UN OEWG
This page provides detailed and real-time coverage on cybersecurity and peace and security negotiations at the UN.
The use of cyberattacks by states – and, more generally, the behaviour of states in cyberspace about maintaining international peace and security – is moving to the top of the international agenda.
The UN plays a crucial role in global cybersecurity negotiations, with the issue of information security being on the UN agenda since 1998 when the Russian Federation introduced a draft resolution on the subject in the First Committee of the UN General Assembly.
The First Committee addresses issues related to disarmament, nonproliferation, arms control, and international security, recommending resolutions and decisions for adoption by the UNGA plenary session. This page provides comprehensive coverage of ongoing and past First Committee processes related to cybersecurity, peace, and security at the UN, including the Groups of Governmental Experts (GGEs) and the Open-ended Working Group (OEWG).
Currently, the focus is on the work of the UN Open-Ended Working Group (OEWG) on the security of and in the use of information and communications technologies in 2021–2025.
Recent achievements: In July 2024, delegations reached a compromise on the third Annual Progress Report at its eighth substantive session on 8-12 July 2024 in New York. Next steps: The OEWG will meet for its ninth substantive session on 2-6 December 2024. |
![UN OEWG 1 CYBER DIPLOMACY color 72 dpi](https://dig.watch/wp-content/uploads/2022/08/CYBER-DIPLOMACY-color-72-dpi-1024x536.png)
To learn more about the risks of cyber conflict, global negotiations on cyber norms and the framework of responsible behaviour, and cyber diplomacy, enrol on our Cybersecurity Diplomacy online course.
The current process - OEWG 2021-2025
The Open-ended Working Group (OEWG) on security of and in the use of information and communications technologies was established in 2021 by UNGA resolution UN A/RES/75/240). Its mandate lasts until July 2025. The composition is declared as open, allowing all UN member states that express a desire to participate. The group is mandated to:
- further develop the rules, norms and principles of responsible behaviour of States and the ways for their implementation and, if necessary, to introduce changes to them or elaborate
additional rules of behaviour; - to consider initiatives of States aimed at ensuring
security in the use of information and communications technologies; - to establish, under the auspices of the United Nations, regular institutional dialogue with the broad
participation of states; - to continue to study, with a view to promoting common understandings, existing and potential threats in the sphere of information security, inter alia, data security, and possible cooperative measures to prevent and counter such threats,
- how international law applies to the use of ICTs by States, as well as confidence-building measures and capacity-building.
The OEWG started its mandate with the organisational session held in June 2021.
After the first three substantive sessions held in December 2021, April and July 2022, the main stumbling stone was the participation of non-state stakeholders in the OEWG process. Despite tensions due to the war in Ukraine, some progress in confidence-building measures and capacity building was made. However, states disagree if existing international law applies to ICTs and whether new norms are needed. Discussions on the applicability of international law on ICTs and on norms of responsible behaviour have not advanced.
In July 2022, delegations adopted stakeholder modalities, agreed to establish a Points of Contact (POC) directory, and reached a compromise on the group's first Annual Progress Report. Annual Progress Reports serve as a roadmap for further negotiations.
In 2023, discussions on the applicability of international law on ICTs and on norms of responsible behaviour have not advanced. However, the work on the operalisation of the POC Directory started. In July of 2023, delegations reached a compromise on the second Annual Progress Report.
In 2024, delegations remained divided on the applicability of international law on ICTs and on norms of responsible behaviour. But two major successes were achieved: The POC Directory was officially launched in May 2024, and the delegations agreed on the basic elements of the mechanism that will follow the OEWG.
Our reports and analyses
A team of GIP rapporteurs followed the discussions at the OEWG and produced detailed reports and analyses from:
- the organisational session,
- the first substantive session,
- the second substantive session,
- the third substantive session,
- the informal intersessional consultations on confidence-building measures (CBMs),
- the fourth substantive session,
- the informal intersessional consultation on capacity building,
- the fifth substantive session
- the sixth substantive session
- the seventh substantive session
- the Global roundtable on ICT security capacity-building
See also: Africa's participation in OEWG discussions
The future process
Co-proposed by 40 states, a Programme of Action (PoA) for advancing responsible state behaviour in cyberspace would establish ‘a permanent UN forum to consider the use of ICTs by States in the context of international security’. The proposal suggests the PoA to be in a single, long-term, inclusive, and progress oriented format; its implementation and follow-up measures could be subsequently endorsed by the UN GA.
In November 2022, the First Committee of the UNGA adopted resolution A/RES/78/16 on the programme of action (PoA) on cybersecurity. This means the UNGA welcomed the proposal for a PoA as a permanent, inclusive, action-oriented mechanism. It will:
- discuss existing and potential threats;
- support States’ capacities and efforts to implement and advance commitments guided by the framework for responsible State behaviour, and discuss, and further develop, if appropriate, this framework;
- promote engagement and cooperation with relevant stakeholders;
- periodically review the progress made in the implementation of the PoA as well as the PoA’s future work.
The resolution also requests that the Secretary-General seek the views of UN member states on the scope, structure and content for the PoA, and the preparatory work and modalities for
its establishment, including at an international conference.
It was adopted by a recorded vote of 157 in favour to 6 against (China, Democratic People’s Republic of Korea, Iran, Nicaragua, Russian Federation, Syria), with 14 abstentions.
![](https://diplo-media.s3.eu-central-1.amazonaws.com/2022/11/image-15.png)
States continued to discuss the scope, structure and content of the future process during 2023 and 2024, with a significant breakthrough in June and July 2024, when the Chair published elements for the establishment of an open-ended action-oriented permanent mechanism on ICT security, building upon the resolution A/RES/78/16 on the PoA.
During negotiations in July 2024, delegations agreed on the elements for the future mechanism, enshrined in Annex C of the third APR.
It was decided that the mechanism would strengthen ICT security capacity for all states; implement and further develop the existing framework for responsible state behaviour in ICT use; address existing and potential threats; address voluntary norms, while recognising that additional norms could be developed over time; study international law’s application to ICTs and identify any potential gaps in its application, and consider new legally binding obligations if appropriate; and develop and implement confidence-building measures and capacity-building initiatives.
The structure of the mechanism was also under heavy discussion. One substantive plenary session, at least a week-long, will be held annually to discuss key topics and consider thematic group recommendations. States decided that thematic groups within the mechanism would be established to allow for deeper discussions.
The chair may convene intersessional meetings for additional issue-specific discussions. A Review Conference every five years will monitor the mechanism’s effectiveness, provide strategic direction, and decide on any modifications by consensus.
Another tricky question was the modalities of stakeholder engagement with the mechanism. The future mechanism will be a First Committee process and, therefore, a state-led process. However, there is room - and need - for stakeholder participation. Some states consider the ad-hoc committee on cybercrime modalities for stakeholder engagement to be the gold standard, where stakeholders attend any open formal sessions of the ad hoc committee, make oral statements, time permitting, after member states’ discussions, and submit written statements. Other countries caution that the OEWG’s own much-discussed modalities should be applied because they are the hard-won result of delicate compromise. This issue was ultimately deferred to the group’s next meeting.
Framework of responsible behaviour
The framework of responsible behaviour of states in cyberspace refers to the body of existing agreements. This framework is sometimes also called ‘acquis’, a term borrowed from the EU for the body of common rights and obligations that is binding on all the EU member states. While it has quickly been adopted for informal discussions, there is still no clear understanding of everything it encompasses.
It does encompass:
All reports were adopted by respective resolutions of the UNGA by consensus of all states.
Additionally, other resolutions, such as those that established the GGEs and OEWGs on cybersecurity, also play a role, as states refer to some of them throughout negotiations. This particularly refers to the UNGA resolutions that established the OEWG in 2018 and 2020, since they do not entirely match GGE's reports, but rather reflect on other issues such as propaganda, and have procedural implications.
The timeline below shows when the aforementioned documents were adopted and what their most important points were.
-
- UN starts addressing cybersecurity issues
A proposal to address cybersecurity at the United Nations was made by Russia on 30th September 1998. It was formally adopted by the UNGA Resolution A/RES/53/70 on 4th January 1999.
-
- 2010 UN Governmental Group of Experts (GGE) Report on Cybersecurity
Report of the UN GGE 2009/2010, which includes recommendations for:
- Further dialogue among States to reduce the risk and protect critical national and international infrastructure
- Confidence-building, stability and risk reduction measures
- Information exchanges on national legislation and strategies, and capacity-building measures
- The elaboration of common terms and definitions related to information security
- Capacity-building in less developed countries
-
- 2013 UN GGE report recognises that international law applies to digital space
Report of the UN GGE 2012/2013 (later adopted by the UN General Assembly Resolution A/RES/68/243), which includes:
- Recognition that international law, and in particular the UN Charter, applies to digital space
- Norms, rules, and principles on the responsible behaviour of States
- Reference that state sovereignty applies to the digital field
- The principle that states must meet their international obligations regarding internationally wrongful acts in cyberspace attributable to them
-
24/01/2023 - 2015 UN GGE Report: Introduction of 11 Principles on Cybersecurity
24/01/2023The report of the UN Group of Governmental Experts (UN GGE) 2015 encompasses principles of State sovereignty, the settlement of disputes by peaceful means, and non-intervention in the internal affairs of other states, applies to cyberspace; recognition that states must comply with their obligations under international law to respect and protect human rights and fundamental freedoms, the agreement that UN should play a leading role in developing common understandings on the application of international law and norms, rules and principles for responsible State behaviour, other norms, rules, and principles on the responsible behaviour of states, confidence-building measures (CBMs), and an invitation for international cooperation and assistance in ICT security and capacity building.
The report was later adopted by the UN General Assembly Resolution A/RES/70/174.
-
- Establishment of the UN Open-Ended Working Group (OEWG) on Cybersecurity
UN GA on OEWG resolution includes:
- Setting up the OEWG
- Welcoming a chosen set of norms enshrined in the GGE Reports of 2013 and 2015
-
- Establishment of the Second UN Open-Ended Working Group (OEWG) on Cybersecurity
Consult UN GA Resolution on Establishment of the Second OEWG that includes:
- The renewal of the OEWG for a period of five years – 2021 to 2025, with the same mandate
- The organisational session of the new OEWG be held in 2021 and includes the establishment of thematic subgroups, allowing interaction with other stakeholders.
- The group is to provide an annual progress report and a final report to the 80th UNGA, starting in autumn 2025.
-
- Report of the First UN OEWG on Cybersecurity
- Reaffirmation of the results of the previous reports of the Group of Governmental Experts (GGE), as well as that international law, and in particular the Charter of the UN, is applicable to cyberspace
- Norms do not replace or alter states’ obligations or rights under international law – which are binding – but rather provide additional and specific guidance on what constitutes responsible state behaviour in the use of ICTs
- Recommendation that states voluntarily identify and consider CBMs
- Recommends that appropriate to their specific contexts, and cooperate with other states on their implementation
- Comprehensive capacity building measures in the field of ICT security
-
- 2021 UN GGE Final Report
The UN GGE concluded its work with this Report. Cybersecurity process will shift to the UN OEWG.
Most recently, the APRs of the OEWG 2021-2025 note that the framework of responsible State behaviour in the use of ICTs includes voluntary norms, international law, and confidence-building measures (CBMs). However, delegations, including the USA, Israel, Thailand, and Iran, contend that voluntary norms and CBMs cannot be classified as obligations. They argued that, by definition, voluntary norms are not obligatory and that CBMs, within the context of this OEWG, are also voluntary. These delegations emphasised that states cannot be held accountable for obligations arising from non-binding agreements. However, the language remains in the APRs,
Open issues
Despite long-running discussions and several consensus reports, there are a number of issues that remain open.
Past processes: GGE and OEWG 2019-2021
The Open-Ended Working Group (OEWG) 2019/2020
The OEWG 2019/2020 was established by the UN General Assembly in December 2018 (A/RES/73/27).
The UN Group of Governmental Experts (GGE)
The UN Group of Governmental Experts (GGE) on Advancing responsible State behaviour in cyberspace in the context of international security (formerly: on Developments in the Field of Information and Telecommunications in the Context of International Security) have convened from 2004 until 2021.
GGE vs OEWG
In 2018, the UNGA adopted two resolutions (one sponsored by the USA (A/RES/73/266), the other by Russia (A/RES/73/27)) which set up the continuation of the GGE in 2019–21 and the UN OEWG. During 2019-2021, the GGE and the OEWG worked in parallel in somewhat different settings. Considerable cooperation between the chairs of the two groups was established, and many countries played an active and constructive role in both.
(Click on the infographic below, or here, for a voice-reader accessible .pdf version.)
Our projects
![]() |
Online courses |
![]() |
Cyber diplomacy web discussions:
|
![]() |
Geneva Dialogue on Responsible Behaviour webinars
Geneva Dialogue on Responsible Behaviour outputs |
![]() |