Country Restrictions in the Volunteering Program

Russia has been under comprehensive EU and OFAC sanctions since 2022. Beyond the legal dimension, state-coordinated threat actors including APT28, APT29 (Cozy Bear), and Sandworm actively target international infrastructure, NGOs, and civil society organisations. The BSI, CISA, and NCSC consistently rate Russia as a top-tier cyber threat. Volunteers with active ties to Russian state institutions or intelligence-linked entities pose a structural insider risk.

Belarus is subject to comprehensive EU sanctions following the 2020 election crisis and ongoing human rights violations. The Belarusian KGB and the threat group Ghostwriter are known for coordinated disinformation and cyberoperations, frequently conducted in close alignment with Russian actors. The operational overlap between Russian and Belarusian intelligence makes Belarus a compounded risk.

Iran meets all three exclusion criteria. It is subject to extensive EU and OFAC sanctions, is listed as a FATF high-risk jurisdiction, and is home to state-directed threat actors including APT33 (Elfin) and APT34 (OilRig), which specifically target NGOs, critical infrastructure, and international organisations. Iran’s legal framework also imposes intelligence cooperation obligations on its citizens.

North Korea is subject to the strictest UN, EU, and US sanctions regimes in existence. The Lazarus Group — a state-operated threat actor — is responsible for attacks on financial infrastructure, cryptocurrency platforms, and international organisations. Any operational connection to North Korean individuals or entities carries severe legal and security consequences.

The PRC is consistently rated the single largest state cyber espionage threat by CISA, NCSC, NSA, and BSI. State-directed groups including Volt Typhoon, APT10, and APT40 specifically target NGOs, think tanks, and international organisations — not for financial gain, but for long-term strategic intelligence collection. Critically, China’s National Intelligence Law (2017) legally obliges Chinese citizens to cooperate with state intelligence services upon request. This is not a personal accusation — it is a structural, legally mandated risk that we cannot manage through trust alone. Unlike Russia, which tends to attack from outside, China systematically operates through insiders. Volunteers represent exactly the access vector this model exploits.

Myanmar has been under EU sanctions since the military coup of February 2021. The country is also on the FATF high-risk list due to severe deficiencies in anti-money laundering and counter-terrorist financing controls. Political instability makes reliable background verification of applicants effectively impossible.

Syria is subject to comprehensive EU and US sanctions. The country is classified as high-risk by the FATF due to the absence of effective state control over financial flows and documented links to terrorist financing. The ongoing conflict further prevents any meaningful applicant verification.

Both countries are subject to EU sanctions. Sudan is listed by the FATF as a high-risk jurisdiction. Ongoing armed conflict and state fragility in both countries make credible identity and background verification of applicants factually impossible at this time.

Cuba is subject to longstanding US OFAC sanctions under the Cuban Assets Control Regulations (CACR). Cooperation with Cuban nationals may carry legal consequences for the organisation, particularly where US-based systems, partners, or payment services are involved in our infrastructure.

Venezuela is sanctioned by both the EU and the United States, and is assessed by the FATF as having significant deficiencies in money laundering controls. State involvement in disinformation and coordinated influence operations has also been documented by international observers.