Malicious cyber activities are on the rise. States and other relevant actors need to constantly adapt to the evolving cyber threat landscape, including by setting up effective deterrence mechanisms. This is what the European Union (EU) has done through the adoption of Common Foreign and Security Policy (CFSP) Decision 2019/797, which allows it to impose targeted sanctions to deter and respond to cyberattacks that constitute an external threat to the EU or its member states. However, in contrast to other horizontal regimes of restrictive measures in force within the EU, foreign governments are not included as potential targets of cyber sanctions. Moreover, the recital of the Decision specifies that the adoption of restrictive measures does not involve attribution of international responsibility for cyber-attacks to a third State. This article aims at identifying the rationale behind the inclusion of these distinctive features. It starts by considering the legal uncertainty that surrounds attribution of international responsibility for cyber operations. Next, it explains why the EU is not well placed to invoke third-State responsibility, and the reasons behind its reluctance to do so. It will then illustrate the risks inherent in the lack of a clear legal framework to attribute the responsibility of cyber-attacks to third countries. This may have serious consequences in terms of legal certainty when a cyber-attack amounts to a breach of the prohibition on the use of force in international relations. Then, we explore recent developments in EU legislation in the area of cyber security and the possibility to strenghten the powers of the European Union Agency for Cybersecurity (ENISA). We draw two conclusions: first, the Union might develop the capacity to attribute cyber attacks to specific actors and there is an interest to do so. However, Member States are probably still reticent to take this step. Two, despite the advantages of establishing a reliable attribution mechanisms, it is submitted that the majority of States prefers to take advantage of a regulative gap that allows them to react to cyber incidents as they see fit.