Abstract
On July 30th 2020, within the framework of the Common Foreign and Security Policy (CFSP), the Council of the European Union imposed its first ever “targeted restrictive measures” against six Chinese and Russian individuals as well as three legal entities – two located in the aforementioned countries and one in North Korea – for their involvement in significant cyber-attacks or attempted cyber-attacks against the EU or its Member States. This reaction puts into effect, for the first time, the cyber sanctions regime which was adopted in 2019 in order to operationalize “the Cyber Diplomacy Toolbox” for countering threats to international peace and security in cyberspace. However, practice shows that a vast majority of cyber-attacks with high-impact consequences were orchestrated at the request and with the support of governments and not just by some random hacktivists. Hence, in practice, the delimitation between attribution of responsibility to a State and targeted measures imposed on individuals potentially sponsored by such a State is rather superficial.