Breaking down the OEWG’s legacy: Hits, misses, and unfinished business
The OEWG on cybersecurity (2019–2025) shaped global debates on digital security—but did it deliver? External experts weigh in on its lasting impact, while our team, who tracked the process from day one, dissect the milestones and missed opportunities. Together, these perspectives reveal what’s next for cyber governance in a fractured world.
What is the OEWG?
The open-ended working groups (OEWGs) are a type of format present in the UN that is typically considered the most open, as the name suggests. It means that all UN member and observer states, intergovernmental organisations, and non-governmental organisations with the UN Economic and Social Council (ECOSOC) consultative status may attend public meetings of the working group. Yet, decisions are made by the UN member states. There are various OEWGs at the UN. Here, we are addressing the one dealing with cybersecurity.
What does the OEWG on cybersecurity do? In plain language, it tries to find more common ground on what is allowed and what is not in cyberspace, and how to ensure adherence to these rules. In the UN language, the Cyber OEWG was mandated to ‘continue to develop the rules, norms, and principles of responsible behaviour of states, discuss ways for their implementation, and to study the possibility of establishing regular institutional dialogue with broad participation under the auspices of the UN.’
How was the OEWG organised? The OEWG was organised around an organisational session that discussed procedures and modus operandi, and substantive ones dealing with the matter, as well as intersessional meetings and town halls supplementing the discussions. The OEWG held 10 substantive sessions during its 5-year mandate, with the 11th and final session just around the corner in July 2025, where the group will adopt its Final report.
The OEWG through expert eyes: Achievements, shortfalls, and future goals
As the OEWG 2019–2025 process nears its conclusion, we spoke with cybersecurity experts to reflect on its impact and look ahead. Their insights address four key questions: (1) the OEWG’s most substantive contributions and shortcomings in global ICT security; (2) priorities for future dialogues on responsible state behavior in cyberspace; (3) the feasibility of consensus on a permanent multilateral mechanism; and (4) the potential relevance of such a mechanism in today’s divisive geopolitical climate. Their perspectives shed light on what the OEWG has achieved—and the challenges still facing international cyber governance.
The Open-Ended Working Group’s most substantive contribution is its role in encouraging states to articulate national and regional positions on the application of international law in cyberspace. Over 30 countries, along with the African Union and EU, submitted formal positions. This growing body of documented perspectives has helped clarify how states interpret existing legal frameworks in cyberspace—an important step toward building a shared understanding of responsible state behavior online. Despite these positive developments, all things considered, the OEWG has not delivered many tangible outcomes that materially improve global cybersecurity. Key issues such as the cyber mercenary market, coordinated vulnerability disclosure, and the protection of public critical infrastructure remain largely unaddressed. The process has struggled to move beyond dialogue into actionable strategies.
Read more
The consensus-based nature of the OEWG allows a small number of states to block progress. Without genuine cooperation and constructive engagement from all participants, the process risks stagnation. Additionally, the current stakeholder modalities have proven inadequate. For cybersecurity discussions to be effective, they must include a diverse range of voices—technical experts, civil society, and system operators. Unfortunately, the OEWG has not provided a truly inclusive platform for these stakeholders to contribute meaningfully.
To advance responsible state behavior in cyberspace, future efforts may need to move beyond the limitations of the types of processes that we have traditionally seen in this space. Governments should explore mechanisms that allow for real and tangible progress. Models like the Ottawa Declaration on cluster munitions and the Montreux Document on military contractors—though not directly applicable—offer interesting food for thought in this regard. A future approach should prioritize actionable strategies and more inclusive participation to address urgent cybersecurity challenges.
Whether states can reach consensus on a permanent mechanism for dialogue depends entirely on political will. The current geopolitical climate makes this a challenging prospect, but not an impossible one. Ideally, such a mechanism would be state-led and permanent, operating on a single-track basis while incorporating meaningful multistakeholder participation. It should be designed not just for dialogue, but for action—equipped with the tools and authority to implement strategies that enhance global cybersecurity in practical, measurable ways.
The relevance and influence of a future permanent mechanism will hinge on its design, ambition and implementation. If it replicates the limitations of the current OEWG—particularly its susceptibility to deadlock and exclusion of key stakeholders—then it is unlikely to achieve meaningful progress. However, if it is action-oriented, inclusive, and strategically focused, it could become a powerful tool for fostering a more secure and stable cyberspace.
The Open-ended Working Group 2021-2025 has made a lasting contribution to global discussions on ICT security by broadening participation and providing a platform for smaller delegations and underrepresented states to engage substantively in international discourse on cybersecurity policy. This more inclusive dialogue on responsible behavior in cyberspace has strengthened cross-regional coalition-building, fostered understanding across diverse perspectives, and – as repeatedly emphasized by the Group’s Chair – thus served as a confidence-building measure (CBM) in itself.
Read more
The adoption of three Annual Progress Reports (APRs) by consensus in 2022, 2023, and 2024 amidst a challenging political climate represents a notable achievement in sustaining multilateral dialogue on cybersecurity. These reports also reflect concrete, if modest, progress, including, inter alia, the establishment of a Points of Contact (PoC) directory, agreement on eight global cyber CBMs, and consensus on a comprehensive section addressing existing and potential threats to international peace and security stemming from the use of ICTs. However, translating dialogue into implementation has remained a challenge over the course of the OEWG’s deliberations. Persistent divisions – for example, over prioritizing the implementation of existing commitments versus the elaboration of new norms and referencing discussions on International Humanitarian Law – have limited the Group’s ability to move from consensus language to specific outcomes.
Looking ahead, discussions on cybersecurity in the context of the United Nations First Committee should shift toward operationalizing the existing framework for responsible state behavior. This framework – comprising, inter alia, 11 norms for responsible state behavior, existing international law including the UN Charter, eight global cyber-confidence building measures including the PoC directory, as well as 10 cyber capacity-building principles – offers sufficient tools to do so. What is needed now is to give enhanced meaning to their sometimes abstract language and align them with practical, on-the-ground realities. Bringing in expert briefers and adopting more interactive formats could invigorate discussions and support bridging gaps between technical, legal, political, and diplomatic communities.
Whether states can reach final consensus on the design of a future permanent mechanism on cybersecurity under UN auspices next month remains an open question, particularly given the fragile compromises and last-minute diplomacy that have characterized the final stages of APR negotiations over the past two years. Annex C of the 2024 APR outlines a solid basis of elements of future permanent mechanism, but key issues – particularly concerning dedicated thematic groups and stakeholder modalities – remain unresolved. A successful outcome in July will require both a high level of political will and a willingness to compromise from all states in order to agree on a clear roadmap that avoids duplication and overlaps, fosters deeper dialogue, and enables meaningful stakeholder contributions to support evidence-based policymaking on cybersecurity at the UN level.
In our view, the most significant achievement by the OEWG 2021-2025 was reaching an agreement to set up the Points of Contact Directory. This database serves as an important tool promoting practical international cooperation countering cybersecurity threats, allowing faster information exchange between competent bodies. When reflecting on the work of the OEWG 2021-2025, we would also like to highlight the informal intersessional consultative meetings with stakeholders organized by the Chair of OEWG H.E. Mr. Burhan Gafoor and thank him for his genuine interest in engaging in a direct conversation with a multi-stakeholder community.
Read more
The UN Report of the Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security (A/76/135), which was published in 2021, suggested numerous considerations for agenda prioritisation. Among them, issues covered by norms F, G (critical infrastructure protection) and I (supply chain security) could be regarded as particularly important nowadays, as one can observe a constantly growing number of cyberthreats against critical infrastructure as well as supply chains.
We hope that a consensus on the structure and function of a future permanent mechanism for dialogue on ICT-related issues will eventually be reached. We also hope that member states will work out concrete parameters of such mechanism.
During times of geopolitical turbulence, any mechanism, which enables direct dialogue, is of special importance. That is why we believe that a future permanent mechanism would be highly relevant. It would also inherit the reputation of the OEWG as one of the premier platforms for the global dialogue on ICT-related issues. Our view is that, in order to increase its efficiency, the OEWG successor should keep channels of communication with the private sector open, which has vast expertise in the ICT sphere and could make a meaningful contribution to the depth of any future discussion. Their format could vary – for example, it could be similar to aforementioned Chair’s informal intersessional consultative meetings with stakeholders. At the same time, specific measures could be taken in order to make such consultations more relevant and useful for the purposes of a future permanent mechanism – in particular, by dividing all interested non-government stakeholders in thematic groups based on their area of activity, and then inviting them to specific rounds of consultations which are relevant to their expertise.
Associate Research Fellow
Centre of Excellence for National Security
S. Rajaratnam School of International Studies (RSIS), Nanyang Technological University, Singapore (NTU)
Most of the OEWG 2021-25 has been conducted under a geopolitical storm, making any agreement to advance the framework on responsible state behaviour in the use of ICTs a hard-won consensus. But even if it seems like an evaluation that the glass is half full, there has been progress. The OEWG has at least three annual progress reports to show for the discussions that has gone on in the group, which is no mean feat considering the geopolitical situation. Any attempt to rollback state commitments made in the previous OEWG and UNGGE has also been met with a vigorous pushback by the majority of states, keeping much of the acquis intact. This is especially important in a time where international law has come under the cosh due to the actions of some states.
Read more
There has however been a substantial change in how discussions at the group has progressed. The longer mandate given to the OEWG has enabled the group to place more emphasis on the implementation of the framework (and reporting back to the framework), rather than being bogged down with the ideological differences that has long stalked the process. I think this action-oriented approach is useful to all stakeholders in the process – states, academics, civil society, and industries – because it enables feedback on which of the norms, capacity building, and confidence building measures have proven effective, and what has been less so. And this should continue into the future permanent mechanism.
How the future permanent mechanism will look like is unclear and would most certainly be a result of political agreement that is UN-acceptable to states and unfortunately minimises the role of non-state stakeholders. Non-state stakeholders will have to accept the modalities that the future mechanism agrees to. But this does not mean that the role of non-state stakeholders should stop or decrease, and it is incumbent on the states that see the value of non-state stakeholder participation to ensure non-state stakeholder voices remain heard and relevant to the discussions on responsible state behaviour.
The numerous side events held on the sidelines of the OEWG are important in providing states and other stakeholders to deepen discussions and learn from the expertise of other states and stakeholders. This dialogue and knowledge sharing opportunity should be kept alive in the future mechanism in order to prevent the future mechanism from being siloed into a diplomatic endeavour. The future of the stability of cyberspace lies all in the hands of all stakeholders, and it would be richer if all stakeholders were involved in the process – we can only hope that the collective wisdom of all states will prevail at the final session in July.
The 2021-2025 UN Open-Ended Working Group (OEWG) has served as a pivotal forum for global cyber norms diplomacy, though its legacy remains decidedly mixed. Its most enduring contribution lies in institutionalizing a universal dialogue platform—successfully bringing all UN member states into the conversation while establishing essential trust-building mechanisms, most notably the global Points of Contact directory. This procedural progress has laid a valuable foundation for future international discussions. However, substantial advancements, particularly in developing new norms, often encountered obstacles due to geopolitical tensions, resulting in reaffirmations of existing norms rather than the creation of new commitments. Complex issues, including ransomware and emerging technology norms, remain largely unresolved.
Read more
Moving forward, emphasis should shift from norm-setting to practical implementation and operational cooperation. As cyber threats rapidly evolve—including sophisticated AI-driven incidents, supply chain vulnerabilities, and persistent ransomware—the international community would benefit from actionable measures aimed at mitigating these risks. The technology industry’s practical experience can undoubtedly contribute to this effort. Enhanced public-private cooperation in threat assessment, vulnerability disclosure, and incident response can meaningfully improve global cyber resilience.
The consensus to establish a flexible, Programme of Action (PoA)-style follow-up mechanism post-2025 reflects a pragmatic step towards continuous diplomatic engagement. This mechanism aims to sustain dialogue and build constructively on previous OEWG efforts. Its effectiveness will largely depend on genuine multistakeholder participation, where technical insights are appropriately considered without political bias.
In an increasingly complex geopolitical environment, the mechanism’s most immediate value may be crisis management and maintaining open channels of communication. Its role will likely remain normative, focusing on fostering trust and predictability rather than enforcing norms strictly or attributing responsibility explicitly. For the technology industry, this landscape presents both ongoing compliance complexity and, more significantly, a strategic importance for constructive, collaborative participation in safeguarding the stability and security of our interconnected digital infrastructure.
Topic-by-topic: Diplo’s experts assess OEWG achievements and what comes next
In addition to external cybersecurity experts, we asked our own team—who have tracked the OEWG process since its inception—to share their analysis. They highlight key achievements over the past five years, identify gaps in the discussions, and offer predictions on where debates may lead during the final session and beyond.
Over the past five years, the OEWG’s discussions on threats have really grown—not just in length, but in depth. As the threat landscape evolved, so did the conversations. What started as fairly general discussions have now become much more detailed and specific, with nearly a quarter of recent sessions focused on threats alone. That shift shows two things: first, how rapidly cyber risks like ransomware, state-sponsored attacks, and now even AI-driven threats are expanding; and second, that states are getting more comfortable talking openly about these issues.
One standout achievement is how much more states are leaning into cooperation. What’s interesting is that they’re not just naming threats anymore—they’re using just as much time to talk through how to tackle them together. That’s a big deal. We’ve seen more proposals for joint responses, support for capacity-building, and collective action than ever before. It’s a sign that this forum isn’t just about pointing out problems, but about working toward solutions.
There’s also been progress in how states describe and understand threats. In recent sessions, they flagged some new concerns—like the vulnerability of undersea cables and satellite communication networks. That’s a big leap in recognizing the physical infrastructure behind the internet and the risks we might not have talked about much before. States also raised alarms about cyber incidents targeting critical sectors like healthcare, aviation, and energy, and added AI to the mix, with specific concerns about the data used in machine learning and the misuse of AI to power more sophisticated attacks.
All of this points to a maturing conversation. We’re seeing a more layered understanding of threats, which makes space for more tailored, effective responses. And that’s exactly what global cooperation on cybersecurity should be aiming for: staying ahead of the curve, together.
What’s next?
As we head into the final session of the OEWG, expect threat discussions to stay front and centre—more detailed, more action-oriented, and more grounded in real-world risks. That momentum is set to carry into the UN’s future permanent mechanism, which will likely include a dedicated working group on threats. This won’t be just another talk shop. It’s being designed to take a cross-cutting, policy-driven approach—bringing in technical experts and other stakeholders to focus on concrete steps that boost resilience, protect critical infrastructure, and strengthen global stability in cyberspace.
The trend is clear: more specifics, more cooperation, more solutions. Future discussions will be about connecting policy and practice—turning shared concerns into collective action. So while the OEWG chapter might be closing, the real work on threat response is only just beginning.
Andrijana Gavrilovic
Head of Policy and Diplomatic Reporting, Diplo
The OEWG 2019-2025 established itself as the main space for open and inclusive talks about responsible state behaviour in cyberspace, despite a tough political environment marked by big power rivalries, ongoing conflicts, and deep divisions. One of the key achievements was reconfirming and reinforcing the existing normative framework. States didn’t just reaffirm the 11 voluntary, non-binding norms — they also moved the conversation forward on the Chair’s proposed voluntary Norms Implementation Checklist, This checklist breaks down each norm in more detail, pointing out specific actions countries can take both nationally and internationally. It’s now attached to the Zero Draft of the OEWG Final Report.
This shift from just setting norms to focusing on how to actually put them into practice is an important step. While the OEWG helped make this shift happen, many countries have already started applying the norms on their own, which shows these principles are becoming more embedded in real-world policies compared to five years ago. Sharing experiences—especially around protecting critical infrastructure and supply chain security—is growing, showing a real push to turn these norms into action. Even though the checklist is still voluntary, most agree it’s a helpful tool for being more transparent, supporting self-checks, and boosting accountability among countries.
Another important role of the OEWG was as a place to openly discuss the future of the normative framework. The group provided a space for countries to talk about whether the current norms are enough or if new, possibly legally binding rules are needed to handle new cyber threats. Although they didn’t reach an agreement on this, the OEWG allowed different views to be shared in a fair and inclusive way, highlighting the need for ongoing dialogue and cooperation.
The OEWG also made progress in setting up a more permanent way to continue this work, while recognising the important role of regional organisations, civil society, and other non-governmental stakeholders. The Zero Draft highlights these contributions and stresses the value of consultations between meetings. Most importantly, it lays the groundwork for a permanent institutional mechanism, showing strong political will to keep international cooperation on cyber norms going beyond 2025.
What’s next?
Looking ahead, the Zero Draft notes that countries are still divided on whether new or legally binding norms are needed. While we don’t expect a final consensus at the closing session, there’s clear support for keeping the conversation going in a structured way. The Chair has suggested creating thematic working groups under a future permanent mechanism. This could be a practical way to move forward, focusing on putting norms into practice while also allowing room to revisit the rules debate in a more focused, issue-specific context. These groups could be key to driving implementation at national, regional, and sector levels, while also making sure multiple stakeholders can stay involved.
However, in an era where military instruments increasingly shape the resolution of international disputes, to what extent can these peacetime-negotiated UN cyber norms remain relevant and applicable? How can voluntary norms—developed through consensus and intended to promote transparency, restraint, and responsible behaviour—be upheld when geopolitical tensions escalate into open conflict? And how might states but also stakeholders continue to apply and interpret these norms to distinguish responsible conduct from destabilising behaviour, even when trust and cooperation are under strain? These questions lie at the heart of ensuring that the normative framework remains a meaningful tool for promoting international stability and accountability—especially when the rules-based order itself is being tested. Comment end
Anastasiya Kazakova
Cyber Diplomacy Knowledge Fellow, Diplo
Between 2021 and 2025, the OEWG continued to explore how international law—especially the UN Charter—applies to how states use ICTs. These discussions got more detailed over time, both in substantive and intersessional meetings. One positive trend has been the growing number of national statements on how international law applies in cyberspace. Over 100 countries have now shared their views, along with inputs from other organisations, which helped enrich the debate (see paragraph 40(f) of the Zero Draft). These contributions gave countries a chance to share understandings of how international law applies to cyberspace and of the state responsibilities in the use of ICTs.
States largely agreed on some key legal principles. They reaffirmed that state sovereignty and related international norms and principles still apply when it comes to ICT-related activities. They also confirmed that core principles from the UN Charter—the principle of non-intervention, the prohibition on the threat or use of force, and the peaceful settlement of disputes, non-intervention—remain valid and relevant in cyberspace.
What’s next?
Looking ahead to the final session, we expect some countries to push for the inclusion of international human rights law (IHRL) and international humanitarian law (IHL) in the Final Report. Even though these two areas were discussed quite a bit during this OEWG cycle, they’re currently missing from the international law section of the Zero Draft. Including them would also help ensure they’re part of the list of issues to be explored in any future discussions under the new permanent mechanism.
That said, one major divide still hasn’t been resolved: should there be a new, legally binding agreement on how international law applies to ICTs? This question continues to split the group, and that’s unlikely to change anytime soon.The proposal to create a thematic group focused on international law within the future permanent mechanism comes with its own set of challenges. Some countries might try to use this group to start negotiating a binding legal instrument. Others will likely resist that idea, which could cause the group to stall. As with the other proposed thematic groups, it will also be important to sort out who gets to participate—technical experts, legal advisers, policy practitioners, and others. So far, it’s unclear how non-governmental stakeholders will be involved, and some states remain sceptical about their role. There’s also a risk that dividing the work into multiple thematic groups could fragment the conversation, leading to siloed discussions rather than a holistic approach. And for countries with fewer resources, it may be hard to keep up across multiple parallel discussions, potentially giving more influence to those with larger delegations and greater capacity.
Pavlina Ittelson
Executive Director, Diplo US
Cyber capacity-building has remained a cross-cutting pillar of the OEWG’s ICT-security agenda, sustaining momentum even as global tensions have made cooperation more difficult. Over the past five years, three key achievements stand out.
First, the launch of the Global Roundtable on ICT Capacity-Building in New York in May 2024 marked a big step forward. It was the UN’s first-ever event focused solely on this topic, bringing together governments, industry, civil society, and academia to share experiences, highlight good practices, and discuss what’s still missing. The strong support for making this roundtable a regular fixture shows a real commitment to keeping everyone at the table and recognising the important role of non-state actors in strengthening capacity around the world.
Second, countries have worked to set up practical tools to deliver on capacity-building. A key example is the Global ICT Security Cooperation and Capacity-Building Portal (GCSCP), which has received wide support as a neutral, government-led platform to coordinate capacity-building efforts. Alongside it, a needs-based capacity-building catalogue was also welcomed, provided both tools are connected with existing efforts to avoid duplication. Together, they’re meant to help match countries’ needs with available support.
Third, there’s been progress on the financing side. A voluntary UN trust fund was proposed to help finance projects and support participation from smaller delegations. It was broadly welcomed and is expected to complement other funding sources like the World Bank’s Cybersecurity Multi-Donor Trust Fund and ITU mechanisms.
What’s next?
The OEWG’s final session needs to turn these ideas into something that works in practice. That includes agreeing on how often to hold the roundtables, how they’ll be run, and how they’ll connect to whatever permanent mechanism comes next. The goal is to make them more than just another meeting—to turn them into a space where real progress is made.
For the GCSCP and the capacity-building catalogue, a phased rollout is likely, starting with basic modules, a document repository, a Points of Contact directory, mapping of states’ needs, and a calendar of events. More sensitive features—like a norms-tracker proposed by Kuwait or an incident-reporting tool—are likely to be delayed, given concerns from some countries about data sharing and potential politicisation.
The trust fund will need clear criteria for who can access it, how it will be monitored, and how to avoid overlaps with existing efforts. There’s still uncertainty about whether it will attract enough consistent funding to meet the varied needs of developing countries.
Finally, there’s still no agreement on how the future permanent mechanism should handle capacity-building. Some countries want a dedicated working group, while others prefer to integrate it into all relevant discussions. The OEWG has built the basic framework—now the task is to finalise the details and make sure cyber capacity-building stays inclusive, focused on real needs, and able to adapt to future challenges.
Salome Petit-Siemens
Master’s Student in International Security, Sciences Po
The launch of the Points of Contact (PoC) Directory in May 2024 stands, without a doubt, as the flagship achievement of the OEWG’s current mandate. Although the concept was first introduced in the 2021 OEWG report as one of the confidence-building measures (CBMs), the PoC Directory began to see real-world use by the end of the year 2024. Its operationalisation required active investment by the UN Secretariat, which organised the first system-wide ping test in June 2024 to verify the accuracy and responsiveness of entries. This was followed by a tabletop exercise planned for March 2025.
Another important milestone—closely tied to the PoC’s rollout—was the growing agreement on the need for a standardised communication template. At first, some states were hesitant, worried that it might make using the Directory too rigid or formal. But over time, the idea gradually gained traction. By April 2025, the Secretariat had circulated a draft template—an important step toward making communications between PoCs more consistent and efficient.
While not as visible, the globalisation of CBM practices has been arguably just as significant. Traditionally, CBM implementation was driven by regional organisations. However, 2024 witnessed a notable increase in cross-regional and multilateral initiatives, including global workshops, seminars, and training programmes. These efforts have contributed to a broader diffusion of CBM norms and practices beyond regional silos.
Yet, as we take stock of the OEWG’s progress over the past five years, one cannot ignore the gradual erosion of multistakeholder engagement in CBM discussions. As the OEWG approaches its final session, it is crucial not only to celebrate achievements but also to acknowledge areas where inclusivity and innovation have lagged behind.
What’s next?
The standardised template for PoC communication is likely to dominate discussions during the OEWG’s concluding session, especially given the Chair’s stated intention to include it in the final report.
The idea of integrating CBMs into the different thematic groups—something that’s part of the vision for a future permanent mechanism—was introduced in the last session. But most delegations seemed to prefer holding off on deep discussions until that mechanism is actually up and running. While spreading CBMs across different topics sounds good in theory, it also comes with risks. Moving these conversations out of their dedicated agenda item might risk politicising what has so far remained one of the OEWG’s most consensus-driven domains.
Ultimately, despite notable advancements, especially since 2024, the future of CBMs lies in their effective implementation, not necessarily future discussions at a global level. The next phase of development for the PoC Directory, in particular, hinges on actual use by states. Some key questions, first raised back in 2022, are still up in the air, including the precise scope of PoC functions. Only practice will provide answers to those questions.
Jenne-Louise Roellinger
PhD student in International Relations, Sciences Po
One of the biggest achievements of the OEWG has been getting broad agreement that we need a regular, ongoing space to talk about international cybersecurity. Even with all the geopolitical tensions, countries have managed to keep talking about how a future mechanism could look. In fact, the OEWG has shown that dialogue—even between politically divided countries—is not just possible, but necessary, and increasingly seen as something that should be institutionalised.
Right now, there’s still no agreement on what this future mechanism should be. Some countries want to continue with the OEWG, while others are pushing for a Programme of Action (PoA). To find a middle ground, the Chair’s Zero Draft suggests setting up a permanent UN-backed body that would hold annual meetings and run several thematic working groups. It’s a compromise aimed at keeping everyone on board while ensuring the process keeps moving. This setup recognises the need for continuity, but its design must remain politically and procedurally neutral to secure broad support.
Still, it’s unclear whether this proposal addresses the concerns of non-governmental stakeholders, who were excluded from formal sessions, despite repeated calls for transparency and inclusion. Although intersessional consultations offered some space for engagement, many in the civil society, the private sector, and the technical community expressed concern that their expertise and operational relevance were not adequately reflected in the negotiation process.
What’s next?
If countries can agree on a final report, and we shouldn’t rule that out—especially given recent signs of cooperation between Russia and the US at the UNGA—it will likely support the idea of a permanent institutional mechanism, though maybe without naming it outright. That would give the UNGA First Committee a chance to adopt a resolution during its 80th session later this year that formally launches the new framework. Such an outcome would mark a major step forward. We could see continued work starting in 2026 through annual meetings, thematic working groups, and inclusive consultations, as the Chair has proposed.
But if consensus doesn’t happen, the Chair might release a final report that lays out where countries agree and attaches statements from states on where they still disagree. At the moment, three main positions seem to be taking shape. One group of states backs the PoA model—basically a single-track, more inclusive process with full multistakeholder participation. Another group wants to stick with the OEWG as it is now, including the accreditation-based model for stakeholder participation agreed in 2022. A third group is pushing for a government-only, multilateral setup focused on five thematic pillars: threats, norms, international law, confidence-building, and capacity-building. These states also express strong reservations about continued stakeholder involvement in future UN cyber discussions.
These disagreements—about what the institutional setup should be, what issues to cover, and how stakeholders should be involved—highlight how politically tricky these negotiations are. And they’ll likely shape whatever comes next after the OEWG ends. If the divisions continue, we might see competing resolutions in the First Committee, which would mean a vote—and that increases the chance of fragmentation and less overall support for any future mechanism. Some delegations have already warned against this path, noting that splitting resources across multiple tracks could stretch everyone too thin. Yet in today’s fractured geopolitical landscape, the risk of a divided outcome in cyber diplomacy is not just possible—it’s increasingly likely.
Anastasiya Kazakova
Cyber Diplomacy Knowledge Fellow, Diplo
Interested in learning more about the OEWG?
Visit our dedicated OEWG page.