At the end of October, 72 countries signed the United Nations Convention against Cybercrime in Hanoi, Vietnam. The Convention is the first comprehensive global treaty on this matter, providing states with a range of measures to prevent and combat cybercrime and to strengthen international cooperation in sharing electronic evidence for serious crimes. While many others are expected to join in due course, with 121 U.N. members yet to accede — and the fact that signatories are only legally bound by the treaty once they ratify it — the new U.N. instrument has a long way to go before it achieves universal acceptance.
The process for negotiating a U.N. cybercrime treaty was born in controversy. The initial push for the Convention came from Russia, the largest perpetrator of cybercrime, and the resolution tabled in 2019 to launch negotiations received only minority support. The motivation behind the decade-long pursuit was to replace the Budapest Convention as the most recognised international standard and advance a treaty that would better reflect the ideas of state-controlled internet governance. After close to three years of negotiations, an overwhelming number of stakeholders viewed the final document as flawed, due to state overreach married with weak safeguards, and many civil society organizations have called on countries to reject it.
Despite these hurdles, the text was adopted by consensus in the Ad Hoc Committee tasked with elaborating the treaty and later confirmed in the U.N. General Assembly (UNGA), in what has been hailed a victory for multilateralism. Thanks to the external voices across civil society, the technology industry, and academia that participated in negotiations, the outcome was a more balanced text compared to the initial Russian proposal.
The evolution of the treaty invites the following questions: What happened during negotiations that transformed the text into something that seemingly satisfied almost everyone? And what does that process signify for implementation?
A Growing List of Signatories
Even as delegations were disembarking from their planes in Hanoi, expectations were that only around 30 countries would sign the treaty on the spot. Disagreements over the Convention’s scope of criminalization, obligations for international cooperation, and the types of safeguards against political abuse and human rights protections created major rifts during negotiations, exemplified by the last-minute extension of talks for an additional session. The precise number of countries that planned on signing the document in Hanoi was unclear until the very last moment. Few countries published their decisions in advance, such as the United Kingdom, Australia, or the bloc of European countries.
On October 25, host country Vietnam signed the Convention first, followed by Russia and China, the countries that drove treaty negotiations. Other early signatories included Belarus, North Korea, Venezuela, and Nicaragua. Iran, which had attempted to remove the text’s remaining human rights safeguards in an unsuccessful bid on the final day of negotiations, also signed.
Despite early reservations, the European Union became a vigorous supporter of the treaty and also signed in Hanoi. So did 13 E.U. member States, including France, Spain, and Poland. Ukraine abstained from the negotiations for political reasons, with many observers perceiving the treaty as the Russian equivalent of a Trojan horse.
Three members of the “Five Eyes” intelligence alliance — the United States, Canada, and New Zealand — and other key countries, including Japan, India and Israel, actively participated in the negotiations but ultimately did not sign the Convention in Hanoi for internal reasons, ranging from pending domestic review to considerations related to national security. Canada, New Zealand, and Mexico were key advocates for stronger human rights safeguards and drove proposals strengthening related protections. At a minimum, Canada and Mexico are expected to join after internal reviews. Breaking the ranks in the Five Eyes, Australia and the United Kingdom signed, advocating that the Convention will enhance international law enforcement cooperation and that they can help influence implementation from within. The Trump administration, distrustful of multilateralism, is unlikely to ratify the treaty its delegation voted for at the U.N. General Assembly.
The Cybercrime Convention’s signatories also include representation from the African Union (14 signatories), the Shanghai Cooperation Organization (eight signatories), and the Association of Southeast Asian Nations (seven signatories) — though Singapore notably abstained. The Arab League also supported the treaty with eight signatures, including Egypt, Saudi Arabia, and Qatar. The latter opened the UNODC Regional Center for Combating Cybercrime in Doha in 2024 and now encourages member States to engage with the Center to raise capacity throughout the ratification phase. The Caribbean Community, CARICOM, was vocal during the negotiations, but only Jamaica signed in Hanoi.
Fighting Cybercrime or Enabling Authoritarian Control?
The U.N. treaty will co-exist with the Budapest Convention on Cybercrime, spearheaded by the Council of Europe in the late 1990s. Eighty-one countries are party to that treaty. After the Budapest Convention came into force, Russia fueled a narrative that the treaty was “too European,” and could therefore never become universal, and looked to create a global instrument that could replace it.
Russia is the single biggest source of cybercrime in the world. The notorious Russian-speaking ransomware-as-a-service gangs find safe harbor in the country, from where they attack critical infrastructure abroad — not shying away from targeting hospitals, power grids, water systems, and transportation networks — in Ukraine and in NATO member States. State-linked groups associated with the People’s Republic of China have also quietly infiltrated U.S. communications and lifeline infrastructure and targeted democratic institutions. Both countries, supported by their allies, have brought the international community to the table to address transnational cybercrime. Their recent push — ostensibly aimed at improving global security online — was part of a broader campaign to bring internet governance and the use of information and communication technologies under the control of sovereign States, moving away from today’s multistakeholder Internet governance framework shaped by Western like-minded countries.
During negotiations, Russia, China, Iran, and even India insisted on a long list of additional offenses, including punishments for speech deemed to promote terrorism and extremism or threaten national security. But their efforts to control the debate on what constitutes cybercrime fell short. The final outcome of negotiations was largely determined by a coalition of democratic countries. The authoritarian wish list was never adopted, but this could change as early as 2027, when States will be able to conduct negotiations for an additional protocol.
Russia’s effort to replace the Budapest Convention also backfired. Countries that are party to that treaty took an active role in these negotiations. The final product draws on Budapest’s framework and the two treaties are compatible. Thirty-two countries that signed the U.N. Convention in Hanoi are parties to the Budapest Convention, showing a substantial degree of parallelism and proving that one regime would not displace nor negate the other.
For those who negotiated the Budapest Convention in the late 1990s, the pushback against the new U.N. instrument feels like déjà vu. The Budapest treaty, now hailed as the “gold standard” and an affirmation of Western values, faced stakeholder rejection when concluded, and has been continually criticized by human rights organizations. The Hanoi Convention cannot be understood only as a criminal justice instrument. The process and decision to sign and ratify have been and will be political.
Signing the Convention signaled which countries intend to join in a near future, but the Convention’s legal obligations come only after countries ratify or accede to the treaty. Many States see joining the framework now as a means of later modifying it and shaping how cybercrime standards will be implemented globally.
Not all share this view. A dozen human rights organizations published a joint letter shortly before the Hanoi signing ceremony asking States not to sign. Critics have argued that signing onto the Convention would render States complicit in a treaty that lacks sufficient human rights protections while enabling invasive surveillance and censorship. The private sector, despite actively contributing throughout negotiations, largely abstained from the ceremony, expressing a collective view that the final document did not sufficiently reflect their positions.
This unlikely coalition between human rights organizations and private technology companies is built on concerns that the treaty is susceptible to abuse by authoritarian governments. A lot of ink has been spilled on the sharp contrast between the Convention’s broad electronic surveillance powers to investigate and cooperate on a wide range of crimes, including offenses that do not involve computer crimes, and its human rights safeguards. Human rights groups and tech companies have warned that repressive requests, masquerading as legitimate law enforcement, will be used to target dissidents, harass tech company employees and security researchers, undermine fundamental freedoms, and facilitate censorship and the abuse of people’s privacy.
Advocates for the treaty have countered that it presents a rare opportunity to raise the bar on legal standards and capacity for investigating and prosecuting cybercrimes globally. Parties will have access to a 24/7 network to request police cooperation on investigations and prosecutions, extraditions, and the seizure of criminal proceeds. The Convention will extend the number of countries replying to requests for assistance to provide electronic evidence while allowing Parties to reject requests for mutual legal assistance that discriminate on the basis of sex, race, language, religion, nationality, ethnic origin, or political opinion.
An Imperfect Agreement Requires Continued Engagement
The U.N. Cybercrime Convention is a living document. Democratic countries must not cede influence to those seeking to redefine cybercrime through the lens of state control and abuse of power. Whether in support or in opposition, engaging with treaty implementation by providing feedback on the review process, how State authorities adopt the provisions — and to what effect — and participate in any future negotiations is vital in a post-Hanoi reality.
By signing, States can ensure they remain at the table, advocate for stronger human rights safeguards, promote accountability mechanisms, and guarantee civil society participation in implementation and oversight. Those planning to ratify the treaty should at minimum conduct a multi-stakeholder review on whether to do so and how. Ratifying States should adjust or clarify domestic frameworks to support strong safeguards for the use of domestic powers and providing mutual legal assistance, allocate adequate investments in human-rights compliant cyber capacities, apply reservations to expansive provisions such as passive personality jurisdiction granting states jurisdiction over crimes committed anywhere in the world against their nationals, and actively participate in the drafting of the U.N. legislative guide to secure compliance with human-rights safeguards.
The treaty also asks for broader reflection. Without a new, ambitious and imaginative cyber-diplomacy agenda — one that is constructive, not defensive; one that prioritizes the root issues of cyber insecurity; and one that engages a wider group of partners across the Global South — Western like-minded countries will be leaving the multilateral agenda to autocratic States.
As the focus shifts to ratification, democracies must remain pragmatic but resolute. It is now up to them to do the utmost to ensure that the Convention is not abused and positively contributes to international cooperation against cybercrime.
The first test comes in January next year, when delegations meet to negotiate the rules of procedure for the new Conference of State Parties. This body will guide and monitor treaty implementation. If the justification for signing the Convention is to strengthen the fight against transnational cybercrime with respect to human rights, States must be ready to argue for stakeholder involvement in implementation with resolve — and potentially call for a vote on this issue. Securing a truly multi-stakeholder oversight mechanism can be the first step to tilting the global agenda back to democratic values, openness, and transparency, and exposing the actions of repressive regimes that are too often hidden behind the pretence of fighting cybercrime.
