designated Kyrgyzstan as a sanctions circumvention jurisdiction, the first such country-level designation, following an 800% import surge in sanctioned goods since 2022.