Comparative analysis: the Budapest Convention vs the UN Convention Against Cybercrime
This summer, the UN finalised a draft of its first international convention against cybercrime, raising questions about how it will coexist with the long-standing Budapest Convention, and in this analysis, we compare the two frameworks to highlight key similarities and differences.
This summer, the UN Member States reached a milestone by agreeing on a draft for the organisation’s first-ever international convention against cybercrime. While this marks a significant step, it has raised many questions among those closely following cybercrime issues. One of the key concerns is how this new UN convention will coexist with current frameworks, particularly the Budapest Convention of the Council of Europe, which has been ratified by 76 countries, and is considered by the Council of Europe as the first international framework to address cybercrime. What distinguishes the UN convention from the Budapest Convention, and how will the two interact moving forward?
In this analysis, we closely look at different chapters of both conventions to highlight the similarities and differences between the two documents.
Status and parties
The ‘United Nations Convention Against Cybercrime; strengthening international cooperation for combating certain crimes committed by means of information and communications technology systems and for the sharing of evidence in electronic form of serious crimes’, or simply the UN Convention, is not formally adopted yet: while the draft was adopted by the Ad Hoc Committee by consensus, the text will be further considered by the General Assembly. Once formally adopted, the convention should come into force if ratified by 40 UN Member States.
The Convention on Cybercrime or Budapest Convention is the legally binding treaty established by a regional organisation, i.e. Council of Europe. The Convention was ratified by 76 States, including both members and non-members of the Council of Europe.
The Convention includes two protocols, developed and adopted over time. The first protocol on xenophobia and racism via computer systems was opened for signature in 2003. The second protocol on enhanced cooperation and disclosure of electronic evidence was finalised in 2022 and has been, for now, only ratified by Serbia and Japan. To come into force, the second protocol requires 5 ratifications.
The distinction between the two by parties that negotiated the treaties should also be noted: all UN Member States vs. 46 Member States of Council of Europe.
Purposes & Scope
While both the Budapest Convention and the UN Convention share the overarching goal (which is to address cybercrime), their scopes are not exactly the same.
The Budapest Convention primarily focuses on the criminalisation of specific offences (e.g. illegal access, data/system interferences, computer-related fraud, child sexual abuse material), procedural powers to address cybercrime, and fostering international cooperation, by offering an advanced framework for cross-border access to electronic evidence (e-evidence).
The UN Convention’s aim is broader and takes a more comprehensive approach: it emphasises the need to prevent and combat cybercrime by strengthening international cooperation, providing technical assistance and capacity building for developing countries, particularly.
In view of scope, the UN Convention offers a broader institutional and global cooperation framework, while the Budapest Convention covers a wider and more specific range of criminal offences and procedural powers related to cybercrime.
Specifically, the Budapest Convention and its Second Protocol apply to e-evidence related to any criminal offence, while the UN Convention limits its scope to offences with a serious crime threshold, defined in the treaty as those punishable by a maximum deprivation of liberty of at least four years or a more serious penalty.
At the same time, the UN Convention is broader by addressing a wider range of issues, including the protection of state sovereignty, preventive measures, and provisions for technical assistance and information exchange, thus extending beyond the criminalisation and procedural focus of the Budapest Convention.
Definitions
To a large extent, the definitions in the Budapest Convention have been replicated in the UN Convention. However, there are some significant differences, particularly reflecting the broader scope of the UN Convention.
The UN Convention specifically uses the terms ‘ICT’ and ‘ICT systems’ instead of ‘computer’ or ‘computer systems,’ broadening its applicability to a wider range of devices and technologies. This language has been a key point of criticism. Notably, in articles like 23(2)(b) and (c), and 35(1)(c), the reference to ‘any criminal offense’ extends beyond cybercrime, potentially allowing the collection of data for any crime as defined by national laws, raising concerns about overreach and the scope of its application. It also uses ‘electronic data’ instead of ‘computer data’ (as the Budapest Convention does) to encompass all forms of electronic data.
Specifically, article 2 defines ‘electronic data’ as ‘any representation of facts, information or concepts in a form suitable for processing in an information and communications technology system, including a program suitable to cause an information and communications technology system to perform a function’, which was criticised by civil society for taking too broad an approach to the terminology. The UN Convention also explicitly introduces ‘content data’ and ‘serious crime’, which are not defined in the Budapest Convention though are mentioned (and what triggered criticism from civil society as the definitions of ‘serious offences’ are left to domestic law and thus will vary from country to country).
Criminalisation
The UN Convention is broader in scope compared to the Budapest Convention, as it criminalises additional forms of conduct. While some offences, like illegal access, are defined similarly in both conventions, the UN treaty expands the range of criminalised activities, addressing areas beyond the cyber-dependent crimes covered by the Budapest Convention, for instance by criminalising money laundering. The UN Convention also providers a provider scope to similar offences – for instance, this broader approach can be seen in provisions related to child sexual abuse material (below).
While article 9 of the Budapest Convention criminalises actions related to material, article 15 of the UN Cybercrime Convention extends beyond content/material and addresses solicitation, grooming, or making arrangements for the purpose of committing sexual offences against children, thus focusing more on preventing sexual offences from occurring by targeting the preparatory actions (solicitation or grooming), not just the possession or distribution of illegal content. However, it’s important to note that both instances refer to content-based crimes, with criticism focusing on the risk that victims may face prosecution simply for possessing certain types of content – particularly when real-time data collection is involved. This raises concerns about how such provisions might be misused to target individuals rather than the perpetrators of the crimes.
Both the Budapest Convention and the UN Convention address the integration of child protection into domestic legislation. However, they do not make a reference to the Optional Protocol to the Convention on the Rights of the Child on the sale of children, child prostitution, and child pornography that was ratified by 176 countries and already has this obligation in it. While both instruments touch on other treaties, they fail to incorporate or cite them directly in their text. The Budapest Convention is somewhat more comprehensive in this respect, as it explicitly references human rights treaties.
| Offences related to child pornography (Art 9), the Budapest Convention Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right, the following conduct: producing child sexual abuse material for the purpose of its distribution through a computer system; offering or making available child sexual abuse material through a computer system; distributing or transmitting child sexual abuse material through a computer system; procuring child sexual abuse material through a computer system for oneself or for another person; possessing child sexual abuse material in a computer system or on a computer-data storage medium. | Solicitation or grooming for the purpose ofcommitting a sexual offence against a child (Art 15), the UN Convention Each State Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law the act of intentionally communicating, soliciting, grooming, or making any arrangement through an information and communications technology system for the purpose of committing a sexual offence against a child, as defined in domestic law, including for the commission of any of the offences established in accordance with article 14 of this Convention. A State Party may require an act in furtherance of the conduct described in paragraph 1 of this article. A State Party may consider extending criminalization in accordance with paragraph 1 of this article in relation to a person believed to be a child. States Parties may take steps to exclude the criminalization of conduct as described in paragraph 1 of this article when committed by children. |
The Budapest Convention doesn’t contain specific provisions for critical infrastructure protection, while the UN Convention specifically addresses the need to protect critical information infrastructures in article 21. At the same time, the UN Convention omits offences related to copyright infringement, which are included in the Budapest Convention.
It should also be noted that the Budapest Convention integrates its criminalisation provisions across different sections (compared to the UN Convention) and is more focused on core cybercrime offences such as illegal access, data interference, and system interference. This structure reflects a narrower focus on crimes directly involving computer systems and data, without expanding into broader cyber-enabled crimes.
Procedural powers
The UN Convention (Articles 23-30) has a broader scope than the Budapest Convention (Articles 14-21), as it incorporates additional measures from UNCAC and UNTOC, such as provisions for the confiscation of crime proceeds (e.g. article 31) and witness protection (article 33 and 34), which are not covered in the Budapest Convention.
However, the core procedural powers between the two conventions are largely similar. Both conventions outline comparable conditions and safeguards, though the UN Convention has faced significant criticism from civil society due to its reliance on domestic laws to establish how these safeguards would be applied, which can vary widely across countries. This variation can lead to inadequate protections in states where local laws do not meet high human rights standards. This concern has also been raised in relation to the Budapest Convention and its protocols for a failure to provide specific procedural protections for privacy and freedom of expression
| Conditions and Safeguards (Art 15), the Budapest Convention 1. Each Party shall ensure that the establishment, implementation and application of the powers and procedures provided for in this Section are subject to conditions and safeguards provided for under its domestic law, which shall provide for the adequate protection of human rights and liberties, including rights arising pursuant to obligations it has undertaken under the 1950 Council of Europe Convention for the Protection of Human Rights and Fundamental Freedoms, the 1966 United Nations International Covenant on Civil and Political Rights, and other applicable international human rights instruments, and which shall incorporate the principle of proportionality. 2. Such conditions and safeguards shall, as appropriate in view of the nature of the procedure or power concerned, inter alia, include judicial or other independent supervision, grounds justifying application, and limitation of the scope and the duration of such power or procedure. 3. To the extent that it is consistent with the public interest, in particular the sound administration of justice, each Party shall consider the impact of the powers and procedures in this section upon the rights, responsibilities, and legitimate interests of third parties. | Conditions and safeguards (Art 24), the UN Convention 1. Each State Party shall ensure that the establishment, implementation and application of the powers and procedures provided for in this chapter are subject to conditions and safeguards provided for under its domestic law, which shall provide for the protection of human rights, in accordance with its obligations under international human rights law, and which shall incorporate the principle of proportionality. 2. In accordance with and pursuant to the domestic law of each State Party, such conditions and safeguards shall, as appropriate in view of the nature of the procedure or power concerned, include, inter alia, judicial or other independent review, the right to an effective remedy, grounds justifying application, and limitation of the scope and the duration of such power or procedure. 3. To the extent that it is consistent with the public interest, in particular the proper administration of justice, each State Party shall consider the impact of the powers and procedures in this chapter upon the rights, responsibilities and legitimate interests of third parties. 4. The conditions and safeguards established in accordance with this article shall apply at the domestic level to the powers and procedures set forth in this chapter, both for the purpose of domestic criminal investigations and proceedings and for the purpose of rendering international cooperation by the requested State Party. 5. References to judicial or other independent review in paragraph 2 of this article are references to such review at the domestic level. |
International cooperation
Firstly, the Budapest Convention and its Second Protocol allow international cooperation for the collection of electronic evidence related to any criminal offence. This broad scope means that countries can assist each other in investigations involving crimes beyond cyber-related activities, as long as electronic evidence is involved. The Budapest Convention emphasises cross-border cooperation through established networks and mechanisms like 24/7 contact points.
The UN Convention limits its scope of international cooperation to ‘serious crimes’ as defined by the treaty. These are offences punishable by a maximum of at least four years of imprisonment or more. However, as previously noted, articles such as 23(2)(b) and (c), and 35(1)(c) broaden the scope by referencing ‘any criminal offense.’
Secondly, the Budapest Convention in its Second Protocol includes a broader list of advanced tools (e.g. emergency mutual assistance in article 10 or video conferencing in article 11 etc.) for cross-border cooperation to obtain electronic evidence, and none of such tools have been included in the UN Convention. The Budapest Convention also emphasises timely preservation and sharing of data across borders, with an established network of 24/7 contact points to ensure rapid response in cybercrime investigations. The Second Protocol further strengthens data-sharing provisions, including direct cooperation with service providers and expedited disclosure of data in emergency situations.
The UN Convention provides mechanisms for data sharing but has been criticised for its provisions on confidentiality and transparency. Critics, including industry leaders, argue that the treaty has too many references to keeping requests confidential, which might limit transparency and oversight. This could lead to concerns about how certain countries use this data for surveillance or other purposes.
On the other hand, the UN Convention provides more areas for international cooperation since it includes the provisions from the UNTOC and UNCAC and includes provisions on crime prevention as well as freezing, seizure, confiscation and return of the proceeds (article 31), which are not included in the Budapest Convention.
The UN Convention, at the same time, lacks detailed safeguards, particularly, regarding how surveillance and data sharing might impact privacy. One of the provisions in article 22 grants states the authority to assert jurisdiction over crimes committed outside their borders if their nationals are affected, which would effectively allow other states to interfere in their domestic affairs. This also means that if states want to use the convention to prosecute the conduct of individuals outside their territory, they can do so.
Further, article 27 allows states to access electronic data (which is very broadly defined in the treaty) from individuals if they are located in their country, no matter where that data is stored. The same power is designed to order service providers that offer their services in the territory of a state to provide subscriber information relating to such services and this may include phone, emails, account details and other personally identifiable information.
Conclusion
As both the UN Cybercrime Convention and the Budapest Convention continue to shape global cybercrime policy, the challenge of how these instruments will coexist becomes increasingly relevant. The Budapest Convention, as the first international treaty on cybercrime, has long served as a foundational framework, providing a robust structure for addressing cyber-related offences while emphasising human rights and alignment with other international treaties.
However, states already party to the Budapest Convention may find themselves caught between the narrower, more established approach of that treaty and the broader mandates of the UN Convention. The latter’s focus on ‘serious crimes’ and the ambiguity around the scope of data collection for any offense defined by domestic law could lead to inconsistencies in how cybercrime is addressed globally, especially when legal definitions of cyber offences differ between nations.
The ability of these two instruments to coexist may depend on diplomatic efforts to create a complementary relationship between the two. Ensuring that both conventions are implemented in a way that respects existing international norms and human rights will be key to avoiding legal fragmentation and ensuring that global cybercrime prevention efforts are effective and coordinated.
About authors
Anastasiya Kazakova
Anastasiya Kazakova is a cyber diplomacy knowledge fellow at DiploFoundation, focusing on cyber conflict, cybercrime, and cybersecurity topics. Anastasiya also implements the Geneva Dialogue on Responsible Behaviour in Cyberspace.
Sorina Teleanu
Ms Sorina Teleanu is Director of Knowledge at DiploFoundation. She has worked in the internet and digital policy field for almost 15 years in roles including policymaking, research, capacity development, and stakeholder engagement.
Bojana Kovač
Ms Bojana Kovač holds an LLM in Public International Law from Utrecht University and an LLB in International and European Law from the Hague University of Applied Sciences. Bojana joined Diplo in 2022, and from April 2023, she has been a basket coordinator and researcher for the Digital Watch Observatory, focusing on human rights, legal and regulatory topics, and the Ad Hoc Committee on Cybercrime process.
Feodora Hamza
Ms Feodora Hamza joined Digital Watch Observatory in 2022 as a knowledge fellow, where her research focuses on emerging technology and the legal and regulatory responses. She completed her studies at the Albert Ludwigs University, Germany and Lancaster University, United Kingdom.