JUDGMENT OF THE GENERAL COURT (Eighth Chamber, Extended Composition)
10 September 2025 (*)
( Common foreign and security policy – Restrictive measures in respect of actions undermining or threatening the territorial integrity, sovereignty and independence of Ukraine – Freezing of funds – List of persons, entities and bodies subject to the freezing of funds and economic resources – Inclusion and maintenance of the applicant’s name on the lists – Definition of ‘entities operating in the Russian IT sector with a license administered by the FSB’ – Article 2(1)(i) of Decision 2014/145/CFSP – Article 3(1)(i) of Regulation (EU) No 269/2014 – Plea of illegality – Error of assessment – Obligation to state reasons – Rights of the defence )
In Case T‑573/23,
Positive Group PAO, established in Moscow (Russia), represented by A. Beauchemin and W. Julié, lawyers,
applicant,
v
Council of the European Union, represented by E. Nadbath, A. Boggio-Tomasaz and P. Mahnič, acting as Agents,
defendant,
supported by
Kingdom of the Netherlands, represented by M. Bulterman, C. Schillemans and E. Besselink, acting as Agents,
intervener,
THE GENERAL COURT (Eighth Chamber, Extended Composition),
composed of A. Kornezov, President, G. De Baere (Rapporteur), D. Petrlík, K. Kecsmár and S. Kingston, Judges,
Registrar: M. Zwozdziak-Carbonne, Administrator,
having regard to the written part of the procedure, in particular:
– the application lodged at the Registry of the General Court on 15 September 2023,
– the first statement of modification lodged at the Court Registry on 22 May 2024,
– the second statement of modification lodged at the Court Registry on 25 November 2024,
further to the hearing on 26 February 2025,
gives the following
Judgment
1 By its action under Article 263 TFEU, the applicant, Positive Group PAO, seeks annulment of (i) Council Decision (CFSP) 2023/1218 of 23 June 2023 amending Decision 2014/145/CFSP concerning restrictive measures in respect of actions undermining or threatening the territorial integrity, sovereignty and independence of Ukraine (OJ 2023 L 159I, p. 526), and Council Implementing Regulation (EU) 2023/1216 of 23 June 2023 implementing Regulation (EU) No 269/2014 concerning restrictive measures in respect of actions undermining or threatening the territorial integrity, sovereignty and independence of Ukraine (OJ 2023 L 159I, p. 335) (together, ‘the initial acts’); (ii) Council Decision (CFSP) 2023/1767 of 13 September 2023 amending Decision 2014/145/CFSP concerning restrictive measures in respect of actions undermining or threatening the territorial integrity, sovereignty and independence of Ukraine (OJ 2023 L 226, p. 104), and Council Implementing Regulation (EU) 2023/1765 of 13 September 2023 implementing Regulation (EU) No 269/2014 concerning restrictive measures in respect of actions undermining or threatening the territorial integrity, sovereignty and independence of Ukraine (OJ 2023 L 226, p. 3) (together, ‘the first set of maintaining acts’); (iii) Council Decision (CFSP) 2024/847 of 12 March 2024 amending Decision 2014/145/CFSP concerning restrictive measures in respect of actions undermining or threatening the territorial integrity, sovereignty and independence of Ukraine (OJ L, 2024/847), and Council Implementing Regulation (EU) 2024/849 of 12 March 2024 implementing Regulation (EU) No 269/2014 concerning restrictive measures in respect of actions undermining or threatening the territorial integrity, sovereignty and independence of Ukraine (OJ L, 2024/849) (together, ‘the second set of maintaining acts’); and (iv) Council Decision (CFSP) 2024/2456 of 12 September 2024 amending Decision 2014/145/CFSP concerning restrictive measures in respect of actions undermining or threatening the territorial integrity, sovereignty and independence of Ukraine (OJ L, 2024/2456) and of Council Implementing Regulation (EU) 2024/2455 of 12 September 2024 implementing Regulation (EU) No 269/2014 concerning restrictive measures in respect of actions undermining or threatening the territorial integrity, sovereignty and independence of Ukraine (OJ L, 2024/2455) (‘the third set of maintaining acts’), in so far as those sets of acts (together, ‘the contested acts’) concern the applicant.
Background to the dispute
2 The applicant is a holding company established in Russia that operates in the information technology (IT) sector and, in particular, the cybersecurity sector.
3 The present case arises in the context of restrictive measures adopted by the European Union in respect of actions undermining or threatening the territorial integrity, sovereignty and independence of Ukraine.
4 On 17 March 2014, the Council of the European Union adopted, under Article 29 TEU, Decision 2014/145/CFSP concerning restrictive measures in respect of actions undermining or threatening the territorial integrity, sovereignty and independence of Ukraine (OJ 2014 L 78, p. 16). On the same date, it adopted, under Article 215 TFEU, Regulation (EU) No 269/2014 concerning restrictive measures in respect of actions undermining or threatening the territorial integrity, sovereignty and independence of Ukraine (OJ 2014 L 78, p. 6).
5 On 23 June 2023, taking into account the fact that information warfare constituted a key means by which the Russian Federation was implementing its war of aggression against Ukraine, the Council adopted Decision 2023/1218 and Regulation (EU) 2023/1215 amending Regulation No 269/2014 (OJ 2023 L 159I, p. 330) in order, inter alia, to amend the criteria according to which natural or legal persons, entities and bodies can be made subject to the restrictive measures decided upon by the European Union in respect of actions undermining or threatening the territorial integrity, sovereignty and independence of Ukraine.
6 Article 1(2)(b) of Decision 2023/1218 inserted the new listing criterion laid down in Article 2(1)(i) of Decision 2014/145 (‘criterion (i)’). The latter provision provides as follows:
‘1. All funds and economic resources belonging to, or owned, held or controlled by:
…
(i) legal persons, entities or bodies operating in the Russian IT-sector with a license administered by the Federal Security Service of the Russian Federation (FSB) Centre for Licensing, Certification, and Protection of State Secrets or a “weapons and military equipment” license administered by the Russian Ministry of Industry and Trade …
… shall be frozen.’
7 Article 1(1)(b) of Regulation 2023/1215 inserted that criterion, worded identically, into Article 3(1)(i) of Regulation No 269/2014.
8 By way of the initial acts, the name of the applicant, appearing as ‘Positive Group PJSC, a.k.a. Positive technologies, a.k.a. Gruppa Pozitiva’, was added to the list of persons, entities and bodies in the Annex to Decision 2014/145, as amended, and to the list contained in Annex I to Regulation No 269/2014, as amended (‘the lists at issue’), on the following grounds:
‘Positive Group PJSC holds a license administered by the FSB. The FSB license is issued to IT companies that develop encryption and cryptography technology, information systems, and telecommunication systems for the Russian intelligence services, as well as IT companies that develop “personal database management systems” for the Russian security services (i.e. tools specifically designed to store, retrieve, and manage large amounts of data obtained through, for example, social media scraping or other intelligence gathering practices).
Therefore, Positive Group PJSC constitutes an entity operating in the Russian IT sector with a license administered by the FSB Centre for Licensing, Certification, and Protection of State Secrets.’
9 On 26 June 2023, the Council published a notice for the attention of the natural and legal persons, entities and bodies subject to the restrictive measures provided for in Decision 2014/145, as amended by Decision 2023/1218, and in Regulation No 269/2014, as implemented by Implementing Regulation 2023/1216 (OJ 2023 C 222, p. 39), in the Official Journal of the European Union.
10 By letter of 13 July 2023, the applicant requested that the Council provide access to the evidence pack on the basis of which it had decided to include the applicant’s name on the lists at issue.
11 On 4 August 2023, the Council sent the applicant a copy of the evidence pack bearing the reference WK 5423/2023, dated 3 May 2023 (‘the first evidence pack’).
12 On 13 September 2023, the Council adopted the first set of maintaining acts, by way of which the applicant’s name was maintained on the lists at issue on the same ground as that set out in the initial acts.
13 On 14 September 2023, the Council published a notice for the attention of persons and entities subject to the restrictive measures provided for in Decision 2014/145, as amended by Decision 2023/1767, and Regulation No 269/2014, as implemented by Implementing Regulation 2023/1765 (OJ 2023 C 324 p. 8), in the Official Journal.
Facts subsequent to the bringing of the action
14 By letter of 25 September 2023, the applicant requested that the Council disclose the documents forming the basis of the decision to maintain its name on the lists at issue.
15 On 31 October 2023, the Council once again sent the applicant a copy of the first evidence pack, and also disclosed the documents contained in the evidence pack bearing the reference WK 6512/2023 (‘the second evidence pack’), dated 16 May 2023.
16 By letter of 1 November 2023, the applicant sent the Council a request for reconsideration of the decision to include and maintain its name on the lists at issue.
17 On 12 March 2024, the Council adopted the second set of maintaining acts, by way of which the applicant’s name was maintained on the lists at issue for the same reason as that set out in the initial acts.
18 On 13 March 2024, the Council published a notice for the attention of persons and entities subject to the restrictive measures provided for in Decision 2014/145, as amended by Decision 2024/847, and in Regulation No 269/2014 as implemented by Implementing Regulation 2024/849 (OJ C, C/2024/2191), in the Official Journal.
19 By letter of 13 March 2024, the Council rejected the applicant’s request for reconsideration of 1 November 2023.
20 By letter of 16 May 2024, in response to emails from the applicant dated 30 April and 14 May 2024 requesting access to all the documents supporting the continued inclusion of its name on the lists at issue, the Council confirmed that all the documents – namely the first and second evidence packs – had already been disclosed to the applicant on 4 August and 31 October 2023.
21 By letter of 31 May 2024, the applicant sent the Council a request for reconsideration of the decision to maintain its name on the lists at issue by way of the second set of maintaining acts.
22 By letter of 16 July 2024, the Council informed the applicant of its intention to maintain the latter’s name on the lists at issue with an amended statement of reasons, and sent that new statement of reasons along with the evidence pack bearing the reference WK 9908/2024 (‘the third evidence pack’), dated 10 July 2024, on which it had based its decision, to the applicant.
23 By letter of 31 July 2024, in response to the letter of 16 July 2024, the applicant submitted observations to the Council concerning the latter’s intention to maintain the applicant’s name on the lists at issue having regard to the amended statement of reasons.
24 On 12 September 2024, the Council adopted the third set of maintaining acts, by way of which the applicant’s name was maintained on the lists at issue. The grounds for listing were amended as follows:
‘Positive Group PJSC is the holding company of a conglomerate that includes AO Pozitiv Teknolodzhiz. AO Pozitiv Teknolodzhiz operates in the Russian IT sector and holds a license administered by the FSB Centre for Licensing, Certification, and Protection of State Secrets. Thus, Positive Group PJSC is the holding company of a conglomerate that includes an entity operating in the Russian IT sector and holding a license administered by the FSB.
Therefore, Positive Group PJSC constitutes an entity operating in the Russian IT sector with a license administered by the FSB Centre for Licensing, Certification, and Protection of State Secrets.’
25 On 13 September 2024, the Council published a notice for the attention of the natural or legal persons, entities or bodies subject to the restrictive measures provided for in Decision 2014/145, as amended by Decision 2024/2456, and Regulation No 269/2014 as implemented by Implementing Regulation 2024/2455 (OJ C, C/2024/5573), in the Official Journal.
26 By letter of 13 September 2024, the Council rejected the applicant’s request for reconsideration, set out in the letters of 31 May and 31 July 2024, and informed the applicant of its decision to maintain its name on the lists at issue.
27 By letter of 1 November 2024, the applicant sent the Council a request for reconsideration of the decision to maintain its name on the lists at issue by way of the third set of maintaining acts.
Forms of order sought
28 The applicant, after modification of the application, claims that the Court should:
– annul the contested acts in so far as they concern the applicant;
– order the Council to pay the costs;
– dismiss the statement in intervention of the Kingdom of the Netherlands as inadmissible;
– order the Kingdom of the Netherlands to bear its own costs.
29 The Council, supported by the Kingdom of the Netherlands, contends that the Court should:
– dismiss the action;
– order the applicant to pay the costs;
– in the alternative, should the Court annul Decisions 2023/1218, 2023/1767, 2024/847 or 2024/2456 in so far as they concern the applicant, order that the effects of those decisions be maintained in respect of the applicant until the expiry of the period for lodging an appeal against the judgment of the Court or, if an appeal is lodged within that period, until any dismissal of the appeal.
Law
30 The applicant puts forward four pleas in law in support of its action, alleging (i) illegality of criterion (i); (ii) infringement of the right to effective judicial protection and of the obligation to state reasons; (iii) manifest errors of assessment; and (iv) infringement of the rights of the defence and of the Council’s obligation to conduct a proper review of its decision to include the applicant’s name on the lists at issue.
The admissibility of the statement in intervention of the Kingdom of the Netherlands
31 The applicant claims that the statement in intervention submitted by the Kingdom of the Netherlands is inadmissible, in that it fails to set out with sufficient clarity and precision the pleas and arguments on which it relies, and therefore does not meet the requirements laid down in Article 145 of the Rules of Procedure of the General Court.
32 Pursuant to Article 145(2)(b) of the Rules of Procedure, a statement in intervention must contain the pleas in law and arguments relied on by the intervener.
33 In accordance with settled case-law in relation to an application initiating proceedings, applicable by analogy in relation to a statement in intervention, the summary of the pleas in law must be sufficiently clear and precise to enable the defendant to prepare its defence and to enable the Court to give judgment in the action without the need to seek further information (see judgment of 9 September 2009, Diputación Foral de Álava and Others v Commission, T‑227/01 to T‑229/01, T‑265/01, T‑266/01 and T‑270/01, EU:T:2009:315, paragraph 94 and the case-law cited).
34 It should be observed that, in its statement in intervention, the Kingdom of the Netherlands stresses the importance of criterion (i) in responding to the Russian Federation’s information warfare in Ukraine. It notes the close ties that exist between the Russian intelligence and security services and the Russian IT sector, as well as the role played by Russian IT companies that fall under criterion (i) in the Russian Federation’s information warfare in Ukraine. In that connection, the Kingdom of the Netherlands cites examples to illustrate the fact that undertakings which hold a license administered by the Federal Security Service of the Russian Federation (FSB) Centre for Licensing, Certification, and Protection of State Secrets (‘a license from the FSB’) in order to work with cryptography tools play an important role in the Russian cyber defence complex. It submits that criterion (i) is necessary in that it reduces the possibility for the Russian Federation to continue to wage a war of information against Ukraine, and that it is proportionate.
35 Thus it is sufficiently clear from the statement in intervention of the Kingdom of the Netherlands that the arguments raised seek the rejection of the first plea, based on a plea of illegality in respect of criterion (i).
36 Accordingly, the statement in intervention of the Kingdom of the Netherlands meets the requirements of Article 145(2)(b) of the Rules of Procedure, and is admissible.
The first plea, based on a plea of illegality in respect of criterion (i)
37 The applicant raises, under Article 277 TFEU, a plea of illegality in respect of criterion (i), on the basis of which the applicant’s name was included and maintained on the lists at issue. The applicant submits that criterion (i) as interpreted by the Council, namely as applying to any IT company holding a license from the FSB, irrespective of the type of license and without any demonstrable connection having been established with activities ‘undermining or threatening the territorial integrity of Ukraine’, (i) fails to comply with the principles of foreseeability and legal certainty, (ii) fails to comply with the principle of proportionality, and (iii) constitutes a disproportionate interference with the freedom to conduct a business.
38 Under Article 277 TFEU, any party may, in proceedings in which an act of general application adopted by an institution, body, office or agency of the Union is at issue, plead the grounds specified in the second paragraph of Article 263 TFEU in order to invoke before the Court of Justice of the European Union the inapplicability of that act.
39 Article 277 TFEU gives expression to a general principle conferring upon any party to proceedings the right to challenge incidentally, with a view to obtaining the annulment of a decision addressed to that party, the validity of acts of general application which form the legal basis of that decision, if that party was not entitled under Article 263 TFEU to bring a direct action challenging those acts by which it was thus affected without having been in a position to ask that they be annulled. The general measure the illegality of which is pleaded must be applicable, directly or indirectly, to the circumstances which are the subject of the action, and there must be a direct legal connection between the individual decision contested and the general measure in question (see judgment of 15 November 2023, OT v Council, T‑193/22, EU:T:2023:716, paragraph 33 and the case-law cited).
40 With regard to the intensity of judicial review, according to settled case-law, the Courts of the European Union must, in accordance with the powers conferred on them by the FEU Treaty, ensure the review, in principle the full review, of the lawfulness of all Union acts in the light of the fundamental rights forming an integral part of the European Union legal order. That obligation is expressly laid down by the second paragraph of Article 275 TFEU (see judgment of 15 November 2023, OT v Council, T‑193/22, EU:T:2023:716, paragraph 34 and the case-law cited).
41 The Council nevertheless enjoys a broad discretion as regards the general and abstract definition of the legal criteria and procedures for adopting restrictive measures. Consequently, rules of general application defining those criteria and procedures, such as the provisions of the contested acts laying down the relevant criterion referred to in the present plea, are subject to a limited judicial review, restricted to checking that the rules governing procedure and the statement of reasons have been complied with, that the facts are materially accurate, that there has been no error in law and that there has been no manifest error of assessment of the facts or misuse of power (see judgment of 15 November 2023, OT v Council, T‑193/22, EU:T:2023:716, paragraph 35 and the case-law cited). That limited review applies, especially, to the assessment of the considerations of appropriateness on which the restrictive measures are based (judgment of 29 April 2015, Bank of Industry and Mine v Council, T‑10/13, EU:T:2015:235, paragraph 75; see also judgment of 13 September 2023, Venezuela v Council, T‑65/18 RENV, EU:T:2023:529, paragraph 63 and the case-law cited).
42 The fact remains that the Council’s broad discretion in establishing the legal criteria surrounding the adoption of restrictive measures does not authorise it to infringe the values of the rule of law or the principles and rights enshrined in the Charter of Fundamental Rights of the European Union (‘the Charter’) and that it is therefore for the Court to ascertain whether criterion (i) is consistent with the principles of foreseeability, legal certainty and proportionality (see, to that effect, judgments of 16 July 2014, National Iranian Oil Company v Council, T‑578/12, not published, EU:T:2014:678, paragraphs 110 and 111, and of 4 September 2015, NIOC and Others v Council, T‑577/12, not published, EU:T:2015:596, paragraphs 129 and 130).
The first complaint, alleging breach of the principles of foreseeability and legal certainty
43 The applicant claims that the conditions for the applicability of criterion (i) are not defined with sufficient clarity. The literal interpretation of criterion (i) adopted by the Council confers unfettered discretion on the latter, in the applicant’s submission, and allows it to take restrictive measures against any company in the Russian IT sector that holds a license from the FSB without those measures being based on specific activities, in breach of the principles of foreseeability and legal certainty.
44 It is settled case-law that the principle of legal certainty requires EU legislation to be certain and its application foreseeable by those subject to it. That legislation must be clear and precise, so that individuals may ascertain unequivocally what their rights and obligations are (see judgment of 18 December 2024, Mironovich Shor v Council, T‑489/23, EU:T:2024:912, paragraph 84 and the case-law cited).
45 In that connection, first, it is clear from the wording of criterion (i), referred to in paragraph 6 above, that the application thereof presupposes that two objective conditions are satisfied, namely that, on the one hand, the legal person, entity or body concerned operates in the Russian IT sector and, on the other hand, it holds a license from the FSB or a ‘weapons and military equipment’ license.
46 Accordingly, the conditions for the application of criterion (i) objectively establish a defined category of persons.
47 Secondly, it should be observed that it is clear from recital 2 of Regulation 2023/1215 that the Council adopted Decision 2023/1218, which introduced criterion (i), ‘in response to information warfare conducted by [the Russian Federation] in order to implement its war of aggression against Ukraine’.
48 Thus, criterion (i) forms part of a legal framework that is circumscribed by the objectives pursued by the legislation governing the restrictive measures at issue, namely the need, in view of the gravity of the situation, to exert maximum pressure on the Russian authorities so that they bring an end to their actions and policies destabilising Ukraine and to the military aggression against Ukraine. From that perspective, the restrictive measures at issue are consistent with the objective, referred to in Article 21(2)(c) TEU, of preserving peace, preventing conflicts and strengthening international security, in accordance with the purposes and principles of the Charter of the United Nations, signed at San Francisco on 26 June 1945 (see, to that effect, judgment of 15 November 2023, OT v Council, T‑193/22, EU:T:2023:716, paragraph 46 and the case-law cited).
49 Furthermore, the discretion conferred on the Council by the criterion at issue is offset by an obligation to state reasons and strengthened procedural rights (see, to that effect, judgment of 15 November 2023, OT v Council, T‑193/22, EU:T:2023:716, paragraph 47 and the case-law cited). It is clear from the case-law that, where the institutions of the European Union have a power of appraisal, respect for the rights guaranteed by the legal order of the European Union in administrative procedures is of even more fundamental importance (see judgments of 16 July 2014, National Iranian Oil Company v Council, T‑578/12, not published, EU:T:2014:678, paragraph 122 and the case-law cited, and of 4 September 2015, NIOC v Council, T‑577/12, not published, EU:T:2015:596, paragraph 141 and the case-law cited).
50 Moreover, it should be noted, as the Council does, that its discretion is confined to the question whether it is appropriate to include on the lists of entities subject to restrictive measures all of the entities that satisfy criterion (i) or only some of them and, in that case, which of those entities.
51 Although the Council cannot include on the lists the names of persons who do not satisfy the listing criteria laid down by the applicable measures, it is not required to include on those lists the names of all of the persons who do satisfy those criteria. The Council has, in that regard, a broad discretion enabling it, when appropriate, not to impose those measures on such a person, where the Council considers that, in the light of the objectives of those measures, it would not be appropriate to do so (see judgment of 18 December 2024, Rosbank v Council, T‑270/23, not published, EU:T:2024:904, paragraph 136 and the case-law cited).
52 It follows that the discretion conferred on the Council by criterion (i) cannot be described as unfettered or arbitrary, since that criterion is sufficiently clear and foreseeable, and the Council’s discretion is circumscribed by the objectives pursued. Consequently, criterion (i) is consistent with the principles of foreseeability and legal certainty.
53 That finding is not called into question by the applicant’s arguments.
54 In the first place, as regards the condition laid down by criterion (i) on holding a license from the FSB, the applicant claims that this is defined in overly general terms and rests on a misunderstanding of the licensing system in Russia.
55 The applicant maintains that the wording of criterion (i) lacks precision, in that it suggests that there exists only a unique type of license administered by the FSB, whereas the latter administers a wide variety of licenses that cover trivial business activities.
56 The applicant states in particular that there are 28 ‘type 4’ licenses, namely those administered in respect of encryption-related activities. It observes that only one of those licenses concerns the development of encryption tools, that the 27 other licenses concern the use of encryption technologies – for example for online banking applications – and that nearly all banks in Russia, including foreign-owned banks, hold such licenses. The applicant also observes that there are three types of ‘State secrets’ licenses, and that they are not issued solely to undertakings operating in the IT sector, but also to mobile phone operators, construction companies, and even to providers of cleaning services. It claims that thousands of Russian undertakings across all sectors of the economy hold licenses from the FSB and have nothing to do with information warfare.
57 It should be noted that the second evidence pack prepared by the European External Action Service (EEAS), on which the Council relied in order to introduce criterion (i), contains an excerpt from the website of the FSB, which describes the various activities requiring that a license be obtained, and in which the FSB identifies seven types of license.
58 It is apparent from the website of the FSB that the ‘type 1’ licenses concern the carrying out of work related to the use of information constituting a state secret; ‘type 2’ licenses, activities related to the creation of means of protecting information containing information constituting a state secret; and ‘type 3’ licenses, implementation of measures and (or) provision of services in the field of protection of state secrets. Those three types of license are ‘State secrets’ licenses and are administered pursuant to Decree of the Government of the Russian Federation No 333 of 15 April 1995 ‘on licensing the activities of undertakings, institutions and organisations for carrying out work related to the use of information constituting a state secret, the creation of information security tools, as well as the implementation of measures and (or) provision of services for the protection of state secrets’. ‘Type 4’ licenses concern regulated activities linked to encryption (cryptographic) tools and are administered pursuant to Decree of the Government of the Russian Federation No 313 of 16 April 2012 ‘on licensing activities for the development, production and distribution of encryption (cryptographic) means, information systems and telecommunication systems protected using encryption (cryptographic) means, performance of work, provision of services in the field of information encryption, technical maintenance of encryption (cryptographic) means, information systems and telecommunications systems protected using encryption (cryptographic) means’ (‘Decree 313’). ‘Type 5’ licenses concern activities for the development, production, sale and acquisition for the purpose of sale of special technical means intended for secretly obtaining information; ‘type 6’ licenses, activities to identify electronic devices designed to secretly obtain information; and ‘type 7’ licenses, activities for the development and production of means of protecting confidential information.
59 Furthermore, the Council does not dispute the fact that Decree 313, referred to in the second evidence pack, provides for 28 different ‘type 4’ licenses for those activities linked to encryption tools.
60 Accordingly, contrary to what the applicant maintains, it cannot be inferred from the fact that criterion (i) is aimed at entities operating in the Russian IT sector with, in particular, a license from the FSB that the Council took the view that the FSB solely administers one type of license.
61 Moreover, it should be recalled that the application of criterion (i) is not confined to the condition that an entity hold a license from the FSB, but also presupposes that that entity operates in the Russian IT sector. Thus, the fact that undertakings in other economic sectors hold a license from the FSB is irrelevant, in so far as they are not covered by criterion (i).
62 Consequently, the applicant’s argument that holding a license from the FSB is not confined to undertakings operating in the IT sector must be rejected as ineffective as regards the assessment of the lawfulness of criterion (i).
63 Similarly, the applicant’s argument that holding a ‘type 4’ encryption license does not necessarily mean also holding a ‘state secrets’ license is irrelevant, in so far as criterion (i) clearly provides for holding a single FSB license of any type, without requiring that such a license be a ‘state secrets’ license.
64 It is apparent from a literal interpretation of criterion (i) that all entities operating in the Russian IT sector, with a license from the FSB of any type, are covered by that criterion. That interpretation does not mean that the adoption of that criterion is based on a misunderstanding of the Russian licensing system.
65 Thus, contrary to what the applicant maintains, the fact that criterion (i) covers any type of license administered by the FSB does not mean that that provision lacks clarity or precision.
66 In the second place, the applicant claims that criterion (i) is not sufficiently precise, in that it does not refer to a specific activity of the person concerned, as required by the case-law.
67 First, it should be recalled that, in paragraph 81 of the judgment of 28 November 2013, Council v Fulmen and Mahmoudian (C‑280/12 P, EU:C:2013:775), on which the applicant relies, the Court of Justice merely held that, in that particular case, ‘the measure that is subject to review by the Courts of the European Union is a targeted measure that covers not a particular economic sector but an individual undertaking on account of a specific alleged activity’. It follows that the Court of Justice found only that the individual restrictive measure in question had been adopted pursuant to a criterion relating to the activity of the person concerned and that, consequently, the Council’s argument that it had the power to adopt general economic measures or target certain sectors of the Iranian economy, in accordance with Article 215(1) TFEU, was of little importance. Since that judgment does not concern the interpretation of a listing criterion, it is irrelevant in the present case.
68 Second, it should be recalled that, pursuant to the first condition under criterion (i), the application of the latter is confined to entities operating in a specific sector, namely the Russian IT sector. Furthermore, the second condition laid down by that criterion, relating to the holding of a license from the FSB, also implies the exercise of certain activities, referred to in paragraph 58 above, in respect of which such licenses are administered.
69 Moreover, it should be noted that the applicant has failed to specify what it regards as being a ‘specific activity’, and that it does not maintain that the limitation of the application of criterion (i) to activities in the Russian IT sector is not sufficiently precise.
70 Consequently, the applicant’s argument must be rejected.
71 In the third place, the applicant claims that the grant of a license is a legal prerequisite for conducting a certain type of activity, and that criterion (i) thus covers purely lawful activities. It follows, it is argued, from the case-law of the General Court that a person cannot be sanctioned on the basis of a legal obligation, such as the obligation to pay taxes, and that the fact of having a license to carry out a specific business activity, particularly when that activity takes place in a regulated sector, does not constitute a sufficient ground for an individual restrictive measure.
72 In that connection, it should be pointed out that the case-law to which the applicant refers in support of that argument does not concern the lawfulness of a criterion for inclusion on the lists of persons subject to restrictive measures, but rather seeks to establish whether the Council had produced sufficient evidence to demonstrate that the applicants satisfied the conditions laid down by the listing criterion in question.
73 Thus, in the judgments cited by the applicant, the Court found that, in so far as the payment of taxes constituted a legal obligation applicable to all taxpayers, the Council could not infer from the payment of taxes by the person concerned that he was providing financial support to the regime of a third country (judgments of 9 December 2014, Peftiev v Council, T‑441/11, not published, EU:T:2014:1041, paragraph 188, and of 6 October 2015, Chyzh and Others v Council, T‑276/12, not published, EU:T:2015:748, paragraph 169). The Court has also held that the fact that a company operated in a regulated sector either suggested ties to the regime in question but could not demonstrate, as such, that that company supported the regime financially (judgment of 9 December 2014, Peftiev v Council, T‑441/11, not published, EU:T:2014:1041, paragraph 195), or required licenses for importing and exporting weapons, which was not sufficient to establish that it benefitted from the regime in question (judgment of 27 September 2017, BelTechExport v Council, T‑765/15, not published, EU:T:2017:669, paragraph 100).
74 Accordingly, it cannot be inferred from the judgments cited by the applicant that the Court found that the Council could not make provision for a listing criterion that includes holding a particular license as a condition for adopting restrictive measures. It must therefore be held that the case-law on which the applicant relies is not relevant for the purposes of assessing the lawfulness of criterion (i).
75 Moreover, it should be observed that the applicant has failed to explain why the fact that having a license from the FSB is necessary for the conduct of lawful activities in Russia might be relevant for the purposes of assessing the lawfulness of criterion (i) in the light of the principles of foreseeability and legal certainty. In any event, neither Decision 2014/145 nor Regulation No 269/2014 makes the adoption of restrictive measures against natural and legal persons, entities and bodies the names of which are included on the lists at issue subject to the condition that these conduct activities regarded as unlawful in Russia.
76 Accordingly, contrary to what the applicant claims, the fact that criterion (i) covers any person holding a license from the FSB without regard to the lawful or unlawful nature of that person’s activities does not mean that that criterion is not sufficiently clear or foreseeable.
77 In the fourth place, in the statement of modification concerning the third set of maintaining acts, the applicant maintains that the Council interpreted criterion (i) as enabling it to include on the lists at issue the names of companies that did not themselves have a license from the FSB, on the sole ground that such a license would be held by one of their subsidiaries. The applicant claims that, in situations involving complex corporate structures, where holding companies with multiple subsidiaries may be concerned, the interpretation of criterion (i) by the Council could lead to situations in which the entire corporate group – and, in particular, those subsidiaries that do not operate in the sector concerned or do not have a license from the FSB – could be made subject to restrictive measures, simply because a single entity within the group may be in possession of a relevant license.
78 First of all, it should be noted that it is clear from the wording of criterion (i) that that provision expressly covers ‘legal persons, entities and bodies’. The three concepts employed in criterion (i) must be regarded as differing in scope.
79 As regards the concept of ‘entity’, the objective behind the use of that word is to allow criterion (i) to be applied to any ‘entity’, whatever its legal form.
80 In that connection, at the hearing, the applicant, relying on the English-language version of criterion (i) in so far as it refers to ‘legal persons, entities or bodies’, submitted that this was to be interpreted as applying to ‘legal persons, legal entities or legal bodies’.
81 However, the applicant’s argument that the concept of ‘entity’ covers only ‘legal entities’ would, as a consequence, reduce that concept to that of ‘legal person’ and strip away the effectiveness of the list under criterion (i). It is settled case-law that where a provision of EU law is open to several interpretations, preference must be given to the interpretation which ensures that the provision retains its effectiveness (see judgment of 29 June 2023, Interfel, C‑501/22 to C‑504/22, EU:C:2023:531, paragraph 54 and the case-law cited).
82 Thus, the concept of ‘entity’ does not overlap with that of ‘legal person’ and must be regarded as being broader in scope, in order to allow the adoption of restrictive measures against any ‘entity’ that meets the conditions laid down by criterion (i) without such adoption being curtailed by the various legal structures that may exist in Russia or by the lack of legal personality.
83 It must therefore be held that a parent company and its subsidiary, although legally separate persons, can nonetheless form a single entity by reference, inter alia, to the degree of the parent company’s ownership of or control over that subsidiary.
84 The use of the word ‘entity’ in criterion (i) thus serves to refer to a group formed by a parent company and the subsidiaries that it owns or controls or that are not independent from that parent company.
85 In that connection, as the Council observes, any other interpretation of criterion (i) would interfere with the effectiveness thereof and that of the restrictive measures, by enabling a company to circumvent the application of that criterion through the creation of a subsidiary in order to obtain and hold a license from the FSB.
86 It follows that, in the scenario where a parent company owns or controls one of its subsidiaries in such a way that it exerts decisive influence over that subsidiary, they form a single group and, therefore, a single entity for the purposes of criterion (i). Thus, in that scenario, the conditions for listing the entity formed by the parent company and its subsidiary under criterion (i) will be met where the subsidiary operates in the Russian IT sector and holds a license from the FSB.
87 Accordingly, contrary to what the applicant maintains, such an interpretation is in conformity with the wording of criterion (i), which must be regarded as sufficiently clear and foreseeable.
88 It follows from the foregoing that the first complaint must be rejected.
The second complaint, alleging breach of the principle of proportionality
89 The applicant claims that the Council’s literal interpretation of criterion (i) enables it to sanction any company operating in the Russian IT sector and holding a license from the FSB, without there being any demonstrable connection with ‘the Russian intelligence community’ or information warfare, which goes beyond what is necessary to achieve the objective pursued by the sanctions imposed on the Russian Federation.
90 According to settled case-law, the principle of proportionality is one of the general principles of EU law and requires that measures implemented through provisions of EU law be appropriate for attaining the legitimate objectives pursued by the legislation at issue and do not go beyond what is necessary to achieve them (judgment of 13 March 2012, Melli Bank v Council, C‑380/09 P, EU:C:2012:137, paragraph 52; see also judgments of 13 September 2023, Venezuela v Council, T‑65/18 RENV, EU:T:2023:529, paragraph 99 and the case-law cited, and of 20 December 2023, Islentyeva v Council, T‑233/22, EU:T:2023:828, paragraph 49 and the case-law cited).
91 Furthermore, with regard to judicial review of compliance with the principle of proportionality, it is clear from the case-law that the EU legislature must be allowed a broad discretion in areas which involve political, economic and social choices on its part, and in which it is called upon to undertake complex assessments. Thus, the legality of a measure adopted in those fields can be affected only if the measure is manifestly inappropriate having regard to the objective which the competent institution is seeking to pursue (see judgments of 28 November 2013, Council v Manufacturing Support & Procurement Kala Naft, C‑348/12 P, EU:C:2013:776, paragraph 120 and the case-law cited, and of 1 March 2016, National Iranian Oil Company v Council, C‑440/14 P, EU:C:2016:128, paragraph 77; see also judgment of 13 September 2023, Venezuela v Council, T‑65/18 RENV, EU:T:2023:529, paragraph 100 and the case-law cited).
92 In the first place, as regards the objectives pursued by the introduction of criterion (i), it should be observed that it is clear from recital 2 of Decision 2023/1218 that ‘the Union remains unwavering in its support for Ukraine’s sovereignty and territorial integrity’. According to recital 3 of that decision, the European Council, in its conclusions of 23 March 2023, ‘reiterated that the Union remains committed to maintaining and increasing collective pressure on [the Russian Federation], including through possible further restrictive measures’. It is also clear from recital 5 of Decision 2023/1218 that ‘the Council has … assessed that information warfare constitutes a key means by which [the Russian Federation] implements its war of aggression against Ukraine and commits gross violations of international law and the principles of the Charter of the United Nations’.
93 Furthermore, as is stated in recital 2 of Regulation 2023/1215, the Council adopted Decision 2023/1218, which introduced criterion (i), ‘in response to information warfare conducted by [the Russian Federation] in order to implement its war of aggression against Ukraine’.
94 The role played by the Russian Federation’s information manipulation in the context of its war of aggression against Ukraine is borne out by numerous documents and press articles contained in the second evidence pack. That role has also been highlighted by several reports annexed to the defence, including the 2022 report on ‘EEAS Activities to Counter FIMI [foreign information manipulation and interference]’, published on 2 February 2023; the first EEAS report, dated February 2023, on ‘Foreign Information Manipulation and Interference Threats’; and the report prepared by the EEAS and the European Union Agency for Cybersecurity (ENISA), dated December 2022, entitled ‘Foreign Information Manipulation and Interference (FIMI) and Cybersecurity – Threat landscape’.
95 Since the propaganda and disinformation campaigns are capable of undermining the foundations of democratic societies and are an integral part of the arsenal of modern warfare, the restrictive measures at issue also form part of the pursuit by the European Union of the peaceful objectives assigned to it in Article 3(1) and (5) TEU (see, to that effect, judgment of 27 July 2022, RT France v Council, T‑125/22, EU:T:2022:483, paragraph 162).
96 In the second place, it should be noted that the Russian Federation’s information warfare is orchestrated by the Russian security services in the context of disinformation campaigns conducted on the internet, in particular through social media platforms, or by means of cyber-attacks.
97 In that connection, first, it should be observed that numerous documents produced in annex to the defence and the statement in intervention submitted by the Kingdom of the Netherlands establish the involvement of Russian security services – in particular the Main Intelligence Directorate (GRU), the FSB and the Foreign Intelligence Service (SVR) – in disinformation, interference and destabilisation cyber-operations conducted outside Russia. Similarly, several documents contained in the second evidence pack describe the way in which the FSB is involved in information warfare conducted by the Russian authorities.
98 Second, in recital 5 of Decision 2023/1218, the Council stated that ‘Companies in the IT sector … provide[d] critical technology and software to the Russian intelligence community’ and that those companies held a license from the FSB or a specific ‘weapons and military equipment’ license.
99 In that connection, numerous documents produced by the Council and the Kingdom of the Netherlands establish that, in order to conduct their actions in the context of information warfare, the Russian security services are assisted by Russian private undertakings operating in the IT sector, in particular the IT and cybersecurity sector. For example, those documents reveal that undertakings in that sector engage in research and development activities for the Russian security services or furnish them with technological means and assist in recruitment.
100 It should be observed that the applicant confines itself to challenging two annexes to the defence, by claiming that these are not sufficient to establish that Russian IT companies (i) provide research and development support to the Russian security services, and (ii) organise competitions and conferences with a view to facilitating the recruitment efforts of the security services.
101 It should be stated, as the Council does, that the content of those two annexes is borne out by many other items of evidence, produced in annex to the defence and the statement in intervention submitted by the Kingdom of the Netherlands, none of which are disputed by the applicant. The latter also indicated, at the hearing, that certain Russian undertakings in the Russian IT sector did assist the Russian security services.
102 The Council was therefore able validly to rely on those items of evidence in order to establish the existence of a relationship between the Russian IT sector and the Russian security services.
103 Thus, criterion (i), in so far as it covers legal persons, entities or bodies operating in the Russian IT sector and holding a license from the FSB or a ‘weapons and military equipment’ license, is such as to limit the means available to the Government of the Russian Federation in order to conduct information warfare, since, by having ties to the Russian security services, those legal persons, entities or bodies contribute, directly or indirectly, to the capacity of that government to pursue its actions and policies undermining or threatening the territorial integrity, sovereignty and independence of Ukraine.
104 It follows that criterion (i) is consistent with the objective pursued, which seeks to increase pressure on the Russian authorities, and cannot be regarded as manifestly inappropriate having regard to that objective, within the meaning of the case-law cited in paragraph 91 above.
105 Furthermore, it is on account of the persistence, even the worsening, of the situation in Ukraine that the Council considered that it had to widen the circle of persons subject to restrictive measures by introducing criterion (i), with the aim of increasing the pressure on the Government of the Russian Federation by limiting its capacity for information warfare. It follows from that approach, which is based on the progressive impairment of rights according to the effectiveness of the measures, that the proportionality of those measures is established (see, by analogy, judgments of 28 November 2013, Council v Manufacturing Support & Procurement Kala Naft, C‑348/12 P, EU:C:2013:776, paragraph 126; of 25 January 2017, Almaz-Antey Air and Space Defence v Council, T‑255/15, not published, EU:T:2017:25, paragraph 104; and of 20 November 2024, Uss v Council, T‑571/23, not published, EU:T:2024:839, paragraph 78).
106 Criterion (i) is necessary to the aim of increasing the pressure on the Russian authorities, so that they put an end to their actions and policies destabilising Ukraine, as these are pursued in particular through information warfare, and to military aggression against that country. Accordingly, criterion (i) does not appear to be manifestly disproportionate in the light of the objectives pursued.
107 That finding is not called into question by the applicant’s arguments.
108 The applicant maintains that criterion (i) can be regarded as being in conformity with the principle of proportionality only if it is interpreted in the light of the objectives that justified its introduction, which are set out in recital 5 of Decision 2023/1218 and in recital 2 of Regulation 2023/1215. In the applicant’s submission, the existence of a sufficient link between criterion (i) and those objectives requires that it be demonstrated that, first, the entities operating in the Russian IT sector hold a license from the FSB enabling them to work with information at the security level of ‘state secret’, or a ‘weapons and military equipment’ license and, second, they develop technology and software for the ‘Russian intelligence community’ and that their activities include participation in the Russian Federation’s information warfare.
109 In the first place, the applicant claims that criterion (i) should be interpreted as referring solely to entities that actually participate in the Russian Federation’s information warfare.
110 On the one hand, it should be held that to interpret criterion (i) as applying only to entities that actually develop technology for the Russian security services or participate in information warfare would, as a consequence, be to strip that criterion of any effectiveness.
111 In that connection, it should be noted that the conflict situation involving the Russian Federation and Ukraine makes it particularly difficult in practice to access certain sources, to specify the primary source of some information and, where appropriate, to collect testimonies from persons who agree to be identified. The ensuing investigation difficulties can thus be a factor in preventing specific evidence and objective information being provided (see judgment of 15 November 2023, OT v Council, T‑193/22, EU:T:2023:716, paragraph 116 and the case-law cited; judgment of 11 September 2024, Tokareva v Council, T‑744/22, EU:T:2024:608, paragraph 60).
112 By its very essence, the cooperation between companies in the Russian IT sector and the Russian security services in conducting disinformation campaigns is secret. Thus, in practice, it would be extremely difficult, if not impossible, for the Council to adduce evidence of such collaboration.
113 In that regard, in the second evidence pack, which comprises a working paper prepared by the EEAS in order to support the introduction of criterion (i), the EEAS stated that, given the secretive nature of the activities pursued by entities holding a license from the FSB and/or a ‘weapons and military equipment license’, ‘there [was] often insufficient open source information available to link these companies directly to the Russian intelligence services, other than the one publicly available record that confirms these companies [held such a] license …’.
114 On the other hand, it should be recalled that the aim of the restrictive measures adopted on the basis of criterion (i) is to increase pressure on the Russian Federation by limiting its capacity for the information warfare that is an integral part of its war of aggression against Ukraine.
115 To that end, criterion (i) objectively covers entities operating in the Russian IT sector which, while not having any direct connection with the Russian Federation’s information warfare, are nevertheless capable of encouraging it by providing to the Russian security services with technological means enabling them to conduct their disinformation campaigns.
116 The Council, in the context of its broad discretion, could legitimately consider that the introduction of criterion (i) contributed to achieving the objective seeking to increase pressure on the Government of the Russian Federation, inasmuch as that criterion undermines the capacity of such entities to provide their support to the Russian security services and, therefore, to limit the capacity of the latter for information warfare.
117 In that regard, the Council is not required to prove that the restrictive measures at issue have such an effect, but only that they are capable of having such an effect (see, to that effect, judgments of 25 June 2020, VTB Bank v Council, C‑729/18 P, not published, EU:C:2020:499, paragraph 66, and of 20 November 2024, Uss v Council, T‑571/23, not published, EU:T:2024:839, paragraph 83).
118 It follows that criterion (i), inasmuch as it does not require that the Council establish actual participation in information warfare on the part of the entity concerned, is not manifestly inappropriate having regard to the objective pursued by Decision 2023/1218 and by Regulation 2023/1215, and therefore cannot be considered disproportionate.
119 In the second place, the applicant claims that the interpretation of criterion (i) by the Council is disproportionate in so far as it assumed the existence of ties between, on the one hand, the entities referred to and, on the other hand, the Russian security services or information warfare, on the basis of whether an entity holds a license from the FSB.
120 First, the applicant’s argument that the interpretation of criterion (i) by the Council is disproportionate in so far as holding a license from the FSB does not presuppose that the holder of that license develops technologies for the Russian security services or that it participates in information warfare, should be rejected.
121 As has been observed in paragraph 118 above, the fact that criterion (i) does not require actual participation in information warfare on the part of the entity concerned cannot be considered disproportionate in the light of the objective pursued by Decision 2023/1218 and by Regulation 2023/1215.
122 In that regard, the statement contained in the expert report produced by the applicant in Annex C.5 to the reply, according to which the holding of any types of licenses, including ‘state secret’ licenses, does not presuppose active work with the secret services or the FSB, or active involvement in information warfare, is not relevant.
123 Furthermore, it should be observed that the expert report, produced in annex to the reply, was prepared by a Russian law firm at the behest of the applicant.
124 In accordance with settled case-law, the activity of the Courts of the European Union is governed by the principle of the unfettered assessment of the evidence, and it is only the reliability of the evidence before the Court which is decisive when it comes to the assessment of its value. In order to assess the probative value of a document, regard must be had to the credibility of the information it contains, taking account in particular of the person from whom the document originates, the circumstances in which it came into being, the person to whom it was addressed and whether, on its face, the document appears to be sound and reliable (see judgments of 15 November 2023, OT v Council, T‑193/22, EU:T:2023:716, paragraph 114 and the case-law cited, and of 11 September 2024, Tokareva v Council, T‑744/22, EU:T:2024:608, paragraph 58 and the case-law cited).
125 It must therefore be held, as the Council points out, that since that expert report was prepared for the purposes of the applicant’s defence in the present proceedings, it is of limited probative value (see, by analogy, judgment 21 February 2018, Klyuyev v Council, T‑731/15, EU:T:2018:90, paragraph 124).
126 Moreover, it should be borne in mind that entities in the Russian IT sector must hold a license from the FSB in order to engage in their activities, which the applicant does not dispute.
127 The Council states that, having regard to the objective of restricting the ability of the Russian security services to engage in information warfare, criterion (i) covers entities in the Russian IT sector which hold a license from the FSB and either work with the Russian security services or are dependent on the FSB, which can mobilise those entities to support the activities of those security services, particularly in conducting disinformation campaigns.
128 It should be noted that, in the context of the Russian Federation’s information warfare, the fact that it is the FSB, an intelligence service, that administers licenses to Russian IT undertakings is a relevant factor. In that connection, several documents produced in annex to the defence, which are not disputed by the applicant, attest to the FSB’s capacity to mobilise Russian IT undertakings to come to its assistance. For example, a report titled ‘Kapersky and Beyond. Understanding Russia’s Approach to Cyber-Enabled Economic Warfare’, published in June 2018 by the Foundation for Defense of Democracies and produced in Annex B.18 to the defence, states in particular that ‘any entity in Russia that is engaged in telecommunication of any kind can be called upon by the FSB to assist in its operations’.
129 Furthermore, in a report titled ‘Don’t Underestimate Economic Side of Russia’s Cyber Warfare’, published on 25 June 20218 on the website ‘thecypherbrief.com’ and produced in Annex B.25 to the defence, ‘it’s no accident that Russian law establishes the [FSB] as the licensing authority for encryption activities. By design, the laws and regulations governing information systems, telecommunications, and encryption give the Kremlin and its security services tools to consolidate power internally and engage in aggressive activities abroad’.
130 Similarly, an article titled ‘This $500 Million Russian Cyber Mogul Planned To Take His Company Public – Then America Accused It of Hacking For Putin’s Spies’, published on 18 August 2021 on the website ‘forbes.com’, produced in Annex N.1 to the statement in intervention of the Kingdom of the Netherlands, states that ‘Russian cyber companies have no choice but to do the bidding of the government and its security apparatus’ and that ‘it is impossible to work in this space and not have a relationship with the Russian security services’.
131 Consequently, it must be held that, since Russian IT companies are dependent on the FSB in order to engage in their activities, the FSB thus has leverage to mobilise those companies to provide assistance to the Russian security services, in particular in conducting information warfare.
132 The applicant, relying on the expert report produced in Annex C.5 to the reply, maintains that the licensing requirements do not authorise the FSB to impose an obligation on IT undertakings to cooperate with or lend assistance to it.
133 However, it should be noted that the Council did not allege that there was a legal obligation permitting the FSB to require the cooperation of Russian IT undertakings applying for a license. The Council relied on the possibility, for the FSB, of putting pressure on those undertakings, having regard to the link between the IT sector and the security services in Russia and the relationship of dependence due to the obligation, for the undertakings in that sector, to hold a license from the FSB in order to engage in their activities.
134 Furthermore, the Council observes that those undertakings are made even more dependent on the Russian market and the Russian Government by the fact that they use Russian standards for their cryptographic tools, which are seen as suspicious abroad and make those undertakings untrustworthy on foreign markets. According to the Council, this isolates Russian IT companies from the global market, which makes them even more dependent on the Russian market and the Russian Government.
135 In that connection, the Council relied, in particular, on an article titled ‘Russia’s FSB Is Making Life Harder for Blockchain’, published on 14 September 2021 on the website ‘coindesk.com’ and produced in Annex B.26 to the defence. That article mentions that Russian companies using blockchain technology are required to obtain certification from the FSB for their cryptographic tools and use Russian standards applicable to cryptographic tools, which are seen as suspicious abroad.
136 The applicant simply claims that that annex concerns only a very specific sector, namely that using blockchain technology.
137 That argument is not such as to call into question the relevance of that annex inasmuch as it is an example illustrating the dependence of Russian IT companies using encryption tools vis-à-vis the Russian authorities, in particular the FSB.
138 Second, the applicant claims that, of the 28 ‘type 4’ licenses administered pursuant to Decree 313 in respect of encryption tools, only one permits the development of encryption tools. The applicant maintains that, in order to be in conformity with the objective referred to in recital 5 of Decision 2023/1218 and recital 2 of Regulation 2023/1215, criterion (i) should refer only to undertakings in the Russian IT sector that hold that license, given that they alone can supply encryption software to the Russian security services.
139 In that regard, it should be recalled that the objective to which criterion (i) refers is that of limiting the capacity of the Russian security services to engage in information warfare, by taking restrictive measures against undertakings in the IT sector capable of providing assistance to those security services. Contrary to what the applicant claims, such assistance is not confined to the supply of encryption software, but also extends to the supply of other technical or technological means.
140 The applicant has failed to explain why an undertaking in the IT sector which holds a ‘type 4’ license pursuant to Decree 313 authorising it, for example, to develop or produce information or telecommunication systems using encryption tools or to modernise, assemble, install, regulate or repair encryption tools, would not be in a position to assist the Russian security services in information warfare.
141 Contrary to what the applicant maintains, the FSB’s ability to put pressure on Russian IT companies is not contingent on the type of license that they hold.
142 The explanations given by the applicant concerning the various types of license administered by the FSB, and the difference between the ‘type 4’ licenses relating to encryption activities and ‘state secret’ licenses are therefore irrelevant. The same applies to arguments developed in the expert report annexed to the reply, according to which licenses from the FSB are not administered with the aim of cooperating with the FSB.
143 It follows that the requirement laid down by criterion (i) relating to holding a license from the FSB or a ‘weapons and military equipment’ license, in so far as it serves to cover not only entities in the Russian IT sector which actually participate in information warfare, but also those capable of being mobilised by the Russian security services to assist those services, is appropriate and necessary to achieve the objective pursued by that criterion, recalled in paragraph 114 above, which consists in limiting the capacity of the Russian Federation to engage in information warfare.
144 Accordingly, the second complaint must be rejected.
The third complaint, alleging disproportionate interference in the freedom to conduct a business
145 The applicant claims that sanctioning all Russian IT companies, on the ground that they are obliged to hold a license from the FSB in order to engage in their activities, is a disproportionate interference in the freedom to conduct a business enshrined in Article 16 of the Charter.
146 Under Article 16 of the Charter, ‘the freedom to conduct a business in accordance with Union law and national laws and practices is recognised’.
147 According to the case-law, freedom to conduct a business, like other fundamental rights, is not absolute and its exercise may be subject to restrictions justified by objectives of general interest pursued by the European Union, provided that such restrictions in fact correspond to objectives of general interest and do not constitute, in relation to the aim pursued, a disproportionate and intolerable interference, impairing the very essence of the rights thus guaranteed (see judgment of 28 March 2017, Rosneft, C‑72/15, EU:C:2017:236, paragraph 148 and the case-law cited; judgment of 27 July 2022, RT France v Council, T‑125/22, EU:T:2022:483, paragraph 220).
148 The Court of Justice has ruled in particular that, in the light of the wording of Article 16 of the Charter, which differs from the wording of the other fundamental freedoms laid down in Title II thereof, yet is similar to that of certain provisions of Title IV of the Charter, the freedom to conduct a business may be subject to a broad range of interventions on the part of public authorities which may limit the exercise of economic activity in the public interest (see judgment of 28 November 2013, Council v Manufacturing Support & Procurement Kala Naft, C‑348/12 P, EU:C:2013:776, paragraph 123 and the case-law cited).
149 Restrictive measures, by definition, have consequences which affect, in particular, the freedom to pursue a trade or business, thereby causing harm to persons who are in no way responsible for the situation which led to the adoption of the sanctions. That is a fortiori the case with respect to the consequences of targeted restrictive measures on the entities subject to those measures (see judgment of 28 March 2017, Rosneft, C‑72/15, EU:C:2017:236, paragraph 149 and the case-law cited; judgment of 27 July 2022, RT France v Council, T‑125/22, EU:T:2022:483, paragraph 221).
150 While it is, admittedly, true that restrictive measures based on a criterion such as that at issue in the present case undeniably limit the rights which the applicant enjoys under Article 16 of the Charter, the freedom to conduct a business on which the applicant relies may nevertheless be subject to limitations, under the conditions laid down in Article 52(1) of the Charter. In that regard, it should be recalled that, under Article 52(1) of the Charter, first, ‘any limitation on the exercise of the rights and freedoms recognised by [the] Charter must be provided for by law and respect the essence of those rights and freedoms’ and, second, ‘subject to the principle of proportionality, limitations may be made only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others’. Consequently, in order to comply with EU law, a limitation on the exercise of the fundamental rights at issue must satisfy three conditions. First, the limitation must be provided for by law. In other words, the measure in question must have a legal basis. Second, the limitation must refer to an objective of general interest, recognised as such by the European Union. Third, the limitation may not be excessive. On the one hand, it must be necessary and proportional to the aim sought. On the other hand, the ‘essence’, that is to say the substance, of the right or freedom in question, must not be impaired (see, to that effect and by analogy, judgment of 13 September 2018, Gazprom Neft v Council, T‑735/14 and T‑799/14, EU:T:2018:548, paragraphs 160 to 163 and the case-law cited).
151 It is clear that those three conditions are met in the present case.
152 First, given that the adoption of restrictive measures pursuant to criterion (i) is provided for by the relevant provisions of Decision 2014/145 and Regulation No 269/2014, the limitation of the freedom to conduct a business resulting from the application of that criterion is provided for by law.
153 Second, it should be borne in mind that criterion (i) meets an objective of general interest, recognised as such by the European Union, of such a nature as to justify those limitations. That criterion in fact seeks, first, to increase pressure on the Russian Federation by combatting the information warfare conducted by the latter in order to implement its war of aggression against Ukraine and, second, to limit the capacity of the Russian security services to conduct disinformation campaigns by targeting those entities capable of cooperating with those services. From that perspective, criterion (i) is consistent with the objectives of protecting the territorial integrity, sovereignty and independence of Ukraine and promoting a peaceful settlement of the crisis in that country, which are part of the wider objective of maintaining peace and international security, in accordance with the objectives of the Union’s external action stated in Article 21 TEU, and the purposes and principles of the Charter of the United Nations, such as to justify the possibility that, for certain operators, the consequences may be negative, even significantly so (see, to that effect, judgments of 28 March 2017, Rosneft, C‑72/15, EU:C:2017:236, paragraph 150; of 25 June 2020, Vnesheconombank v Council, C‑731/18 P, not published, EU:C:2020:500, paragraph 87; and of 29 May 2024, Vinokurov v Council, T‑302/22, not published, EU:T:2024:325, paragraph 197). Thus criterion (i) is part of the European Union’s response, with the peaceful means at its disposal and with a view to achieving the objectives laid down in Article 3(5) TEU, of an aggression committed in breach of Article 2(4) of the Charter of the United Nations and, consequently, a violation of the erga omnes obligations imposed by international law (see, to that effect and by analogy, judgment of 27 July 2022, RT France v Council, T‑125/22, EU:T:2022:483, paragraph 164).
154 Third, having regard to the overriding importance of those objectives, the Council was able to find, without overstepping the bounds of its discretion, that the interference in the freedom to conduct a business that would result from the application of criterion (i) was appropriate and necessary for the purposes of increasing pressure on the Russian Federation. Accordingly, such interference cannot be considered, in relation to the objectives pursued, to be a disproportionate and intolerable interference that would impair the very substance of the freedom to conduct a business of the entities falling within the scope of that criterion. Those measures do not in fact prevent Russian IT undertakings from conducting their business activities.
155 Accordingly, criterion (i) cannot be regarded as a disproportionate interference in the freedom to conduct a business.
156 Consequently, the third complaint must be rejected as, accordingly, must the first plea in its entirety.
Second plea in law, alleging infringement of the right to effective judicial protection and the obligation to state reasons
157 In the application and the first statement of modification, the applicant claims that the ground justifying the inclusion of its name on the lists at issue, set out in the initial acts and the first and second sets of maintaining acts, is not sufficiently precise and specific, inasmuch as that ground is confined to reproducing the listing criterion and contains no information specific to the applicant’s individual situation. According to the applicant, the Council simply provided a general and stereotypical statement of reasons, common to all except for one of the companies, the names of which were included on the lists at issue pursuant to criterion (i).
158 First, according to settled case-law, the right to effective judicial protection affirmed in Article 47 of the Charter requires that the person concerned must be able to ascertain the reasons upon which the decision taken in relation to him or her is based, either by reading the decision itself or by requesting and obtaining disclosure of those reasons (see judgments of 18 July 2013, Commission and Others v Kadi, C‑584/10 P, C‑593/10 P and C‑595/10 P, EU:C:2013:518, paragraph 100 and the case-law cited, and of 13 September 2018, Sberbank of Russia v Council, T‑732/14, EU:T:2018:541, paragraph 112 and the case-law cited).
159 Second, according to similarly settled case-law, the statement of reasons required by Article 296 TFEU must disclose in a clear and unequivocal fashion the reasoning followed by the institution which adopted the measures in such a way as to enable the persons concerned to ascertain the reasons for the measures for the purposes of assessing whether they are well founded and to enable the court having jurisdiction to exercise its power of review (see judgments of 15 November 2012, Council v Bamba, C‑417/11 P, EU:C:2012:718, paragraph 50 and the case-law cited, and of 22 April 2021, Council v PKK, C‑46/19 P, EU:C:2021:316, paragraph 47 and the case-law cited; judgment of 4 September 2024, Shamalov v Council, T‑651/22, not published, EU:T:2024:576, paragraph 37).
160 The statement of reasons required by Article 296 TFEU must be appropriate to the act at issue and the context in which it was adopted. The requirements to be satisfied by the statement of reasons depend on the circumstances of each case, in particular the content of the measure in question, the nature of the reasons given and the interest which the addressees of the measure, or other parties to whom it is of direct and individual concern, may have in obtaining explanations. It is not necessary for the reasoning to go into all the relevant facts and points of law, since the question whether the statement of reasons is sufficient must be assessed with regard not only to its wording but also to its context and to all the legal rules governing the matter in question. Consequently, the reasons given for a act adversely affecting a person are sufficient if that measure was adopted in a context which was known to that person and which enables him or her to understand the scope of the measure concerning him or her (see judgment of 15 November 2012, Council v Bamba, C‑417/11 P, EU:C:2012:718, paragraphs 53 and 54 and the case-law cited; judgments of 28 March 2017, Rosneft, C‑72/15, EU:C:2017:236, paragraph 122, and of 15 November 2023, OT v Council, T‑193/22, EU:T:2023:716, paragraph 64).
161 In addition, it has been made clear in the case-law that the statement of reasons for an act of the Council which imposed a restrictive measure had not only to identify the legal basis for that measure but also the actual and specific reasons why the Council considered, in the exercise of its discretion, that such a measure had to be adopted in respect of the person concerned (see judgment of 27 July 2022, RT France v Council, T‑125/22, EU:T:2022:483, paragraph 105 and the case-law cited; judgment of 15 November 2023, OT v Council, T‑193/22, EU:T:2023:716, paragraph 66).
162 The statement of reasons for an asset-freezing measure cannot, as a rule, consist merely of a general, stereotypical formulation, but must, on the contrary, indicate the actual and specific reasons why the Council considers that the relevant legislation is applicable to the person concerned (see judgment of 15 September 2016, Yanukovych v Council, T‑346/14, EU:T:2016:497, paragraph 79 and the case-law cited; judgment of 30 January 2019, Stavytskyi v Council, T‑290/17, EU:T:2019:37, paragraph 47).
163 Furthermore, it must be recalled that the obligation to state reasons laid down in Article 296 TFEU is an essential procedural requirement, as distinct from the question of the merits of the grounds relied on, the merits relating to the substantive legality of the contested act. The reasoning of a decision consists in a formal statement of the grounds on which that decision is based. If those grounds are vitiated by errors, the latter will vitiate the substantive legality of the decision, but not the statement of reasons in it, which may be adequate even though it sets out reasons which are incorrect. It follows that objections and arguments intended to establish that a measure is not well founded are irrelevant in the context of a ground of appeal alleging an inadequate statement of reasons or a lack of such a statement (see judgments of 18 June 2015, Ipatau v Council, C‑535/14 P, EU:C:2015:407, paragraph 37 and the case-law cited, and of 30 November 2022, PKK v Council, T‑316/14 RENV and T‑148/19, EU:T:2022:727, paragraph 234 and the case-law cited).
164 As a preliminary point, it should be observed that the arguments raised by the applicant in the reply seeking to challenge the factual accuracy of the statement of reasons relate, in fact, to the question whether the ground for listing is well founded. Accordingly, those arguments must be rejected as irrelevant in the context of the present plea, and will be examined as part of the third plea.
165 In the first place, it should be noted, as the Council does, that the applicant does not claim that it was unable to understand the ground for the inclusion of its name in the initial acts and in the first and second sets of maintaining acts.
166 In the second place, the applicant does not argue that it was unaware of the context in which those acts were adopted or of the objectives that they were intended to attain, namely, as is clear from the recitals of Decision 2023/1218 and of Regulation 2023/1215, to increase pressure on the Russian Federation by adopting restrictive measures in response to the information warfare conducted by the latter in order to implement its war of aggression against Ukraine.
167 In the third place, it is sufficiently clear from a reading of the ground contained in the initial acts, as well as in the first and second sets of maintaining acts, referred to in paragraph 8 above, that the Council included and maintained the applicant’s name on the lists at issue on the basis of criterion (i), which the applicant does not dispute.
168 In that connection, contrary to what the applicant maintains, it should be observed that the Council did not confine itself, in that ground, to reproducing the wording of criterion (i). The statements that the applicant constitutes an entity operating in the Russian IT sector with a license from the FSB are in fact information specific to the individual situation of the applicant.
169 In the fourth place, as regards the allegedly stereotypical nature of the statement of reasons, it should be noted that, while the findings contained in the ground set out in the initial acts and in the first and second sets of maintaining acts are the same as those on the basis of which other persons referred to in the lists at issue were made subject to restrictive measures, these are designed nonetheless to describe the specific situation of the applicant, which, like other Russian IT entities, holds a license from the FSB (see, to that effect and by analogy, judgments of 27 February 2014, Ezz and Others v Council, T‑256/11, EU:T:2014:93, paragraph 115; of 15 September 2016, Yanukovych v Council, T‑346/14, EU:T:2016:497, paragraph 82; and of 30 January 2019, Stavytskyi v Council, T‑290/17, EU:T:2019:37, paragraph 56).
170 Consequently, contrary to what the applicant claims, the fact that the names of other entities that satisfy the conditions under criterion (i) were included on the lists at issue on grounds similar to that relied upon to list the applicant’s name does not mean that the statement of reasons for the initial acts and the first and second sets of maintaining acts did not also relate to its specific situation.
171 Accordingly, it follows from the statement of reasons for the initial acts and the first and second sets of maintaining acts that the specific and precise reasons that led the Council to include and maintain the applicant’s name on the lists at issue are stated sufficiently clearly and precisely as to enable the applicant to understand those reasons and the Court to exercise its power of review in that regard.
172 It follows that the second plea must be rejected.
The third plea, alleging manifest errors of assessment
173 As a preliminary point, it must be noted that the third plea in law must be regarded as alleging errors of assessment, and not manifest errors of assessment. While it is admittedly true that the Council has a degree of discretion to determine, on a case-by-case basis, whether the legal criteria on which the restrictive measures at issue are based are met, the fact remains that the Courts of the European Union must ensure the review, in principle the full review, of the lawfulness of all EU acts (see judgment of 11 September 2024, Tokareva v Council, T‑744/22, EU:T:2024:608, paragraph 31 and the case-law cited).
174 The effectiveness of the judicial review guaranteed by Article 47 of the Charter requires, inter alia, that the Courts of the European Union ensure that the decision by way of which restrictive measures were adopted or maintained, which affects the person or entity concerned individually, is taken on a sufficiently solid factual basis. That entails a verification of the factual allegations in the summary of reasons underpinning that decision, with the consequence that the judicial review cannot be restricted to an assessment of the cogency in the abstract of the reasons relied on, but must concern whether those reasons or, at the very least, one of those reasons, deemed sufficient in itself to support that decision, is or are substantiated (see judgments of 19 December 2018, Azarov v Council, C‑530/17 P, EU:C:2018:1031, paragraph 22 and the case-law cited; of 15 November 2023, OT v Council, T‑193/22, EU:T:2023:716, paragraph 122 and the case-law cited; and of 11 September 2024, Tokareva v Council, T‑744/22, EU:T:2024:608, paragraph 32 and the case-law cited).
175 Such an assessment must be carried out by examining the evidence and information not in isolation but in their context. The Council discharges the burden of proof borne by it if it presents to the Courts of the European Union a body of sufficiently specific, precise and consistent evidence to establish that, at the time when the acts in question were adopted, the person subject to a restrictive measure met the conditions laid down by the criterion applied (see, to that effect, judgments of 15 November 2023, OT v Council, T‑193/22, EU:T:2023:716, paragraph 124 and the case-law cited, and of 11 September 2024, Tokareva v Council, T‑744/22, EU:T:2024:608, paragraph 33 and the case-law cited).
176 It is the task of the competent EU authority to establish, in the event of challenge, that the reasons relied on against the person or entity concerned are well founded, and not the task of that person or entity to adduce evidence of the negative, namely that those reasons are not well founded (see judgments of 15 November 2023, OT v Council, T‑193/22, EU:T:2023:716, paragraph 123 and the case-law cited, and of 11 September 2024, Tokareva v Council, T‑744/22, EU:T:2024:608, paragraph 34 and the case-law cited).
177 In order to justify maintaining a person’s name on the list in question, the Council is not prohibited from basing its decision on the same evidence justifying the initial inclusion, re-inclusion or previous retention of the name of the person concerned on the list, provided that (i) the grounds for listing remain unchanged and (ii) the context has not changed in such a way that that evidence is now out of date (see judgments of 15 November 2023, OT v Council, T‑193/22, EU:T:2023:716, paragraph 169 and the case-law cited, and of 29 May 2024, Belavia v Council, T‑116/22, EU:T:2024:334, paragraph 77 and the case-law cited). On that basis, changes in the context includes the taking into consideration of, first, the situation in the country in respect of which the system of restrictive measures has been established as well as the specific situation of the person concerned and, second, all of the relevant circumstances and, in particular, the fact that the objectives pursued by the restrictive measures have not been achieved (see judgment of 11 September 2024, Tokareva v Council, T‑744/22, EU:T:2024:608, paragraph 37 and the case-law cited).
178 Furthermore, it should be emphasised that the context of the measures at issue must be taken into account and the standard of proof which may be required of the Council must be adapted in the light of the difficulty of obtaining evidence and objective information (see judgments of 1 June 2022, Prigozhin v Council, T‑723/20, not published, EU:T:2022:317, paragraph 102 and the case-law cited, and of 20 November 2024, Zubitskiy v Council, T‑1074/23, not published, EU:T:2024:840, paragraph 78 and the case-law cited).
179 In the absence of investigative powers in third countries, the assessment of the EU authorities must, in fact, rely on publicly available sources of information, reports, articles in the press, intelligence reports or other similar sources of information (see judgments of 15 November 2023, OT v Council, T‑193/22, EU:T:2023:716, paragraph 115 and the case-law cited, and of 11 September 2024, Tokareva v Council, T‑744/22, EU:T:2024:608, paragraph 59 and the case-law cited).
180 As regards the general context linked to the situation in Ukraine, it must be stated that, at the date of the contested acts, the gravity of the situation in Ukraine persisted. Similarly, the restrictive measures were still justified having regard to the objective pursued by criterion (i), namely to increase pressure on the Russian Federation by combatting the information warfare conducted by the latter in order to implement its war of aggression against Ukraine (see, to that effect and by analogy, judgments of 20 November 2014, Uss v Council, T‑571/23, not published, EU:T:2024:839, paragraphs 134 and 135, and of 20 November 2024, Zubitskiy v Council, T‑577/23, not published, EU:T:2024:840, paragraphs 110 and 111).
181 As regards the applicant’s specific situation, it should be recalled that the inclusion of its name on the lists at issue pursuant to criterion (i) presupposes that two conditions are satisfied, namely that, first, it is an entity operating in the Russian IT sector and, second, it holds a license from the FSB.
The initial acts and the first set of maintaining acts
182 The applicant claims that the inclusion and maintenance of its name on the lists at issue are based on unsubstantiated and incorrect allegations, and that the Council has failed to demonstrate that the applicant comes under criterion (i).
183 The applicant argues that it was designated in the initial acts and in the first set of maintaining acts as a legal person or ‘legal entity’ and that, as a holding company, it does not satisfy the conditions laid down by criterion (i).
184 As a preliminary point, it should be borne in mind that, in the initial acts and the first set of maintaining acts, the applicant is listed under the name ‘Positive Group PJSC, a.k.a. Positive technologies, a.k.a. Gruppa Pozitiva’. The grounds for listing the applicant’s name, set out in paragraph 8 above, state that it ‘constitutes an entity operating in the Russian IT sector with a license [from the FSB]’.
185 It follows that the applicant is referred to in the initial acts and the first set of maintaining acts as an entity, designated either by its name or by the name Positive Technologies.
186 In that connection, it should be observed that, in order to present its activities, the applicant itself provides, in Annexes A.13 to A.22 to the application, excerpts from the website of Positive Technologies, ‘ptsecurity.com’, which it presents as ‘its’ website.
187 By way of example, in Annexes A.13 and A.14 to the application, it is stated that ‘Positive Technologies is the first and only cybersecurity company in Russia to have gone public on the Moscow Exchange’.
188 Furthermore, as the Council observes, the statement published in the press on 23 June 2023, following the adoption of the initial acts, which is contained in Annex B.29 to the defence, was made by the representatives of Positive Technologies and refers to ‘the EU’s decision to impose sanctions against Positive Technologies’. The applicant claims to be the author of that statement.
189 In that regard, it should be noted that Annex B.29 comprises four press articles taken from different websites and published on 23 and 24 June 2023, which concern the sanctions imposed on Positive Technologies and refer to that statement. According to the articles published on the websites ‘rg.ru’, ‘xakep.ru’ and the website of MNIAP, the statement is attributed to Positive Technologies. On the website ‘cnews.ru’, the statement is attributed to representatives of the applicant.
190 At the hearing, the applicant explained that Positive Technologies was a business name designating the entirety of the group composed of itself as the holding company and all of its subsidiaries, and that the website ‘ptsecurity.com’ was designed to present all of the activities of the Positive Technologies Group.
191 It should be held that, by presenting the website ‘ptsecurity.com’ as ‘its’ website and making statements on behalf of Positive Technologies, the applicant acknowledges, implicitly but necessarily, that there is no distinction between the entity Positive Technologies and the applicant.
192 It follows that the person designated in the initial acts and the first set of maintaining acts – from which it must be established that that person satisfies the conditions laid down by criterion (i) – is the applicant as an entity, also known as Positive Technologies or Gruppa Pozitiva, and not the applicant as a company or a legal person.
193 In the first place, as regards the first condition laid down by criterion (i), it should be observed that the applicant does not dispute the claim that it operates in the Russian IT sector.
194 In that connection, it should be noted that, in the application, the applicant portrays itself as engaging in activities in the provision of cybersecurity and information security solutions and as providing, inter alia, solutions and software systems allowing undertakings to protect themselves against malicious attacks. In order to explain its activities, it has also produced, in Annexes A.13 to A.22 to the application, excerpts from the website of Positive Technologies, ‘ptsecurity.com’.
195 In the application, the applicant states that it does not dispute the accuracy of Exhibits Nos 1 and 6 contained in the first evidence pack, which are excerpts from public databases on undertakings, but it observes that those documents are not relevant as regards the inclusion of its name on the lists at issue.
196 However, it is apparent from Exhibit No 1 in the first evidence pack, containing the entry for the applicant taken from the Ready Ratios corporate registry, that the applicant is primarily a holding company. That document states that the applicant also engages in computer programming activities, computer consultancy activities, other information technology and computer service activities, and activities for the creation and use of databases and information resources.
197 Moreover, Exhibit No 6 in the first evidence pack, containing an entry for the applicant in the Russian ‘Spark-Interfax’ corporate registry, shows in particular that the applicant operates in the Russian IT sector.
198 Accordingly, those exhibits, inasmuch as they describe the applicant’s activities, are relevant in so far as they enabled the Council to establish that the applicant was ‘an entity operating in the Russian IT sector’ and that it met the first condition under criterion (i).
199 Consequently, it must be held that the Council has established to a sufficient degree, on the basis of the first evidence pack, that, when the initial acts and the first set of maintaining acts were adopted, the applicant was ‘an entity operating in the Russian IT sector’ and that, accordingly, it satisfied the first condition laid down by criterion (i).
200 In the second place, as regards the second condition laid down by criterion (i), the applicant claims that none of the exhibits contained in the first evidence pack is sufficient to demonstrate that it holds a license from the FSB and develops technologies and software facilitating information warfare for the Russian security services.
201 It should be noted that, in order to establish that the applicant satisfied the second condition under criterion (i), which relates to holding a license from the FSB, the Council relied on Exhibit No 2, contained in the first evidence pack. That exhibit is an excerpt from a PowerPoint presentation published on the website ‘ptsecurity.com’, regarded as the applicant’s official website, showing various licenses held by Positive Technologies, including a license from the FSB.
202 The applicant disputes, in essence, the probative value of Exhibit No 2 in the first evidence pack. It claims that that document, which is barely legible and dates back to 2019, provides no information on the type of license that, according to the Council, the applicant holds. The applicant argues that, in any event, it does not hold any license from the FSB.
203 First of all, it should be observed that it is apparent from the first evidence pack that, while Exhibit No 2 is dated 2019, the Council accessed it on 13 February 2023. The applicant has failed to raise any argument intended to maintain that the information available on the website ‘ptsecurity.com’ was out of date at the time when the Council accessed it, namely before the adoption of the initial acts and of the first set of maintaining acts.
204 Next, it should be noted that, while the reproduction of the licenses in Exhibit No 2 is indeed of poor quality, it is however clearly stated on the page from the website ‘ptsecurity.com’ that Positive Technologies does hold a license from the FSB.
205 In that connection, in so far as criterion (i) covers any type of license administered by the FSB, the fact that the type of FSB license is not clearly legible in Exhibit No 2 is irrelevant.
206 Lastly, it should be observed that the content of Exhibit No 2 is supported by the excerpts from the website ‘ptsecurity.com’, produced in Annexes B.27 and B.28 to the defence.
207 In that regard, it should be recalled that, according to settled case-law, the legality of an EU measure must be assessed on the basis of the facts and the law as they stood at the time when the act was adopted (see judgment of 11 September 2024, Tokareva v Council, T‑744/22, EU:T:2024:608, paragraph 68 and the case-law cited).
208 Furthermore, the review of the substantive legality which is incumbent on the General Court must be carried out, in particular as regards disputes concerning restrictive measures, in the light not only of the material set out in the statements of reasons of the acts at issue, but also in the light of the material provided by the Council, in the event of challenge, to the General Court in order to establish that the facts alleged in those statements are made out (see judgment of 11 September 2024, Tokareva v Council, T‑744/22, EU:T:2024:608, paragraph 69 and the case-law cited).
209 The fact that a piece of evidence that has been submitted as exculpatory evidence by the person subject to the restrictive measures does not prevent that evidence from possibly being used against him or her to support the merits of the reasons underpinning the restrictive measures taken against him or her (see judgments of 14 March 2018, Kim and Others v Council and Commission, T‑533/15 and T‑264/16, EU:T:2018:138, paragraph 115 and the case-law cited, and of 11 September 2024, Mordashova v Council, T‑497/22, not published, EU:T:2024:604, paragraph 80 and the case-law cited).
210 Annex B.27 to the defence contains an excerpt from the website ‘ptsecurity.com’, dated 20 November 2014 and headed ‘Positive Technologies received a license from the FSB, allowing work with cryptographic protection tools’. In the same excerpt, Positive Technologies announces the renewal of a license from the FSB to carry out work related to the use of information constituting state secrets.
211 Annex B.28 to the defence also contains an excerpt from the website ‘ptsecurity.com’, dated 2018, which contains a list of the licenses and certificates that Positive Technologies holds, including a ‘license of the FSB of Russia to work with cryptographic protection tools’ and a ‘license of the FSB of Russia to carry out work using information constituting a state secret’, together with copies of those two licenses.
212 In its reply, the applicant claims that the excerpts from the website ‘ptsecurity.com’, produced by the Council in Annexes B.27 and B.28 to the defence, do not concern it. First, the applicant maintains that the statement published on 20 November 2014, contained in Annex B.27 to the defence, cannot concern it, in so far as it was registered as an undertaking on 27 September 2017. Second, the registration number and the tax identification number on the licenses, produced in Annex B.28 to the defence, do not belong to the applicant, and those licenses date back to 28 April 2015 and 10 November 2014, before the applicant’s date of registration.
213 It should be observed that these arguments put forward by the applicant start from the mistaken premiss that it has been included on the lists at issue as a legal person.
214 It should be recalled that the grounds for listing concern the applicant, a.k.a. Positive Technologies, as an entity and not as a legal person.
215 It follows that the applicant’s date of registration as a legal person is irrelevant as regards the question whether the entity concerned holds a license.
216 Furthermore it should be noted that the applicant, in order to describe its activities, relies on an excerpt from the website ‘ptsecurity.com’, produced in Annex A.14 to the application and dated 2023, and observes that: ‘as stated on the website: “For 21 years now, [its] primary objective has been to prevent hacker attacks”’. In addition, it is apparent from an excerpt from the same website, produced by the Kingdom of the Netherlands in Annex N.7 to its statement in intervention, and headed ‘About Company’, that Positive Technologies was created in 2002.
217 Thus it is apparent from the excerpts from the website ‘ptsecurity.com’, produced in Annexes B.27 and B.28 to the defence, that the entity concerned – namely, the applicant, a.k.a. Positive Technologies – holds a license from the FSB.
218 Furthermore, in order to establish that the tax identification number that appears on the licenses produced in Annex B.28 to the defence does not belong to it, the applicant has produced, in Annex C.15 to the reply, a translation of the copies of those licenses.
219 It is apparent from that translation that the tax identification number on those licenses matches that of Pozitiv Teknolodzhiz, as this also appears in the latter’s entry on the Ready Ratios corporate registry, produced in Annex D.2 to the rejoinder. Annex B.28 to the defence establishes that Pozitiv Teknolodzhiz has, since 10 November 2014, held a license administered by the FSB to work with cryptographic protection tools and, since 28 April 2015, a license administered by the FSB for the city and region of Moscow (Russia) to carry out work using information constituting a state secret.
220 First, Exhibit No 1 in the first evidence pack comprises the entry for the applicant taken from the Ready Ratios corporate registry, dated 13 February 2023. That document shows that Pozitiv Teknolodzhiz is a subsidiary of the applicant and that they have shared the same chairman since 6 August 2021.
221 Second, in annex to the rejoinder, the Council has produced the entries for the applicant and Pozitiv Teknolodzhiz taken from the Ready Ratios corporate registry, dated 15 March 2024, from which it is apparent that they share the same chairman, as well as the same address and the same founder, and that the latter company was registered on 9 October 2007.
222 Third, it is apparent from the applicant’s consolidated financial statements for the financial year 2021, and the applicant’s interim consolidated financial statements for the first quarter of 2023, produced in annex to the rejoinder, that Pozitiv Teknolodzhiz is one of the subsidiaries of the applicant, which holds 100% of the share capital therein.
223 Accordingly, as stated in paragraphs 83 to 85 above, having regard to the degree of that holding, even though Pozitiv Teknolodzhiz is a legal person that is legally separate from the applicant, the Council could validly take the view that the applicant exercised decisive influence over that subsidiary, and that the latter was not an entity independent from the applicant.
224 It must therefore be held, as is clear from paragraph 86 above, that the conditions for listing the applicant as an entity on the basis of criterion (i) have been met, in so far as it is established that the applicant’s subsidiary, Pozitiv Teknolodzhiz, holds a license from the FSB.
225 It follows that the fact that the tax identification number on the licenses from the FSB produced in Annexes B.27 and B.28 to the defence does not match that of the applicant as a legal person is irrelevant for the purposes of establishing that the applicant as an entity satisfies the conditions for inclusion under criterion (i).
226 It follows from the foregoing that the Council did not make an error of assessment in finding that the applicant, a.k.a Positive Technologies, was an entity that held a license from the FSB.
227 That finding is not called into question by the applicant’s other arguments.
228 First, the applicant relies on a statement made by its chief operating officer in order to claim that it does not hold any license from the FSB. In that statement dated 12 September 2023, the applicant’s chief operating officer certifies that Positive Group PAO, the tax identification number of which is 9718077239, is not and has never been a holder of any licenses administered by the FSB or by any other governmental authority whatsoever.
229 It must be held that that statement is irrelevant in the present case, in so far as it concerns the applicant as a legal person and not as the entity referred to in the initial acts and in the first set of maintaining acts.
230 Second, the applicant maintains that it is apparent from Exhibit No 1 in the first evidence pack, which contains the entry for the applicant taken from the Ready Ratios corporate registry, dated 13 February 2023, that the applicant does not hold any license. It observes that that entry always refers to the licenses held by the undertakings concerned and the activities in respect of which those licenses have been administered.
231 In that connection, it should be recalled that the FSB license in Exhibit No 2 is held by Pozitiv Teknolodzhiz, the applicant’s subsidiary. Thus, the fact that that license does not appear in the excerpt taken from the Ready Ratios corporate database concerning the applicant as a legal person is not capable of establishing that the entity referred to in the grounds for listing did not hold a license from the FSB.
232 Third, the applicant claims that Exhibit No 1, which contains its entry taken from the Ready Ratios corporate registry is more recent and, therefore, more relevant than Exhibit No 2, which has not been available since September 2023. In order to establish that Exhibit No 2 is out of date and has not been accessible since September 2023, the applicant has produced, in Annex C.14 to the reply, a page from the website ‘pt.security.com’ dated 8 February 2024 displaying ‘not found’.
233 However, it must be held that that annex is of no probative value. On the one hand, there is nothing to suggest that the webpage in Annex C.14 to the reply corresponds to the page from the website ‘pt.security.com’ reproduced in Exhibit No 2. On the other hand, in the light of the date of that annex, it cannot be excluded that the possible removal of the page from the website ‘pt.security.com’ on which the licenses held by Positive Technologies appeared occurred after the present action was brought.
234 Fourth, the applicant claims that the statement that it published in the press, produced in Annex B.29 to the defence, cannot be interpreted as an acknowledgement of the fact that it holds a license from the FSB.
235 Annex B.29 to the defence comprises four press articles published on various websites, referred to in paragraph 189 above, concerning the Council’s decision to impose sanctions on Positive Technologies. The websites ‘rg.ru’ and ‘xakep.ru’ and the website of MNIAP all refer to a statement, attributed to Positive Technologies, that ‘the EU’s decision to impose sanctions against Positive Technologies is based on the fact that the company has a license from the FSB of the Russian Federation’ and that ‘obtaining a license from the FSB is a prerequisite for the work of all leading players in the cybersecurity market’. It should be recalled, as has been observed in paragraph 188 above, that the applicant has indicated that it is the author of that statement. The quote is slightly different in the article published on the website ‘cnews.ru’ according to which ‘representatives of [the applicant] said that the EU’s decision against the company is based on the fact that it has a license from the FSB’.
236 However, on the one hand, the applicant presents itself, under the name of Positive Technologies, as one of the leaders of the cybersecurity market, which means, according to that statement, that it holds a license from the FSB. On the other hand, nowhere in that statement does the applicant dispute the fact that it holds a license from the FSB, which it acknowledges as being the reason for the inclusion of its name or that of Positive Technologies on the lists at issue.
237 Moreover, as regards the applicant’s argument that the Council has failed to establish that it effectively participated in the Russian Federation’s information warfare or that the applicant developed technology for the Russian security services, it is sufficient to recall that this is not a condition for the application of criterion (i).
238 The Council was not, in fact, required to adduce evidence that the applicant actually cooperated with the Russian security services, and that argument must therefore be rejected as ineffective.
239 In that connection, the applicant’s arguments seeking to challenge Exhibits Nos 3 to 5 in the first evidence pack are also ineffective. Those exhibits refer to the sanctions adopted by the United States of America against the applicant in 2021, on account of the fact that it hosted annual conferences that were, it is claimed, used as recruiting events for the FSB and the GRU. However, those documents are not relevant to establishing that the applicant satisfied the conditions laid down by criterion (i).
240 It follows from all of the foregoing that the Council did not make an error of assessment in the initial acts or in the first set of maintaining acts by finding that the applicant satisfied the conditions for the application of criterion (i) and, accordingly, by including and maintaining the applicant’s name on the lists at issue.
The second set of maintaining acts
241 It should be recalled that, in the second set of maintaining acts, the applicant’s name was maintained on the lists at issue for the same reason as that set out in the initial acts and the first set of maintaining acts.
242 In the statement of modification concerning the second set of maintaining acts, lodged at the Registry of the General Court on 22 May 2024, the applicant merely refers to the arguments on which it had relied against the initial acts and the first set of maintaining acts.
243 Accordingly, on the same grounds as those set out in paragraphs 184 to 240 above, it must be found that the Council did not make an error of assessment by maintaining the applicant’s name on the lists at issue in the second set of maintaining acts.
The third set of maintaining acts
244 By adopting the third set of maintaining acts, the Council maintained the inclusion of the applicant on the lists at issue under the name ‘Positive Group PJSC, a.k.a. Positive technologies, a.k.a. Gruppa Pozitiva’ and amended the grounds for listing under criterion (i). Those grounds, cited in paragraph 24 above, state that the applicant is the holding company of a conglomerate that includes Pozitiv Teknolodzhiz, which operates in the Russian IT sector and holds a license administered by the FSB, and that, therefore, the applicant constitutes an entity operating in the Russian IT sector with a license administered by the FSB.
245 Furthermore, in order to justify the adoption of the third set of maintaining acts against the applicant, the Council relied on the third evidence pack.
246 In the first place, as regards the first condition laid down by criterion (i), it should be observed that Exhibit No 3 in the third evidence pack contains an excerpt from the entry for Pozitiv Teknolodzhiz taken from the Ready Ratios corporate registry, which shows that it is active in the field of computer programming.
247 Furthermore, Exhibits Nos 6 and 7 in the third evidence pack are pages from the website ‘pt.security.com’, dated 3 July 2024, which establish that Pozitiv Teknolodzhiz is a subsidiary in which the applicant owns 100% of the shares, and that it operates in the Russian IT sector.
248 It follows that Pozitiv Teknolodzhiz is a subsidiary which is wholly owned by the applicant and operates in the Russian IT sector.
249 In that connection, it should be recalled that it is clear from paragraphs 220 to 223 above that the applicant owns 100% of its subsidiary Pozitiv Teknolodzhiz, that they share the same chairman and have the same address, which the applicant does not dispute, and that the Council was able validly to find that they form a single entity.
250 Accordingly, it must be held that the Council has sufficiently established, on the basis of the third evidence pack, that, when the third set of maintaining acts were adopted, the applicant was ‘an entity operating in the Russian IT sector’ and that, accordingly, it satisfied the first condition laid down by criterion (i), which the applicant does not dispute.
251 In the second place, in the statement of modification relating to the third set of maintaining acts, the applicant claims, in essence, that the Council made an error of assessment in finding that the applicant satisfied the second condition under criterion (i), as regards holding a license administered by the FSB.
252 First, the applicant claims that its name cannot be included on the lists at issue on the basis that one of its subsidiaries allegedly holds a license from the FSB. A literal interpretation of criterion (i) requires, in the applicant’s submission, that the entity targeted itself be in possession of a license from the FSB. The applicant argues that, in a parent-subsidiary relationship, each entity is treated as legally distinct and the conduct of a subsidiary cannot automatically be attributed to its parent company. A license only authorises the legal entity to which it was attributed.
253 On the one hand, it should be borne in mind that the third set of maintaining acts do not refer to the applicant as a ‘legal person’ or ‘legal entity’, but rather as an ‘entity’. Consequently, the fact that the applicant has a legal personality that is distinct from that of its subsidiary is irrelevant for the purposes of establishing that the applicant satisfies the conditions for inclusion under criterion (i).
254 On the other hand, contrary to what the applicant claims, the application of criterion (i) does not involve attributing the conduct of a subsidiary to its parent company. It should be recalled that the application of criterion (i) does not require proof of specific conduct on the part of either the applicant or its subsidiary, but solely that it be established that the entity subject to the restrictive measures holds a license administered by the FSB.
255 Consequently, the argument that the fact that a license issued to a legal person cannot be used by another entity, namely a parent company or another subsidiary, is ineffective.
256 Furthermore, it should be borne in mind that it is clear from paragraph 249 above that the Council validly found that Pozitiv Teknolodzhiz and the applicant formed a single entity.
257 Accordingly, under those circumstances, as is clear from paragraph 86 above, the conditions for listing the applicant as an entity under criterion (i) have been satisfied, where it is established that its subsidiary, Pozitiv Teknolodzhiz, satisfies those conditions.
258 Second, the applicant claims that the third evidence pack does not contain any relevant information regarding the alleged possession of a license by Pozitiv Teknolodzhiz.
259 In order to establish that Pozitiv Teknolodzhiz held a license from the FSB, the Council relied on several documents contained in the third evidence pack. Exhibit No 2, which was previously included in the first evidence pack and is referred to in paragraph 201 above, is an excerpt from a PowerPoint presentation published on the website of Positive Technologies, ‘ptsecurity.com’, showing various licenses held by Positive Technologies, including a license from the FSB. Exhibit No 8, which is identical to that referred to in paragraph 211 above, contains an excerpt from the same website, dated 2018 and which the Council accessed on 3 July 2024, which contains a list of the licenses and certificates that Positive Technologies holds, including a ‘license of the FSB of Russia to work with cryptographic protection tools’ and a ‘license of the FSB of Russia to carry out work using information constituting a state secret’, together with copies of those licenses. Exhibit No 9, which is identical to that referred to in paragraph 210 above, also contains an excerpt from the website ‘ptsecurity.com’, dated 20 November 2014 and which the Council accessed in November 2023, headed ‘Positive Technologies received a license from the FSB, allowing work with cryptographic protection tools’, which states the activities in respect of which that license was issued. In the same excerpt, Positive Technologies announces the renewal of a license from the FSB to carry out work related to the use of information constituting state secrets.
260 The applicant claims that Exhibit No 2 is barely legible and that it is impossible on the basis of that evidence to determine which type of license is held and by whom, or whether the license in question was still valid when the third set of maintaining acts were adopted.
261 However, it should be recalled, as is clear from paragraphs 204 and 205 above, that the web page from the website of Positive Technologies, contained in Exhibit No 2, states that the latter holds a license from the FSB, and the fact that the type of license is not legible is irrelevant.
262 In the third evidence pack, Exhibit No 2 is supplemented by Exhibit No 8, which contains a list clearly showing the various licenses held by Positive Technologies, as well as a copy of two Licenses from the FSB, a translation of which is produced by the applicant in Annex C.15 to the reply.
263 As has already been observed in paragraph 219 above, the tax identification number on those licenses matches that of Pozitiv Teknolodzhiz, referred to in the entry for the latter in the Ready Ratios corporate registry contained in Exhibit No 3 in the third evidence pack.
264 As regards the first FSB license for activities using cryptographic tools, which was administered by the FSB to Pozitiv Teknolodzhiz on 10 November 2014, the applicant maintains that the Council has failed to demonstrate that that license remained in effect when the third set of maintaining acts were adopted.
265 In that connection, it should be noted that the FSB license contained in Exhibit No 8 was administered by the FSB for an unlimited period, and that the Council could reasonably infer that Pozitiv Teknolodzhiz remained the holder of that license when the third set of maintaining acts were adopted.
266 Furthermore, it should be recalled that, since criterion (i) provides for the holding of any FSB license whatsoever, the applicant’s arguments concerning the nature of that encryption license are ineffective.
267 As regards the second FSB license administered by the FSB to Pozitiv Teknolodzhiz on 28 April 2015, which was valid until 8 April 2020, to carry out work using information constituting a state secret, the applicant maintains that that license has expired.
268 In that connection, it should be observed that the Council took into account Exhibit No 9 in the third evidence pack, indicating that that license had been granted to Pozitiv Teknolodzhiz following an application to renew a license already held. The Council states that there is a very high degree of probability that Pozitiv Teknolodzhiz applied for and obtained a further renewal of that license.
269 Contrary to what the applicant maintains, the fact that Exhibit No 9 dates back to 2014 is not sufficient to support the conclusion that it was no longer relevant when the third set of maintaining acts were adopted. That exhibit in fact allows it to be established that, in 2014, Positive Technologies announced the renewal of that second FSB license.
270 It should be recalled that, in accordance with the case-law cited in paragraphs 175 and 176 above, it is for the Council to establish that the reasons relied on against the applicant at the time when the third set of maintaining acts were adopted are well founded, and that it discharges the burden of proof if it presents a body of sufficiently specific, precise and consistent evidence. In addition, in accordance with the case-law cited in paragraphs 111, 177 and 179 above, regard must be had to the difficulty in accessing evidence or certain information, in particular, in view of the conflict situation between the Russian Federation and Ukraine.
271 In that connection, it is apparent from the entry for Pozitiv Teknolodzhiz in the Ready Ratios corporate registry, produced in annex to the rejoinder, that the part concerning the licenses that it holds was redacted pursuant to Russian federal law, and bears the entry ‘access to the information is restricted’.
272 The Council could reasonable consider that it would not have been necessary to redact that part if Pozitiv Teknolodzhiz did not have any licenses.
273 It follows that the Council based its decision on a body of sufficiently reliable evidence as to allow it reasonably to consider that Pozitiv Teknolodzhiz had applied to renew the second license to carry out work using information constituting a state secret after 2020, and that the latter continued to hold such a license when the third set of maintaining acts were adopted.
274 The applicant has not adduced any evidence capable of calling that assessment into question. Questioned in that regard at the hearing, it repeatedly claimed not to have information as to whether or not Pozitiv Teknolodzhiz had a license from the FSB.
275 It follows from the foregoing that the documents contained in the third evidence pack establish to the requisite legal standard that Pozitiv Teknolodzhiz, a subsidiary wholly owned by the applicant, held a license from the FSB at the time when the third set of maintaining acts were adopted.
276 It must therefore be found that the Council has established that the applicant, a.k.a Positive Technologies, was an entity with a license from the FSB and that it satisfied the second condition laid down by criterion (i).
277 Accordingly, the Council did not make an error of assessment in the third set of maintaining acts by finding that the applicant satisfied the conditions for the application of criterion (i) and, therefore, by maintaining the applicant’s name on the lists at issue.
278 It follows that the third plea in law must be rejected.
The fourth plea in law, alleging infringement of the rights of the defence and of the Council’s obligation to conduct a proper review of its decision to include the applicant’s name on the lists at issue
279 The fourth plea in law consists, in essence, of two parts, alleging (i) infringement of the rights of the defence and (ii) infringement of the Council’s obligation to conduct a proper review of its decision to include the applicant’s name on the lists at issue.
The first part, alleging infringement of the rights of the defence
280 In its reply, the applicant claims, in essence, that the Council infringed its rights of defence by belatedly disclosing the second evidence pack.
281 First, the applicant observes that the second evidence pack, dated 16 May 2023 – that is, before the initial acts were adopted – was not sent to it by the Council in response to the applicant’s request of 13 July 2023 that the Council disclose the file forming the basis of the decision to include its name on the lists annexed to the initial acts. Second, the applicant maintains that, in so far as the second evidence pack was disclosed to it further to its request of 25 September 2023 for access to the documents justifying the maintenance of its name on the lists at issue, that evidence pack contained new evidence justifying that maintenance. It argues that the Council was under the obligation to provide it with that evidence prior to the adoption of the first set of maintaining acts.
282 In that connection, it should be recalled that, when reviewing restrictive measures, the Courts of the European Union must ensure the review, in principle the full review, of the lawfulness of all Union acts in the light of the fundamental rights forming an integral part of the European Union legal order. Those fundamental rights include, inter alia, respect for the rights of the defence and the right to effective judicial protection (see judgment of 16 October 2024, CRA v Council, T‑201/23, EU:T:2024:697, paragraphs 59 and 60 and the case-law cited).
283 According to settled case-law, the right to be heard in all proceedings, laid down in Article 41(2)(a) of the Charter, which is inherent in respect for the rights of the defence, guarantees every person the opportunity to make known his or her views effectively during an administrative procedure and before the adoption of a decision in relation to that person that is liable to affect his or her interests adversely (see judgment of 27 July 2022, RT France v Council, T‑125/22, EU:T:2022:483, paragraph 75 and the case-law cited; judgment of 15 November 2023, OT v Council, T‑193/22, EU:T:2023:716, paragraph 79).
284 As regards respect for the right to be heard, it is apparent from the case-law that, in the case of the initial decision placing a person’s or an entity’s name on the list of persons and entities whose funds are frozen, the Council is not required to inform the person or entity concerned beforehand of the grounds on which it intends to rely in order to list that person or entity. So that its effectiveness may not be jeopardised, such a measure must, by its very nature, be able to take advantage of a surprise effect and to apply immediately. Upon application to the Council, the person or entity concerned also has the right to make known his or her view on that evidence after the measure has been adopted (see judgment of 27 July 2022, RT France v Council, T‑125/22, EU:T:2022:483, paragraph 80 and the case-law cited).
285 By contrast, in a procedure relating to the adoption of the decision, in particular, to maintain the name of a person on a list in an annex to an act containing restrictive measures, respect for the rights of the defence and the right to effective judicial protection requires that the competent EU authority disclose to the person concerned the evidence against that person available to that authority and relied on as the basis of its decision, so that that individual is in a position to defend his or her rights in the best possible conditions and to decide, with full knowledge of the relevant facts, whether there is any point in bringing an action before the Courts of the European Union. When that disclosure takes place, the competent EU authority must ensure that that individual is placed in a position in which he or she may effectively make known his or her views on the grounds advanced against him or her (judgments of 10 May 2016, Mikhalchanka v Council, T‑693/13, EU:T:2016:283, paragraphs 46 and 47, and of 12 February 2020, Amisi Kumba v Council, T‑163/18, EU:T:2020:57, paragraph 50; see also, to that effect, judgment of 18 July 2013, Commission and Others v Kadi, C‑584/10 P, C‑593/10 P and C‑595/10 P, EU:C:2013:518, paragraphs 111 and 112).
286 The right to be heard prior to the adoption of acts maintaining the name of a person or an entity on a list of persons or entities subject to restrictive measures is necessary where, in the decision maintaining a person’s name on that list, the Council has included new evidence against him or her, namely evidence which was not taken into account in the initial decision to include his or her name on the list (see judgments of 18 June 2015, Ipatau v Council, C‑535/14 P, EU:C:2015:407, paragraph 26 and the case-law cited, and of 15 November 2023, OT v Council, T‑193/22, EU:T:2023:716, paragraph 102 and the case-law cited).
287 However, where maintaining the name of the person or entity concerned on a list of persons or entities subject to restrictive measures is based on the same reasons as those which justified the adoption of the initial act without new evidence being adduced, the Council is not obliged, in order to respect the right of that person or entity to be heard, to notify him, her or it again of the evidence against him, her or it (see judgments of 15 November 2023, OT v Council, T‑193/22, EU:T:2023:716, paragraph 103 and the case-law cited, and of 4 September 2024, Shamalov v Council, T‑651/22, not published, EU:T:2024:576, paragraph 124 and the case-law cited).
288 In the present case, it should be observed that the second evidence pack contains a working document prepared by the EEAS concerning: ‘UKRAINE […], Underlying/supporting evidence – Horizontal Evidence Pack – status based IT-territorial integrity regime’. That working document was presented to the Council in support of the latter’s intention to introduce a new criterion for taking restrictive measures against legal persons, entities or bodies operating in the Russian IT sector with a license administered by the FSB or by the Russian Ministry of Industry and Trade. That document comprises various sources relating to Russian threats in the field of information and information technology, licenses from the FSB and the ‘weapons and military equipment’ license administered by the Russian Ministry of Industry and Trade.
289 It should be observed, as the Council does, that the second evidence pack is a working document of the EEAS prepared in support of the introduction of criterion (i), but it does not contain any material relating to the applicant’s individual situation or to the inclusion of its name on the lists at issue, which the applicant accepted at the hearing.
290 In accordance with settled case-law, the right to be heard in an administrative procedure concerning a specific person, which must be observed, even in the absence of any rules governing the procedure in question, cannot be transposed to the procedure provided for in Article 29 TEU and that provided for in Article 215 TFEU leading, as in the present case, to the adoption of measures of general application. There is no provision that requires the Council to inform any person potentially affected by a new criterion of general application of the adoption of that criterion (see judgment of 13 September 2023, Venezuela v Council, T‑65/18 RENV, EU:T:2023:529, paragraph 39 and the case-law cited).
291 Consequently, in so far as the second evidence pack contained no inculpatory evidence serving as the basis for the inclusion and maintenance of the applicant’s name on the lists at issue, the Council was under no obligation to disclose it to the latter pursuant to the case-law cited in paragraphs 284 to 286 above, be it in response to the applicant’s request of 13 July 2023 or before the first set of maintaining acts were adopted. The applicant cannot, therefore, meaningfully claim infringement of its rights of defence.
292 Accordingly, the first part must be rejected, without it being necessary to rule on the Council’s arguments disputing the admissibility thereof.
The second part, alleging infringement of the Council’s obligation to conduct a proper review of its decision to include the applicant’s name on the lists at issue
– Concerning the first set of maintaining acts
293 The applicant claims that the Council infringed its obligation, laid down under Article 6 of Decision 2014/145 and Article 14 of Regulation No 269/2014, to conduct a regular review of its listing decisions, in order to ensure that the measures are still appropriate. It maintains that a proper review of the evidence in support of the inclusion of its name on the lists at issue would have revealed that it does not have a license from the FSB and would have led to the decision to remove the applicant’s name from the lists at issue.
294 The third paragraph of Article 6 of Decision 2014/145 states that ‘this Decision shall be kept under constant review’. Article 14(4) of Regulation No 269/2014 provides that ‘the list in Annex I shall be reviewed at regular intervals and at least every 12 months’.
295 It must be observed that restrictive measures are of a precautionary and, by definition, provisional nature, the validity of which always depends on whether the factual and legal circumstances which led to their adoption continue to apply and on the need to persist with them in order to achieve their objective. Thus, when periodically reviewing those restrictive measures, it is for the Council to carry out an updated assessment of the situation and to take stock of the effects of those measures, with a view to determining whether they have made it possible to achieve the objectives pursued by the initial inclusion of the names of the persons and entities concerned on the disputed list or whether it is still possible to reach the same conclusion in relation to those persons and entities (see judgments of 15 November 2023, OT v Council, T‑193/22, EU:T:2023:716, paragraph 168 and the case-law cited; of 29 May 2024, Belavia v Council, T‑166/22, EU:T:2024:334, paragraph 76 and the case-law cited; and of 11 September 2024, Tokareva v Council, T‑744/22, EU:T:2024:608, paragraph 36 and the case-law cited).
296 It should also be borne in mind that, in order to justify maintaining a person’s name on the list in question, the Council is not prohibited from basing its decision on the same evidence justifying the initial inclusion, re-inclusion or previous retention of the name of the person concerned on the list, provided that (i) the grounds for listing remain unchanged and (ii) the context has not changed in such a way that that evidence is now out of date. That context includes not only the situation of the country in respect of which the system of restrictive measures was established, but also the particular situation of the person concerned (see judgments of 15 November 2023, OT v Council, T‑193/22, EU:T:2023:716, paragraph 169 and the case-law cited, and of 29 May 2024, Belavia v Council, T‑116/22, EU:T:2024:334, paragraph 77 and the case-law cited).
297 In the present case, the notice published in the Official Journal of 26 June 2023, referred to in paragraph 9 above, informed the natural and legal persons, entities and bodies subject to the restrictive measures provided for by the initial acts that they could submit a request to the Council, before 14 July 2023, that the decision to include them on the lists annexed to those acts should be reconsidered.
298 However, first, the applicant did not avail itself of the opportunity afforded to it to submit a request to the Council for reconsideration of the inclusion of its name on the lists at issue after the initial acts were adopted.
299 Second, it should be noted that, in order to adopt the first set of maintaining acts, the Council based its decision on the same ground as that which justified the adoption of the initial acts, and it relied on the first evidence pack, without any new evidence being relied upon against the applicant.
300 Moreover, it is clear from the examination of the third plea that the Council did not make an error of assessment in finding, when the first set of maintaining acts were adopted, that the gravity of the situation in Ukraine persisted and that the applicant satisfied the conditions laid down by criterion (i).
301 Accordingly, the applicant cannot validly claim that the Council infringed its obligation to reconsider its decision before adopting the first set of maintaining acts.
– Concerning the second set of maintaining acts
302 The applicant claims that, before adopting the second set of maintaining acts, the Council failed to examine the grounds substantiating the listing to determine if they were still relevant, and also failed to take into consideration the observations shared by the applicant, in breach of Article 3(3) of Decision 2014/145 and Article 14(3) of Regulation No 269/2014. In its request for reconsideration of 1 November 2023, the applicant clearly explained, it argues, that the misunderstanding on the part of the Council of the Russian licensing system had led the latter to apply criterion (i) incorrectly, and that the applicant demonstrated that it did not fall within the scope of that criterion.
303 It claims that the Council merely stated, in its letter of 13 March 2023, that it could not accept the applicant’s interpretation of criterion (i), without entering into any discussions or providing any explanations. In the applicant’s submission, the Council failed to take into consideration evidence concerning the applicant, namely the entry in the Ready Ratios corporate registry, demonstrating that it did not have a license from the FSB. If the Council had examined the information that the applicant had provided and conducted a review of its decision, it would not have maintained the applicant’s name on the lists at issue.
304 Article 3(3) of Decision 2014/145 and Article 14(3) of Regulation No 269/2014 provide the following:
‘Where observations are submitted, or where substantial new evidence is presented, the Council shall review the decision referred to in paragraph 1 and inform the person, entity or body concerned accordingly.’
305 When comments are made by the person concerned on the statement of reasons, the competent European Union authority is under an obligation to examine, carefully and impartially, whether the alleged reasons are well founded, in the light of those comments and any exculpatory evidence provided with those comments (judgments of 18 July 2013, Commission and Others v Kadi, C‑584/10 P, C‑593/10 P and C‑595/10 P, EU:C:2013:518, paragraph 114, and of 6 June 2018, Arbuzov v Council, T‑258/17, EU:T:2018:331, paragraph 61).
306 Although for the rights of the defence and the right to be heard to be observed, the EU institutions must enable the person concerned by the act adversely affecting him or her to make his or her views known effectively, those institutions cannot be required to accept those views (judgments of 27 September 2018, Ezz and Others v Council, T‑288/15, EU:T:2018:619, paragraph 330, and of 11 September 2024, Mordashova v Council, T‑497/22, not published, EU:T:2024:604, paragraph 70).
307 Consequently, the mere fact that the Council did not conclude that the renewal of the imposition of restrictive measures against persons was not well founded, or even consider it useful to carry out verifications in the light of the observations submitted by the applicant, does not mean that such observations were not taken into account (judgment of 11 September 2024, Mordashova v Council, T‑497/22, not published, EU:T:2024:604, paragraph 71; see also, to that effect, judgment of 27 September 2018, Ezz and Others v Council, T‑288/15, EU:T:2018:619, paragraph 331).
308 Moreover, the Council is not required to reply, prior to the adoption of restrictive measures envisaged, to the observations submitted by the person or entity concerned (judgments of 31 January 2019, Islamic Republic of Iran Shipping Lines and Others v Council, C‑225/17 P, EU:C:2019:82, paragraph 92, and of 11 September 2024, Mordashova v Council, T‑497/22, not published, EU:T:2024:604, paragraph 72).
309 In the present case, the notice published in the Official Journal of 14 September 2023, referred to in paragraph 13 above, informed the persons and entities subject to the restrictive measures provided for by the first set of maintaining acts that they could submit a request to the Council, before 2 November 2023, that the decision to include their names on the lists annexed to those acts should be reconsidered. Furthermore, on 31 October 2023, in response to a request made by the applicant, the Council again sent it a copy of the first evidence pack and disclosed the second evidence pack. On 1 November 2023, the applicant sent the Council a request for reconsideration of the decision to maintain its name on the lists at issue by way of the first set of maintaining acts.
310 By letter of 13 March 2024, the Council responded to the applicant’s observations and rejected its request for reconsideration. In essence, the Council observed that the applicant’s observations concerning the interpretation of criterion (i) and those relating to the claim that the applicant did not hold a license from the FSB were identical to the arguments raised in the context of the present action, and the Council referred to its arguments set out in the defence. It also reaffirmed that it was apparent from the first evidence pack that the applicant, as an entity, held a license from the FSB.
311 Consequently, having regard to the case-law cited in paragraphs 306 and 307 above, the applicant wrongly claims that the Council infringed its obligation to reconsider the applicant’s situation before adopting the second set of maintaining acts.
312 Furthermore, it is clear from the case-law cited in paragraph 308 above that the applicant cannot validly criticise the Council for failing to engage in discussions concerning the interpretation of criterion (i) and the developments relating to the ‘state secret’ licenses contained in the expert report annexed to the reply. In that connection, it should be noted that that expert report, dated 7 February 2024, had not been produced by the applicant in support of its request for reconsideration of 1 November 2023.
– Concerning the third set of maintaining acts
313 The applicant claims that, before adopting the third set of maintaining acts, the Council infringed the obligation to conduct a proper review of its decision to maintain the applicant’s name on the lists at issue, particular as it accepts, in the amended grounds for listing contained in those acts, that the applicant does not have a license from the FSB and that, therefore, it does not satisfy the conditions under criterion (i). The applicant states that, in its letter of 13 September 2024, the Council maintained its assessment that there was a connection between the possession of a license from the FSB and involvement with the Russian intelligence or security services, despite the abundant evidence and explanations provided by the applicant.
314 It should be observed that the notice published in the Official Journal of 13 March 2024, referred to in paragraph 18 above, informed the persons and entities subject to the restrictive measures provided for by the second set of maintaining acts that they could submit a request to the Council, before 3 June 2024, that the decision to include their names on the lists annexed to those acts should be reconsidered. On 31 May 2024, the applicant sent the Council a request for reconsideration of the decision to maintain its name on the lists at issue by way of the second set of maintaining acts.
315 On 16 July 2024, the Council informed the applicant of its intention to maintain the latter’s name on the lists at issue with an amended statement of reasons, and disclosed the third evidence pack to the applicant. On 31 July 2024, the applicant submitted observations to the Council concerning the latter’s intention to maintain the applicant’s name on the lists at issue having regard to the amended statement of reasons.
316 By letter of 13 September 2024, the Council responded to the applicant’s observations set out in the letters of 31 May and 31 July 2024, and rejected the request for reconsideration. The Council stated that the amended statement of reasons reflected its position since the time when the initial acts were adopted, namely that the applicant and its subsidiary, Pozitiv Teknolodzhiz, formed a single entity and that the former held a license from the FSB because that license had been issued to the latter. It pointed out that the third evidence pack contained sufficient evidence that Pozitiv Teknolodzhiz held a license from the FSB. It referred to its arguments submitted in the context of the present action, pointing out that it had based its policy assessment on extensive evidence that shows that the entities operating in the Russian IT sector that have a license from the FSB could de facto be leveraged into supporting the security services; it added that the applicant had failed to adduce evidence capable of calling that assessment into question.
317 Consequently, having regard to the case-law cited in paragraphs 306 and 307 above, the applicant wrongly claims that the Council infringed its obligation to reconsider the applicant’s situation before adopting the third set of maintaining acts, and breached the applicant’s right to be heard.
318 It follows from the foregoing that the Council discharged its obligations concerning (i) the reconsideration of the applicant’s situation with a view to extending the restrictive measures to which it is subject, and (ii) compliance with the latter’s right to be heard in the course of the procedures that led to the adoption of the maintaining acts.
319 The second part must therefore be rejected as, accordingly, must the fourth plea.
320 It follows from all the foregoing considerations that the action must be dismissed in its entirety.
Costs
321 Under Article 134(1) of the Rules of Procedure, the unsuccessful party is to be ordered to pay the costs if they have been applied for in the successful party’s pleadings.
322 Under Article 138(1) of the Rules of Procedure, the Member States and institutions which have intervened in the proceedings are to bear their own costs.
323 In the present case, since the applicant has been unsuccessful, it must be ordered to bear its own costs and to pay those incurred by the Council, in accordance with the form of order sought by the latter. The Kingdom of the Netherlands is to bear its own costs.
On those grounds,
THE GENERAL COURT (Eighth Chamber, Extended Composition)
hereby:
1. Dismisses the action;
2. Orders Positive Group PAO to bear its own costs and to pay those incurred by the Council of the European Union;
3. Orders the Kingdom of the Netherlands to bear its own costs.
Delivered in open court in Luxembourg on 10 September 2025.
V. Di Bucci | | R. Mastroianni |