Ad Hoc Committee on Cybercrime

The Ad Hoc Committee to  Elaborate a Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes (Ad Hoc Committee on Cybercrime or AHC) is an intergovernmental committee composed of experts and representatives from all regions, mandated to draft a global cybercrime convention.

In August 2024, the AHC approved the final negotiated text of the convention at its reconvened session in New York, thereby concluding the Committee’s mandate. The draft Convention against Cybercrime was subsequently considered by the Third Committee and approved without a vote. On 24 December 2024, the Convention was formally adopted by the UN General Assembly, also without a vote.

The Convention text is available here, and its provisions can also be explored through an AI assistant.

Consult Cybercrime AI Assistant

Cybercrime Convention Signing Ceremony

The Cybercrime Convention Signing Ceremony and High-Level Conference took place in Hanoi, Vietnam, from 25 to 26 October 2025, where more than 70 countries signed it. Updates are available at the treaty website.
Copy: World Map
Infogram

Next steps

The convention remains available for signing at the UN Headquarters in New York until 31 December 2026. It will enter into force 90 days after being ratified by the 40th signatory.

Following the adoption of the Convention, the Ad Hoc Committee on Cybercrime is mandated to convene for a further session in Vienna from 26 to 30 January 2026 in order to prepare draft rules of procedure for the Conference of the States Parties, as well as to address other matters specified in Article 57 of the Convention. Information on preparatory work and progress ahead of the session is provided below.

The subject matter of the treaty

The UN Convention against Cybercrime establishes the first global treaty framework addressing cybercrime and certain cyber-enabled crime, with a strong emphasis on international cooperation, procedural tools, and capacity-building. Unlike earlier regional instruments, the Convention was negotiated with universal participation and is designed to operate across diverse legal systems and levels of technical capacity. Its structure covers criminalization, jurisdiction, investigative powers, international cooperation, safeguards, technical assistance, and institutional arrangements for implementation.

Substantively, the Convention takes an offence-specific approach to criminalization, focusing on a defined set of crimes committed through or against information and communications technologies, rather than providing a general definition of “cybercrime.” While some offence definitions draw on concepts familiar from the Convention on Cybercrime (Budapest Convention), the UN Convention does not replicate that model in full, reflecting differing state views on scope, legal traditions, and concerns about over-criminalisation or unintended impacts on lawful online activity. Read the full comparative analysis between the Budapest Convention and UN Cybercrime Convention here.


A central pillar of the Convention is procedural cooperation, particularly mechanisms for obtaining electronic evidence across borders. The treaty facilitates mutual legal assistance, time-sensitive cooperation channels, and the preservation and sharing of electronic evidence, while requiring implementation through domestic law and subject to safeguards. These provisions were among the most debated during negotiations, highlighting tensions between effective law enforcement and the protection of due process, privacy, and human rights.

The Convention places strong emphasis on technical assistance and capacity development, recognising disparities in states’ abilities to prevent, investigate, and prosecute cybercrime. It establishes a Conference of the States Parties as the main implementation forum, favouring dialogue and cooperation over enforcement, and reflecting a negotiated balance between universality, flexibility, and sensitivity to unresolved interpretative issues.

 

Our analyses

Fifth session Sixth session Concluding session Will states agree? Convention approved UN Convention vs Budapest Convention The impact of the UN Convention against Cybercrime
 
 
 

Key negotiating issues and outcomes

Why was a UN cybercrime convention pursued?

States sought a universal framework to address perceived gaps in existing international cooperation mechanisms, particularly concerns about inclusivity, geographical representation, and uneven access to cooperation tools. While some states considered existing instruments effective, others viewed them as insufficiently universal or reflective of diverse legal traditions. These differing assessments shaped support for a UN-based convention as a globally negotiated instrument operating alongside, rather than replacing, existing frameworks.

 

How was the scope of the Convention defined?

One of the central disagreements concerned whether the Convention should be narrowly focused on cyber-dependent crimes or extended to a broader range of cyber-enabled conduct. The final text adopts an offence-specific approach, primarily criminalising core cyber-dependent crimes and a limited set of cyber-enabled crimes, while excluding areas such as cyberterrorism, cyberespionage, internet governance, and crimes against humanity. Although it relied heavily on the Budapest Convention, the UN Convention went further, addressing issues such as state sovereignty and introducing provisions for technical assistance and international cooperation.

How did states approach criminalisation and offence definitions?

Negotiations revealed sharp disagreements over the breadth and precision of offence definitions. Some states advocated broader formulations to capture evolving forms of cyber-enabled crime, while others stressed legal certainty and the risk of over-criminalisation or misuse. The final provisions reflect a compromise through an offence-specific approach: the Convention does not define “cybercrime” as a general category but requires criminalisation of clearly defined conduct. States retain discretion in domestic implementation, provided that the underlying conduct is criminalised, even where legal categories or terminology differ across jurisdictions.

What procedural powers and safeguards were negotiated?

The negotiation of procedural powers centred on access to electronic evidence and the scope of international cooperation. The Convention limits mandatory cooperation to “serious crimes,” defined as offences punishable by a maximum deprivation of liberty of at least four years or more, introducing a proportionality threshold intended to prevent the routine use of cross-border investigative tools for minor offences. It provides for mutual legal assistance, the preservation of electronic evidence, and time-sensitive cooperation mechanisms, while avoiding automatic or direct cross-border access to data. All procedural measures are to be carried out through domestic law, and states retain the ability to refuse, condition, or postpone cooperation in accordance with their national legal frameworks.

The Convention also incorporates explicit safeguards. These include requirements that procedural powers be exercised in accordance with domestic law and applicable international obligations, as well as provisions allowing states to deny assistance on grounds related to sovereignty, public order, or other fundamental legal principles. In addition, Article 6 affirms that “nothing in this Convention shall be interpreted as permitting the suppression of human rights or fundamental freedoms,” and negotiators emphasised that international human rights law and due process standards apply across all cooperation and investigative measures under the treaty.

At the same time, the sufficiency of these safeguards remains contested. While states point to the combination of proportionality thresholds, domestic-law controls, refusal grounds, and explicit human rights language as evidence that the Convention establishes a robust safeguard framework, a number of civil society and industry actors have argued that these protections lack operational specificity and independent oversight mechanisms. Critics contend that reliance on domestic implementation and broad state discretion may, in practice, allow intrusive investigative measures or cross-border cooperation in jurisdictions with weaker legal safeguards. These divergent assessments highlight a core compromise in the final text: strengthening cooperation while leaving the depth and enforcement of safeguards largely to national legal systems.

How was the dual criminality requirement negotiated?

States debated the role of dual criminality, particularly in extradition and mutual legal assistance. The Convention largely adheres to a dual criminality standard, requiring that the underlying conduct be criminal in both the requesting and requested states. However, it clarifies that dual criminality is deemed fulfilled regardless of whether offences are categorised differently or described using different terminology, provided the conduct itself is criminalised in both jurisdictions. This formulation was intended to facilitate cooperation despite differences in legal systems, though some states expressed concern about legal certainty.

How does the Convention relate to existing international and regional treaties?

Another key issue concerned the coexistence of the Convention with existing frameworks, including the Convention on Cybercrime (Budapest Convention), UNTOC and its Protocols, UNCAC, and the African Union Malabo Convention. The UN Convention draws heavily on concepts from the Budapest Convention but does not exclude the application of other instruments nor take precedence over them. Instead, it is intended to operate alongside existing treaties, with states applying established principles of treaty interpretation to manage overlapping obligations. Supporters view this as preserving legal continuity, while critics warn of fragmentation and complexity.

How did negotiations address uneven national capacity and demands for assistance?

Developing countries consistently emphasised that effective implementation would require technical and financial support. The Convention includes provisions encouraging developed states to provide training, technical resources, and capacity-building assistance, framing support as a collaborative effort to enable all parties to meet their obligations. However, these commitments remain flexible rather than binding, leaving discretion over the level and form of assistance. While this flexibility facilitated consensus, some observers argue it weakens accountability and predictability in support delivery.

How were sovereignty and the principle of non-intervention addressed?

Protection of sovereignty was a central concern throughout the negotiations. The final text enables cross-border cooperation in cybercrime investigations but preserves considerable discretion for states in deciding whether and how to share data or provide assistance. States may refuse, condition, or delay cooperation in accordance with domestic law, reflecting a negotiated effort to reconcile enhanced cooperation with respect for sovereignty and non-intervention.

Cybercrime negotiations throughout the years

 

 

Existing cybercrime instruments

The Budapest Convention, formally known as the Convention on Cybercrime, is the most comprehensive and widely accepted legally binding instrument on cybercrime, adopted by the Council of Europe (CoE) in November 2001 and entered into force on 1 July 2004. The convention includes a list of crimes that each signatory state must include in its law. In plain language, it requires the criminalisation of activities such as illegal hacking (including the production, sale, or distribution of hacking tools), acts relating to child pornography, and infringements of copyright and related rights.

The CoE has already adopted its first and second additional protocols. Namely, the First Additional Protocol to the Budapest Convention, which concerns the criminalisation of acts of a racist and xenophobic nature committed through computer systems. The protocol extends the scope of the Budapest Convention and covers offences of racist or xenophobic propaganda in its substantive, procedural, and international cooperation provisions. So far, 35 states have signed and ratified the protocol, while 10 have signed it but have not ratified it. The Second Additional Protocol to the Budapest Convention on enhanced cooperation and disclosure of electronic evidence responds to the challenges and complexity of obtaining evidence that may be stored in foreign or unknown jurisdictions. Namely, the protocol provides tools for direct cooperation with service providers and timely cooperation in emergencies or joint investigations while ensuring effective human rights protection. So far, 40 states have signed the second protocol, but only 2 have ratified it. 

With 68 ratifications – 20 of which are not members of the CoE (including the USA, Japan, Australia, and, most recently, Argentina, Brazil, Cabo Verde, Peru, Colombia, and Ghana) – the Budapest Convention is de facto the accepted international agreement on combating cybercrime, which has inspired numerous regional and national cybercrime regulations. 

Consulting instruments 

States' drafting suggestions include provisions from other international conventions as consulting instruments. 

The first is the UN Convention against Corruption (UNCAC), which obliges states to adopt preventative and punitive measures to combat corruption in both the public and private sectors. Essentially, the convention addresses international cooperation and obliges state parties to assist each other in legal assistance requests, including investigations, prosecutions, and judicial proceedings. It entered into force on 14 December 2005 with 189 state parties and 140 signatories. Most states that referred to UNCAC in their drafting suggestions stated that it should be used as a tool for coordinating international cooperation. 

The second is the UN Convention on Transnational Organized Crime (UNTOC), which provides measures to combat transnational organised crime. It has three additional protocols that refer to the prevention of human trafficking and smuggling of migrants by land, sea, and air, while the third obliges states to implement measures against the illegal manufacture and traffick of firearms. It entered into force on 29 September 2003 with 190 state parties and 147 signatories

Provisions from regional instruments were used as well. These include provisions from the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention), the Commonwealth of Independent States Agreement on Cooperation in the Fight Against Crimes in the Field of Information Technologies (Dushanbe Agreement), the Budapest Convention, mentioned earlier, and the Arab Convention on Combating Information Technology Offences, as well as recommendations of the Open-ended intergovernmental expert group to conduct a comprehensive study on cybercrime.

Next steps and pending issues

Following the conclusion of two rounds of informal consultations in Vienna in October and November, negotiations on the Rules of Procedure (RoP) for the Conference of the States Parties (CoSP) are entering a more focused phase. These consultations, co-chaired by Chile and Egypt, were based on a Secretariat compilation drawing on precedents from UNTOC and UNCAC, and highlighted a narrowing set of unresolved issues.

The central outstanding issue remains Rule 17, concerning modalities for stakeholder participation under Article 57 of the Convention. States remain divided between those supporting open participation modalities, reflecting the principles applied during the Ad Hoc Committee (AHC) negotiations, and those favouring more restrictive approaches. An updated negotiating document reflecting these positions—including proposals differentiating between plenary sessions, subsidiary bodies, and the review mechanism—is expected to be published on the dedicated UNODC webpage.

Additional issues still under discussion include whether the CoSP may establish additional protocols, the periodicity of Conference sessions, and the composition and functions of the Bureau. While voting on the Rules of Procedure remains procedurally possible, it is widely viewed as a last resort due to concerns about legitimacy and long-term institutional consequences. If consensus is not achieved, the Rules could be provisionally applied or revisited by the CoSP at a later stage.

The AHC session on the Rules of Procedure will take place from 26 to 30 January in Vienna, as a continuation of the Committee’s previous work. The session will open with Bureau elections, conducted under the interim chairmanship of Claudio Peguero, Cyber Ambassador of the Dominican Republic. The provisional agenda can be found here. The session will not reopen accreditation to new organisations; participation will be limited to already accredited entities, with stakeholder registration required by 22 January

During the AHC session, stakeholders will have opportunities to engage through side events and written submissions.