UN Global Mechanism on ICT security

• Are new norms needed?

Are more norms needed at the moment? Or should the focus be placed on implementing existing ones? The 2015 GGE report, the resolution establishing the OEWG, and the final OEWG reports from 2021 and 2025 provide opportunities for developing additional norms over time.

 States have differing views on this issue: Some insist that new norms should be developed, some insist that existing norms should be implemented first, and some hold that the implementation of norms can be complementary to the gradual development of additional norms; these two processes are not mutually exclusive. 

The final OEWG report from 2025 retained the idea that additional norms could emerge, but excluded it from its recommendations. It does, however, recommend that states continue discussions on rules, norms and principles in the Global mechanism.

• Should the Voluntary Checklist be universal?

The checklist, initially proposed for adoption as an annexe to the Final Report, was not adopted in July 2025. Several states raised concerns about the applicability of a universal checklist, emphasising that implementation should consider regional, national, and culturally specificities. The checklist has been reworded and is now open for continued discussion.

• Does international law apply to cyberspace?

The UN GGE reports, the final OEWG reports of 2021 and 2025, and the related UN General Assembly (GA) resolutions affirm that international law, including the UN Charter, applies to cyberspace. However, some states believe that existing international law does not apply to cyberspace. They do, however, note that principles of international law apply – sovereign equality of states, non-use of force and threat of force, settlement of international disputes by peaceful means, and non-interference in the internal affairs of states.

The OEWG report for 2025 recommends that the states continue discussions on how international law applies in the Global Mechanism, pushing the divides in this area into the future.

• Which UN Charter principles apply to cyberspace?

Most states stated that the principle of sovereignty and sovereign equality, enshrined in Art. 2.1. of the UN Charter, applies in cyberspace. Most countries have also recognised the principle of due diligence in cyberspace.

Many states have reaffirmed the obligation of states to settle disputes peacefully in accordance with Art. 2.3 and Art. 33 of the UN Charter. This means states must use negotiation, enquiry, mediation, conciliation, arbitration, judicial settlement, resort to regional agencies or arrangements, or other peaceful means of their own choice. The customary international law obligation not to intervene in the internal or external affairs of another state, enshrined in Art. 2.7 of the UN Charter, applies to cyberspace, just as it applies to the physical realm All states agree that they should refrain from the threat or use of force against other states’ territorial integrity or political independence, which also applies in cyberspace. However, there is no consensus on whether misuse of ICTs/cyberattacks can be qualified as armed attacks, per Art. 51 of the UN Charter which permits the right to self-defence in case of armed attack). The states agree that the principles of due diligence, attribution, invoking the right of self-defence, and assessing whether an internationally wrongful act has been committed require additional work to understand how they apply in cyberspace.

• Is there a need for a new legally binding instrument?

The need for a new legally binding instrument regulating the use of ICT by states remains an important question in the discussions. Most countries do not see the need to develop a new legally binding instrument, opposing such a proposal and saying it would mean a significant setback in advancing international security and stability, which would lead to confusion and misunderstanding. On the other hand, some countries are calling for the development a new, single, legally binding international instrument. These countries think that cyberspace is unique and cannot be addressed by applying existing international law, that gaps in existing international law require new legally binding regulation, or that how international law applies in cyberspace needs to be clarified.

The OEWG report for 2025 keeps the door open for discussions on the possibility of future elaboration of additional binding obligations, if appropriate, and the development of additional legally-binding obligations.

• Does international humanitarian law (IHL) apply to cyberspace?

The GGE 2021 report recognised that international humanitarian law (IHL) applies only in

situations of armed conflict. Most delegations confirmed this in the discussions at the OEWG. These delegations see adherence to the IHL as of paramount importance as it offers fundamental protections and reduces the risks and potential harm to both civilians and civilian objects (IT infrastructure of hospitals or schools) and to combatants from cyber operations in the context of armed conflict. These states see it as a priority to clarify how IHL applies to cyber operations in armed conflicts.

Another group of states holds that the OEWG should not even discuss the applicability of IHL to the use of ICTs in the context of international security since it would imply that the states tacitly accept the possibility of an armed conflict in cyberspace, which would contribute to militarisation in cyberspace and would be the first step towards an armed cyberattack.

While the 2025 OEWG report states that discussions on international law deepened, it does not mention IHL in the text. The issue will likely resurface in discussions at the Global Mechanism.

• How should the UN ensure adequate and sufficient financing for capacity-building initiatives?

The proposal for a permanent UN-administered fund to support cybersecurity capacity building in developing countries generated significant debate among delegations. The supporters, including several developing nations and the Arab Group, advocate for the fund as a means to ensure equitable and sustainable access to financial resources, arguing that it would help bridge the digital divide and strengthen global cybersecurity. They pointed out that such a fund would provide consistent financing necessary for long-term initiatives, particularly in countries lacking robust cybersecurity infrastructure. However, other delegations expressed concerns about the management and oversight of the fund, fearing it could lead to duplication of existing funding mechanisms and questioning how the fund would be administered to avoid inefficiencies. For example, some European nations stressed the importance of leveraging existing structures like the World Bank’s cybersecurity initiatives, cautioning against the creation of parallel systems that might fragment international efforts.

• What should be the scope and structure of the Global Cybersecurity Cooperation Portal, and how can it be streamlined with existing initiatives?

The proposal for a Global Cyber Security Cooperation Portal sparked a detailed debate on how this new platform should be integrated or synergised with existing cybersecurity portals to avoid duplication and enhance global cooperation. Delegations expressed concerns about the potential for overlap with established platforms like the Global Forum on Cyber Expertise (GFCE) Cyber Portal and the EU CyberNet, emphasising the need for careful coordination to ensure the new portal adds value rather than creating redundancy. On the other hand, some delegations, including those from developing countries, emphasised the portal’s potential to address gaps in current systems, particularly in terms of accessibility and tailored support for countries with limited cybersecurity resources.

• How should the proposed UN Voluntary Trust Fund be operationalised, and how should it be integrated with existing funding mechanisms?

Delegations broadly supported the idea of establishing a UN Voluntary Trust Fund on security and ICT use; however, concerns emerged regarding its operationalisation. There was a need for more discussion on how the fund would be structured to avoid duplication with existing mechanisms, such as the World Bank Cybersecurity Multi-Donor Trust Fund and ITU funds. Additionally, delegations, including Australia, sought clarity on the eligibility criteria for accessing the fund, emphasising the importance of ensuring that it adds value without creating overlap or confusion within the current funding landscape.

• How should foundational cybersecurity capacities be implemented globally: through standardised approaches or by tailoring them to the countries? 

The implementation of foundational cybersecurity capacities sparked a debate between adopting a universal, standardised approach and the need for customisation to fit national contexts. While many delegations agreed on the importance of key elements such as legal frameworks, CERTs, and incident response mechanisms, there was a clear division on whether these should be uniformly applied across all countries or adapted to each nation’s specific circumstances. The concern is that imposing a one-size-fits-all solution may not be effective in diverse environments.

• Should gender and inclusivity be integrated into cybersecurity capacity building efforts?

The emphasis on gender-sensitive approaches in cybersecurity capacity building, was met with mixed reactions. While some delegations praised the development of gender-sensitive toolkits and their application in capacity building programs, others criticised the inclusion of gender and youth topics in the capacity-building agenda, arguing that these issues were unrelated to the core mandate of the OEWG.

• What is the appropriate role of nongovernmental stakeholders in cybersecurity capacity-building efforts?

The inclusion of a multistakeholder approach in capacity-building efforts sparked a debate among delegations. While most countries support the involvement of businesses, NGOs, and academia, there is strong opposition to portraying non-governmental stakeholders as equal participants in negotiations alongside states, as that could undermine state sovereignty in cybersecurity discussions.

• Should additional CBMs be formulated? 

The list of the eight CBMs has been largely settled for some time. However, since session 9, Iran has consistently proposed adding a ninth CBM to ensure unhindered access to a secure ICT market for all states. It circulated a working paper during session 10, but the proposal was ultimately not included in the final list. Although it is referenced in the final report as a possible element for discussion within the future mechanism, several states have suggested that it would be more appropriately addressed under norms or capacity-building.

• How can states’ communication be facilitated?

The development of a common terminology was a contentious issue at the start of the OEWG, but the discussion largely concluded after states agreed to share national ICT terms and terminologies in the second APR. Given the significance of this issue, it may resurface in the permanent mechanism, potentially informed by the experiences of regional organisations with such taxonomies.

The POC directory has been operational for some time, with the Secretariat continuing to conduct ‘ping’ tests. An open question remains as to whether its current design is appropriate, given highly mixed feedback from states on its use.

Discussions on the development and use of standardised templates have naturally emerged alongside the operationalisation of the POC directory since session 8. The Secretariat’s proposed template, made public in April 2025, was ultimately not adopted and is instead referenced as a topic for further discussion. The specific scope and focus of these future discussions remain unclear.

• How should CBMs be discussed in the permanent mechanism?

The final report of the OEW 2021-2025 does not designate a dedicated thematic group (DTG) specifically for CBMs, and the wording of the two agreed-upon DTGs reflects a cross-cutting approach – even in the DTG focused on capacity-building, given the acknowledged overlap between the two agenda items. Nonetheless, the possibility to addressing CBMs separately remains open through ad hoc groups.

• What will DTG1 look like?

Formally ‘An integrated, policy-oriented and cross-cutting dedicated thematic group drawing on the five pillars of the framework to address specific challenges in the sphere of ICT security in the context of international security in order to promote an open, secure, stable, accessible, peaceful, and interoperable ICT environment, with the participation of, inter alia, technical experts and other stakeholders (DTG 1)’, this group’s substantive focus and the organisational setup of DTG1 will certainly invite much discussion. Uncertainty remains over how discussions will be managed in practice, including whether key issues will be carried forward or risk being sidelined through procedural delays or filibustering.

• Will additional ad-hoc DTGs be organised?

The final report acknowledges the possibility of establishing additional ad-hoc dedicated thematic groups (DTGs). However, the number of thematic groups has always been a contentious issue – while it would enable the mechanism to dive deep into very detailed discussions, the reality is that majority of countries cannot attend a large number of groups, much less engage effectively in them. Therefore, some states support the idea of ad hoc groups, as this would enable the new permanent mechanism to remain responsive to emerging challenges and evolving priorities. Others underline that additional ad hoc groups create additional uncertainties and potential burdens on delegations, and suggest waiting for the review conference, when the states will have an opportunity to review DTGs and potentially add new ones.

• What will happen beyond 2030?

Attention is already shifting to what comes next once the current arrangement expires, particularly the configuration of future dedicated thematic groups (DTGs). Questions are emerging around how these groups will be structured and prioritised, and whether continuity will be maintained or reshaped in subsequent phases.